Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2938
Views
5
Helpful
17
Replies

Second Public IP Block To Firewall on same line

Go to solution
Bob Boklewski
Level 1
Level 1

‎03-24-2017 11:35 AM - edited ‎03-05-2019 08:14 AM

I am load balancing over two ISP's and have an ISA570 firewall.  We need a second public IP block as we have used up the existing ones we have with our main isp.  Now, it sounds like the ISP can do one of two things.  

1. They can trunk the port and add the new block off of the ISP router with a new vlan, which would require us to add the corresponding vlan to our WAN interface of our firewall.  Then we could use the remaining ip's for static NAT.  

Or

They can route you the block, which from what I am reading you can just start entering static NAT entries and use accordingly.

1. The first option, there doesn't seem to be an option in the firewall to add a VLAN for a WAN interface.  Even if there was, how would the firewall choose which subnet to use for PAT? The first public block or the new public block?  Static NAT entries for inbound traffic would work from what I am gathering, but what outbound ip address would be seen to the outside for a host set up for this second public ip block address?  This goes along with part two question below. 

2.  If they route me the block, how does the static NAT for the second public ip subnet work on my firewall?  Do I have to add a default route to the the ISP's gateway our firewall connects to?

Thanks in advance.

Labels:
0 Helpful
17 Replies 17

Go to solution
Bob Boklewski
Level 1
Level 1
In response to Jon Marshall

‎04-03-2017 12:05 PM

Yeah, confirmed.  They set up the Secondary IP address, what I figured when they put the ip on the gateway.  From what I am reading, it says you shouldn't use the secondary ip permanently, because there can be issues with two subnets in the same broadcast domain. 

0 Helpful

Go to solution
Bob Boklewski
Level 1
Level 1
In response to Bob Boklewski

‎04-03-2017 12:14 PM

So, I got off with one of the engineers and he said that they can't setup a static route with new block to our box over the existing public subnet.  He made it sound like you can't do it because right now their router is in bridge mode. Does this make sense what they are saying?  Ever run into this?

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Bob Boklewski

‎04-04-2017 05:37 AM

My experience is that routing the new subnet is more common but different ISPs do things differently and based on the way they have setup their router it sounds like using a secondary IP is the only way.

As to whether it is a good thing or not the main issue is you are increasing the broadcast domain by using secondary IPs which can be an issue but with the small amount of IPs from the original and new subnets you should be okay.

Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card