mpls bgp consideration

Hi all,

In our LAN, we plan to install 2 Nokia Checkpoint firewalls which connect to the ISP network. We have official addresses, a complete class C, and some addresses are used by the 2 external firewall interfaces.

In our LAN, these 2 Nokia Checkpoint firewalls don't share the same layer 3 segment, but in the future, if MPLS is implemented, they might. An idea is to have a common DMZ, reachable by the 2 Checkpoints.

Both firewalls will be used for HTTP traffic, load sharing, for the moment, and both will allow VPN access. Internal routing is EIGRP.

One Checkpoint is already installed, external range A.B.C.129-254 /25, with a DMZ A.B.C.144/28. The other is to be replaced; it is currently a Borderware firewall, external range A.B.C.1-126 /25, with another DMZ (and different servers). In our current Borderware configuration, traffic from external to internal is "natted", meaning that servers have private addresses (10.0.0.0 /24) and not official addresses; basically, it functions by port redirection.

While NAT is said to be more secure, a server cannot be reached from external except on a configured "natted" port.

I thought it would be more scalable, given the potential MPLS implementation and "DMZ consolidation", to give these servers official addresses and not to use NAT (I know that Checkpoint provides natting functions).

My question is: according to you all, are there any BGP, MPLS, or ISP-related features I should consider in my choice? I don't know much about that, but I think giving official addresses is more appropriate.

Thanks for your consideration.

igni
