06-18-2012 10:21 AM
Hello all,
I'm hoping you can help me with a problem that has me stumped. I'm trying to configure our PA 5020 to support a Microsoft Lync 2010 server edge environment being load balanced by an F5. Per Microsoft, in order to do this the IP addresses on the edge servers must be publicly routable and cannot employ NAT. Currently, my external interface is configured with a 63.x.x.x/24 address/netmask. We have two DMZs, 10.11.107.1/24 and 10.11.113.1/24 respectively, that are taking advantage of NATs. We have 16 addresses in all that we need to make publicly routable, currently configured to be 63.x.x.120-135. I thought that I could set up a new interface as a public DMZ but was unable to, as the IP address ranges on the two interfaces overlapped, so the commit failed. I'm somewhat of a networking novice but I'm pretty sure trying to put those devices in the 107 DMZ won't work, as they'll have the wrong gateway address and won't route.
I'm really stumped as to how I can accomplish this without NATs.
Any help would be greatly appreciated.
Rob Z,
06-19-2012 02:34 AM
To sum it up:
External: 63.x.x.x/24
DMZ1: 10.11.107.1/24
DMZ2: 10.11.113.1/24
I assume the range at External is a public range handed over to you by your ISP?
This is what I would do:
1) Set up a linknet between your PA and your ISP, for example:
PA: 10.0.0.1/30
ISP: 10.0.0.2/30
2) Instruct your ISP to route that 63.x.x.x/24 with nexthop 10.0.0.1 (or whatever IP your PA ends up with).
3) Set your PA to use 10.0.0.2 (or whatever IP your ISP will use) as default gateway.
Now you can set up parts of 63.x.x.x/24 directly on interfaces on your PA as well as NAT the other IPs to the DMZs using private IPs (DMZ1 and DMZ2).
So you would end up with (just an example):
External: 10.0.0.1/30 (10.0.0.1 is IP at PA, routed 63.x.x.x/24)
DMZ1: 10.11.107.1/24 (10.11.107.1 is IP at PA, 10.11.107.0-255)
DMZ2: 10.11.113.1/24 (10.11.113.1 is IP at PA, 10.11.113.0-255)
DMZ3: 63.0.0.113/28 (63.0.0.113 is IP at PA, 63.0.0.112-127)
NAT1: 63.0.0.1 -> 10.11.107.2 (or whatever)
NAT2: 63.0.0.44 -> 10.11.113.5 (or whatever)
But if possible I would start to use this range from two sides. Like NATed IPs from the lower part and routed IPs from the higher part (or the other way around 😃)
Like so:
External: 10.0.0.1/30 (10.0.0.1 is IP at PA, routed 63.x.x.x/24 from ISP)
DMZ1: 10.11.107.1/24 (10.11.107.1 is IP at PA, 10.11.107.0-255)
DMZ2: 10.11.113.1/24 (10.11.113.1 is IP at PA, 10.11.113.0-255)
DMZ3: 63.0.0.241/28 (63.0.0.241 is IP at PA, 63.0.0.240-255)
NAT1: 63.0.0.1 -> 10.11.107.2 (or whatever)
NAT2: 63.0.0.2 -> 10.11.113.5 (or whatever)
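The design above works only if the addressing plan stays consistent: no two interface subnets may overlap (the cause of the original commit failure), every public subnet placed directly on an interface has to sit inside the range the ISP routes to the firewall, and no NAT public address may land inside a subnet that is now routed directly. The following checker is an added example written for this thread; it is not from the original posts or from Palo Alto Networks. It uses the same placeholder values as the answer (the `63.0.0.0/24` range stands in for the real 63.x.x.x allocation) and the Python standard library `ipaddress` module; the plan dictionaries and NAT rules are constructed to mirror the second layout in the answer and the original poster's failing attempt.

```python
"""Consistency check for a 'routed public range + NAT' firewall addressing plan.

Added example for the LIVEcommunity thread above; not code from the thread or
from Palo Alto Networks. All addresses are placeholders taken from the answer.
"""
import ipaddress


def make_plan(iface_strings):
    """Turn {name: 'addr/prefix'} into {name: IPv4Interface}."""
    return {name: ipaddress.ip_interface(s) for name, s in iface_strings.items()}


# Constructed: the range the ISP routes towards the PA via the /30 linknet.
ISP_ROUTED = ipaddress.ip_network("63.0.0.0/24")

# Constructed: the second layout from the answer (private linknet outside,
# private DMZs, a routed public /28 carved from the top of the range).
PROPOSED = make_plan({
    "External": "10.0.0.1/30",
    "DMZ1": "10.11.107.1/24",
    "DMZ2": "10.11.113.1/24",
    "DMZ3": "63.0.0.241/28",
})

# Constructed: the original poster's attempt, with the whole public /24 on
# External and a /28 of the same range on a new DMZ interface.
FAILED_ATTEMPT = make_plan({
    "External": "63.0.0.1/24",
    "DMZ1": "10.11.107.1/24",
    "DMZ2": "10.11.113.1/24",
    "DMZ3": "63.0.0.113/28",
})

# Constructed: static NAT rules, public -> private, taken from the low end of the range.
NAT_RULES = {
    "NAT1": ("63.0.0.1", "10.11.107.2"),
    "NAT2": ("63.0.0.2", "10.11.113.5"),
}


def check_plan(interfaces, nat_rules, isp_routed):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    names = list(interfaces)

    # 1. Interface subnets must not overlap each other (this is what fails the commit).
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if interfaces[a].network.overlaps(interfaces[b].network):
                problems.append(
                    f"{a} ({interfaces[a].network}) overlaps {b} ({interfaces[b].network})")

    # 2. A public subnet configured directly on an interface must be part of the
    #    range the ISP routes to us, otherwise return traffic never arrives.
    for name, iface in interfaces.items():
        if iface.network.is_global and not iface.network.subnet_of(isp_routed):
            problems.append(
                f"{name} uses public {iface.network} outside ISP-routed {isp_routed}")

    # 3. Each NAT public address must be inside the ISP-routed range, must not sit
    #    inside a subnet that is routed directly on an interface (it would collide
    #    with a real host there), and its private side must be reachable via a DMZ.
    private_nets = [iface.network for iface in interfaces.values() if iface.network.is_private]
    for name, (public, private) in nat_rules.items():
        pub = ipaddress.ip_address(public)
        priv = ipaddress.ip_address(private)
        if pub not in isp_routed:
            problems.append(f"{name} public {pub} is not inside ISP-routed {isp_routed}")
        for iname, iface in interfaces.items():
            if pub in iface.network:
                problems.append(
                    f"{name} public {pub} falls inside routed interface {iname} ({iface.network})")
        if not any(priv in net for net in private_nets):
            problems.append(f"{name} private {priv} is not in any directly connected private subnet")
    return problems


if __name__ == "__main__":
    for label, plan in (("proposed", PROPOSED), ("failed attempt", FAILED_ATTEMPT)):
        found = check_plan(plan, NAT_RULES, ISP_ROUTED)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run as a script it reports the proposed layout as clean and lists, for the failing attempt, the External/DMZ3 overlap plus the NAT public addresses that now collide with the directly routed /24. Extending `NAT_RULES` and the plan dictionaries with the real values is enough to check a different split of the range before committing it on the firewall.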