[c-nsp] Best Practices for Enterprise networks

Kristofer Sigurdsson ks at rhi.hi.is
Mon Aug 30 11:06:31 EDT 2004


Sam Munzani, Mon, Aug 30, 2004 at 09:18:29AM -0500 :
> 
> >On Sat, 28 Aug 2004, Tracy Smith wrote:
> >
> >>Hello.  I am trying to gauge what the Best Practices are for 
> >>Enterprise network connections to the Internet.  Specifically, to NAT 
> >>or not to NAT?  At what point should NAT-ting be performed ... 
> >>exclusively at the Egress point or at decentralized points?  What 
> >>about firewalling - centralized/decentralized?
> >
> >
> >I recommend you not to NAT. You can achieve the same result with 
> >proper firewalling. Using NAT makes your life harder: bottleneck, 
> >prevents you from setting up certain services. Firewalling of course is very 
> >important: depending on your situation: what to protect? different 
> >protection schemes for different departments etc.
> >Regards,
> >
> >Janos Mohacsi
> 
> Whenever you have dual exits to internet using 2 or more firewalls, the 
> best approach is NAT. Each firewall would run NATs using public IP 
> scheme from its ISP. This ensures that the traffic leaving one 
> firewall/ISP will come back to the same firewall.
> 
> Without NAT the return traffic could come to the second firewall (since you 
> are not NATing and announcing your own public block through 2 different 
> ISPs) which doesn't have any knowledge of the connection. It will drop it.

If he's running dual homed, he'll probably be announcing his network, which
means it wouldn't matter through which upstream the traffic would come.  The
firewalls couldn't care less what way the packets took from the source.

The other way would be to have two firewalls, like you say, connected to separate
ISPs, using PA space from each ISP.  You would then probably have two default routes
injected in your IGP, making the selection random for each connection - I wouldn't
want to troubleshoot a network where my outgoing IP for each new connection would be random. :)

Also, tracking abuse (e.g. virus infected hosts) is a lot harder when using NAT - you
might get a complaint over an IP, the IP in question would simply be one from your
NAT pool...

-- 
Kristófer Sigurðsson		   | Tel: +354 525 4103 / MSN: ks at rhi.hi.is
Netsérfræðingur/Network specialist | Reiknistofnun HÍ/University of Iceland
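The two scenarios argued over above, as an added model that is not part of this thread: two stateful firewalls, each on its own ISP, and a reply that may come back through either exit. Everything here is hypothetical (the Firewall class, the RFC 5737 addresses, the single-host session table); it only shows why a reply landing on the exit that never saw the outbound session is dropped, why per-exit NAT pins the reply to the right exit, and why a complaint naming a NAT-pool address needs the translation log to be resolved.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

@dataclass
class Firewall:
    """Stateful firewall at one Internet exit (hypothetical model, not a real product).
    nat_ip set  -> outbound flows are translated to that ISP-assigned (PA) address.
    nat_ip None -> the site announces its own block via both ISPs, no translation."""
    name: str
    nat_ip: Optional[str] = None
    sessions: Dict[Flow, Flow] = field(default_factory=dict)  # outside flow -> inside flow
    nat_log: List[Tuple[str, str]] = field(default_factory=list)  # (inside_ip, public_ip)

    def outbound(self, flow: Flow) -> Flow:
        src_ip, src_port, dst_ip, dst_port = flow
        outside = (self.nat_ip or src_ip, src_port, dst_ip, dst_port)
        self.sessions[outside] = flow  # state that the reply must match
        if self.nat_ip:
            self.nat_log.append((src_ip, self.nat_ip))  # translation log for abuse lookups
        return outside  # the packet as the Internet sees it

    def inbound(self, reply: Flow) -> Optional[Flow]:
        """Reply from the server; accepted only if this box created the session."""
        s_ip, s_port, d_ip, d_port = reply
        return self.sessions.get((d_ip, d_port, s_ip, s_port))  # None = dropped

def reply_exit(firewalls: List[Firewall], reply: Flow, remote_pref: str) -> Firewall:
    """A NATed address is routed only by its own ISP, so the reply lands on that
    firewall; a self-announced block lands wherever the remote side's best path
    points (remote_pref), which the firewalls cannot influence."""
    for fw in firewalls:
        if fw.nat_ip == reply[2]:
            return fw
    return next(fw for fw in firewalls if fw.name == remote_pref)

def simulate(use_nat: bool, remote_pref: str) -> str:
    fw_a = Firewall("A", "198.51.100.10" if use_nat else None)  # constructed addresses
    fw_b = Firewall("B", "203.0.113.10" if use_nat else None)
    outside = fw_a.outbound(("10.0.0.5", 40000, "192.0.2.80", 443))  # inside host exits via A
    reply = (outside[2], outside[3], outside[0], outside[1])  # the server answers
    fw = reply_exit([fw_a, fw_b], reply, remote_pref)
    return "accepted" if fw.inbound(reply) else "dropped"

def hosts_behind(fw: Firewall, public_ip: str) -> Set[str]:
    """An abuse complaint names public_ip; only the translation log maps it to inside hosts."""
    return {inside for inside, pub in fw.nat_log if pub == public_ip}
```

simulate(False, "B") returns "dropped" while simulate(True, "B") returns "accepted"; hosts_behind() is empty unless the firewall kept its translation log.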