Forum Discussion

Oseias_68756
Mar 11, 2010

Which of these two designs is better, and why?

Design 1:

INTERNET -> ROUTER -> FIREWALL -> F5-LTM -> SERVERS

With router to firewall using PRIVATE addresses
Firewall to F5 using PUBLIC addresses
F5 to servers using PRIVATE addresses - servers going to the Internet use NAT

Design 2:

INTERNET -> ROUTER -> FIREWALL -> F5-LTM -> SERVERS

The same, but:

With router to firewall using PRIVATE addresses
Firewall to F5 using PRIVATE addresses
F5 to servers using PUBLIC addresses - servers can go to the Internet with their own IPs

What would you use? The decision here is: is the best solution to use public addresses on the servers, or only to publish them using NAT?
  • Design two is normally avoided due to limited IP availability. If you control the routing table and the L3/L4 packet flow with firewall rules, I'm not sure it really matters what IP ranges you use inside your infrastructure. However, using private addresses internally gives you a little more flexibility in moving around the public addresses externally. My $.02.
  • hoolio
    I agree on the IP space. I'd also suggest considering putting the router inside the firewall. In general, it's a good practice to have a firewall between any untrusted network and your network devices.

    Aaron
  • Hamish
    The big question is: are you restricted on IP addresses? I've been fortunate enough to have worked at organisations that have had a whole class B for DMZs and another class B for their data centres (all valid, routable). It really does make things a breeze as far as debugging traffic problems...

    My 2p is do whatever you can to have the LEAST NATing in it that you can get away with, and NAT as late as possible...

    H
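To make the trade-off the thread is arguing about concrete, here is an added example in Python; it is not from the thread, from F5, or from any poster. It walks one client-to-VIP connection through the three hops of each design, counts how many times an address is rewritten (Hamish's "least NATing" yardstick), reports what the server would log as the client address (the debugging point), what the Internet sees when a server connects out, and flags the return-path trap that Design 2 walks into if the servers' default gateway is not the LTM. Every address is a constructed RFC 5737 / RFC 1918 example; the pool member and self-IP addresses are invented, and because the original post does not say where Design 1's outbound NAT happens, the model assumes it is on the firewall.

```python
"""Toy packet-flow model of the two address plans in the thread. Walks a
client -> VIP connection through router, firewall and F5 LTM, counts address
rewrites, reports what the server logs as the client, what the Internet sees
when the server connects out, and flags the no-SNAT trap (replies that bypass
the LTM). All addresses are constructed RFC 5737 / RFC 1918 examples."""
import ipaddress
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple

# Checked explicitly: ipaddress's is_private also flags the RFC 5737
# documentation ranges used below, which would mislabel the public servers.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int = 80

@dataclass(frozen=True)
class Hop:
    name: str
    dnat: Dict[str, str] = field(default_factory=dict)  # inbound: VIP -> chosen pool member
    snat: Optional[str] = None         # inbound: source stamped on traffic to the server
    egress_snat: Optional[str] = None  # outbound: source stamped on server-initiated traffic
    on_return_path: bool = True        # server's route back to the Internet crosses this hop

def deliver(flow: Flow, hops: List[Hop]) -> Tuple[Flow, int]:
    """Return the flow as the server receives it and the number of address rewrites."""
    rewrites = 0
    for hop in hops:
        if flow.dst in hop.dnat:
            flow = replace(flow, dst=hop.dnat[flow.dst])
            rewrites += 1
        if hop.snat is not None:
            flow = replace(flow, src=hop.snat)
            rewrites += 1
    return flow, rewrites

def egress(server: str, hops: List[Hop]) -> str:
    """Source address the Internet sees for a connection the server opens itself."""
    src = server
    for hop in reversed(hops):  # server -> F5 -> firewall -> router
        if hop.egress_snat is not None:
            src = hop.egress_snat
    return src

def evaluate(client: str, vip: str, hops: List[Hop]) -> dict:
    """Summarise one design from the server's and the debugger's point of view."""
    at_server, rewrites = deliver(Flow(client, vip), hops)
    # A hop that picks the pool member but leaves the source alone relies on the
    # server routing replies back through it; if the default gateway is elsewhere
    # the reply reaches the client straight from the pool member's address and
    # the client's TCP stack drops it (asymmetric path).
    asymmetric = any(
        hop.dnat and hop.snat is None and not hop.on_return_path for hop in hops
    )
    return {
        "server_sees_src": at_server.src,
        "server_logs_client_ip": at_server.src == client,
        "server_rfc1918": is_rfc1918(at_server.dst),
        "egress_src": egress(at_server.dst, hops),
        "inbound_rewrites": rewrites,
        "asymmetric_return_risk": asymmetric,
    }

CLIENT = "192.0.2.55"  # constructed Internet client
VIP = "203.0.113.10"   # constructed published address

# Design 1: public only on the firewall/F5 link, RFC 1918 servers, SNAT on the
# LTM. The thread does not say where outbound NAT lives; the firewall is assumed.
DESIGN_1 = [
    Hop("router"),
    Hop("firewall", egress_snat="203.0.113.1"),
    Hop("f5-ltm", dnat={VIP: "10.0.0.10"}, snat="10.0.0.1"),
]
# Design 2: servers keep public addresses, the LTM only picks the pool member.
DESIGN_2 = [
    Hop("router"),
    Hop("firewall"),
    Hop("f5-ltm", dnat={VIP: "203.0.113.50"}),
]
# Design 2 again, but the servers' default gateway is the firewall, not the LTM.
DESIGN_2_GATEWAY_ON_FIREWALL = [
    Hop("router"),
    Hop("firewall"),
    Hop("f5-ltm", dnat={VIP: "203.0.113.50"}, on_return_path=False),
]

if __name__ == "__main__":
    for label, design in (("design 1", DESIGN_1), ("design 2", DESIGN_2),
                          ("design 2, gateway on firewall", DESIGN_2_GATEWAY_ON_FIREWALL)):
        print(label, evaluate(CLIENT, VIP, design))
```

Two practical consequences fall out of the model. In Design 1 the server only ever sees the LTM's SNAT address, so if the application needs the real client address it has to arrive some other way (on an F5 LTM, typically an X-Forwarded-For header inserted by the HTTP profile), and every troubleshooting session starts by correlating two address rewrites. In Design 2 the server logs the client directly and only one rewrite happens, but the servers' default route must go back through the LTM; if it points at the firewall instead, the third scenario above shows the asymmetric-path failure, and the usual fix is to turn SNAT back on, which gives up the very benefit Design 2 was chosen for.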