
Assigning public IP addresses to equipment behind Internet Gateway (Cisco router)

nerubaba1
Level 1

Good Morning,

I have the following scenario -

ISP Router ---- Organisation Router ----- Switch ----- Firewall1 & Firewall2 & Other equipment

 

Question : How do I assign public IP addresses to Firewall1, Firewall2 and other equipment?

Thank you and look forward to receiving your kind suggestions and/or help.

Regards,

Neru

8 Replies

Richard Burts
Hall of Fame

Neru

 

You have not provided enough information for us to be able to give you good answers. In particular we need to know whether you have your own Provider Independent IP addresses or whether you are using IP addresses assigned to you by your ISP. And we need to know how many IP addresses you have. I am assuming that there is a public address used to connect your Organization Router to the ISP Router (perhaps a /30) and need to know whether there is a second address block of public addresses.

 

When we know that we will be better able to give you answers.

 

HTH

 

Rick

Hello Richard,

 

Thank you very much for querying.  Here are answers to your queries -

Re: 'Provider Independent IP addresses or whether you are using IP addresses assigned to you by your ISP'

Answer: IP addresses assigned by ISP

Re: 'how many IP addresses you have'

Answer: ISP allocated more than 10 public IP addresses.

Re: 'I am assuming that there is a public address used to connect your Organization Router to the ISP Router (perhaps a /30) and need to know whether there is a second address block of public addresses'

Answer: Unfortunately we are allowed 13 addresses for our network and NTE (ISP Router) will utilise 14th IP address.

Attached a basic diagram of what I am trying to achieve.

Hope this helps and thank you for posting your queries.

Neru

 

Neru

 

Thank you for the additional information. It appears that the ISP assumed that you would have a single address block and would use it on the device that connects to them. That is not what fits the best with what you are trying to accomplish. I do not know how much flexibility you have with your ISP. Probably the ideal solution would be for you to ask them for an additional address block of /30 and use that to connect your router to their router and to use the current address block on the inside.

 

If that is not possible then there is an alternative to consider. Perhaps you could take the existing address block which is 255.255.255.240 and subdivide it. You could perhaps take a 255.255.255.252 and use it for your router connection to the ISP. That would leave you with two subnets of 255.255.255.252 and of 255.255.255.248 which you could use inside.

 

HTH

 

Rick

Hi Rick,

 

Thank you for replying. Well, I have already asked the ISP for an additional block of /30. They haven't come back to me as yet. If they agree then there is no problem, else I will need to subdivide it as you suggested. Though I am not sure how it will work out, considering the ISP assigned network 1.2.3.160/27 and has already configured 1.2.3.161/27 to be my default gateway.

Am I correct in assuming the following, where I could use

Public IP 1.2.3.162/30 for MY ROUTER (external / outside interface)

Public IP 1.2.3.164/28 for MY ROUTER (internal interface)

Public IP 1.2.3.165/28 for FIREWALL1 (Outside interface)

Public IP 1.2.3.166/28 for FIREWALL2 (Outside interface)

 

Or did I make a total mess of things - sorry if I misunderstood.  Is this the only way or is there a brilliant solution, which I am not aware of - folks please engage.

Regards,

Neru

(( I noticed my mistake in the diagram - assigning network address to an interface, apologies for the mistake))

Neru

 

You are on the right track, but there are several issues with the details of what you suggest.

 

First you are quite correct that if the ISP has already assigned 1.2.3.161 then your router outside interface should be 1.2.3.162.

 

But your router inside can not be 1.2.3.164 because that is the subnet address of the next subnet. Also subnet 1.2.3.164 can not be the /28 subnet. The /28 subnet must be 1.2.3.168 and so your router interface might be 1.2.3.169 with firewalls at 1.2.3.170 and 1.2.3.171 (assuming that your firewalls have their outside interfaces in a common subnet).

 

If the ISP does not agree to supply the additional /30 then I do not see much alternative to doing it this way. If any of my colleagues in the forum see some alternative that I have missed then I hope that they will speak up.

 

HTH

 

Rick
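
The subdivision discussed in this thread, worked through with Python's `ipaddress` module as an added example (not part of any post in the thread). It assumes the ISP block is 1.2.3.160 with mask 255.255.255.240 and uses the 255.255.255.248 mask from the earlier reply for the inside subnet; the interface names are illustrative.

```python
import ipaddress

# Assumption: ISP block is 1.2.3.160 with mask 255.255.255.240 (/28), matching
# the 14 addresses in the thread; interface names below are illustrative.
ISP_BLOCK = ipaddress.ip_network("1.2.3.160/28")

# Plan as first proposed in the thread.
PROPOSED = {"router_outside": "1.2.3.162/30", "router_inside": "1.2.3.164/28",
            "firewall1": "1.2.3.165/28", "firewall2": "1.2.3.166/28"}
# Host addresses from the reply, with the 255.255.255.248 inside mask.
REVISED = {"router_outside": "1.2.3.162/30", "router_inside": "1.2.3.169/29",
           "firewall1": "1.2.3.170/29", "firewall2": "1.2.3.171/29"}

def carve(block=ISP_BLOCK):
    """Split the /28 into the WAN /30, a spare /30 and an inside /29."""
    low, high = block.subnets(prefixlen_diff=1)   # two /29 halves
    wan, spare = low.subnets(prefixlen_diff=1)    # lower half into two /30s
    return wan, spare, high

def check_plan(plan, block=ISP_BLOCK):
    """Return a list of problems for a {name: 'ip/prefix'} interface plan."""
    problems = []
    ifaces = {n: ipaddress.ip_interface(a) for n, a in plan.items()}
    for name, iface in ifaces.items():
        net = iface.network
        if not net.subnet_of(block):
            problems.append(f"{name}: {net} is outside {block}")
        if iface.ip == net.network_address:
            problems.append(f"{name}: {iface.ip} is the network address of {net}")
        elif iface.ip == net.broadcast_address:
            problems.append(f"{name}: {iface.ip} is the broadcast address of {net}")
    # Subnets on different router segments must not overlap each other.
    nets = sorted({i.network for i in ifaces.values()})
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems

if __name__ == "__main__":
    for net in carve():
        print(net, "usable:", [str(h) for h in net.hosts()])
    for label, plan in (("proposed", PROPOSED), ("revised", REVISED)):
        print(label, check_plan(plan) or "OK")
```

The split only works end to end if the ISP routes the inside subnets to 1.2.3.162, since their side was configured with the whole block on the link.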

Hi Rick,

 

Thank you for coming back and rectifying some of the mistakes with CIDR, much appreciated.  Waiting to hear from the ISP and keeping fingers crossed so that they agree on your earlier suggestion.

 

Regards,

 

Neru

Neru

 

I do hope that the ISP will agree to provide the additional /30. In my experience this is a common thing for an ISP to do and it will make your deployment easier and better.

 

As for the issues with CIDR it is not a big issue. These are easy mistakes to make and with time and more experience you should become much more accurate in dealing with these things.

 

HTH

 

Rick

Hi Rick,

 

Many thanks for the support and answer. ISP haven't answered yet, keeping fingers crossed. :D

 

Regards,

 

Neru
