03-08-2007 11:40 AM - edited 03-03-2019 04:05 PM
ISP gives you public IP 111.222.333.96/29
You have a Router - PIX - Layer 3 Switch
Router:
outside: 111.222.333.102/29
inside: ????????
PIX:
outside: ??????
inside: 172.16.1.1/24
Switch:
IP Routing for 172.16.0.0/16
Performs Intervlan routing
Am I forced to do double NAT between inside Router and outside PIX?
How to setup these ????? interfaces?
03-08-2007 12:08 PM
In fact, the ISP public space you got should be assigned to the "internal" router interface, and the router's "outside" interface should have the ISP's link (sometimes called a DMZ address).
That said, you should modify your setup:
Router:
outside: ISP's provided link address
inside: x.x.x.96/29 network
PIX:
outside: x.x.x.96/29 network
inside: 172.16.1.1/24
L3 Switch:
172.16.0.0/16
NAT is required for outbound connections on the PIX from the 172.16.0.0/16 network into the x.x.x.96/29 network space.
No need for double NAT.
HTH,
OW
03-08-2007 12:21 PM
Or you could make two /30 networks out of your /29.
Router
Outside: 111.222.333.97/30 or .98/30
inside: 111.222.333.101/30
PIX:
outside: 111.222.333.102/30
inside: 172.16.1.1/24
03-08-2007 12:35 PM
ISP's links are assigned by the ISP and not by the customer, and even though you could assign it yourself, why would you use 4 IPs out of that small section you get, which is just a /29? So, call your ISP and get the link address details.
Thx,
OW
03-08-2007 12:42 PM
Why is ISP link sometimes called "DMZ address"?
03-08-2007 12:43 PM
Both previous posts recommend valid options. However, you may or may not be able to get an address, typically with a /30 mask, for the WAN link between the perimeter router and the ISP. In that case, Adam's recommendation of breaking up the /29 into two /30 subnets is your only option.
The one thing that has to be asked in your case is: where do you want to do the NAT? I assume you probably want to set up the NAT on the PIX. If that's the case, you have a 3rd option, and that would be to use a private address on the outside of the PIX and use the 2nd /30 for the NAT pool. This setup gives you 4 available addresses for NAT. You can use 1 address to NAT (PAT) all inside users, and the other 3 addresses can be used for static translations for servers/hosts that have to be reached from the outside.
HTH
Sundar
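The address budget of the three layouts proposed in the replies above, worked through as an added example that is not part of the original thread. It assumes 203.0.113.96/29 as a stand-in for the thread's 111.222.333.96/29 (333 is not a valid octet), a hypothetical private transit subnet 192.168.255.0/30 for the third layout, and, for the first layout, that the router and PIX take the first two host addresses.

```python
import ipaddress

# Stand-in for the thread's 111.222.333.96/29 (333 is not a valid octet).
# 203.0.113.0/24 is a documentation range; last octets match the thread.
BLOCK = ipaddress.ip_network("203.0.113.96/29")


def plan_isp_link(block):
    """ISP supplies the WAN link addresses; the whole /29 sits between router and PIX."""
    hosts = list(block.hosts())              # .97 through .102
    router_in, pix_out = hosts[0], hosts[1]  # assumed assignment
    return {"router_inside": router_in, "pix_outside": pix_out,
            "nat_free": hosts[2:], "router_static_route": None}


def plan_two_slash30(block):
    """Split the /29: first /30 is the WAN link, second /30 joins router and PIX."""
    wan, link = block.subnets(new_prefix=30)
    isp_side, router_out = wan.hosts()
    router_in, pix_out = link.hosts()
    # Every usable address is consumed by an interface, so inside users
    # can only be PATed behind the PIX outside address itself.
    return {"router_outside": router_out, "router_inside": router_in,
            "pix_outside": pix_out, "nat_free": [],
            "router_static_route": None}


def plan_routed_pool(block, transit="192.168.255.0/30"):
    """First /30 is the WAN link; the router-PIX link is private (hypothetical
    transit subnet); the second /30 is routed to the PIX as a NAT pool."""
    wan, pool = block.subnets(new_prefix=30)
    router_in, pix_out = ipaddress.ip_network(transit).hosts()
    # A routed pool is not an interface subnet, so all 4 addresses can be
    # translated; the router needs a static route for it via the PIX.
    return {"router_inside": router_in, "pix_outside": pix_out,
            "nat_free": list(pool), "router_static_route": (pool, pix_out)}


if __name__ == "__main__":
    for plan in (plan_isp_link, plan_two_slash30, plan_routed_pool):
        result = plan(BLOCK)
        print(plan.__name__, "free for NAT:", [str(a) for a in result["nat_free"]],
              "static route on router:", result["router_static_route"])
```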
03-08-2007 01:08 PM
Sundar,
I've never encountered an ISP that would refuse to provide a link/DMZ address and force the customer to use one from the IP space he paid for. Secondly, even if the customer would like to use his space for the link, he cannot, as it is associated with assigning the customer's space on ISP edge routers, which is far from being the best practice... Of course, theoretically the customer space can be broken into smaller pieces; it is just not applicable in that scenario. As for the NAT, again, if we follow the best practices, NAT should be done on the PIX which faces the public end (in a case where we wouldn't have the PIX, that would be a different story).
Regards,
OW
03-08-2007 01:26 PM
OW,
I don't work for an ISP, hence I can't comment on what the ISP's response would be when a separate IP block is requested for the WAN link by the original poster. But I have seen some of our customers use their own block for the WAN link and for the users as well. If the ISP was to give out an address/subnet for the WAN link, they probably should have informed the original poster of the same when they got the /29 address.
If I have to guess why the ISP might not assign a separate subnet for the WAN link: if it's a small network and uses only a router, then the customer can configure the same /29 address on the outside interface of the router, NAT (PAT) the inside users, and use the other addresses for the static NAT translations.
However, I agree, the ISP has to be contacted first before the configuration is finalized.
HTH
Sundar
03-08-2007 01:24 PM
The ISP's router at their location is 111.222.333.97/29 which connects to my office router at 111.222.333.98/29
How can I still subnet this IP?
Can I still put this?
Router
Outside: 111.222.333.97/30 or .98/30
inside: 111.222.333.101/30
PIX:
outside: 111.222.333.102/30
inside: 172.16.1.1/24
If I can, what do I need to do on my router as far as setting static routes?
03-08-2007 01:36 PM
If I were you, I'd contact the ISP and clarify what the link addressing is, so you can configure it properly on your equipment. When you purchase that small portion of public space from an ISP, it is obvious that you don't like the idea of wasting half of this space just to establish connectivity to the very same ISP. So, if they do not provide link IP addressing, they at least should assist in establishing an unnumbered connection to their premises so you won't waste your public IP space.
Thx,
OW
03-08-2007 01:50 PM
If the ISP does not manage your Router and gives you an IP Block to use for your office, is it normal for them to use part of that IP block for the Router at their location?
I would think that they would give me one of their IPs for the outside interface of my router and the IP block that they assigned me for my inside interface use.
What do you guys think? BTW this is in CHINA, not USA.