There are times when some network devices carry public IP addresses that belong to different companies or organizations. At other times there are appliances that "insist" on working only with certain IP addresses and refuse to work with any other IP subnet.
In cases like these, NAT/PAT is necessary to avoid overlapping IP address assignments or routing issues. Following is a list of discussions with some sample network designs and approaches.
Setting up routing within an internal network is probably the simplest thing to accomplish. Simply run the routing protocol of your choosing on the routers and Layer-3 switches (e.g. EIGRP in a Cisco shop), and the routes simply work "out of the box".
After the routes have been working for years, people start having ideas about introducing a firewall into the mix, which means creating multiple security zones; e.g. an Outside or Untrust zone for users, an Inside or Trust zone for database servers, and a DMZ for web servers. Unfortunately these people simply drop the firewall into the mix and set up its routing just like a router's, without further consideration of what creating multiple security zones means.
A firewall is introduced to protect certain network resources, so there must be at least two zones in place: an Outside or Untrust zone and an Inside or Trust zone. The Untrust zone is where the least trusted networks lie, such as the Internet or plain users with their PCs. The Trust zone, on the other hand, is where the most trusted networks lie, such as the server networks.
Prior to the firewall introduction, those Untrust and Trust networks were interconnected in a setup as meshed as possible for redundancy. Introducing a firewall that merely logically disconnects certain links between the Untrust and Trust networks while leaving the rest of the links in place is a fundamental network design flaw: traffic between the Untrust and Trust networks can simply bypass the firewall over those alternate links (the routing protocol will happily use whichever path remains), which defeats the purpose of introducing the firewall.
This is where careful consideration is in order prior to the firewall introduction: after the firewall is in place, no traffic flow between the zones may be able to bypass it. A network redesign is a must to avoid these issues. Following is an illustration.
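One way to check a proposed design for exactly this flaw, as an added example that is not part of the original post: model the Layer-3 topology as a graph, remove the firewall node, and see whether the Untrust side can still reach the Trust side. If it can, the path found is a firewall bypass. The device names and link lists below are constructed for the illustration (a meshed pre-firewall core where the firewall was dropped in on one side, and the same core redesigned so the server switch hangs only off the firewall); they are not from the original page.

```python
from collections import deque


def find_bypass_path(links, src, dst, firewall):
    """Breadth-first search from src to dst over the topology with the
    firewall node removed.  Returns the bypass path as a list of nodes if
    one exists, or None if every src->dst path has to cross the firewall.
    Passing firewall=None searches the full topology (plain reachability).
    links is an iterable of (node_a, node_b) pairs; links are undirected."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    # Cut the firewall out of the graph: whatever path survives is a path
    # that the routing protocol could use without ever touching the firewall.
    adj.pop(firewall, None)
    for nbrs in adj.values():
        nbrs.discard(firewall)

    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(adj.get(node, ())):  # sorted for deterministic paths
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


# Constructed topology 1: the old mesh is left in place and a firewall is
# inserted between core1 and the server switch only.  core2 still has its
# original direct link to the server switch.
LEFTOVER_MESH_LINKS = [
    ("users-sw", "core1"),
    ("users-sw", "core2"),
    ("core1", "core2"),
    ("core1", "fw"),
    ("fw", "server-sw"),
    ("core2", "server-sw"),   # leftover redundant link: the bypass
]

# Constructed topology 2: redesigned so that the server switch is reachable
# only through the firewall, while the firewall itself keeps dual uplinks.
REDESIGNED_LINKS = [
    ("users-sw", "core1"),
    ("users-sw", "core2"),
    ("core1", "core2"),
    ("core1", "fw"),
    ("core2", "fw"),
    ("fw", "server-sw"),
]


def audit(links, untrust, trust, firewall):
    """Report whether the Trust side is reachable at all and whether any
    path avoids the firewall."""
    return {
        "reachable": find_bypass_path(links, untrust, trust, None) is not None,
        "bypass": find_bypass_path(links, untrust, trust, firewall),
    }


if __name__ == "__main__":
    for name, links in (("leftover mesh", LEFTOVER_MESH_LINKS),
                        ("redesigned", REDESIGNED_LINKS)):
        result = audit(links, "users-sw", "server-sw", "fw")
        print(f"{name}: reachable={result['reachable']} bypass={result['bypass']}")
```

Run it on the leftover mesh and the audit reports the path users-sw, core2, server-sw as a bypass; on the redesigned topology the Trust side is still reachable, but only through fw, so no bypass is reported. The same check can be fed from a CDP/LLDP neighbor dump or a routing table export before the change window rather than after the firewall is already in production.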