cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3505
Views
5
Helpful
7
Replies

NAT public ip address

clark white
Level 2
Level 2

Dears,,

Attached is the diagram only the difference is there is one ISP in my design

I want to static nat servers and also want to terminate vpn on the firewall, can i have a private ip addressing from the firewall outside ip address till internal interface of the internet edge routers.internet edge routers external interface will have a a public ip pool subnet /30 from different pools.

Thanks

 

1 Accepted Solution

Accepted Solutions

From routing prescriptive, you will not have any issue as long as you route your public IP into your network on the your edge router. All transit interfaces can have private ip addresses. Only traceroute from outside does return response time when it gets to your firewall because the external interface toward internet has private ip which is not routable. 

Masoud

View solution in original post

7 Replies 7

Hello,

As long as you route your public IP address to the firewall, transit interfaces can have any IP addresses. You need to have a block of public IP and route that block to your firewall on your edge router. On your firewall, you need to create a loopback interface and assign it to you crypto-map

crypto map myvpn local-address Loopback0

For static NAT, you use that routed block of IPs for destination NAT, something like this(just raw config)

object service Object-tcp-80
 service tcp source eq 80

object network Object-server
 host 192.168.1.1
object network object-mypublicip
 host 161.1.1.1 (this needs to be routable)


nat (inside,outside) source static Object-server object-mypublicip service Object-tcp-80 Object-tcp-80

Masoud

Dear Masoud,

the vpn firewall is different from the firewall shown in the diagram it is kept in the DMZ only for VPN termination and its outside interface is configured with private ip address and this private ip address is statically natted to the public ip address on the fortigate firewall ( which is seen in the diagram)

so i think it will not make any issue for the routing the traffic, please correct me ???

From routing prescriptive, you will not have any issue as long as you route your public IP into your network on the your edge router. All transit interfaces can have private ip addresses. Only traceroute from outside does return response time when it gets to your firewall because the external interface toward internet has private ip which is not routable. 

Masoud

Dear Masoud/jack

If u see carefully in the snapshot cisco has considered only one way traffic from in to out by HSRP VIP as a redundancy perspective but what about the return traffic from the ISP router to the firewall.

thanks

Hello,

Firewalls are usually configured in form of cluster. It means they exchange states. If somehow traffic returns to the other firewall, it accepts and forwards the traffic if it is in active/active mode. If it is in active/passive mode, depending on your configuration and also the firewall, the second one either receives no traffic or it receives traffic but passes it to the first firewall.

Masoud 

Dear Masoud,

so on the Internet routers internal interfaces I have to use a 4 Public IP address for HSRP, this will kill me,

so instead of public ip address if I will be using private IP addressing and on the  external interface (facing to ISP) I will use 2 no's of  /30 subnet from public ip address.

DO I have to take any consideration for proxy arp or any other sort of configuration.

thanks

Hello,

As long as you do not have mismatch subnet mask between you and your service provider, you should not be concern.

You do not have to set the second /30 IP address on any interfaces. Just used that set in your NAT statement If you are Natting on your edge router.

Even you can talk with your service provider and use private IP on the external interface, if you are not concern about traceroute.

Masoud

Review Cisco Networking for a $25 gift card