Static IP configuration


L4 Transporter

I have a question regarding the static IP given by the ISP and how to configure it on the firewall as the external interface IP.

The ISP has given me an IP of X.X.X.120/27. The next-hop gateway is X.X.X.97.

How would you configure this on the firewall, because the other IP addresses in the /27 range appear to be used by other businesses, not mine?

Seems like incorrect ISP design, but this is what I was given.

Cyber Elite

@ce1028,

I would seek some clarification from the ISP if you're being allocated the full /27 or not. There should be a fairly quick response since it's such a simple question. 

 

You could really configure this either way you want. Either method will work perfectly fine and won't cause any issues. Personally I would use /32 just as a way to make it clear you can't use the other addresses. If you ever have someone new come into the environment they may think that you have addresses available for use that you simply don't. Really poor form by your ISP. 

 

1) Configure the untrust interface with the X.X.X.120/27 address as you were provided. As long as you don't configure a NAT statement for an address you don't own, the firewall won't send out any ARP requests for the other addresses.

2) Configure the untrust interface with X.X.X.120/32 and just configure a static route for 0.0.0.0/0 with the next-hop address configured. 
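
An added example, not part of the original post: a Python check of the two options above that also audits NAT rules for translated addresses inside the shared /27 that are not the one owned IP. The 203.0.113.0/24 documentation prefix stands in for the redacted X.X.X, and the NAT rule names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed values: 203.0.113.0/24 (documentation range) stands in for the
# redacted X.X.X prefix; the host parts (.120, .97) match the thread.
OWNED_IP = ipaddress.ip_address("203.0.113.120")
ISP_SUBNET = ipaddress.ip_interface("203.0.113.120/27").network
NEXT_HOP = ipaddress.ip_address("203.0.113.97")

# Constructed NAT rule list (hypothetical names); "translated" is the public
# address each rule would make the firewall answer for.
NAT_RULES = [
    {"name": "outbound-pat", "translated": "203.0.113.120"},
    {"name": "mail-server", "translated": "203.0.113.121"},  # neighbour's IP
    {"name": "old-lab", "translated": "198.51.100.10"},      # outside the /27
]

def next_hop_on_link(interface_cidr, next_hop=NEXT_HOP):
    """True if the next hop is inside the interface's connected network."""
    return next_hop in ipaddress.ip_interface(interface_cidr).network

def audit_nat(rules, owned=OWNED_IP, subnet=ISP_SUBNET):
    """Classify each rule's translated address against what is actually owned."""
    findings = {}
    for rule in rules:
        addr = ipaddress.ip_address(rule["translated"])
        if addr == owned:
            findings[rule["name"]] = "ok"
        elif addr in subnet:
            # Inside the ISP /27 but allocated to another customer.
            findings[rule["name"]] = "not-owned-in-shared-subnet"
        else:
            findings[rule["name"]] = "outside-isp-subnet"
    return findings

if __name__ == "__main__":
    print("ISP subnet:", ISP_SUBNET, "hosts", ISP_SUBNET[1], "-", ISP_SUBNET[-2])
    for cidr in ("203.0.113.120/27", "203.0.113.120/32"):
        print(cidr, "next hop on-link:", next_hop_on_link(cidr))
    for name, verdict in audit_nat(NAT_RULES).items():
        print(name, "->", verdict)
```

With the /32 mask the gateway is no longer inside the interface's connected network, which is the case the static 0.0.0.0/0 route in option 2 covers.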


@BPry 

 

Thank you for the response. This is the exact problem I have: I came in new, saw the /27, and thought we owned those addresses, but we don't.

 

I was considering doing the /32 for the interface IP, but wasn't sure if that would break the connection.  This is a remote site, so I was nervous.  I do have a static route pointing to the gateway.  So you think it's safe to change to /32?

 

Been trying to get in touch with the ISP to figure out why they would do such a thing.

@BPry 

 

I was able to get in touch with the ISP; the /27 is correct, but I only pay for 1 IP. I've requested them to change it but was denied. Poor design from this ISP.
