01-05-2014 06:34 AM - edited 03-04-2019 09:59 PM
Hi! When we subscribe to the internet with a static public IP address (WAN (CE/PE) & LAN pool), do we need to tell the telco to set the internal LAN interface IP address in the telco router/marc?
E.g. if I'm assigned a public LAN IP range of 2.2.2.0/29.
I'm assigning 2.2.2.2 for my FW outside interface; do I need to tell the telco to set e.g. 2.2.2.1 in their marc internal interface?
Thanks.
01-05-2014 06:50 AM
Hello
You shouldn't need to, as the ISP LAN port will be in the same subnet range as your WAN interface public IP supplied by that ISP.
Your internal LAN IP range can be any IP range you wish as long as you make sure this isn't leaked out onto the internet - this can be done by implementing NAT.
Res
Paul
Sent from Cisco Technical Support Android App
01-05-2014 07:41 AM
Hi! If that's the case, how would I know which public LAN IP address is being used in the telco router's internal interface?
01-05-2014 09:04 AM
Hi,
It depends on the service that you have with your ISP. If you've been assigned a /29 public IP range then it probably means that the ISP will route the /29 range towards your router. In that case the ISP needs to give you another /30 block that will be configured on the point-to-point link between your network and the ISP router (public or private, it works anyway).
Regards,
01-05-2014 09:03 AM
Hello
Do you mean your next-hop WAN address (i.e. the ISP's LAN-facing IP)? In that case they should inform you of it, especially if you have been allocated a statically assigned public address range.
Res
Paul
01-06-2014 06:19 AM
Hi! I was given a PE/CE IP address, which is the /30 network, plus a range of public LAN IP addresses of /29, which I can use for my FW, DMZ devices, etc.
01-06-2014 06:44 AM
As already mentioned by Mate Gulic, your ISP will use the /30 for the connection between your firewall and their router. They will then add a route for the /29 range pointing to the IP you were assigned from the /30 subnet.
You would have a default route on your firewall pointing to the IP from the /30 assigned to the ISP.
You are then free to use the /29 subnet however you want, i.e. you do not need to use an IP from this range on a physical interface; you can simply use them in your NAT config on the firewall.
Jon
01-06-2014 06:57 AM
Hi! If I understand you correctly, I would have something as follows:
Telco router-----/30--------My FW------NAT /29-----public facing equipment
Is that correct?
How about this? This is my understanding of how it should be set up.
PE/----/30-----CE telco router-------./29 public facing FW
--------/29 ASA
--------/29 SSL vpn.
01-06-2014 07:08 AM
So do you have this -
internal network -> FW -> CE -> PE
where you own the CE router as well as the firewall?
If so the CE -> PE link will probably use the /30 and the ISP will route the /29 to the outside of your CE router. In which case you could then either -
1) use 2 addresses from the /29 subnet for the firewall outside to CE inside interfaces and the rest for NAT
or
2) use a private address range between firewall outside and CE inside, and then you have all the /29 range for NAT, but you would need to use at least one for NAT of all internal clients, whereas with option 1) you can overload all the internal clients with NAT to the firewall outside interface.
Note also with option 2) you would need to add a route for the /29 to point to the outside interface of your firewall because you are using a private range for the interconnection.
Jon
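The two options from the last reply, worked through for the 2.2.2.0/29 range in the question. This is an added example, not code from the thread: the function `plan`, the PE/CE link 192.0.2.0/30 and the private interconnect 10.255.255.0/30 are constructed values. It assumes the firewall accepts the first and last address of a routed block as NAT addresses.

```python
import ipaddress

def plan(public_block, pe_ce_link, option, private_link="10.255.255.0/30"):
    """Address and route plan for PE -> CE -> FW with a routed public block.

    private_link is a constructed RFC 1918 /30, used only by option 2.
    """
    block = ipaddress.ip_network(public_block)
    # Assumption: the ISP takes the first host of the /30, the CE the second.
    pe, ce_wan = ipaddress.ip_network(pe_ce_link).hosts()
    routes = [("PE", str(block), str(ce_wan)),   # ISP routes the block to the CE
              ("CE", "0.0.0.0/0", str(pe))]
    if option == 1:
        # The block sits on the CE-inside/FW-outside segment: network and
        # broadcast addresses are lost and two hosts go to the interfaces.
        ce_in, fw_out, *static_nat = block.hosts()
        overload = fw_out        # PAT internal clients to the FW interface
    elif option == 2:
        # Private interconnect: the block is attached to no segment, so every
        # address in it is a NAT address, but one must carry the PAT overload.
        ce_in, fw_out = ipaddress.ip_network(private_link).hosts()
        overload, *static_nat = block
        routes.append(("CE", str(block), str(fw_out)))   # the extra route
    else:
        raise ValueError("option must be 1 or 2")
    routes.append(("FW", "0.0.0.0/0", str(ce_in)))
    return {"ce_inside": str(ce_in), "fw_outside": str(fw_out),
            "overload": str(overload),
            "static_nat": [str(a) for a in static_nat],
            "routes": routes}

if __name__ == "__main__":
    for opt in (1, 2):
        p = plan("2.2.2.0/29", "192.0.2.0/30", opt)
        print(f"option {opt}: CE inside {p['ce_inside']}, "
              f"FW outside {p['fw_outside']}, overload {p['overload']}")
        print("  static NAT:", ", ".join(p["static_nat"]))
        for device, prefix, next_hop in p["routes"]:
            print(f"  route on {device}: {prefix} via {next_hop}")
```

Each entry in `routes` is (device, prefix, next hop); option 2 is the only plan that carries a CE route for the /29.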