ISP Metro service has a WAN and LAN side.

We are installing a Metro line. The ISP gave us a /30 address for the WAN side and a /29 on the LAN side. We are supposed to use the LAN side for our 6 public addresses. I don't know how to set up a WAN and a LAN side and connect (route/NAT) them. I have attached a document that better explains what I am trying to say. How would I do this in the firewall?



marce1000
VIP

- If you still need to buy equipment, you will probably be better off working on this with a reseller and discussing/implementing the configuration with them too.

 M.



-- 'Good body every evening': this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

They are not very helpful.  I have reached out to them.

balaji.bandi
Hall of Fame

What FW would you like to configure, and what is the challenge you have?

How is your FW connected to the network and to your WAN router?

We need more information or a network diagram to understand your network.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Richard Burts
Hall of Fame (accepted solution)

We do not have much detail about your environment and that makes it difficult to give good advice. But the general situation you describe is clear. Your ISP will provide 2 address blocks, a /30 for the transit subnet connecting your firewall to their router and a /29 to be used for addressing devices in your network. This is a fairly common situation, especially when some of the devices in your network need to be accessible from the Internet (perhaps a mail server, perhaps a web server, perhaps something else). 

 

So in general this is what your firewall should do:

- configure its outside interface with an IP address from the /30. And establish communications with the ISP router over this subnet.

- configure a default route using the address of the ISP in that /30 as the next hop.

- configure dynamic address translation for traffic originating from the inside network(s) going to outside.

-- the common approach for this is to use the address of the outside interface for the dynamic address translation.

-- but an option is to use 1 (or several) address(es) from the /29 to configure an address pool for the translation.

- configure static address translation so that the servers on the inside which should be accessible from the outside translate their inside addresses to an address in the /29. 

HTH

Rick
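As an added example (not from this thread, and not the poster's configuration), this is what the steps Rick lists look like on an ASA using the 8.3+ object NAT syntax. Every address is an assumed RFC 5737 documentation value, and the interface, object and ACL names are placeholders.

```cisco
! Assumed addresses (RFC 5737 documentation ranges), not the poster's real ones:
!   ISP /30 transit: 203.0.113.0/30 (ISP router .1, firewall outside .2)
!   Public /29:      198.51.100.0/29, routed by the ISP toward 203.0.113.2
!   Inside LAN:      10.10.10.0/24, mail server .25, web server .80
! A /30 leaves one usable address for the firewall, so this is a single unit.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Default route: the next hop is the ISP end of the /30
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
object network INSIDE-LAN
 subnet 10.10.10.0 255.255.255.0
object network MAIL-PRIVATE
 host 10.10.10.25
object network WEB-PRIVATE
 host 10.10.10.80
object network PAT-POOL
 range 198.51.100.5 198.51.100.6
!
! Dynamic translation for inside-originated traffic.
! Common approach: PAT behind the outside interface address
object network INSIDE-LAN
 nat (inside,outside) dynamic interface
! Alternative: PAT behind addresses taken from the /29 (pat-pool needs 8.4(3)+)
! object network INSIDE-LAN
!  nat (inside,outside) dynamic pat-pool PAT-POOL
!
! Static one-to-one translations: the servers become reachable on /29 addresses
object network MAIL-PRIVATE
 nat (inside,outside) static 198.51.100.2
object network WEB-PRIVATE
 nat (inside,outside) static 198.51.100.3
!
! NAT alone does not admit inbound traffic; the outside ACL must permit it,
! and in 8.3+ the ACL is written against the real (private) addresses
access-list OUTSIDE-IN extended permit tcp any object MAIL-PRIVATE eq smtp
access-list OUTSIDE-IN extended permit tcp any object WEB-PRIVATE eq https
access-group OUTSIDE-IN in interface outside
```

The /29 is never configured on an interface here: the ISP routes it to the firewall's /30 address and the NAT statements claim the individual addresses.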

Thank you for the diagram showing how your firewall is connected. In the more typical situation the firewall connects to the Internet and traffic from the Internet goes through the firewall to reach the DMZ. Your drawing shows the Internet goes through the DMZ to get to the firewall. No matter which way the firewall connects, I believe that the steps I describe (using the /30 for addressing the interface connecting to the Internet, establishing a default route for traffic using the subnet of the /30, setting up dynamic address translation for traffic originated inside and going to the Internet, and using addresses from the /29 to set up static address translation for some devices) should accomplish what you need.

HTH

Rick

I forgot to mention there are two firewalls connected in HA mode. Won't they both need their own public address? Is there some kind of routing I could do in the DMZ or firewall so I could give each of the ASAs its own public address even though there is one WAN connection?

If these are an HA pair you need active/standby IP addresses; that is a basic requirement to build HA.

The diagram is high level. Do you have a low-level one showing how they are connected, how many public IP addresses you have, and how you are connected to the internet: using a router, or directly via Ethernet to a switch?

BB
