BGP design and routing

otc100001
Level 1

Hello,

My company has a public pool of IPv4 addresses that we would like to announce via our ISP and use for the DMZ environment, for general Internet access from inside as well as for reverse proxy services.

The present design has these services implemented with a public IPv4 subnet that the ISP is sourcing. They have loaned us a /27 subnet that is now more or less used up. We would also like to lose the dependency on the provider's public IP addresses by having our own pool implemented.

The design would normally have a corporate router in the DMZ, in series between the provider CPE router and our firewall. But since we have already used the provider's public subnet to NAT to our NetScaler content switch, that would be a big-bang transition, which we would like to avoid; we would rather transition services gracefully, one by one.

I have a sample design in the sketch, but as I see it, it would create asymmetric routing for our firewall (FW) when it receives packets for public subnet y.y.y.y, which is our own public subnet. This is caused by the FW receiving packets on VLAN2 from the Internet and sending to the default gateway, which is on VLAN1. The BGP session would be with a private ASN, since Internet access is single-homed.

Please look at the sample design drawing. Apart from the inserted corporate BGP router, it is more or less the existing design.

Could anyone comment on this, please?

1 Reply

otc100001
Level 1

To comment myself: the best thing would probably be to let the FW announce the route to the Internet provider via BGP, which it is capable of, but I'm open to suggestions.

Is there perhaps a smart trick to avoid asymmetric routing in the sample design?
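The single-homed announcement discussed in this thread (the company's own prefix advertised to the ISP from a private ASN, with the BGP speaker being the firewall as the self-reply proposes, or a corporate router as in the sketch), as an added Cisco IOS-style configuration example. This is not from the original post or its drawing: the prefix 203.0.113.0/27, private ASN 65000, ISP ASN 64496 and peer address 192.0.2.1 are placeholders from the RFC 5737/6996 documentation ranges, and the filter names are made up here.

```cisco
! Added example, not from the original post. Placeholder values:
! company prefix 203.0.113.0/27, our private ASN 65000, ISP ASN 64496,
! ISP peer address 192.0.2.1.
!
! Anchor the aggregate so BGP originates it even when no more-specific
! route exists. Unused addresses in the block are then dropped here
! instead of bouncing between the FW's default route and the ISP.
ip route 203.0.113.0 255.255.255.224 Null0
!
! Outbound: announce only our own prefix. A missing outbound filter is
! how a single-homed site leaks the ISP's default (or anything else it
! has learned) back into the Internet.
ip prefix-list OUR-PREFIX-OUT seq 5 permit 203.0.113.0/27
ip prefix-list OUR-PREFIX-OUT seq 100 deny 0.0.0.0/0 le 32
!
! Inbound: single-homed, so accept only a default route. A full table
! is unnecessary and is a common way to exhaust memory on a firewall.
ip prefix-list DEFAULT-ONLY-IN seq 5 permit 0.0.0.0/0
ip prefix-list DEFAULT-ONLY-IN seq 100 deny 0.0.0.0/0 le 32
!
router bgp 65000
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description ISP uplink, eBGP from private ASN
 ! TCP MD5 session protection; agree the secret with the ISP.
 neighbor 192.0.2.1 password REPLACE-WITH-SHARED-SECRET
 ! GTSM: only accept the session from a directly connected peer.
 neighbor 192.0.2.1 ttl-security hops 1
 address-family ipv4
  network 203.0.113.0 mask 255.255.255.224
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 prefix-list OUR-PREFIX-OUT out
  neighbor 192.0.2.1 prefix-list DEFAULT-ONLY-IN in
  ! Tear the session down if the ISP ever sends more than expected.
  neighbor 192.0.2.1 maximum-prefix 10
 exit-address-family
```

Two things to confirm with the ISP before relying on this: a private ASN cannot appear in the global routing table, so the ISP must strip it (remove-private-as on their side) and originate the /27 under its own ASN, and any RPKI ROA or IRR route object for the prefix has to name the ISP's ASN as the origin, not 65000. The configuration above only governs what is exchanged with the ISP; the return-path (asymmetric routing) question raised in the post is a matter of where the BGP speaker and the default route sit, which this fragment does not change.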