
How to route this?

cisconoobie
Level 2

ISP gives you public IP 111.222.333.96/29

You have a Router - PIX - Layer 3 Switch

Router:

outside: 111.222.333.102/29

inside: ????????

PIX:

outside: ??????

inside: 172.16.1.1/24

Switch:

IP Routing for 172.16.0.0/16

Performs Intervlan routing

Am I forced to do double NAT between inside Router and outside PIX?

How to set up these ????? interfaces?

10 Replies

owaisberg
Level 1

In fact ISP public space you got should be assigned to "internal" router interface. And router's "outside" interface should have ISP's link (or sometimes called DMZ address).

Saying all that you should modify your setup:

Router:

outside: ISP's provided link address

inside: x.x.x.96/29 network

PIX:

outside: x.x.x.96/29 network

inside: 172.16.1.1/24

L3 Switch:

172.16.0.0/16

NAT is required for outbound connections on the PIX from 172.16.0.0/16 network into x.x.x.96/29 network space.

No need for double NAT.

HTH,

OW

acomiskey
Level 10

Or you could make two /30 networks out of your /29.

Router

Outside: 111.222.333.97/30 or .98/30

inside: 111.222.333.101/30

PIX:

outside: 111.222.333.102/30

inside: 172.16.1.1/24

ISP's links are assigned by ISP and not by the customer, and even though you could assign it yourself, why would you use 4 IPs out of that small section you get, which is just a /29? So, call your ISP and get link address details.

Thx,

OW

Why is ISP link sometimes called "DMZ address"?

Both previous posts recommend valid options. However, you may or may not be able to get an address, typically a /30-bit mask, for the WAN link between the perimeter router and the ISP. In that case, Adam's recommendation of breaking up the /29 into two /30-bit subnets is your only option.

The one thing that has to be asked in your case is, where do you want to do the NAT? I assume you probably want to set up the NAT on the PIX. If that's the case, you have a 3rd option and that would be to use a private address on the outside of the PIX and use the 2nd /30 bit for NAT pool. This setup provides you the option of 4 available addresses for NAT. You can use 1 address to NAT (PAT) all inside users and the other 3 addresses can be used for static translations for servers/hosts that have to be reached from the outside.

HTH

Sundar

Sundar,

I've never encountered an ISP that would refuse to provide link/DMZ address and force the customer to use it from the IP space he paid for. Secondly, even if the customer would like to use his space for the link, he cannot, as it is associated with assigning customer's space on ISP edge routers, which is far from being the best practice... Of course, theoretically customer space can be broken into smaller pieces; it is just not applicable in that scenario. As for the NAT, again if we follow the best practices, NAT should be done on the PIX which faces the public end (in a case where we wouldn't have the PIX that would be a different story).

Regards,

OW

OW,

I don't work for an ISP, hence I can't comment on what the ISP's response would be when a separate IP block is requested for the WAN link by the original poster. But I have seen some of our customers use their own block for the WAN link and for the users as well. If the ISP was to give out an address/subnet for the WAN link, they probably should have informed the original poster of the same when they got the /29-bit address.

If I have to guess why the ISP might not assign a separate subnet for the WAN link: if it's a small network and uses only a router, then the customer can configure the same /29-bit address on the outside int of the router and NAT (PAT) the inside users and then use the other addresses for the static NAT translations.

However, I agree, the ISP has to be contacted first before the configuration is finalized.

HTH

Sundar

The ISP's router at their location is 111.222.333.97/29 which connects to my office router at 111.222.333.98/29

How can I still subnet this IP?

Can I still put this?

Router

Outside: 111.222.333.97/30 or .98/30

inside: 111.222.333.101/30

PIX:

outside: 111.222.333.102/30

inside: 172.16.1.1/24

If I can, what do I need to do on my router as far as setting static routes?
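
Added example, not part of any post in this thread: a Python check of the two-/30 split discussed above, showing which addresses each link can use and what is left over. Because 111.222.333.x is a placeholder and not a valid IPv4 address, the code assumes the documentation block 203.0.113.96/29 in its place; the function names are hypothetical.

```python
import ipaddress

# Assumption: 203.0.113.96/29 (documentation range) stands in for the
# thread's placeholder block 111.222.333.96/29, which is not a valid address.
BLOCK = ipaddress.ip_network("203.0.113.96/29")

def split_block(block, new_prefix=30):
    """Map each child subnet to its usable host addresses."""
    return {str(s): [str(h) for h in s.hosts()]
            for s in block.subnets(new_prefix=new_prefix)}

def check_link(a, b):
    """Return the problems that stop two 'addr/prefix' interfaces sharing a link."""
    ia, ib = ipaddress.ip_interface(a), ipaddress.ip_interface(b)
    problems = []
    if ia.network != ib.network:
        problems.append(f"{a} and {b} are in different subnets")
    if ia.ip == ib.ip:
        problems.append(f"{a} and {b} use the same address")
    for i in (ia, ib):
        if i.ip in (i.network.network_address, i.network.broadcast_address):
            problems.append(f"{i} is a network or broadcast address")
    return problems

def spare_hosts(block, used, new_prefix=30):
    """Usable addresses in the split block not taken by an interface."""
    taken = {ipaddress.ip_interface(u).ip for u in used}
    return [str(h) for s in block.subnets(new_prefix=new_prefix)
            for h in s.hosts() if h not in taken]

# The plan from the thread, mapped onto the stand-in block:
# ISP .97 <-> router outside .98, router inside .101 <-> PIX outside .102
PLAN = {
    "isp-router link": ("203.0.113.97/30", "203.0.113.98/30"),
    "router-pix link": ("203.0.113.101/30", "203.0.113.102/30"),
}

if __name__ == "__main__":
    for subnet, hosts in split_block(BLOCK).items():
        print(subnet, "usable:", hosts)
    for name, (a, b) in PLAN.items():
        print(name, check_link(a, b) or "ok")
    used = [addr for pair in PLAN.values() for addr in pair]
    print("spare public addresses:", spare_hosts(BLOCK, used))
```

With this split, the four interface addresses consume every usable host address in the block, so no public address is left over for static translations.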

If I were you, I'd contact ISP and clarify what the link addressing is, so you can configure it properly on your equipment. When you purchase that small portion of public space from an ISP it is obvious that you don't like the idea of wasting half of this space just to establish connectivity to the very same ISP. So, if they do not provide link IP addressing they at least should assist in establishing unnumbered connection to their premises so you won't waste your public IP space.

Thx,

OW

If the ISP does not manage your router and gives you an IP block to use for your office, is it normal for them to use part of that IP block for the router at their location?

I would think that they would give me one of their IPs for the outside interface of my router and the IP block that they assigned me for my inside interface use.

What do you guys think? BTW this is in CHINA, not USA.
