Subnetting /27 from ISP

wavewave Posts: 342Member
in CCNP
Hey guys,

I just need to double-check my design here...

We're having a new Ethernet internet service provisioned and the ISP is handing us a /27.

We have a Cisco ISR which this service will connect to and I need to split the /27 into two /28's. I can do this without notifying the ISP right? Because all they need to know is they're pushing e.g 68.43.5.0/27 to me and

So on our ISR I would have e.g

fa0/0 68.43.5.2/27 - gateway 68.43.5.1/27

fa0/1.1 68.43.5.3/28 (web servers etc)

fa0/1.2 68.43.5.17/28 (used for NAT pool for client PCs)

I would have a default route pointing to 68.43.5.1 out fa0/0
ROUTE Passed 1 May 2012
SWITCH Passed 25 September 2012
TSHOOT Passed 23 October 2012
Taking CCNA Security in April 2013 then studying for the CISSP

Comments

  • networker050184networker050184 Posts: 11,962Mod Mod
    The router isn't going to let you overlap the subnets on different interfaces.
    An expert is a man who has made all the mistakes which can be made.
  • HeeroHeero Posts: 486Member
    do 1 to 1 static NAT for those addresses. Connection to ISP would be 68.43.5.2. First address is ISP gateway, second is your ASR, the rest would be NATed to whatever internal address you want it to map to.
  • wavewave Posts: 342Member
    networker050184 wrote: »
    The router isn't going to let you overlap the subnets on different interfaces.

    Duh! You're right...I clearly need an afternoon caffeine hit!
    ROUTE Passed 1 May 2012
    SWITCH Passed 25 September 2012
    TSHOOT Passed 23 October 2012
    Taking CCNA Security in April 2013 then studying for the CISSP
  • wavewave Posts: 342Member
    Heero wrote: »
    do 1 to 1 static NAT for those addresses. Connection to ISP would be 68.43.5.2. First address is ISP gateway, second is your ASR, the rest would be NATed to whatever internal address you want it to map to.

    Ideally I would like to avoid using NAT. Perhaps I could have the ISP break it into two /28's and give me a /30 for my fa0/0 point-to-point to them? ...and I could use the two /28's on two other router interfaces.
    ROUTE Passed 1 May 2012
    SWITCH Passed 25 September 2012
    TSHOOT Passed 23 October 2012
    Taking CCNA Security in April 2013 then studying for the CISSP
  • networker050184networker050184 Posts: 11,962Mod Mod
    Just tell them you want a /30 for the uplink and to route the /27 to you. Then you can do what you want on the inside with it.
    An expert is a man who has made all the mistakes which can be made.
  • ChooseLifeChooseLife Posts: 941Member ■■■■■■■□□□
    Heero wrote: »
    do 1 to 1 static NAT for those addresses. Connection to ISP would be 68.43.5.2. First address is ISP gateway, second is your ASR, the rest would be NATed to whatever internal address you want it to map to.
    +1, this is a very (most?) common implementation, and the gateway device is usually a multizone firewall because otherwise you will need multiple firewalls for web servers and clients.
    In this set up, public IPs are assigned on the firewall's fa0/0 interface, then some of them are NAT'ed to servers in DMZ(s), while others are used for NAT'ing internal network.
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    GetCertified4Less     - discounted vouchers for certs
  • wavewave Posts: 342Member
    networker050184 wrote: »
    Just tell them you want a /30 for the uplink and to route the /27 to you. Then you can do what you want on the inside with it.

    Roger that
    ROUTE Passed 1 May 2012
    SWITCH Passed 25 September 2012
    TSHOOT Passed 23 October 2012
    Taking CCNA Security in April 2013 then studying for the CISSP
  • wavewave Posts: 342Member
    ChooseLife wrote: »
    +1, this is a very (most?) common implementation, and the gateway device is usually a multizone firewall because otherwise you will need multiple firewalls for web servers and clients.
    In this set up, public IPs are assigned on the firewall's fa0/0 interface, then some of them are NAT'ed to servers in DMZ(s), while others are used for NAT'ing internal network.

    You can run into problems with some server applications, Internet serving DNS for example, if you're not able to bind the public IP to the server.
    ROUTE Passed 1 May 2012
    SWITCH Passed 25 September 2012
    TSHOOT Passed 23 October 2012
    Taking CCNA Security in April 2013 then studying for the CISSP
  • JeanMJeanM Posts: 1,117Member
    wave wrote: »
    You can run into problems with some server applications, Internet serving DNS for example, if you're not able to bind the public IP to the server.

    Q: but then are you opening up your box potential sec issues since it's not behind nat/firewall?
    2015 goals - ccna voice / vmware vcp.
  • HeeroHeero Posts: 486Member
    You can have a firewall without NAT, and hosts have firewalls as well.
  • wavewave Posts: 342Member
    JeanM wrote: »
    Q: but then are you opening up your box potential sec issues since it's not behind nat/firewall?

    Exactly as Heero mentioned. You can still even use a hardware firewall appliance. Don't think of NAT as a security mechanism, because it really isn't one.
    ROUTE Passed 1 May 2012
    SWITCH Passed 25 September 2012
    TSHOOT Passed 23 October 2012
    Taking CCNA Security in April 2013 then studying for the CISSP
  • JeanMJeanM Posts: 1,117Member
    Good point, was just thinking out loud.
    2015 goals - ccna voice / vmware vcp.
  • ChooseLifeChooseLife Posts: 941Member ■■■■■■■□□□
    wave wrote: »
    You can run into problems with some server applications, Internet serving DNS for example, if you're not able to bind the public IP to the server.
    I'm curious, could you elaborate on the problems? I managed Internet-facing DNS behind NAT in the past, do not recall having any issues with that.
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    GetCertified4Less     - discounted vouchers for certs
  • wavewave Posts: 342Member
    ChooseLife wrote: »
    I'm curious, could you elaborate on the problems? I managed Internet-facing DNS behind NAT in the past, do not recall having any issues with that.

    Were you hosting domain names? Was it BIND on *nix?
    ROUTE Passed 1 May 2012
    SWITCH Passed 25 September 2012
    TSHOOT Passed 23 October 2012
    Taking CCNA Security in April 2013 then studying for the CISSP
Sign In or Register to comment.