Generic IP Addressing Question

My experience has been that organizations with a public IP range (typically a /29 subnet) usually set up Internet connectivity this way:

Router External Interface: Public IP
Router Internal Interface: Public IP
Firewall "External" Interface (connected to Router Internal Interface): Public IP
Firewall Internal Interface: Private IP

My question is, why? Why waste three public IP addresses doing this, rather than having a single public IP on the router's external interface, and using private addresses from there? Is it because it's easier to set up NAT on the firewall?

Thanks for any guidance.

Reply to
evergladesfl

Many perimeter setups are full of historical artifacts. Well, artifacts, depends on how you look at it:

in our case, and for many others probably, when we got to the Internet, NAT was not yet a common technology.

Hence setups like this, which you will find at many places so to speak.

M.

Reply to
Marc Elsen

One reason: if the firewall is acting as a VPN termination point, then having NAT before the firewall can interfere with the VPN. ISAKMP NAT traversal (NAT-T) is relatively new and has throughput implications.

Reply to
Walter Roberson

Here are some other issues:

1) If there are servers behind the firewall, the firewall often needs to redirect different public addresses to each server. You may be able to get away with a single IP and port redirection if each server is on a different port, but if you have multiple servers of the same type (e.g. multiple web servers) then it's easiest to redirect separate IPs.

2) Sometimes you need to have machines on the segment outside the firewall. There may be some protocols that are hard to pass through a NAT. You may need to do some network troubleshooting on a machine outside the firewall. You might want to test a new firewall, and need to access it with a public IP.
Reply to
Barry Margolin
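
An added example (not from any poster in this thread) that works through the address budget behind the original question and Barry's point 1: with the topology above, two usable addresses of the /29 go to the router-inside / firewall-outside segment, and whatever is left can be handed out one per server for 1:1 NAT on the firewall. It assumes the router's outside interface sits on the ISP's own link (as chris describes) rather than in this block, uses constructed RFC 5737 / RFC 1918 addresses, and a hypothetical outside interface name `eth0`; the generated commands use Linux `ip` and `iptables` syntax.

```python
import ipaddress

# Constructed sample values: RFC 5737 documentation range for the public
# block, RFC 1918 space for the servers. Not taken from the thread.
PUBLIC_BLOCK = "203.0.113.8/29"
SERVERS = {"www1": "10.0.1.11", "www2": "10.0.1.12", "mail": "10.0.1.20"}
EXT_IF = "eth0"  # hypothetical name of the firewall's outside interface


def plan_public_block(block, servers, ext_if=EXT_IF, transit_addrs=2):
    """Budget a small public block for the router -> firewall topology.

    The router-inside / firewall-outside segment consumes `transit_addrs`
    usable addresses. Everything left is handed out one per server for
    1:1 NAT. Returns the transit addresses, the public->private mapping,
    the spare public addresses, and the commands that would realise it.
    """
    net = ipaddress.ip_network(block, strict=True)
    usable = list(net.hosts())  # network and broadcast addresses excluded
    needed = transit_addrs + len(servers)
    if needed > len(usable):
        raise ValueError(f"{block} has {len(usable)} usable addresses, need {needed}")
    transit = usable[:transit_addrs]
    pool = usable[transit_addrs:]
    mapping = {str(pub): priv for pub, priv in zip(pool, servers.values())}
    rules = []
    for pub, priv in mapping.items():
        # The firewall must own each public address so it answers ARP for it...
        rules.append(f"ip addr add {pub}/{net.prefixlen} dev {ext_if}")
        # ...then translate inbound and outbound traffic 1:1 for that address.
        rules.append(f"iptables -t nat -A PREROUTING -i {ext_if} -d {pub} "
                     f"-j DNAT --to-destination {priv}")
        rules.append(f"iptables -t nat -A POSTROUTING -o {ext_if} -s {priv} "
                     f"-j SNAT --to-source {pub}")
    return {
        "transit": [str(a) for a in transit],
        "mapping": mapping,
        "spare": [str(a) for a in pool[len(servers):]],
        "rules": rules,
    }


if __name__ == "__main__":
    plan = plan_public_block(PUBLIC_BLOCK, SERVERS)
    print("transit :", plan["transit"])
    print("1:1 NAT :", plan["mapping"])
    print("spare   :", plan["spare"])
    print("\n".join(plan["rules"]))
```

With a /29 the arithmetic is tight: six usable addresses, two on the transit segment, so at most four servers can get their own public address before you are back to port redirection.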

Some ISPs now use RFC 1918 addresses on the outside of the router facing their own core network. As these /30 links don't need to be routable outside the ISP's network, there is no need to use public address space.

Reply to
chris
