We are in the process of replacing our 3Com Access builder (dial-in) system with a Cisco PIX 515e.
Currently, we have a 350+ node IP based WAN with fixed IP addresses. It works well. But, our addressing scheme does not currently utilize IANA reserved addresses. We have numerous offices linked by dedicated line. We are running NT4.0 servers and also have several distinct domains with no trusted domains. A future plan is to consolidate domains prior to migrating to Windows2000.
We have no immediate plans to allow direct Internet access from our WAN, although it is certainly a future likelihood that we will modify our topology to permit direct workstation access. However, this is several years away.
The problem I have is that some people will be accessing the PIX via the Internet. If we don't switch to a private addressing scheme for the Intranet, will that cause problems? Let's say the host dials in. He has a private IP address of 10.xxx.xxx.xxx and the server he is trying to access within our internal intranet has an address of 130.xxx.xxx.xxx. How will the host be able to find the server?
The individual who is setting the system up claims that the Server and all of our interior LANs must utilize private addresses for the Internet based VPN hosts to locate the Servers and peripherals within the interior LAN. Thus, we need to redo the IP addresses throughout our entire operation. If this is not the case, I'll need to explain why and how we can get around the need to redo the addresses.
Does it make sense to convert our internal IP addressing to one of the private address blocks (i.e. 10.xxx.xxx.xxx) or go with NAT? What are the concerns and issues associated with each? Is security a problem or advantage when using NAT?
Are we required to go forward with changing the IP addressing of our internal WAN to a private address scheme if we are to use the Cisco PIX firewall?
I guess the reason for bringing the Private IP addressing option into the picture is to utilize your addresses in a better and efficient manner. You can still use the Addressing that you have but might need to further Subnet the addresses, but if it's not too much to ask, it might just be a good idea to use the Private addressing for your inside and then NAT those going out. This will make sure that your Intranet is not accessible directly but is hiding behind a PIX with Private addressing. For further design consideration get in touch with your local Cisco account team.
Thanks for your reply. I was hoping that we could come up with a way to avoid having to redo the addressing for the entire enterprise. This would be a massive undertaking. One that will be done, but I wanted to do it at a later time.
One of the consultants told us that if we went with the PIX, we could not utilize our current "public" addresses. In order to use the PIX, a private scheme was required. This did not sound right to me. I was hoping that I could go back to them with a suggested design or strategy that would allow us to keep our current addressing scheme for now.
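As an added illustration (not from either poster, and not a Cisco-supplied configuration) of the point made in the reply above, that the existing addressing can stay on the inside, the fragment below shows the addressing and NAT portion of a PIX 6.x configuration in which the inside network keeps its current block, outbound traffic is translated to the outside interface address, and traffic between the inside servers and the VPN client pool is exempted from translation so a client holding a 10.x pool address reaches a server by its real address. Assumptions: 130.0.0.0/16 stands in for the existing 130.xxx.xxx.xxx block, 192.0.2.0/24 (documentation range) for the outside link, 10.1.1.0/24 for the client pool, the names vpnpool, nonat and remote are placeholders, and the IPsec remote-access parts (isakmp policy, crypto map) are configured separately; lines beginning with ":" are comment lines.

```text
: interfaces - inside keeps the existing (public-range) block, no renumbering
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.0
ip address inside 130.0.0.1 255.255.0.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
: placeholder address pool handed to Internet-based VPN clients
ip local pool vpnpool 10.1.1.1-10.1.1.254
: NAT exemption: inside <-> VPN pool traffic is passed untranslated,
: so a 10.1.1.x client sees the server at its real 130.x address
access-list nonat permit ip 130.0.0.0 255.255.0.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
: everything else leaving the inside is translated to the outside address
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
vpngroup remote address-pool vpnpool
sysopt connection permit-ipsec
```

Two checks before relying on this: the inside routers and servers need a route for the pool (10.1.1.0/24) pointing back at the PIX inside interface, and inside hosts will be unable to reach whoever legitimately holds the 130.x block on the Internet while it is used internally, which is the main argument for renumbering later.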