LIVE IP on server behind DMZ zone scenario with BGP Failover Scenario

May 27th, 2012

Hi,

We are receiving two separate last-mile fibers from our ISP. We are receiving two separate /30 subnets from the ISP and a separate /28 pool. The first pool, for instance, is x.x.x.128/30, the second one is x.x.x.136/30 and the last pool is x.x.x.160/28. We have an eBGP relationship with the ISP. We were informed that the /28 pool is for live IPs for our servers, which would be in a DMZ zone on the firewall.

I am assuming that we will need to give a static route to these servers from our edge router (the router running eBGP with the ISP), through the firewall to the server, and advertise the /28 live IP pool via BGP to the ISP. In this scenario, if the connection fails over from the first connection to the ISP to the second one, the live IPs will still be accessible via the second link. I won't be creating NAT entries for these on the routers since these are being publicly advertised over the Internet.

Now firstly, am I right in understanding that this design is right? Also, on the DMZ interface on the firewall, should I assign the x.x.x.161/28 IP as a secondary IP (secondary IP because that zone already has a private IP addressing scheme for INSIDE users on the firewall)? The server in that zone, for instance, would have the second usable IP in that range, x.x.x.162. This would give my servers a live IP on the Internet. Am I right here?

Thanks.

RAIS AHMAD Sun, 05/27/2012 - 07:29

You can use the /28 to NAT your servers on the firewall. I'm not sure how to assign secondary addresses on the servers.

Thanks.

tdotvix1982 Sat, 06/02/2012 - 01:15

Hi,

Well, after further investigation with the client and their ISP, I have learnt that the two /30 pools were for running eBGP with the ISP. The links were configured for failover using the Local Preference attribute. The other /28 pool was not assigned on any WAN-facing interface; rather, it was for assigning public IPs directly on the servers. I assigned the /28 pool on the server-facing DMZ interface on the firewall, allowing the ports that needed to be accessed from outside, routed that live pool in OSPF (which made it reachable from the edge router) and then advertised that particular pool in BGP to send it across to the ISP. Worked perfectly. I didn't NAT those IPs on the servers because I didn't assign them any private IPs. Instead I assigned them live IPs, hence I had to route them in OSPF and advertise them in BGP so as to send them across to the ISP.

Thanks,

Vick.
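The design Vick describes above (public /28 on the ASA's DMZ interface, the prefix carried to the edge router by OSPF, advertised to the ISP by BGP, failover between the two /30 links by local preference, no NAT), written out as an added configuration example. This is not configuration from the original thread; the addresses (203.0.113.0/24 documentation space standing in for the x.x.x pools, 10.0.0.0/30 for the router-to-firewall link), AS numbers 64512/64513, interface names and the web-server ports are all assumed, and ASA 8.3+ NAT semantics are assumed (no NAT rule means no translation).

```cisco
! ---------- Edge router (IOS), AS 64512, two eBGP sessions to ISP AS 64513 ----------
! Addresses, AS numbers and interface names are assumed, not from the thread.
interface GigabitEthernet0/0
 description ISP link 1 (first /30, 203.0.113.128/30 stands in for x.x.x.128/30)
 ip address 203.0.113.130 255.255.255.252
!
interface GigabitEthernet0/1
 description ISP link 2 (second /30, 203.0.113.136/30 stands in for x.x.x.136/30)
 ip address 203.0.113.138 255.255.255.252
!
interface GigabitEthernet0/2
 description transit link to ASA outside interface
 ip address 10.0.0.1 255.255.255.252
!
! OSPF only toward the firewall; the /28 arrives here as an OSPF route from the ASA.
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/2
 network 10.0.0.0 0.0.0.3 area 0
!
! Local preference decides which ISP session carries outbound traffic;
! the higher value wins, so link 1 is primary and link 2 is used when it fails.
route-map PREFER_LINK1 permit 10
 set local-preference 200
!
route-map PREFER_LINK2 permit 10
 set local-preference 100
!
router bgp 64512
 ! Advertised on both sessions; the network statement only fires while
 ! 203.0.113.160/28 is present in the routing table (i.e. learned via OSPF).
 network 203.0.113.160 mask 255.255.255.240
 neighbor 203.0.113.129 remote-as 64513
 neighbor 203.0.113.129 route-map PREFER_LINK1 in
 neighbor 203.0.113.137 remote-as 64513
 neighbor 203.0.113.137 route-map PREFER_LINK2 in
!
! No "ip nat" statements anywhere: the /28 is routed, not translated.

! ---------- ASA (8.3+ syntax assumed) ----------
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ! Public /28 assigned directly on the server-facing DMZ interface,
 ! 203.0.113.160/28 standing in for x.x.x.160/28.
 ip address 203.0.113.161 255.255.255.240
!
! Only the services that must be reachable from the Internet, per server.
! 203.0.113.162 is the assumed web server (second usable address of the /28).
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.162 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.162 eq https
access-group OUTSIDE_IN in interface outside
!
route outside 0.0.0.0 0.0.0.0 10.0.0.1
!
! Advertise the connected /28 to the edge router over the transit link.
router ospf 1
 network 10.0.0.0 255.255.255.252 area 0
 network 203.0.113.160 255.255.255.240 area 0
!
! No nat statement for 203.0.113.160/28: the servers keep their public
! addresses end to end, so the ACL above is the only thing gating inbound access.

! ---------- Server (any OS) ----------
! address 203.0.113.162/28, default gateway 203.0.113.161 (the ASA dmz interface)
```

Two things worth checking on a build like this: `show ip bgp neighbors <peer> advertised-routes` on the edge router should list the /28 on both sessions, and it must disappear from both if the ASA's OSPF adjacency drops, otherwise the ISP keeps sending traffic into a black hole. Local preference only governs the outbound path; inbound, the ISP reaches the /28 through whichever of the two sessions is still up, which is what gives the failover the thread relies on. Since neither device translates the /28, the firewall ACL is the sole control on what the Internet can reach on those servers, so it should stay as tight as the permitted ports above rather than a blanket permit to the subnet.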

mikull.kiznozki Sat, 06/02/2012 - 23:02

altaddr /set can be used on win 2008 servers to set an alternate IP.


rais wrote:

You can use the /28 to NAT your servers on the firewall. I'm not sure how to assign secondary addresses on the servers.

Thanks.

tdotvix1982 Sun, 06/03/2012 - 06:51

Hi,

Yes, but that wouldn't be the best design scenario now, would it? It would create a double-NAT scenario, with NAT being configured on the firewall and the Internet edge router. Also, it would defeat the main purpose of obtaining a /28 pool from the ISP. For example, a locally hosted web server having a live IP means we do not have to use the DNS round-robin approach anymore. Well, the firewall does not allow assigning a secondary IP on its physical interface, hence on the same NIC on the server it would be an unfruitful activity to assign a secondary IP.

Thanks,

Vick.

Tags: bgp, asa