Multiple IPs on public facing interface

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Multiple IPs on public facing interface

L4 Transporter

We have a number of IPs assigned by our ISP.  I have been told that I can set incoming NAT rules for the IP addresses even if they are not "assigned" to the public facing interface.  Is that accurate?

Thanks,

Bob

1 accepted solution

Accepted Solutions

L6 Presenter

Yes, you can use NAT even in VWIRE mode.

The NAT is just to manipulate the srcip and/or dstip (along with srcport and/or dstport) of a packet before it gets further in the process-chain.

In order for this to work the packet must obivously be sent through your PA device and the PA device must have something to trigger on (for example if dstip=1.1.1.1 then change dstip to 2.2.2.2).

View solution in original post

4 REPLIES 4

L6 Presenter

Yes, you can use NAT even in VWIRE mode.

The NAT is just to manipulate the srcip and/or dstip (along with srcport and/or dstport) of a packet before it gets further in the process-chain.

In order for this to work the packet must obivously be sent through your PA device and the PA device must have something to trigger on (for example if dstip=1.1.1.1 then change dstip to 2.2.2.2).

L3 Networker

Yes, Bob, your ISP is correct is the short answer. What I would do as a starting point is to look at the IP addresses and subnet mask they have given you. Work out the size of the subnet they have allocated you and all the possible IPs in that block. Discount the network and broadcast addresses, then make a note of the IP in the block you're using for your main firewall interface and then the IP they have give you as a gateway. Whatever IPs left should be free for you to use, assuming they've not used any more and not told you.

You can then create policy objects with IPs from the range and then create NAT rules to forward the traffic into your network. Once the NAT rule is in place, the firewall will automatically respond to traffic destined for that IP. No extra configuration is required at the interface level.

Your NAT rule would be something like:

Soure Zone: Internet

Dest Zone: Internet

Source Address: Any

Dest Address: [policy object with ext ip you want to use]

Service: Any

Source Trans: None

Dest Tran: [policy object of internal device using internal IP]

The source and destination zone both being Internet / Untrust is the bit that can trip people up. It's because from the point of view of the external user they are making contact with you an external, public IP and technically they don't know it's destination is internal or going to get NAT'd.

Hope that all makes sense!

UKRB. Smiley Happy

L4 Transporter

Thanks for your replies.  It makes more sense when I look at the packet flow process.  So really I don't need any external IP addresses at all!

Bob

VWIRE is funny when you start to think how you can use it 🙂

Otherwise if you have a public iprange assigned to you by your ISP you usually use a rfc1918 network as linknet between you and your ISP and the ISP will then route your public range to your private ip address of your router/firewall.

Like so (example):

interface:

You: 10.0.0.1/30

ISP: 10.0.0.2/30

routing:

ISP: x.x.x.x/x nexthop 10.0.0.1

You: 0.0.0.0/0 nexthop 10.0.0.2 (default route)

  • 1 accepted solution
  • 6364 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!