Source NAT with Pool


For example, we use 110.110.110.0/24 as the internet-facing interface.

What is the difference between

110.110.110.30/24 and 110.110.110.30/32

Which one is correct? When I configured /24, it seems conflict logs were displayed.


Accepted Solutions

Hi @nattapong_thi ,

When you use Dynamic IP and Port for source NAT, you have two options for defining which address is used for translation:

- Interface address - if you select this one, you tell the firewall to use the IP assigned to that particular interface for translation. In this case the firewall will translate all internal sources to a single IP - the one configured on the selected interface. In other words, this is many-to-one translation.

- Translated address - if you select this one, the firewall expects you to configure a valid IP pool that it will use for translation. In this case you define how big the pool is. If you use a /32 prefix, this means the pool consists of a single IP, and it is again the same as many-to-one translation. If you use a /24 prefix, this means the pool has 255 available addresses, which the firewall can use for translation - this is many-to-many translation.

110.110.110.30/32 is a valid configuration, because the /32 prefix defines a range of a single IP.

110.110.110.30/24 is not a valid configuration, because the /24 prefix defines a range of 255 IP addresses, so .30 is not the beginning of the prefix, but represents a host in that range.

When you configure your outside interface with 110.110.110.30/24, this is valid, because you are saying the FW is assigned IP .30 from a /24 network, from which the firewall can identify the length of the network, network mask, etc.

In your specific case you can use either of the two:

- Use "Interface address" for the address type and select the outside/untrust interface.

- Use "Translated address" for the type and enter a /32 pool.

 

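As an added illustration (not part of the thread or of any vendor code), the following Python checks a CIDR string the two ways the answer distinguishes: as a translated-address pool, which must begin at the prefix boundary, and as an interface assignment, which is a host inside a prefix. The function and field names are my own, and the prefixes are taken from the thread's example block.

```python
import ipaddress

# Added example (not from the original thread). A translated-address pool must
# start at the first address of its prefix; an interface address is a host inside
# a prefix. Both readings are applied to the thread's 110.110.110.x examples.


def classify_nat_pool(cidr: str) -> dict:
    """Interpret a CIDR string as a source-NAT 'translated address' pool.

    Returns the pool size and translation type, or the reason the entry is not
    a valid pool (the address is a host inside the prefix, not its first address).
    """
    iface = ipaddress.ip_interface(cidr)  # lenient parse: IP plus mask
    network = iface.network               # prefix the address belongs to
    if iface.ip != network.network_address:
        # e.g. 110.110.110.30/24: .30 is a host in 110.110.110.0/24, not the start
        return {
            "valid_pool": False,
            "pool_size": 0,
            "reason": f"{iface.ip} is a host in {network}, not the start of the prefix",
        }
    # strict=True is the library's own version of the same boundary check
    pool = ipaddress.ip_network(cidr, strict=True)
    return {
        "valid_pool": True,
        "pool_size": pool.num_addresses,  # every address in the prefix
        "translation": "many-to-one" if pool.num_addresses == 1 else "many-to-many",
    }


def describe_interface(cidr: str) -> dict:
    """Interpret the same CIDR as an interface assignment: host IP plus its network."""
    iface = ipaddress.ip_interface(cidr)
    return {
        "ip": str(iface.ip),
        "network": str(iface.network),
        "netmask": str(iface.netmask),
    }


if __name__ == "__main__":
    for entry in ("110.110.110.30/32", "110.110.110.30/24", "110.110.110.0/24"):
        print(entry, "as pool ->", classify_nat_pool(entry))
    print("110.110.110.30/24 as interface ->", describe_interface("110.110.110.30/24"))
```

Note that `pool_size` counts every address in the prefix, including the network and broadcast addresses, so a /24 pool reports 256.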
