Subnetting /27 from ISP
Hey guys,
I just need to double-check my design here...
We're having a new Ethernet internet service provisioned and the ISP is handing us a /27.
We have a Cisco ISR which this service will connect to, and I need to split the /27 into two /28s. I can do this without notifying the ISP, right? Because all they need to know is they're pushing e.g. 68.43.5.0/27 to me and
So on our ISR I would have e.g.
fa0/0 68.43.5.2/27 - gateway 68.43.5.1/27
fa0/1.1 68.43.5.3/28 (web servers etc)
fa0/1.2 68.43.5.17/28 (used for NAT pool for client PCs)
I would have a default route pointing to 68.43.5.1 out fa0/0
ROUTE Passed 1 May 2012
SWITCH Passed 25 September 2012
TSHOOT Passed 23 October 2012
Taking CCNA Security in April 2013 then studying for the CISSP
Comments
Duh! You're right...I clearly need an afternoon caffeine hit!
Ideally I would like to avoid using NAT. Perhaps I could have the ISP break it into two /28s and give me a /30 for my fa0/0 point-to-point to them? ...and I could use the two /28s on two other router interfaces.
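As an added illustration (not code posted by anyone in the thread), the Python below uses the standard library's ipaddress module to check the two layouts discussed above: the first, with the /27 on fa0/0 and the two /28s carved from the same /27 on sub-interfaces, and the second, with a separate /30 for the point-to-point link and the whole /27 split into two routed /28s. The 198.51.100.0/30 block is an assumed stand-in for a transit /30 the ISP would have to supply from outside the /27; the 68.43.5.x addresses are the thread's own example values.

```python
"""Check a customer subnet plan against an ISP allocation.

Added example, not from the original thread. The 68.43.5.0/27 addresses
follow the thread's illustration; 198.51.100.0/30 is an assumed
documentation-range block standing in for a transit /30 from the ISP.
"""
from ipaddress import ip_interface, ip_network
from itertools import combinations


def overlapping_pairs(ifaces):
    """Return pairs of interfaces whose connected networks overlap.

    A router cannot hold connected routes for overlapping prefixes on two
    interfaces; IOS rejects the second address as overlapping.
    """
    nets = [(name, ip_interface(addr).network) for name, addr in ifaces]
    return [
        (a_name, b_name)
        for (a_name, a_net), (b_name, b_net) in combinations(nets, 2)
        if a_net.overlaps(b_net)
    ]


def fits_allocation(subnets, allocations):
    """True when every subnet sits inside one of the ISP-provided blocks."""
    return all(
        any(ip_network(s).subnet_of(ip_network(a)) for a in allocations)
        for s in subnets
    )


def split_block(block, new_prefix):
    """Split an allocation into equal subnets, e.g. a /27 into two /28s."""
    return [str(n) for n in ip_network(block).subnets(new_prefix=new_prefix)]


def usable_hosts(addr):
    """Host addresses left on the connected subnet after the router takes one
    (network and broadcast addresses are also excluded)."""
    net = ip_interface(addr).network
    return net.num_addresses - 2 - 1


# First design from the thread: /27 on the WAN side, the two /28s taken
# from the same /27 on sub-interfaces. The /28s both sit inside the /27.
FIRST_DESIGN = [
    ("fa0/0", "68.43.5.2/27"),
    ("fa0/1.1", "68.43.5.3/28"),
    ("fa0/1.2", "68.43.5.17/28"),
]

# Second idea: a separate /30 for the point-to-point link (assumed block),
# leaving the whole /27 free to be split into two routed /28s.
SECOND_DESIGN = [
    ("fa0/0", "198.51.100.2/30"),  # assumed ISP transit /30
    ("fa0/1.1", "68.43.5.1/28"),
    ("fa0/1.2", "68.43.5.17/28"),
]

if __name__ == "__main__":
    print("/27 split:", split_block("68.43.5.0/27", 28))
    print("first design overlaps:", overlapping_pairs(FIRST_DESIGN))
    print("second design overlaps:", overlapping_pairs(SECOND_DESIGN))
    # A /30 plus two /28s is 36 addresses, so the transit link cannot
    # also come out of the /27; the ISP has to provide it separately.
    print("/30 fits in the /27 too:",
          fits_allocation(["68.43.5.0/28", "68.43.5.16/28", "198.51.100.0/30"],
                          ["68.43.5.0/27"]))
```

Running it shows the first layout failing because fa0/0's /27 overlaps both /28s, while the second layout has no overlaps; the final check makes the arithmetic point that a /30 and two /28s do not fit inside one /27, so the point-to-point block has to come from the ISP in addition to the /27.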
In this setup, public IPs are assigned on the firewall's fa0/0 interface, then some of them are NAT'd to servers in the DMZ(s), while others are used for NATing the internal network.
Roger that
You can run into problems with some server applications, Internet serving DNS for example, if you're not able to bind the public IP to the server.
Q: But then are you opening up your box to potential security issues, since it's not behind NAT/a firewall?
Exactly as Heero mentioned. You can still even use a hardware firewall appliance. Don't think of NAT as a security mechanism, because it really isn't one.
Were you hosting domain names? Was it BIND on *nix?