12-17-2020 10:25 AM - edited 12-17-2020 10:32 AM
I have some questions regarding a static IP given by the ISP and how to configure it on the firewall as the external interface IP.
The ISP has given me an IP of X.X.X.120/27. The next-hop gateway is X.X.X.97.
How would you configure this on the firewall? The other IP addresses in the /27 range appear to be used by other businesses, not mine.
Seems like incorrect ISP design, but this is what I was given.
12-17-2020 11:32 AM
I would seek some clarification from the ISP if you're being allocated the full /27 or not. There should be a fairly quick response since it's such a simple question.
You could really configure this either way you want. Either method will work perfectly fine and won't cause any issues. Personally I would use /32 just as a way to make it clear you can't use the other addresses. If you ever have someone new come into the environment they may think that you have addresses available for use that you simply don't. Really poor form by your ISP.
1) Configure the untrust interface with the X.X.X.120/27 address as you were provided. As long as you don't configure a NAT statement for an address you don't own the firewall won't send out any ARP requests for the other addresses.
2) Configure the untrust interface with X.X.X.120/32 and just configure a static route for 0.0.0.0/0 with the next-hop address configured.
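Added example, not part of any post in this thread: a small Python audit that lists NAT translated addresses falling inside the shared ISP segment but outside the single address actually assigned, which is the condition the reply above says to avoid. The addresses (203.0.113.0/24 documentation range standing in for X.X.X), the rule names and the rule list are constructed; exporting the real NAT rules from the firewall is left to the reader.

```python
import ipaddress


def foreign_nat_addresses(isp_segment, owned, nat_rules):
    """Map rule name -> addresses inside the ISP segment that are not ours.

    isp_segment: the prefix as handed out by the ISP (host bits allowed).
    owned:       addresses actually assigned to this site.
    nat_rules:   (rule_name, translated_address_or_cidr) pairs.
    """
    segment = ipaddress.ip_network(isp_segment, strict=False)
    owned_ips = {ipaddress.ip_address(a) for a in owned}
    findings = {}
    for name, translated in nat_rules:
        net = ipaddress.ip_network(translated, strict=False)
        if not net.overlaps(segment):
            continue  # not on the shared ISP segment at all
        # Two prefixes either nest or are disjoint, so walk the smaller one.
        inner = net if net.prefixlen >= segment.prefixlen else segment
        foreign = [str(ip) for ip in inner if ip not in owned_ips]
        if foreign:
            findings[name] = foreign
    return findings


# Constructed sample data (assumptions, not taken from the thread).
ISP_SEGMENT = "203.0.113.120/27"      # stands in for X.X.X.120/27
OWNED = ["203.0.113.120"]             # the one address being paid for
NAT_RULES = [
    ("outbound-pat", "203.0.113.120"),    # fine: the owned address
    ("web-dnat", "203.0.113.121"),        # a neighbour's address
    ("old-pool", "203.0.113.120/30"),     # pool spilling into neighbours
    ("internal-u-turn", "10.0.0.5"),      # unrelated to the ISP segment
]

if __name__ == "__main__":
    for rule, addrs in foreign_nat_addresses(ISP_SEGMENT, OWNED, NAT_RULES).items():
        print(f"{rule}: uses addresses not assigned to this site: {', '.join(addrs)}")
```

The check is independent of whether the interface itself is configured as /27 or /32, because it compares against the ISP's segment rather than the interface mask.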
12-17-2020 11:40 AM
Thank you for the response. This is the exact problem I have: I came in new, saw the /27 and thought we owned those addresses, but we don't.
I was considering doing the /32 for the interface IP, but wasn't sure if that would break the connection. This is a remote site, so I was nervous. I do have a static route pointing to the gateway. So you think it's safe to change to /32?
Been trying to get in touch with the ISP to figure out why they would do such a thing.
12-18-2020 08:44 AM
I was able to get in touch with the ISP. The /27 is correct, but I only pay for 1 IP. I've requested them to change it but was denied. Poor design from this ISP.