Subnetting /27 from ISP

Hey guys,

I just need to double-check my design here...

We're having a new Ethernet internet service provisioned and the ISP is handing us a /27.

We have a Cisco ISR which this service will connect to and I need to split the /27 into two /28's. I can do this without notifying the ISP right? Because all they need to know is they're pushing e.g 68.43.5.0/27 to me and

So on our ISR I would have e.g

fa0/0 68.43.5.2/27 - gateway 68.43.5.1/27

fa0/1.1 68.43.5.3/28 (web servers etc)

fa0/1.2 68.43.5.17/28 (used for NAT pool for client PCs)

I would have a default route pointing to 68.43.5.1 out fa0/0

Find more posts tagged with

Comments

networker050184

The router isn't going to let you overlap the subnets on different interfaces.

Heero

do 1 to 1 static NAT for those addresses. Connection to ISP would be 68.43.5.2. First address is ISP gateway, second is your ASR, the rest would be NATed to whatever internal address you want it to map to.

wave

networker050184 wrote: »

The router isn't going to let you overlap the subnets on different interfaces.

Duh! You're right...I clearly need an afternoon caffeine hit!

wave

Heero wrote: »

do 1 to 1 static NAT for those addresses. Connection to ISP would be 68.43.5.2. First address is ISP gateway, second is your ASR, the rest would be NATed to whatever internal address you want it to map to.

Ideally I would like to avoid using NAT. Perhaps I could have the ISP break it into two /28's and give me a /30 for my fa0/0 point-to-point to them? ...and I could use the two /28's on two other router interfaces.

networker050184

Just tell them you want a /30 for the uplink and to route the /27 to you. Then you can do what you want on the inside with it.

ChooseLife

Heero wrote: »

do 1 to 1 static NAT for those addresses. Connection to ISP would be 68.43.5.2. First address is ISP gateway, second is your ASR, the rest would be NATed to whatever internal address you want it to map to.

+1, this is a very (most?) common implementation, and the gateway device is usually a multizone firewall because otherwise you will need multiple firewalls for web servers and clients.
In this set up, public IPs are assigned on the firewall's fa0/0 interface, then some of them are NAT'ed to servers in DMZ(s), while others are used for NAT'ing internal network.

wave

networker050184 wrote: »

Just tell them you want a /30 for the uplink and to route the /27 to you. Then you can do what you want on the inside with it.

Roger that

wave

ChooseLife wrote: »

+1, this is a very (most?) common implementation, and the gateway device is usually a multizone firewall because otherwise you will need multiple firewalls for web servers and clients.
In this set up, public IPs are assigned on the firewall's fa0/0 interface, then some of them are NAT'ed to servers in DMZ(s), while others are used for NAT'ing internal network.

You can run into problems with some server applications, Internet serving DNS for example, if you're not able to bind the public IP to the server.

JeanM

wave wrote: »

You can run into problems with some server applications, Internet serving DNS for example, if you're not able to bind the public IP to the server.

Q: but then are you opening up your box potential sec issues since it's not behind nat/firewall?

Heero

You can have a firewall without NAT, and hosts have firewalls as well.

wave

JeanM wrote: »

Q: but then are you opening up your box potential sec issues since it's not behind nat/firewall?

Exactly as Heero mentioned. You can still even use a hardware firewall appliance. Don't think of NAT as a security mechanism, because it really isn't one.

JeanM

Good point, was just thinking out loud.

ChooseLife

wave wrote: »

You can run into problems with some server applications, Internet serving DNS for example, if you're not able to bind the public IP to the server.

I'm curious, could you elaborate on the problems? I managed Internet-facing DNS behind NAT in the past, do not recall having any issues with that.

wave

ChooseLife wrote: »

I'm curious, could you elaborate on the problems? I managed Internet-facing DNS behind NAT in the past, do not recall having any issues with that.

Were you hosting domain names? Was it BIND on *nix?