VPN, Private/Public IP Addressing

mafriedman
Level 1

We are in the process of replacing our 3Com Access builder (dial-in) system with a Cisco PIX 515e.

Currently, we have a 350+ node IP-based WAN with fixed IP addresses. It works well. But our addressing scheme does not currently utilize IANA reserved addresses. We have numerous offices linked by dedicated line. We are running NT 4.0 servers and also have several distinct domains with no trusted domains. A future plan is to consolidate domains prior to migrating to Windows 2000.

We have no immediate plans to allow direct Internet access from our WAN, although it is certainly a future likelihood that we will modify our topology to permit direct workstation access. However, this is several years away.

The problem I have is that some people will be accessing the PIX via the Internet. If we don't switch to a private addressing scheme for the intranet, will that cause problems? Let's say the host dials in. He has a private IP address of 10.xxx.xxx.xxx and the server he is trying to access within our internal intranet has an address of 130.xxx.xxx.xxx. How will the host be able to find the server?

The individual who is setting the system up claims that the server and all of our interior LANs must utilize private addresses for the Internet-based VPN hosts to locate the servers and peripherals within the interior LAN. Thus, we need to redo the IP addresses throughout our entire operation. If this is not the case, I'll need to explain why and how we can get around the need to redo the addresses.

Does it make sense to convert our internal IP addressing to one of the private address blocks (i.e., 10.xxx.xxx.xxx), or go with NAT? What are the concerns and issues associated with each? Is security a problem or an advantage when using NAT?

Are we required to go forward with changing the internal IP addressing of our internal WAN to a private address scheme if we are to use the Cisco PIX firewall?

Thanks for your help...

Mark

2 Replies

awaheed
Cisco Employee

Hi Mark,

I guess the reason for bringing the private IP addressing option into the picture is to utilize your addresses in a better and more efficient manner. You can still use the addressing that you have but might need to further subnet the addresses, but if it's not too much to ask, it might just be a good idea to use private addressing for your inside and then NAT those going out. This will make sure that your intranet is not accessible directly but is hiding behind a PIX with private addressing. For further design considerations, get in touch with your local Cisco account team.

Hope this helps,

Thanks and Regards,

Aamir Waheed,

Cisco Systems, Inc.

CCIE#8933
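As an added illustration of the design Aamir describes above (private addressing on the inside, translated at the PIX on the way out, with VPN clients still reaching inside hosts), here is a PIX 6.x-style configuration fragment. It is an example written for this page, not configuration from the original thread or from Cisco. The interface addresses, the 10.0.0.0/8 inside range, the 10.200.0.0/24 client pool and the access-list name are assumptions for the example.

```cisco
! Added example, not from the thread. Addresses, pool and ACL name are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 198.51.100.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Inside hosts reach the outside through PAT on the outside interface address.
! Nothing outside can initiate a connection to a 10.x host, which is the
! "hiding behind the PIX" effect mentioned above.
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface

! Address pool handed to Internet-based VPN clients when they connect.
ip local pool vpnpool 10.200.0.1-10.200.0.254

! Traffic between the inside networks and the VPN clients must NOT be
! translated, or a remote user would see a PAT'd address instead of the
! real server. This identity-NAT exemption is what lets a 10.200.x client
! reach an inside server by its real address. The same exemption works
! unchanged if the inside keeps its existing (non-RFC 1918) addressing;
! only the source network in this line and in "nat (inside) 1" changes.
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let decrypted IPsec traffic bypass the interface access-list checks.
sysopt connection permit-ipsec
```

What the VPN client needs in order to "find the server" is a route for the inside prefix that points into the tunnel (a split-tunnel network list or a full-tunnel policy), plus the nat 0 exemption above so the PIX does not rewrite the server's address on the reply. Whether that prefix is 10.x or 130.x makes no difference to the mechanism; what changes is only which network you list in the exemption and in the client's tunnel policy.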

-=-=-=-

Aamir,

Thanks for your reply. I was hoping that we could come up with a way to avoid having to redo the addressing for the entire enterprise. This would be a massive undertaking. One that will be done, but I wanted to do it at a later time.

One of the consultants told us that if we went with the PIX, we could not utilize our current "public" addresses. In order to use the PIX, a private scheme was required. This did not sound right to me. I was hoping that I could go back to them with a suggested design or strategy that would allow us to keep our current addressing scheme for now.