I have following scenario -
ISP Router ---- Organisation Router ----- Switch ----- Firewall1 & Firewall2 & Other equipment
Question : How do I assign public IP addresses to Firewall1, Firewall2 and other equipment?
Thank you and look forward to receiving your kind suggestions and/or help.
You have not provided enough information for us to be able to give you good answers. In particular we need to know whether you have your own Provider Independent IP addresses or whether you are using IP addresses assigned to you by your ISP. And we need to know how many IP addresses you have. I am assuming that there is a public address used to connect your Organization Router to the ISP Router (perhaps a /30) and need to know whether there is a second address block of public addresses.
When we know that we will be better able to give you answers.
Thank you very much for querying. Here are answers to your queries -
Re: 'Provider Independent IP addresses or whether you are using IP addresses assigned to you by your ISP'
Answer: IP addresses assigned by ISP
Re: 'how many IP addresses you have'
Answer: ISP allocated more than 10 public IP addresses.
Re: 'I am assuming that there is a public address used to connect your Organization Router to the ISP Router (perhaps a /30) and need to know whether there is a second address block of public addresses'
Answer: Unfortunately we are allowed 13 addresses for our network and NTE (ISP Router) will utilise 14th IP address.
Attached a basic diagram of what I am trying to achieve.
Hope this helps and thank you for posting your queries.
Thank you for the additional information. It appears that the ISP assumed that you would have a single address block and would use it on the device that connects to them. That is not what fits the best with what you are trying to accomplish. I do not know how much flexibility you have with your ISP. Probably the ideal solution would be for you to ask them for an additional address block of /30 and use that to connect your router to their router and to use the current address block on the inside.
If that is not possible then there is an alternative to consider. Perhaps you could take the existing address block, which is 255.255.255.240, and subdivide it. You could perhaps take a 255.255.255.252 and use it for your router connection to the ISP. That would leave you with two subnets of 255.255.255.252 and of 255.255.255.248 which you could use inside.
Thank you for replying. Well, I have already asked the ISP for an additional block of /30. They haven't come back to me as yet. If they agree then there is no problem; else I will need to subdivide it as you suggested. Though not sure how it will work out. Considering the ISP assigned network 18.104.22.168/27 and has already configured 22.214.171.124/27 to be my default gateway.
Am I correct in assuming the following, where I could use
Public IP 126.96.36.199/30 for MY ROUTER (external / outside interface)
Public IP 188.8.131.52/28 for MY ROUTER (internal interface)
Public IP 184.108.40.206/28 for FIREWALL1 (Outside interface)
Public IP 220.127.116.11/28 for FIREWALL2 (Outside interface)
Or did I make a total mess of things - sorry if I misunderstood. Is this the only way or is there a brilliant solution, which I am not aware of - folks please engage.
(( I noticed my mistake in the diagram - assigning network address to an interface, apologies for the mistake))
You are on the right track, but there are several issues with the details of what you suggest.
First, you are quite correct that if the ISP has already assigned 18.104.22.168 then your router outside interface should be 22.214.171.124.
But your router inside cannot be 126.96.36.199 because that is the subnet address of the next subnet. Also subnet 188.8.131.52 cannot be the /28 subnet. The /28 subnet must be 184.108.40.206 and so your router interface might be 220.127.116.11 with firewalls at 18.104.22.168 and 22.214.171.124 (assuming that your firewalls have their outside interfaces in a common subnet).
If the ISP does not agree to supply the additional /30 then I do not see much alternative to doing it this way. If any of my colleagues in the forum see some alternative that I have missed then I hope that they will speak up.
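The split proposed earlier in the thread (a /30 carved off the ISP-assigned block for the router-to-ISP link, leaving a /30 and a /29 for the inside) and the two mistakes corrected in the reply above (putting a subnet's network address on an interface, and writing a prefix length that does not line up with the subnet boundary) can be worked through with Python's standard `ipaddress` module. This is an added example, not code from any of the posters; it assumes the RFC 5737 documentation block 203.0.113.0/28 in place of the obfuscated addresses in the thread, and the interface names in the plan are placeholders.

```python
"""Carve an ISP-assigned /28 into a /30 link subnet plus a /30 and a /29
for the inside, and sanity-check candidate interface addresses.

Assumed block: 203.0.113.0/28 (RFC 5737 documentation space), standing in
for the obfuscated addresses in the thread. Added example, not forum code.
"""
import ipaddress


def carve_block(block="203.0.113.0/28"):
    """Return the three subnets the /28 splits into.

    The first /30 is for the router-to-ISP link; the second /30 and the
    /29 are left for use inside the organisation.
    """
    # strict=True rejects a block with host bits set (e.g. 203.0.113.4/28),
    # which is the misaligned-prefix mistake from the thread.
    net = ipaddress.ip_network(block, strict=True)
    if net.prefixlen != 28:
        raise ValueError(f"expected a /28 (255.255.255.240), got /{net.prefixlen}")
    low_29, high_29 = net.subnets(new_prefix=29)
    isp_link, inside_30 = low_29.subnets(new_prefix=30)
    return {"isp_link": isp_link, "inside_30": inside_30, "inside_29": high_29}


def describe(net):
    """Network, mask, broadcast and usable host range for a subnet."""
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable": len(hosts),
    }


def usable_after_split(block="203.0.113.0/28"):
    """Total usable addresses once the block is subdivided.

    Each extra subnet costs a network and a broadcast address, so the
    16-address /28 drops from 14 usable (flat) to 2 + 2 + 6 = 10.
    """
    return sum(len(list(n.hosts())) for n in carve_block(block).values())


def check_interface(addr, expected):
    """Validate an interface address such as '203.0.113.9/29' against the
    subnet it is meant to live in. Returns (ok, reason)."""
    iface = ipaddress.ip_interface(addr)
    ip, net = iface.ip, iface.network
    if ip == net.network_address:
        return False, f"{ip} is the network address of {net}"
    if ip == net.broadcast_address:
        return False, f"{ip} is the broadcast address of {net}"
    if net != expected:
        # e.g. '203.0.113.4/28' lands in 203.0.113.0/28, not the /30 at .4
        return False, f"{addr} lies in {net}, not in the intended {expected}"
    return True, f"{addr} is a usable host in {expected}"


def address_plan(block="203.0.113.0/28"):
    """Propose one usable address per interface and verify each one.

    Interface names are placeholders matching the thread's diagram.
    """
    parts = carve_block(block)
    link_hosts = list(parts["isp_link"].hosts())
    inside_hosts = list(parts["inside_29"].hosts())
    candidates = {
        "isp_router": (link_hosts[0], parts["isp_link"]),
        "org_router_outside": (link_hosts[1], parts["isp_link"]),
        "org_router_inside": (inside_hosts[0], parts["inside_29"]),
        "firewall1_outside": (inside_hosts[1], parts["inside_29"]),
        "firewall2_outside": (inside_hosts[2], parts["inside_29"]),
    }
    plan = {}
    for name, (ip, net) in candidates.items():
        addr = f"{ip}/{net.prefixlen}"
        ok, reason = check_interface(addr, net)
        if not ok:
            raise ValueError(reason)
        plan[name] = addr
    return plan


if __name__ == "__main__":
    for label, net in carve_block().items():
        print(label, describe(net))
    print("usable after split:", usable_after_split())
    for name, addr in address_plan().items():
        iface = ipaddress.ip_interface(addr)
        # IOS-style form, since the thread's routers are Cisco devices
        print(f"{name}: ip address {iface.ip} {iface.network.netmask}")
    for bad in ("203.0.113.4/30", "203.0.113.4/28"):
        print(check_interface(bad, carve_block()["inside_30"]))
```

The two `bad` checks at the end reproduce the errors pointed out in the reply: the first address is the network address of the inside /30, and the second uses a /28 prefix on an address that is not on a /28 boundary, so it resolves to a different subnet than intended. The `usable_after_split` figure is the practical cost of carving the block yourself rather than getting a separate /30 from the ISP: four of the fourteen addresses are lost to extra network and broadcast addresses.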
Thank you for coming back and rectifying some of the mistakes with CIDR, much appreciated. Waiting to hear from the ISP and keeping fingers crossed so that they agree on your earlier suggestion.
I do hope that the ISP will agree to provide the additional /30. In my experience this is a common thing for an ISP to do and it will make your deployment easier and better.
As for the issues with CIDR it is not a big issue. These are easy mistakes to make and with time and more experience you should become much more accurate in dealing with these things.