NAT & Routing

adamgibs7
Level 6

Dears,

I have a perimeter firewall which is connected to the ISP router. The ISP provided me with 2 public subnets, one a /30 and the other a /29, both different subnets.

I have used the /30 subnet between the ISP router and the firewall's outside interface. I want to use the /29 public IP subnet for my servers, which will be static NATed, so the challenge here is how the routing will take place for my /29 public IP addresses.

The ISP will throw the packet at my firewall, and how will the firewall come to know that the /29 subnet is static NATed when no interface is configured with the /29 subnet?

thanks

1 Accepted Solution

Jon Marshall
Hall of Fame

When you configure NAT the firewall takes ownership of the IP. So if a packet arrives with an IP from that block and you have a static NAT statement on your firewall, then the firewall will simply translate to the real IP and forward on the traffic, assuming it is allowed.

This is how all L3 devices handle NAT.

Note the above assumes the ISP is routing the /29 to your firewall. There is another way the ISP could do it and you might need additional configuration but the more common way is to route.

Jon


3 Replies


Dear Jon,

Is it proxy ARP that takes place here?

thanks

Adam

Not when the traffic is routed to your firewall. The other way of doing it that I mentioned, however, does use proxy ARP, and that is when the ISP, instead of having a route for that subnet pointing to your firewall, has a secondary IP address from the new subnet on their router.

So then they would ARP for any of the new IPs and your firewall would answer, i.e. be a proxy for the ARP requests.

Jon
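The two ISP delivery modes Jon describes in the accepted answer and in his reply above (a route for the /29 pointing at the firewall's /30 address, versus a secondary address from the /29 on the ISP router that relies on proxy ARP), as an added example that is not part of the original thread. It is a small Python model, not any vendor's NAT implementation: the addresses are RFC 5737 documentation ranges, and the names, the packet/ARP handling and the ACL-after-untranslation ordering are all assumptions made for the illustration.

```python
# Added example, not from the original thread: a small model of the two ISP
# delivery modes Jon describes. Addresses are RFC 5737 documentation ranges and
# every name and the simplified packet/ARP handling here are assumptions.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Set, Tuple

ISP_LINK_IP = IPv4Address("198.51.100.1")      # ISP side of the assumed /30
FW_OUTSIDE_IP = IPv4Address("198.51.100.2")    # firewall outside interface
PUBLIC_NET = IPv4Network("203.0.113.8/29")     # the assumed /29, on no interface


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass
class Firewall:
    outside_ip: IPv4Address
    # mapped public IP -> real inside IP (static NAT entries)
    static_nat: Dict[IPv4Address, IPv4Address] = field(default_factory=dict)
    # (real IP, port) pairs permitted inbound; evaluated after untranslation
    inbound_acl: Set[Tuple[IPv4Address, int]] = field(default_factory=set)
    proxy_arp: bool = True

    def answer_arp(self, target: IPv4Address) -> Optional[str]:
        """ARP request for `target` on the outside segment. The interface address
        is always answered; a NAT-mapped address only when proxy ARP is on.
        Returns the MAC the reply would carry, or None for no reply."""
        if target == self.outside_ip:
            return "fw-outside-mac"
        if target in self.static_nat and self.proxy_arp:
            return "fw-outside-mac"
        return None

    def handle_inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Static NAT makes the firewall the owner of every mapped IP: look the
        destination up in the NAT table, rewrite it, then apply the ACL."""
        real = self.static_nat.get(pkt.dst)
        if real is None:
            return ("drop: no NAT entry for destination", None)
        translated = Packet(pkt.src, real, pkt.dport)
        if (real, pkt.dport) not in self.inbound_acl:
            return ("drop: denied by inbound ACL", translated)
        return ("forward", translated)


@dataclass
class IspRouter:
    # Mode 1: a route for the /29 whose next hop is the firewall's /30 address.
    route_via: Optional[IPv4Address] = None
    # Mode 2: a secondary address from the /29 on the ISP's own interface.
    secondary_net: Optional[IPv4Network] = None

    def deliver(self, pkt: Packet, fw: Firewall) -> Tuple[str, Optional[Packet]]:
        if self.route_via is not None and pkt.dst in PUBLIC_NET:
            # Routed: the ISP only ever ARPs for the next hop, never for pkt.dst.
            if fw.answer_arp(self.route_via) is None:
                return ("drop: next hop unreachable", None)
            return fw.handle_inbound(pkt)
        if self.secondary_net is not None and pkt.dst in self.secondary_net:
            # Connected: the ISP ARPs for the destination itself, so the
            # firewall has to answer on behalf of the mapped address.
            if fw.answer_arp(pkt.dst) is None:
                return ("drop: ARP for destination unanswered", None)
            return fw.handle_inbound(pkt)
        return ("drop: ISP has no route", None)


def run_scenarios() -> Dict[str, str]:
    """One static NAT (203.0.113.10 -> 192.168.10.10) permitting only TCP/443."""
    fw = Firewall(
        FW_OUTSIDE_IP,
        static_nat={IPv4Address("203.0.113.10"): IPv4Address("192.168.10.10")},
        inbound_acl={(IPv4Address("192.168.10.10"), 443)},
    )
    client = IPv4Address("192.0.2.50")                      # constructed sender
    https = Packet(client, IPv4Address("203.0.113.10"), 443)
    ssh = Packet(client, IPv4Address("203.0.113.10"), 22)
    unmapped = Packet(client, IPv4Address("203.0.113.11"), 443)

    routed = IspRouter(route_via=FW_OUTSIDE_IP)
    connected = IspRouter(secondary_net=PUBLIC_NET)
    out = {
        "routed_https": routed.deliver(https, fw)[0],
        "routed_ssh": routed.deliver(ssh, fw)[0],
        "routed_unmapped": routed.deliver(unmapped, fw)[0],
        "connected_https": connected.deliver(https, fw)[0],
    }
    fw.proxy_arp = False   # same NAT config, but the firewall stays silent to ARP
    out["connected_https_no_proxy_arp"] = connected.deliver(https, fw)[0]
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:32s} {verdict}")
```

The point the model makes is the one in the thread: in the routed case the firewall never needs an interface in the /29, because the ISP only ARPs for the /30 next hop and the NAT table alone decides what the firewall owns; in the secondary-address case the same NAT configuration silently stops working the moment proxy ARP is off, so that is the setting to check with the ISP before blaming the NAT rules.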
