2006-10-12
northlandboy
Re: How to view the automatic proxy arps NGX

Yes, I agree with Rob. I have done this in the past with privately addressed firewalls, but we ended up publicly addressing them, to deal with issues around VPNs.

It's not such an issue with NGX, but it can still cause problems.

Yes, you do need either access to the upstream router, or understanding admins.

If you've got multiple ISPs, then I don't know how you deal with NATting issues anyway, unless you're doing it in a proper, serious way, and you've got your own transferable address block that you advertise via BGP. I haven't looked into how you deal with it with Check Point ISP redundancy.

Just to put this into context, remember that most of my experience is with reasonably large networks, where we do control the routers, and we do have our own address blocks. I don't really do much work with small setups. If you've only got a couple of public addresses, it doesn't really matter which way you do it. I'm more dealing with situations where NAT is used to control routing, i.e. to direct certain sorts of traffic via certain clusters. It's actually not all that often I do NAT for Internet-accessible systems. You're often NATting a third party to something in your network, so your systems can route to it, and then on the way out of the firewall, you NAT the source, so the vendor routes back to you.

In those situations, scalability and ease of deployment are critical, which is why it is simply not practical to be configuring proxy ARP (or even worse, host routes) for every NAT you do. Nor would it scale.

I'm just looking back over this thread, and I see we've drifted a fair way from Brent's original question - but no problem, this is a good discussion! At least we answered the original question though ;-)

- Lindsay