Do VOIP phones require all workstations/servers to have NAT'd IPs?

wallsfd949

Golden Member
Apr 14, 2003
We're getting new phone service and with that comes new internet service. Currently we're on a T-1 with 4 lines split off for voice. Nice thing about it is we can assign public IPs to our workstations/servers.

We're getting new phone service (VOIP) in the office w/a pair of bonded T-1s. With the new service comes 25 public/external IP addresses. I was told by the ISP's tech that because the phones were going to be on the same network as our workstations/servers that he was going to map the 25 public IPs to 25 internal IPs in the 10.x range and that we could not set our workstations to the public IPs. He was saying this was for firewall purposes and that we'd have to be NAT'd. I'm no networking expert, but this doesn't sound right. Doesn't NAT'ing the boxes (especially the server) totally defeat the point of having 25 IPs to play with? Is he full of crap or do I just have to deal with assigning NAT'd addresses to all the boxes?
 

networkman

Lifer
Apr 23, 2000
I'm not sure who's full of .... but I can tell you this: my employer is a library system with roughly 500 PCs, 125 VoIP phones, plus printers, 35 servers, etc. and there is currently just ONE public IP address which is our firewall. All of the other IP addresses are in the 192.168.xxx.xxx range.
 

wallsfd949

Originally posted by: networkman
All of the other IP addresses are in the 192.168.xxx.xxx range.

They are NAT'd on what appears to be a class B. I'd prefer to have our servers assigned their own public IP (we have 2 webservers and a DNS server), and the workstations as well since we do get 25 public IPs. He will "MAP" each public IP to our individual NAT'd 10. IP, but I'd rather assign the server a public IP.

I know I can NAT, but I don't want to if I don't have to. I can understand NAT'ing the VOIP phones 'cause you don't need a public IP for each one.

Surely someone has dealt with this before...
 

dphantom

Diamond Member
Jan 14, 2005
Why do your PCs need a public IP address? Just because you have them is not a good reason to use them.

If you do not have a good design reason, then NAT your PCs.
 

wallsfd949

Wow

did no one read my original post? I thought I made it even clearer on the 2nd post...


In case anyone missed it in the 1st two, we have 2 webservers and 1 DNS server. That is why I want to be able to assign public/external IPs to the Servers.
 

dphantom

Originally posted by: wallsfd949
Wow

did no one read my original post? I thought I made it even clearer on the 2nd post...


In case anyone missed it in the 1st two, we have 2 webservers and 1 DNS server. That is why I want to be able to assign public/external IPs to the Servers.

Try reading mine.

PCs with public IP addresses serve no useful purpose.

SERVERS that must be accessed from the outside like web should not have a public IP address but should be NAT'ed as well with the following config.

Using your firewall or external router, map a public IP address to your webserver/DNS NAT address.

Using external public IPs for everything went out a long time ago.
 

Thoreau

Golden Member
Jan 11, 2003
The advice in this thread is sound. There is no reason for end-user workstations to have a public IP address; it's nothing more than a security headache waiting to happen. Servers should also be behind NAT or some type of firewall and only have the necessary ports forwarded through (both for incoming AND outgoing) for a decent level of security. One public IP address, like the poster who works for a library, is all that should ever be needed in most cases.

In your case, two web servers plus one DNS server (btw, technically you should have two DNS servers to properly follow standards) would give you *some* reason (I say some since both web servers, DNS, you name it, are all fully able to run from a single IP address) for up to 4 public IPs being used per server, but even then the servers should have a non-public IP configured on them, and have the public IP mapped to them via your router/firewall box (in some cases you may need to just route the IP right through, depending on any web applications or daemons running that aren't set up to handle an internally assigned IP).
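
The design described in the replies above (public IPs mapped to internally addressed servers, only the necessary ports forwarded in and out, workstations and phones behind shared NAT), sketched as an nftables ruleset. This is an added example, not something posted in the thread; the Linux firewall, the interface names, the 203.0.113.0/27 public block, the 10.0.0.0/24 server and 10.0.1.0/24 workstation/phone subnets, and the choice of outbound server ports are all assumptions.

```nft
# Added example. Constructed values: wan0/lan0 interface names,
# 203.0.113.0/27 (documentation range) standing in for the ISP's block,
# 10.0.0.0/24 for servers, 10.0.1.0/24 for workstations and phones.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Public IP -> internal server, only for the published service ports.
        iifname "wan0" ip daddr 203.0.113.10 tcp dport { 80, 443 } dnat to 10.0.0.10
        iifname "wan0" ip daddr 203.0.113.11 tcp dport { 80, 443 } dnat to 10.0.0.11
        iifname "wan0" ip daddr 203.0.113.12 udp dport 53 dnat to 10.0.0.12
        iifname "wan0" ip daddr 203.0.113.12 tcp dport 53 dnat to 10.0.0.12
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Each server leaves with its own mapped public IP.
        oifname "wan0" ip saddr 10.0.0.10 snat to 203.0.113.10
        oifname "wan0" ip saddr 10.0.0.11 snat to 203.0.113.11
        oifname "wan0" ip saddr 10.0.0.12 snat to 203.0.113.12
        # Workstations and phones share a single public address.
        oifname "wan0" ip saddr 10.0.1.0/24 snat to 203.0.113.2
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Inbound: after DNAT the destination is already the internal address.
        iifname "wan0" ip daddr { 10.0.0.10, 10.0.0.11 } tcp dport { 80, 443 } accept
        iifname "wan0" ip daddr 10.0.0.12 udp dport 53 accept
        iifname "wan0" ip daddr 10.0.0.12 tcp dport 53 accept
        # Outbound from servers: DNS and HTTPS only (assumed policy).
        iifname "lan0" ip saddr 10.0.0.0/24 udp dport 53 accept
        iifname "lan0" ip saddr 10.0.0.0/24 tcp dport { 53, 443 } accept
        # Workstations and phones: outbound allowed, nothing unsolicited inbound.
        iifname "lan0" ip saddr 10.0.1.0/24 accept
    }
}
```

With the forward chain defaulting to drop, a port on a server is reachable from outside only if it appears in both the prerouting mapping and the inbound accept rules; the workstation subnet has no inbound rule at all.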