Second Public IP Block To Firewall on same line

Bob Boklewski
Level 1

I am load balancing over two ISPs and have an ISA570 firewall. We need a second public IP block as we have used up the existing ones we have with our main ISP. Now, it sounds like the ISP can do one of two things.

1. They can trunk the port and add the new block off of the ISP router with a new VLAN, which would require us to add the corresponding VLAN to the WAN interface of our firewall. Then we could use the remaining IPs for static NAT.

Or

They can route you the block, which from what I am reading you can just start entering static NAT entries and use accordingly.

1. The first option: there doesn't seem to be an option in the firewall to add a VLAN for a WAN interface. Even if there was, how would the firewall choose which subnet to use for PAT? The first public block or the new public block? Static NAT entries for inbound traffic would work from what I am gathering, but what outbound IP address would be seen to the outside for a host set up for this second public IP block address? This goes along with the part two question below.

2. If they route me the block, how does the static NAT for the second public IP subnet work on my firewall? Do I have to add a default route to the ISP's gateway our firewall connects to?

Thanks in advance.

Jon Marshall
Hall of Fame

Generally speaking routing the second block to the firewall is the way to go. You do not need to add anything in terms of routing, you simply use those new IPs in your NAT statements.

I'm not sure I follow what your question about NAT is. For outbound traffic, i.e. PAT, you can just use one of the new IPs if you wanted to. How you configure that depends on your firewall, and you don't seem to be talking about an ASA, but on that firewall it would be easy to do.

Can't say for sure with the firewall you reference.

Jon

So if you static NAT from the second IP address block, it just somehow knows to route out one of the WAN interfaces (since I am load balancing) even though I have other IPs from existing public subnets assigned to the WAN interfaces? I am just trying to understand the logic there.

So it sounds like getting routed the block is better than trunking a VLAN from the ISP's router to my firewall. However, I am just trying to get a handle on the first option to make sure I understand my options. So if I were to have the ISP trunk their port with the new subnet to my firewall, I would have to choose which subnet I would want to use for NAT; it is not possible to use both, correct? Then would my only option be to use either policy-based routing or static NAT in order to use that new subnet? Is that right in my thinking?

Thanks for the help.

Not sure I follow the first question. When it routes out to the WAN, which IP you have used for NAT is irrelevant because that IP will be the source IP. Can you clarify what you mean?

For the second question, again not entirely clear what you are asking. If you used a trunk you should still be able to use both subnets for NAT on your router.

Perhaps it is your setup I am not fully understanding.

Jon

Okay, following now what you mean about the second subnet just being the source IP so routing doesn't play into it. 

The second question: if trunking the second subnet to my firewall, I would have to "choose" whether the first subnet or second subnet is used for PAT, correct? Meaning, I will have some static NAT entries for both subnets on my firewall for inside servers and what not, but one of these subnets needs to be used for NAT/PAT for hosts that don't have static NAT entries.

You wouldn't really trunk to your firewall unless you actually wanted a second interface for the new subnet. What would normally happen is the ISP could use a secondary IP on their router interface from the new subnet, but you don't need to do anything. The difference is instead of the ISP routing the new block to your firewall they send ARP requests for the new IPs because they have a directly connected interface in that subnet.

Again all of the above is based on the ASA firewall as I have not used yours.

In terms of PAT you should still be able to use either subnet; not sure why you need to choose. But if you have two ISPs then, because your static NATs will be tied to one of the ISPs, you may want to use a different block for PAT.

Does this make sense ?

Jon

Okay, so if I was using a secondary address on my firewall using static NAT, in regards to returned traffic to this address, would it work like this: the ISP router would see a packet destined for the static NAT address on my firewall, and the ISP router would then ARP out its interface to the WAN interface of my firewall to get the h/w address of the host tied to the NAT entry?

The ISP would ARP out for the MAC address of the IP you used and the firewall would return the MAC address of the WAN interface, which I think is what you are saying, i.e. the actual host's MAC address is not the one returned.

Just to clarify again though, as I said, if your firewall was an ASA, even if the ISP is using the secondary IP option you still wouldn't need a secondary IP on your end, but you do need to add an extra command with some versions of the software.

Jon

So if the ISP router does an ARP request for the secondary IP assigned as static NAT on my firewall, why would my firewall even respond, since my firewall WAN interface IP is not one of the secondary IPs?

The ISP will send an ARP request for any IP it thinks is on a directly connected network. The firewall responds to an ARP request for any of the IPs it is responsible for, whether that is an IP assigned to an interface or an IP used in a NAT statement.

From the firewall's perspective the ARP request is just for one of the IPs it knows about.

Have I misunderstood what you are asking ?

Jon

Okay, that makes sense now. So the firewall responds because it looks up that subnet in its NAT table, sees there is a record, and just responds with the h/w address of the WAN interface?

Yes, exactly.

The firewall, or any L3 device using NAT, knows what IPs it is responsible for and so it can respond with its own interface MAC address when it receives an ARP for that IP. That way the traffic is always delivered to the firewall.

Jon

Makes sense now, very thorough! Appreciate all the help you gave me. Thanks again!

Hey Jon,

So the ISP said they would route me the block. However, I got an email with the block, but they also used one of the addresses for their gateway (ISP router interface). That shouldn't be needed if they route me the block, correct? I am assuming they set it up as a "secondary IP" on their interface, since they used one of the IPs for their interface.

Hi Bob

Correct, if they are routing the block then I can see no reason why they would need to use one of the IPs on their router.

It is probably worth double checking with them, although even if they do use a secondary IP you should still just be able to configure NAT statements on your firewall. Just be aware that they will be sending an ARP request for any IP in that new subnet and your firewall needs to respond to these requests, which it should be able to do but might need to be configured to do it.

Like I say though worth checking again with ISP and by all means come back if you have more queries.

Jon
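The ARP and NAT behaviour Jon walks through in the replies above (the firewall answering ARP for any address in its NAT table, and the routed block versus secondary IP difference he flags in the last reply) is modelled below as an added Python example. It is not Cisco ISA or ASA code and nothing from this thread; the topology, the addresses (RFC 5737 documentation ranges) and the MAC (RFC 7042 documentation range) are constructed placeholders for the real ISP link and blocks.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class IspRouter:
    """What the ISP router ARPs for when it has to deliver a packet to dst."""
    # Directly connected subnets as (subnet, router's own address in it)
    connected: list[tuple[IPv4Network, IPv4Address]]
    # Static routes: destination block -> next-hop address
    routes: dict[IPv4Network, IPv4Address] = field(default_factory=dict)

    def arp_target(self, dst: str) -> Optional[IPv4Address]:
        d = ip_address(dst)
        # Directly connected (the block configured as a secondary IP on the
        # router interface): the router ARPs for the destination host itself.
        for net, _own in self.connected:
            if d in net:
                return d
        # Routed block: longest-prefix match, then ARP only for the next hop.
        best: Optional[tuple[IPv4Network, IPv4Address]] = None
        for net, nh in self.routes.items():
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


@dataclass
class NatFirewall:
    wan_ip: IPv4Address
    wan_mac: str
    pat_ip: IPv4Address                         # source for hosts with no static entry
    static_nat: dict[IPv4Address, IPv4Address]  # public address -> inside host

    def arp_reply(self, target: IPv4Address) -> Optional[str]:
        """Answer ARP for the interface address and for every address in the
        NAT table, always with the WAN interface's own MAC (proxy ARP)."""
        if target == self.wan_ip or target in self.static_nat:
            return self.wan_mac
        return None

    def outbound_source(self, inside_host: str) -> IPv4Address:
        """Source address seen on the Internet. Which WAN link the packet
        leaves on plays no part in this choice."""
        h = ip_address(inside_host)
        for public, inside in self.static_nat.items():
            if inside == h:
                return public
        return self.pat_ip


def first_hop_ok(router: IspRouter, fw: NatFirewall, dst: str) -> bool:
    """True when the router's ARP for dst is answered by the firewall, i.e.
    inbound traffic for dst actually reaches the firewall."""
    target = router.arp_target(dst)
    return target is not None and fw.arp_reply(target) is not None


# Constructed topology (placeholder addresses from the RFC 5737 documentation
# ranges): the first block is the /29 on the ISP link, the second block is a
# /28 that the ISP either routes to the firewall or adds as a secondary IP.
LINK_BLOCK = ip_network("203.0.113.0/29")
NEW_BLOCK = ip_network("198.51.100.0/28")

FW = NatFirewall(
    wan_ip=ip_address("203.0.113.2"),
    wan_mac="00:00:5e:00:53:01",            # RFC 7042 documentation MAC
    pat_ip=ip_address("203.0.113.3"),
    static_nat={
        ip_address("203.0.113.4"): ip_address("10.0.0.10"),   # first block
        ip_address("198.51.100.5"): ip_address("10.0.0.20"),  # second block
    },
)

# The ISP routes the new block to the firewall's WAN IP: no route or extra
# address is needed on the firewall, only the NAT statements.
ROUTED_ISP = IspRouter(
    connected=[(LINK_BLOCK, ip_address("203.0.113.1"))],
    routes={NEW_BLOCK: ip_address("203.0.113.2")},
)

# The ISP puts a secondary IP from the new block on its interface, so the block
# is directly connected and the router ARPs for each destination host.
SECONDARY_ISP = IspRouter(
    connected=[(LINK_BLOCK, ip_address("203.0.113.1")),
               (NEW_BLOCK, ip_address("198.51.100.1"))],
)

if __name__ == "__main__":
    for name, isp in (("routed", ROUTED_ISP), ("secondary IP", SECONDARY_ISP)):
        for dst in ("198.51.100.5", "198.51.100.9"):
            print(f"{name:12s} -> {dst}: router ARPs for {isp.arp_target(dst)}, "
                  f"reaches firewall: {first_hop_ok(isp, FW, dst)}")
    print("outbound 10.0.0.20 ->", FW.outbound_source("10.0.0.20"))
    print("outbound 10.0.0.99 ->", FW.outbound_source("10.0.0.99"))
```

With the routed block the ISP router only ever ARPs for 203.0.113.2, the firewall's own WAN address, so every address in the new block reaches the firewall regardless of whether a NAT entry exists yet. With the secondary IP variant each destination gets its own ARP request: 198.51.100.5 is answered because it is in the NAT table, 198.51.100.9 gets no reply because nothing on the firewall claims it, and a firewall that does not proxy ARP for its NAT addresses would answer for neither, which is the "might need to be configured" caveat in the last reply.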
