How to route this?

Unanswered Question
Mar 8th, 2007

ISP gives you public IP 111.222.333.96/29

You have a Router - PIX - Layer 3 Switch

Router:

outside: 111.222.333.102/29

inside: ????????

PIX:

outside: ??????

inside: 172.16.1.1/24

Switch:

IP Routing for 172.16.0.0/16

Performs Intervlan routing

Am I forced to do double NAT between inside Router and outside PIX?

How to set up these ????? interfaces?

owaisberg Thu, 03/08/2007 - 12:08

In fact, the ISP public space you got should be assigned to the "internal" router interface, and the router's "outside" interface should have the ISP's link (sometimes called DMZ) address.

Saying all that, you should modify your setup:

Router:

outside: ISP's provided link address

inside: x.x.x.96/29 network

PIX:

outside: x.x.x.96/29 network

inside: 172.16.1.1/24

L3 Switch:

172.16.0.0/16

NAT is required for outbound connections on the PIX from the 172.16.0.0/16 network into the x.x.x.96/29 network space.

No need for double NAT.

HTH,

OW

acomiskey Thu, 03/08/2007 - 12:21

Or you could make two /30 networks out of your /29.

Router

Outside: 111.222.333.97/30 or .98/30

inside: 111.222.333.101/30

PIX:

outside: 111.222.333.102/30

inside: 172.16.1.1/24

owaisberg Thu, 03/08/2007 - 12:35

ISP links are assigned by the ISP and not by the customer, and even though you could assign it yourself, why would you use 4 IPs out of that small section you get, which is just a /29? So, call your ISP and get the link addressing details.

Thx,

OW

sundar.palaniappan Thu, 03/08/2007 - 12:43

Both previous posts recommend valid options. However, you may or may not be able to get an address, typically a /30 mask, for the WAN link between the perimeter router and the ISP. In that case, Adam's recommendation of breaking up the /29 into two /30 subnets is your only option.

The one thing that has to be asked in your case is, where do you want to do the NAT? I assume you probably want to set up the NAT on the PIX. If that's the case, you have a third option, and that would be to use a private address on the outside of the PIX and use the second /30 for the NAT pool. This setup gives you 4 available addresses for NAT. You can use 1 address to NAT (PAT) all inside users, and the other 3 addresses can be used for static translations for servers/hosts that have to be reached from the outside.

HTH

Sundar
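The two layouts discussed above (acomiskey's split of the /29 into two /30s, and Sundar's third option of a private router-to-PIX link with the second /30 routed to the PIX as a NAT pool) are easy to get subtly wrong: a next hop that is not on the egress interface's subnet, or a "pool" address that is actually a link address. The following Python script is an added example, not code from this thread or from Cisco; it builds both plans with the standard `ipaddress` module, derives the static routes each box needs, and checks that every next hop is on-link and every NAT address falls inside the pool. Because 111.222.333.96/29 is not a valid IPv4 literal, the RFC 5737 documentation block 203.0.113.96/29 stands in for the ISP assignment; the switch address 172.16.1.2 and the private link 192.168.255.0/30 are likewise assumptions for the example.

```python
"""Addressing and static-route consistency check for a router / PIX / L3-switch layout."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
Iface = ipaddress.IPv4Interface

# Constructed stand-in for the ISP-assigned /29 (the thread's 111.222.333.96/29 is not
# a valid IPv4 literal); RFC 5737 documentation space is used instead.
ISP_BLOCK = Net("203.0.113.96/29")
INSIDE_SUMMARY = Net("172.16.0.0/16")        # everything routed by the L3 switch
PIX_INSIDE = Iface("172.16.1.1/24")
SWITCH_SVI = IPv4("172.16.1.2")              # assumed L3-switch address on the PIX inside VLAN
PRIVATE_LINK = Net("192.168.255.0/30")       # assumed private router<->PIX link (option 3)
DEFAULT = Net("0.0.0.0/0")


@dataclass
class Plan:
    router_outside: Iface
    isp_next_hop: IPv4
    router_inside: Iface
    pix_outside: Iface
    pat_address: IPv4
    static_addresses: list
    nat_pool: Net


def split_into_thirties(block):
    """Carve the /29 into two /30s: the first for the ISP WAN link, the second for inside use."""
    wan, inner = block.subnets(new_prefix=30)
    return wan, inner


def two_thirties_plan(block=ISP_BLOCK):
    """Public /30 between router and PIX; inside users are PATed to the PIX outside address.
    Only the two usable hosts of the inner /30 exist, so nothing is left for statics."""
    wan, inner = split_into_thirties(block)
    isp_side, cust_side = wan.hosts()
    r_in, pix_out = inner.hosts()
    return Plan(Iface(f"{cust_side}/30"), isp_side, Iface(f"{r_in}/30"),
                Iface(f"{pix_out}/30"), pix_out, [], inner)


def private_link_plan(block=ISP_BLOCK, link=PRIVATE_LINK):
    """Private /30 between router and PIX; the second public /30 is routed to the PIX as a
    NAT pool. The pool sits on no interface, so all four addresses are usable:
    one for PAT and three for static translations."""
    wan, pool = split_into_thirties(block)
    isp_side, cust_side = wan.hosts()
    r_in, pix_out = link.hosts()
    addrs = list(pool)                        # network and broadcast addresses included on purpose
    return Plan(Iface(f"{cust_side}/30"), isp_side, Iface(f"{r_in}/{link.prefixlen}"),
                Iface(f"{pix_out}/{link.prefixlen}"), addrs[0], addrs[1:], pool)


def static_routes(plan):
    """(box, destination, next hop) for every static route the router and PIX need."""
    routes = [("router", DEFAULT, plan.isp_next_hop),
              ("pix", DEFAULT, plan.router_inside.ip),
              ("pix", INSIDE_SUMMARY, SWITCH_SVI)]
    if plan.nat_pool != plan.router_inside.network:   # pool is not a connected subnet: route it
        routes.append(("router", plan.nat_pool, plan.pix_outside.ip))
    return routes


def on_link(iface, next_hop):
    """A static route's next hop must be on the egress interface's subnet and not the interface itself."""
    return next_hop in iface.network and next_hop != iface.ip


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is internally consistent."""
    problems = []
    egress = {"router": {DEFAULT: plan.router_outside, plan.nat_pool: plan.router_inside},
              "pix": {DEFAULT: plan.pix_outside, INSIDE_SUMMARY: PIX_INSIDE}}
    for box, dest, nh in static_routes(plan):
        if not on_link(egress[box][dest], nh):
            problems.append(f"{box}: next hop {nh} for {dest} is not on-link")
    if not on_link(plan.router_inside, plan.pix_outside.ip):
        problems.append("router inside and PIX outside are not on the same subnet")
    for a in [plan.pat_address, *plan.static_addresses]:
        if a not in plan.nat_pool and a != plan.pix_outside.ip:
            problems.append(f"NAT address {a} is outside the pool {plan.nat_pool}")
    if plan.pat_address in plan.static_addresses:
        problems.append("PAT address is reused for a static translation")
    return problems


if __name__ == "__main__":
    for name, plan in (("two /30s", two_thirties_plan()), ("private link", private_link_plan())):
        print(f"== {name}: problems = {check_plan(plan) or 'none'}")
        for box, dest, nh in static_routes(plan):
            print(f"  {box:6} {str(dest):18} via {nh}")
        print(f"  PAT {plan.pat_address}, statics {[str(a) for a in plan.static_addresses]}")
```

Running it prints, for each plan, the route list and any inconsistencies; feeding a plan with a wrong next hop (for example an ISP address outside the WAN /30) produces a non-empty problem list, which is exactly the mistake that otherwise shows up as a silently black-holed default route.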

owaisberg Thu, 03/08/2007 - 13:08

Sundar,

I've never encountered an ISP that would refuse to provide a link/DMZ address and force the customer to use it from the IP space he paid for. Secondly, even if the customer would like to use his space for the link, he cannot, as it is associated with assigning the customer's space on ISP edge routers, which is far from being best practice... Of course, theoretically, customer space can be broken into smaller pieces; it is just not applicable in that scenario. As for the NAT, again, if we follow best practices, NAT should be done on the PIX, which faces the public end (in a case where we wouldn't have the PIX, that would be a different story).

Regards,

OW

sundar.palaniappan Thu, 03/08/2007 - 13:26

OW,

I don't work for an ISP; hence, I can't comment on what the ISP's response would be when a separate IP block is requested for the WAN link by the original poster. But I have seen some of our customers use their own block for the WAN link and for the users as well. If the ISP was to give out an address/subnet for the WAN link, they probably should have informed the original poster of the same when they got the /29 address block.

If I have to guess why the ISP mightn't assign a separate subnet for the WAN link: if it's a small network and uses only a router, then the customer can configure the same /29 address on the outside interface of the router, NAT (PAT) the inside users, and use the other addresses for the static NAT translations.

However, I agree, the ISP has to be contacted first before the configuration is finalized.

HTH

Sundar

cisconoobie Thu, 03/08/2007 - 13:24

The ISP's router at their location is 111.222.333.97/29 which connects to my office router at 111.222.333.98/29

How can I still subnet this IP?

Can I still put this?

Router

Outside: 111.222.333.97/30 or .98/30

inside: 111.222.333.101/30

PIX:

outside: 111.222.333.102/30

inside: 172.16.1.1/24

If I can, what do I need to do on my router as far as setting static routes?

owaisberg Thu, 03/08/2007 - 13:36

If I were you, I'd contact the ISP and clarify what the link addressing is, so you can configure it properly on your equipment. When you purchase that small portion of public space from an ISP, it is obvious that you don't like the idea of wasting half of this space just to establish connectivity to the same very ISP. So, if they do not provide link IP addressing, they at least should assist in establishing an unnumbered connection to their premises so you won't waste your public IP space.

Thx,

OW

cisconoobie Thu, 03/08/2007 - 13:50

If the ISP does not manage your Router and gives you an IP Block to use for your office, is it normal for them to use part of that IP block for the Router at their location?

I would think that they would give me one of their IPs for the outside interface of my router and the IP block that they assigned me for my inside interface use.

What do you guys think? BTW, this is in China, not the USA.
