10-08-2009 07:44 AM - edited 03-04-2019 06:18 AM
Hi Folks
We have existing internet connectivity from our provider. Recently we received an additional public IP block for hosting web services. Currently we have the provider internet router connected to our untrust interface on our firewall.
I wanted to know what changes I need to make so that these IPs are available to web services and accessed from the internet. We have 6 usable IPs and we need all of them for web services.
SP has told me that they will configure a static route for new subnet towards firewall untrust interface.
Thanks,
SAM
10-08-2009 09:11 AM
Sam
I believe that what you want to do is to use those 6 new IP addresses to do static NAT Address Translation. The specifics of what you want to do vary depending on whether the web servers are on DMZ interfaces or on the inside/trusted interface. But you will do a one for one translation so that the Internet packet will come in with one of the new (public) addresses as the destination address and you will translate it so that it will come out with the server (private) address as the destination address.
HTH
Rick
10-08-2009 10:23 AM
Thanks Rick. Do I need to make any change on the existing firewall apart from doing NAT translations?
SP has told me they will have a static route for the new subnet to my existing firewall IP. Since my old and new subnets are different, do I need to change anything on my firewall?
10-08-2009 11:43 AM
Sam
Perhaps there is some part of your situation that I am not understanding correctly. If the provider will route the block of 6 new addresses (in a new subnet) to the interface of your firewall then you do not need any additional routing logic on your firewall. Your original post talks about an Internet router and a firewall and is not specific about whether the Internet router is outside of the firewall or is inside the firewall. Perhaps you can clarify. If the Internet router is outside your firewall then it is likely that you would need routing logic on the Internet router to forward the new subnet to the firewall.
You do not need a secondary address on an interface of the firewall or anything like that. You probably do need to make sure that any access rules that you have will permit outside devices (from the Internet) to initiate traffic to the new addresses. (and if the Internet router is outside of the firewall you may also need to be sure that the Internet router is permitting this traffic)
HTH
Rick
10-08-2009 11:57 AM
Thanks again Rick. The Internet router is outside the firewall and SP will configure a route to the new IP block towards the firewall interface.
I was confused about whether we need to configure a secondary IP as this is a new subnet. I got the answer from your post.
Can you explain how traffic flow happens for this new subnet while my interface is in another subnet?
10-08-2009 12:59 PM
Sam
When you configure a static translation for the new address (translating it to some address that the firewall knows is inside - or in DMZ) then the firewall will begin listening for that address on its outside interface. Note that you do not configure the new subnet, you configure the individual host addresses used within that subnet.
So the Internet router will have a packet to forward to one of the new addresses and it will ARP for the new address. The firewall recognizes that the ARP request is for an address that comes through the outside interface and responds to the ARP with the firewall MAC address. The router forwards the packet to the firewall. The firewall does the translation and forwards the packet to the web server to which it has translated the address.
HTH
Rick
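As an added illustration of what Rick describes (this is not Rick's configuration, and the platform is an assumption, since the thread never names the firewall): on a Cisco ASA running the 8.2-era software current in 2009, the one-for-one static translation, the outside access rule and the verification commands look like this. The addresses are constructed: a new block 203.0.113.0/29 gives exactly six usable hosts, 203.0.113.1 is the first of them, and 10.10.10.21 stands in for a web server on a DMZ interface named "dmz".

```cisco
! Assumption: Cisco ASA, pre-8.3 syntax, interfaces named "outside" and "dmz".
! Constructed addresses: public 203.0.113.1 (from the new /29) maps to DMZ server 10.10.10.21.
!
! One-for-one static translation. Note the /32 mask: the individual host address
! is configured, not the whole new subnet, exactly as the post above says.
static (dmz,outside) 203.0.113.1 10.10.10.21 netmask 255.255.255.255
!
! Outside access rule: without this the translation exists but Internet-initiated
! traffic to the new address is still dropped. In pre-8.3 code the rule names the
! public (mapped) address. Permit only the ports the web service needs.
access-list outside_in extended permit tcp any host 203.0.113.1 eq 80
access-list outside_in extended permit tcp any host 203.0.113.1 eq 443
access-group outside_in in interface outside
!
! Repeat the static and the permit lines for the remaining five usable hosts
! (203.0.113.2 through 203.0.113.6), each to its own server.
!
! Verification (ASA side): the static translation should be listed.
show xlate
!
! Verification (provider router side, IOS): after sending traffic to the new
! address, the ARP entry should show the firewall's outside MAC, which is the
! proxy-ARP behaviour described in the post above.
show ip arp 203.0.113.1
```

Two caveats worth checking. First, proxy ARP for static translations is on by default; if `sysopt noproxyarp outside` has been applied, the firewall will not answer the router's ARP for the new addresses and they will be unreachable even though the static and the access rule are correct. Second, from ASA 8.3 onward the NAT syntax changed to object NAT and access lists reference the real (inside) address rather than the mapped one, so the design above carries over but these exact lines do not.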
10-08-2009 01:16 PM
Excellent. You gave me the answer. Thanks Rick.
10-09-2009 04:15 AM
Sam
I am glad that my suggestions gave you the answer that you need. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will find suggestions which led to a solution.
The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.
HTH
Rick