[c-nsp] Best Practices for Enterprise networks
Sam Munzani
smunzani at comcast.net
Mon Aug 30 10:18:29 EDT 2004
> On Sat, 28 Aug 2004, Tracy Smith wrote:
>
>> Hello. I am trying to gauge what the Best Practices are for
>> Enterprise network connections to the Internet. Specifically, to NAT
>> or not to NAT? At what point should NAT-ting be performed ...
>> exclusively at the Egress point or at decentralized points? What
>> about firewalling - centralized/decentralized?
>
>
> I recommend you not to NAT. You can achieve the same result with
> proper firewalling. Using NAT makes your life harder: bottleneck,
> prevents you from setting up certain services. Firewalling of course is very
> important: depending on your situation: what to protect? different
> protection schemes for different departments etc.
> Regards,
>
> Janos Mohacsi
Whenever you have dual exits to the internet using 2 or more firewalls, the
best approach is NAT. Each firewall would run NAT using the public IP
scheme from its ISP. This ensures that the traffic leaving one
firewall/ISP will come back to the same firewall.
Without NAT the return traffic could come to the second firewall (since you
are not NATting and are announcing your own public block through 2 different
ISPs), which doesn't have any knowledge of the connection. It will drop it.
Just my 2 cents.
Sam Munzani
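The return-path problem Sam describes, as an added toy model that is not part of the thread and not any vendor's code: two stateful firewalls front one enterprise, a host sends a connection out through FW-A, and the reply is either routed back through the exit holding the state (NAT to each ISP's own block) or through whichever exit the Internet prefers (own block announced via both ISPs, no NAT), where it is dropped for lack of state. Firewall names, the RFC 5737 addresses, port numbers and the "Internet prefers the last-listed exit" rule are all constructed for the demonstration.

```python
"""Toy model of stateful firewalls on a dual-exit network, with and without NAT.

Constructed example: the firewall names, addresses (RFC 5737 documentation
ranges, 10.0.0.0/8 for the inside) and the Internet's path choice are
assumptions made for the demonstration, not taken from the thread.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self) -> "Packet":
        """The server's answer: addresses and ports swapped."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port)

    def flow(self) -> Flow:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)


class StatefulFirewall:
    """Default-deny inbound: only replies to connections seen leaving are let
    back in.  If nat_ip is set, outbound traffic is PATed to that address."""

    def __init__(self, name: str, nat_ip: Optional[str] = None) -> None:
        self.name = name
        self.nat_ip = nat_ip
        self.table: Dict[Flow, Flow] = {}  # outside-view flow -> inside-view flow
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        inside = pkt.flow()
        if self.nat_ip:
            pkt = replace(pkt, src_ip=self.nat_ip, src_port=self._next_port)
            self._next_port += 1
        self.table[pkt.flow()] = inside  # record the connection as the Internet sees it
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = pkt.reply().flow()  # the outbound flow this packet would be answering
        inside = self.table.get(key)
        if inside is None:
            return None  # no state for this connection: dropped
        in_src_ip, in_src_port, _, _ = inside
        return Packet(pkt.src_ip, pkt.src_port, in_src_ip, in_src_port)  # un-NAT


class Internet:
    """Forwards a reply to whichever exit announces its destination.  When both
    exits announce the same block the Internet chooses on its own criteria;
    this toy picks the last one listed, standing in for 'not the one you wanted'."""

    def __init__(self, announcements: List[Tuple[str, List[StatefulFirewall]]]) -> None:
        self.routes = [(ipaddress.ip_network(net), fws) for net, fws in announcements]

    def return_exit(self, dst_ip: str) -> StatefulFirewall:
        addr = ipaddress.ip_address(dst_ip)
        for net, fws in self.routes:
            if addr in net:
                return fws[-1]
        raise LookupError(f"no route to {dst_ip}")


def run_scenario(use_nat: bool) -> Optional[Packet]:
    """One host opens a connection out through FW-A (its default route) and
    the server replies.  Returns the packet delivered back to the host, or
    None if the reply was dropped at the firewall it came back through."""
    server = ("192.0.2.80", 443)
    if use_nat:
        # Inside hosts use private space; each exit NATs to its own ISP's block.
        fw_a = StatefulFirewall("FW-A", nat_ip="198.51.100.1")  # address from ISP-A
        fw_b = StatefulFirewall("FW-B", nat_ip="203.0.113.1")   # address from ISP-B
        host = Packet("10.0.0.5", 51000, *server)
        internet = Internet([("198.51.100.0/24", [fw_a]), ("203.0.113.0/24", [fw_b])])
    else:
        # The enterprise's own block is announced through both ISPs, no NAT.
        fw_a = StatefulFirewall("FW-A")
        fw_b = StatefulFirewall("FW-B")
        host = Packet("203.0.113.10", 51000, *server)
        internet = Internet([("203.0.113.0/24", [fw_a, fw_b])])

    outside = fw_a.outbound(host)          # connection leaves via FW-A
    reply = outside.reply()                # server answers the source it saw
    back_through = internet.return_exit(reply.dst_ip)
    return back_through.inbound(reply)


if __name__ == "__main__":
    for nat in (False, True):
        print("NAT" if nat else "no NAT", "->", run_scenario(nat) or "reply dropped")
```

Without NAT the reply is addressed to the enterprise's own block, which both exits announce, so the model's Internet hands it to FW-B, which has no entry for the connection and drops it; with NAT the reply is addressed to FW-A's ISP-A address and can only come back through FW-A, where the state lives. The model deliberately covers only that one mechanism (per-exit stateful tables with no state sharing), which is the case the post argues about.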