cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
635
Views
4
Helpful
3
Replies

Subnet ID

sushil
Level 1
Level 1

Hi,

I was asked to share a public ip to one of our partner in business,so that he can allow access to one of his application server through that public server.

I shared IP of my firewall.All my internal network is patted to that.

Public IP on my firewall was x.y.z.173/28.

Now what he did he allowed my subnet id .i.e x.y.z.160 for the same and I was able to access his server from my internal network.

My questions?

1. Does he allowed all range of my public ip's from 161-174?

2. If he asked my external ip does that mean was x.y.z.173(As all my internal network patted to that ip).If He would have allowed 173 only even then my connection would have worked from my internal network.

3.Even though I am not able to ping subnet id how it forwards the traffic.Exactly how traffic is flowing from internal network..To best my knowledge it was something where internal ip gets converted to public on firewall int and then pushed to router lan and its serial(wan something a.b.c.114/30) and isp thorugh the modem lying (a.b.c.113/30).Where does the role of x.y.z.160 comes.

I am little confused.

Reg,

Sushil

1 Accepted Solution

Accepted Solutions

1) If your partner has allowed the subnet .160 - then ANY of your IP address will be able to connect. If he only allows 1 IP address, the IP address of your firewall outside interface - you will be able to connect, either way it will work.

2) If you want to someone to access a server in your internal LAN behind the firewall you have 2 choices:-

- Allow based on TCP/UDP port and use the outside firewall IP address = Port Forwarding.

- Assign a specific static 1 to 1 NAT external IP address in your range to specifically allow external users to connect to your server = Static 1:1 NAT

Let me clear something up for you - IP routing is based on a PHB = Per Hop Basis. Any routing device must have an idea of where a source/destination IP address is in relation to itself. So a routing devices MUST be connected via IP to the device it is routing to, or connected to a device that knows how to get to the IP address beyond it.

Static/dynamic routing - with both you always HAVE to know the next hop = 1 hop away.

HTH>

View solution in original post

3 Replies 3

andrew.prince
Level 10
Level 10

To answer your questions:-

1) Not necessarily.

2) Yes

3) the role of x.y.z.160/28 is the ID if your IP subnet on the internet. Your ISP will have a route dynamic or static that points to the router that your firewall connects to. Then all traffic on the internet that wants to get to x.y.z.160/28 will have a valid route.

x.y.z.160 is the network address for your /28

Your first usable IP is

.161

Your last usable IP is

.174

The broadcast for your subnet is .175

HTH>

Hi Andrew,

Thanks for ur answer.

I am ok with ur 2nd answer.

Don't you think if my partner has allowed the subnet id instead of my firewall ip and that worked 4 my access.

That creats some doubts in my mind too.

1. HaD he just allowed x.y.z.160/28 or my fw ip too?If only subnet id then if I choose any other ip on my fw or static ip on int that should work too.That means whole range allowed automatically thorugh subnet id ip only.Does it works like that or not?

Say if somebody asking me to access my internal server and I do the same arrangement how would my fw see the traffic coming from subnet id or fw ip.

2. ISP uses two types of ip's one the serial connectivity .i.e as I said ab.c.114/30 to my serail link on router and one the its previous ip in their Rad-Modem.Another is the range of ip's with subnetid in my case i.e x.y.z.160/28.Then there must be some relation with these serail and subnet id to best of my knowledge if I understand correctly from routing from isp side.

Reg,

Sushil

1) If your partner has allowed the subnet .160 - then ANY of your IP address will be able to connect. If he only allows 1 IP address, the IP address of your firewall outside interface - you will be able to connect, either way it will work.

2) If you want to someone to access a server in your internal LAN behind the firewall you have 2 choices:-

- Allow based on TCP/UDP port and use the outside firewall IP address = Port Forwarding.

- Assign a specific static 1 to 1 NAT external IP address in your range to specifically allow external users to connect to your server = Static 1:1 NAT

Let me clear something up for you - IP routing is based on a PHB = Per Hop Basis. Any routing device must have an idea of where a source/destination IP address is in relation to itself. So a routing devices MUST be connected via IP to the device it is routing to, or connected to a device that knows how to get to the IP address beyond it.

Static/dynamic routing - with both you always HAVE to know the next hop = 1 hop away.

HTH>

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: