05-18-2017 09:45 PM - edited 03-12-2019 02:23 AM
Well, I have a topology of a router with redundant paths from the ISP. Then I will install the firewall in the DMZ and will configure NAT on it for public access to the servers, and will implement the rules and access lists to block the ports and stop the required traffic. My main question is how many public IP addresses will be needed. One public IP address will be needed for the router for the ISP, or two if there is another path, i.e. a redundant path. And what about the firewall which is terminating the DMZ? Will that require a public IP also?
05-19-2017 12:27 PM
Hi gurwinkle.singh,
It depends upon your requirement. You need two IPs (if redundant ISPs). For the firewall itself you don't need any public IP. You have two options: either configure port forwarding or one-to-one NAT for the internal servers that you want to be accessible from the internet. For one-to-one NAT you need as many IPs as you have servers in the DMZ. But if you are doing port forwarding, then one or two IPs are enough. You can configure NAT on the firewall as well as on the edge router. If you want to configure NAT/port forwarding on the firewall, then you need to route those public IPs towards the firewall at the edge router, but if you are configuring NAT/port forwarding at the edge router, then you need to add the NAT configuration at the edge router.
05-19-2017 04:07 PM
Okay. I got that there is no need for a public IP on the firewall. If I am configuring VPN tunnels, do I need a public IP for that?
05-20-2017 11:03 PM
Hi Gurwinkle,
Yes, for VPN you need a public IP. If you are configuring VPN on the edge router, then you already have public IPs and you can use those IPs for VPN. If you are configuring VPN on the firewall, then you can achieve this by configuring one-to-one NAT for the firewall's IP or just configuring port forwarding for UDP port 500, UDP port 4500 and ESP traffic at the router.
05-21-2017 04:31 AM
Do you mean configuring NAT between router and firewall, a static NAT on the router for the firewall to save the public IP? PAT can do the job between firewalls and servers.
05-22-2017 09:53 AM
Yes, you can configure static NAT on the router for the firewall. If you want to access servers from the internet, then you need to configure port forwarding, or if you only want to provide internet access to servers, then "yes", PAT can do the job.
Let me know your scenario if you want to understand how you can achieve this.
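The three edge-router options discussed in this thread, sketched as an added Cisco IOS example that is not part of any poster's reply. All addresses are documentation ranges (RFC 5737) and the interface names, the /30 transit link and the extra routed /29 are assumptions.

```cisco
! Added example. Assumed layout:
!   203.0.113.0/29   ISP-facing subnet (router .2, spare address .3)
!   192.168.100.0/30 transit link: router .1, firewall outside .2
!   198.51.100.8/29  additional public block routed by the ISP to the router
interface GigabitEthernet0/0
 description Uplink to ISP
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 description Transit link to firewall outside interface
 ip address 192.168.100.1 255.255.255.252
 ip nat inside
!
! Options A and B are alternatives; apply only one of them.
!
! Option A: port forwarding on the router's own public IP (no extra IP used).
! Only IKE (UDP 500) and NAT-T (UDP 4500) are forwarded to the firewall.
! ESP is IP protocol 50 and has no ports, so a per-port forward cannot
! match it; with NAT-T negotiated, ESP is carried inside UDP 4500.
ip nat inside source static udp 192.168.100.2 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 192.168.100.2 4500 interface GigabitEthernet0/0 4500
!
! Option B: one-to-one static NAT of a spare public IP to the firewall.
! Every protocol sent to 203.0.113.3 reaches the firewall, including
! native ESP, so the firewall's own rule set is the only filter.
ip nat inside source static 192.168.100.2 203.0.113.3
!
! Option C: no NAT on the router for the server addresses. The public
! block is routed to the firewall, which then performs the one-to-one
! NAT or port forwarding for the DMZ servers itself.
ip route 198.51.100.8 255.255.255.248 192.168.100.2
```

Option A exposes the fewest services at the edge; options B and C hand the full address to the firewall, so its access rules should permit only the ports the DMZ servers and VPN actually need.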