Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
766
Views
5
Helpful
14
Replies

Routing 2 subnets within a VLAN - Diagram Attached

GRANT3779
Spotlight
Spotlight

‎03-03-2015 04:34 AM - edited ‎03-07-2019 10:55 PM

Hi All,

Couldn't think of a title to describe this one!

Basically our ISP has provided us with 2 separate address spaces due to not assigning us correct number of addresses initially. 

The attached diagram shows the basic setup and I've amended the addressing, but logic is the same.

When they installed their equipment we were given 172.27.10.0 /29 and their GW was 172.27.10.1. This was all fine, so I made a public VLAN and plugged their kit into here as per the diagram. They have now given us another /29 - 10.49.50.0 /29 and are somehow routing it through their network Inbound to the 172.27.10.1 GW. I setup some inbound NATs on the new address to check and all works fine Inbound.

My query now is - If I have a router that I want to use as a VPN endpoint within the 10.49.50.0/29 address space, ideally I would have just plugged the Outside Interface into my Public VLAN 888, but because the ISP GW is still 172.27.10.1 this isn't going to work as I can't ping it when using the new address space.

Is there a way to use both address spaces within the same VLAN? Only thing I can think of is to ask them to add a secondary IP address on their KIT within the new address space.

Any ideas?

Thanks

Labels:
Preview file
87 KB
0 Helpful
14 Replies 14

Jon Marshall
Hall of Fame
Hall of Fame

‎03-03-2015 05:11 AM

I can't understand your diagram at all but it sounds as though you have a firewall (or router) connecting to the ISP using the 172.27.10.0/29 subnet.

So your firewall has an IP from that subnet on its outside interface and the ISP are routing the new block to that IP.

If so then yes you need the ISP to add a secondary interface on their router for the new block.

You don't need to assign a secondary IP to your firewall but what it does mean is that your firewall must be capable of using proxy arp for any NAT statements using the new block because the ISP is  no longer routing that block to your firewall.

Jon

0 Helpful

GRANT3779
Spotlight
Spotlight
In response to Jon Marshall

‎03-03-2015 05:37 AM

Hi Jon,

Apologies, hopefully this is slightly clearer...attached.

The situation is, we have a 3rd party client who requires a Public IP from our network so they can create a VPN back to their office (route on diagram). I have no IPs left on the 172.27.10.0/29 network hence I need to provide one to them from the 10.49.50.0/29 network. I don't in anyway want to use our FW as a router/next hop for them as they shouldn't be touching our kit. All I want is to drop them in VLAN 888, provide a public IP from the new subnet and have them use the ISP GW as their GW, the problem being the ISP GW is on a different subnet.

Preview file
101 KB
0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to GRANT3779

‎03-03-2015 05:43 AM

Okay then what I said before is how you would do it.

You can still use the other 10.49.50.0/29 IPs on your firewall for NAT but like I say the firewall needs to be able to do proxy arp.

If it is an ASA then it depends. There was a certain version of 8.4 that won't allow this.

Anything after that will but you need to use the command "arp permit-nonconnected" on your firewall to allow it.

By the way as a side note your diagram is showing the core switch outside the firewall and with a direct connection to the switch on the inside of the firewall.

Is that how it is actually setup ?

Jon

 

0 Helpful

GRANT3779
Spotlight
Spotlight
In response to Jon Marshall

‎03-03-2015 05:51 AM

It's pretty much setup as attached here.

Preview file
184 KB
0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to GRANT3779

‎03-03-2015 06:00 AM

Okay, see my last post for an alternative.

The issue with the way it is setup is your core switch is exposed to the internet ie. you go to the core switch to get to the outside interface of the firewall.

It doesn't mean you can route round the firewall because I assume you have all the routing via the firewall but if for example someone on the internet launched a denial of service against your firewall IP then it has to go through your core switch first before it gets to the firewall which isn't a good idea.

You want your core infrastructure behind the firewall.

Just a suggestion.

Jon

0 Helpful

GRANT3779
Spotlight
Spotlight
In response to Jon Marshall

‎03-03-2015 06:05 AM

Thanks Jon,

Off Topic I know but what would you suggest an alternative? Having the FW plugged directly into the ISP switch?

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to GRANT3779

‎03-03-2015 06:16 AM

If there is an ISP switch that your core switch then connects to then definitely yes, I would look to connect the outside interface of your firewall directly to that switch and then your core switch only connects to the inside interface of the firewall.

Which means all traffic to your internal network doesn't touch any of your core infrastructure until it has gone through the firewall.

Obviously that would also mean connecting the VPN device to the ISP switch as well.

Jon

0 Helpful

GRANT3779
Spotlight
Spotlight
In response to Jon Marshall

‎03-03-2015 06:29 AM

Another quick query.

If on the ASA I am looking to do dynamic NATs such as the following (using the secondary address space). Would this require secondary IP on the ISPs router Interface? Or would it work as it is at the moment?

object network Inside
 nat (Inside,outside) dynamic 10.49.50.4

 

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to GRANT3779

‎03-03-2015 06:33 AM

It will work as is because the ISP is simply routing all traffic for the 10.49.50.0/29 subnet to your ASA.

So there is no need for the ISP to have a secondary IP as long as they are routing that subnet to your ASA which you said they were.

Jon

0 Helpful

GRANT3779
Spotlight
Spotlight
In response to Jon Marshall

‎03-03-2015 08:58 AM

Just thinking,

If the ISP adds a secondary IP to their Interface using address from 10.49.50.0 /29 range I assume any NATs setup currently on the 10.49.50.x range will work without me having to add a second address on the ASA?

Trying to think of what benefit I would get from a secondary IP other than achieving the example I provided.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to GRANT3779

‎03-03-2015 09:14 AM

Yes they should work but see my post about what this means for your ASA in terms of proxy arp.

I say should because there is a specific version of code on the ASA where it won't, again see previous post.

If you can use one of your existing 172.17.10.x IPs for the VPN device that would be a much better option in my opinion as you do not need the ISP to do anything.

Jon

 

0 Helpful

GRANT3779
Spotlight
Spotlight
In response to Jon Marshall

‎03-03-2015 09:20 AM

Currently running 9.1

In the end I have provided IP address from the existing, but going forward might get secondary IP added just incase any other scenario like this crops up.

Thanks again.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to GRANT3779

‎03-03-2015 09:35 AM

Okay, 9.1 is fine although you would need to explicitly allow proxy arp for non connected subnets.

Jon

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to GRANT3779

‎03-03-2015 05:52 AM

The other solution to this is to leave the current setup as it is in terms of ISP routing and use one of your 172.27.10.x IPs for the VPN device.

That would work without any changes other than you may need to free up one of those IPs.

You do have spare IPs in the other block but I appreciate it may not be that simple eg. public DNS entries.

Jon

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card