RE: Doubt - Network Solution Provider or Infrastructure

From: luis.alloza.martinez@accenture.com
Date: Mon Aug 11 2008 - 14:31:12 ART


Hello, this is my first post. I currently hold CheckPoint CCSE and Cisco CCSP, and recently passed the Security written. Now I am gathering strength to pursue the Lab exam.

I have followed this forum for about 5 months now and learned a lot from you, so thank you.

I mostly agree with Smarthost

In my case I had to deal with a 2-bank (speed) merge with repeated IP ranges.

Our approach was:

1. For security and technical matters, hide each bank's address space

2. Only used static routing

3. Required applications for each side would behave as DMZ servers, with static NAT Bank1-DMZ1, Bank2-DMZ2

4. Clients would be using NAT pools for accessing the other bank, Bank1-NAT_Pool1, Bank2-NAT_Pool2, with one class C for every pool. I don't recommend PAT: if you are handling 700 hosts opening sockets, be careful with the 64K ports available for each IP address for every PAT.

The result was fairly good, despite the tight schedule.

Regards.
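Luis's four steps and Smarthost's scheme below (source NAT for the untrusted side, a trusted destination pool for the published services, and the same logic in reverse for datacenter services) describe one twice-NAT gateway. The following is an added example, not configuration from either poster, that models that gateway in Python so both translations of a packet can be traced and the PAT port-budget check can be done with numbers. Every address range is an assumption: each bank keeps 172.16.1.0/24 and 10.1.0.0/16 (the 10.1.1.0/16 in the original question read as a /16), and the gateway owns four otherwise-unused ranges, one DMZ range and one client pool per bank. The class and function names (`Side`, `TwiceNatGateway`, `pat_addresses_needed`) are invented for the example.

```python
"""Twice NAT between two networks that reuse the same private address space.
Added example for this thread; address ranges and names are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Ports one PAT (overload) address can hand out once the well-known range is excluded.
USABLE_PORTS_PER_IP = 65535 - 1024


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def pkt(src, dst):
    return Packet(IPv4Address(src), IPv4Address(dst))


class Side:
    """One bank's real networks plus the external ranges the gateway speaks for it."""

    def __init__(self, name, real_nets, dmz_net, pool_net):
        self.name = name
        self.real_nets = [IPv4Network(n) for n in real_nets]
        self.dmz_net = IPv4Network(dmz_net)
        self.pool_net = IPv4Network(pool_net)
        self.pool = list(self.pool_net.hosts())  # free 1:1 pool addresses
        self.static = {}   # real server -> published DMZ address (Luis's step 3)
        self.dynamic = {}  # real client -> pool address, one per host, no PAT (step 4)
        self.reverse = {}  # external -> real, for the return path

    def external_nets(self):
        return [self.dmz_net, self.pool_net]

    def contains(self, ip):
        return any(ip in n for n in self.real_nets)

    def publish(self, real, dmz):
        """Static NAT for a server the other bank must reach."""
        real, dmz = IPv4Address(real), IPv4Address(dmz)
        if not self.contains(real) or dmz not in self.dmz_net:
            raise ValueError("static mapping outside this side's ranges")
        self.static[real] = dmz
        self.reverse[dmz] = real

    def outbound(self, real):
        """External address for a real source: static for servers, pool for clients."""
        if real in self.static:
            return self.static[real]
        if real not in self.dynamic:
            if not self.pool:
                raise RuntimeError(f"{self.name}: NAT pool exhausted")
            ext = self.pool.pop(0)
            self.dynamic[real] = ext
            self.reverse[ext] = real
        return self.dynamic[real]

    def inbound(self, ext):
        """Real address behind an external one, or None if nothing is published there."""
        return self.reverse.get(ext)


class TwiceNatGateway:
    def __init__(self, a, b):
        self.sides = {a.name: a, b.name: b}
        # Step 1 / Smarthost's rule: translated ranges must never collide with a
        # real range on either side, or routing becomes ambiguous again.
        for s in (a, b):
            for ext in s.external_nets():
                for t in (a, b):
                    if any(ext.overlaps(r) for r in t.real_nets):
                        raise ValueError(f"{ext} overlaps a real network of {t.name}")

    def forward(self, ingress, packet):
        """Rewrite both addresses of a packet that arrived from side `ingress`.
        Returns (egress side, translated packet); raises if the packet is dropped."""
        src_side = self.sides[ingress]
        if not src_side.contains(packet.src):
            raise ValueError(f"{packet.src} is not a {ingress} address; dropped")
        (dst_side,) = [s for s in self.sides.values() if s is not src_side]
        real_dst = dst_side.inbound(packet.dst)
        if real_dst is None:
            # The far side's real addresses are never routable: only published DMZ
            # addresses (and pool addresses already in use) can be reached.
            raise ValueError(f"{packet.dst} is not published by {dst_side.name}; dropped")
        return dst_side.name, Packet(src_side.outbound(packet.src), real_dst)


def pat_addresses_needed(hosts, sockets_per_host, ports_per_ip=USABLE_PORTS_PER_IP):
    """Overload addresses a PAT pool needs at peak: the arithmetic behind Luis's warning."""
    return -(-(hosts * sockets_per_host) // ports_per_ip)


def build_gateway():
    bank1 = Side("bank1", ["172.16.1.0/24", "10.1.0.0/16"], "10.250.11.0/24", "10.250.1.0/24")
    bank2 = Side("bank2", ["172.16.1.0/24", "10.1.0.0/16"], "10.250.12.0/24", "10.250.2.0/24")
    bank2.publish("172.16.1.50", "10.250.12.50")  # Bank2 app server, seen by Bank1 as a DMZ2 address
    return TwiceNatGateway(bank1, bank2)


def demo():
    """A Bank1 client reaches the Bank2 server via its DMZ2 address and gets the reply back."""
    gw = build_gateway()
    _, out = gw.forward("bank1", pkt("172.16.1.10", "10.250.12.50"))
    _, back = gw.forward("bank2", Packet(out.dst, out.src))  # the server replies to what it saw
    return out, back


if __name__ == "__main__":
    out, back = demo()
    print("on bank2 wire:", out.src, "->", out.dst)    # 10.250.1.1 -> 172.16.1.50
    print("on bank1 wire:", back.src, "->", back.dst)  # 10.250.12.50 -> 172.16.1.10
    print("PAT addresses for 700 hosts x 100 sockets:", pat_addresses_needed(700, 100))  # 2
```

Neither bank ever sees the other's 172.16.1.x addresses on the wire, which is what lets both keep their numbering; a Bank2 host that tries 172.16.1.10 directly is dropped because nothing is published there. The pool here is strict 1:1, so it runs out after 254 clients per side, which is the trade-off against PAT that the thread is weighing.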

-----Original Message-----
From: nobody@groupstudy.com on behalf of Smarthost
Sent: Tue 12/08/2008 18:55
To: Scott Morris; 'Monica Belluci'; 'Cisco certification'; 'Cisco certification'
Subject: Re: Doubt - Network Solution Provider or Infrastructure Redesigning
 
NATting is your best bet.
I worked for a company that used to buy rivals like candy. What we found was
that every acquisition or merger came with its enterprise application
portfolio that provided a capability the rest of the organisation needed
immediately.

For networks we did not trust (latest acquisition) we NATted the source
scope.
We then offered a trusted IP scope for the destination pool.
Every remote cloud could access all the applications - NATted internal.
All source addresses that passed through the NAT router became PATted.

We made sure that the inside NAT/PAT scopes were not distributed into the
new acquisition/merger networks (OSPF) and vice versa.
We had a few defaults just in case, pointing to the NAT gateway from their
gateway.
Every network behind the NAT router was considered alien and hostile. With
this in place we did not care what IP ranges they had.

The next scenario was when we needed to migrate all remote users to approved
infrastructure services like EMAIL, FTP, DNS etc. hosted in our datacenters.
They would retain their existing IP scopes, sometimes in conflict with our
enterprise IP scheme.

The same logic but now in reverse order.

We just provided a /28 for the EMAIL/DNS/etc server cluster pool.

The source PAT/overload remained the same. For every server or service they
pointed to a NAT on the gateway.

The only downside was that we had a lot of coordination overhead:

- DNS
- Firewall rule changes
- NAT statements
- Troubleshooting issues, esp. with server redirects and sometimes
authentication

But it worked like a charm.

----- Original Message -----
From: "Scott Morris" <smorris@internetworkexpert.com>
To: "'Monica Belluci'" <mpls1979@gmail.com>; "'Cisco certification'"
<ccielab@groupstudy.com>; "'Cisco certification'" <security@groupstudy.com>
Sent: Monday, August 11, 2008 3:58 PM
Subject: RE: Doubt - Network Solution Provider or Infrastructure Redesigning

> One would first have to ask WHY! :)
>
> If they are talking to each other's networks, then you're looking at a NAT
> scenario which can get kind of hairy depending on your applications and
> firewall capabilities!
>
> Otherwise, if there are no overlapping host addresses, you could also bridge
> them together.... But again, this may produce some ugly results!
>
> Good luck with it all!
>
>
> Scott Morris, CCIE4 #4713, JNCIE-M #153, JNCIS-ER, CISSP, et al.
> CCSI/JNCI-M/JNCI-ER
> Senior CCIE Instructor
>
> smorris@internetworkexpert.com
>
>
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
> Knowledge is power.
> Power corrupts.
> Study hard and be Eeeeviiiil......
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Monica Belluci
> Sent: Monday, August 11, 2008 4:46 AM
> To: Cisco certification; Cisco certification
> Subject: Doubt - Network Solution Provider or Infrastructure Redesigning
>
> Dear GS,
>
> Suppose I have two companies that want to interconnect with each other, having
> the same IP subnet blocks on both sides:
> 1) Company A - subnet 172.16.1.0/24, subnet 10.1.1.0/16
> 2) Company B - subnet 172.16.1.0/24, subnet 10.1.1.0/16
> On both sides we have more than 700 hosts + servers. What is the better way to do
> communication between them without changing IP addresses?
>
> Thanks
> Monica Bell
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html





This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:30 ART