
Understanding Firewall / IPs / NAT and basic concept 2


michigan (IS-IT--Management, joined Jul 3, 2001, 281 messages)
Hi all -

I really need some help understanding a situation I have got myself into. Though the equipment is not CISCO, I'm really looking for general feedback - and I figured this Cisco expert forum would be the best place to look for assistance.

I currently have a basic setup:

Internet --> DSL Router --> Network

and trying to go to the following setup:

Internet --> DSL Router --> Firewall --> Network

I have 5 IP addresses. I only use one for my internal email server. I'm running NAT at the router. Apparently, I need to change my 5 IP addresses to be available on my LAN (between Firewall and DSL Router) and run NAT at the firewall. When I called our ISP to inquire about this change, they didn't understand what I was talking about. To be honest, I don't understand it myself. I thought once I turned NAT off at the DSL Router, I would be good to go.

From what I understand, I need to have my ISP assign me a "WAN IP" so I can use my other 5 IPs on the inside of my network (between DSL Router and Firewall) ?? Does this sound correct? Or am I asking the wrong questions?

Again, I apologize for this not relating to a Cisco product, but I'm running out of resources. I appreciate your time. TIA.



 
What you're saying is correct. You need to get the ISP to change your DSL connection to route an additional subnet. When they have done that, configure the DSL router with the new subnet on the 'inside' interface and turn off NAT. Then configure your PIX with one of the new IP's from the additional subnet and configure NAT.

Make sense?

 
matioh -

Thank you for the fast reply. Yes, it does make sense. However, when I explained this to the ISP, you would have thought this was the first time anyone had asked this question.

Perhaps I was asking it wrong. When they appeared to not have a clue, it made me 2nd guess my (small) knowledge of the situation. So I hung up, grabbed coffee, and started smoking again. I hate not knowing something 100%.

Again, I truly appreciate your response. Do I need to ask if I may have another block of IP addresses, or only another routed subnet?

My current set of 5 would remain where they are (internet to DSL Router)?




 
HI.

The solutions vary between different DSL implementations in different countries.
Your DSL router has 2 interfaces, WAN and LAN.
The WAN interface can use a single IP address, and this is probably already the situation.
For the range of ip addresses you've got, it is probably a range of 8 addresses (subnet mask 255.255.255.248). The first and last addresses should not be used, so you get 6.
The DSL router LAN interface will use (or is probably currently using) one of those 6 addresses, and you get the 5 other addresses to play with.

So - if this is your situation, then you do not need additional addresses. Here is a sample:
Your range of ip addresses is x.x.x.2-x.x.x.6 (5 addresses).
DSL router WAN ip = assigned by the ISP (not from your pool)
DSL router LAN ip = x.x.x.1
Firewall outside ip = x.x.x.2
Firewall internal ip and other hosts in LAN = use private addressing as was used before.

The addresses x.x.x.3-x.x.x.6 can be mapped by the firewall to internal server, for example mail server.

Bye


Yizhar Hurwitz
 
yizhar -

Thanks for your response.

That is my situation (255.255.255.248). Just to confirm, I do not need another subnet/addresses?

After I drew your suggestion out on paper, I have a couple questions:

First, if my INTERNET --> DSL ROUTER (WAN IP)
Address is x.x.x.1 (subnet) y.y.y.248

And my DSL ROUTER --> FIREWALL
Address is x.x.x.2 (subnet) y.y.y.248


...I thought these can't exist in this manner, because you can't have the same subnet on both sides of a DSL ROUTER?
Or, is this not the issue when NAT is turned off at the router, and then handled at the Firewall? Again, what I thought to be true went out the window on Monday. So, this is now very new, helpful yet confusing @ the same time. I appreciate your assistance.




 
HI.

> That is my situation (255.255.255.248) Just to confirm, I do not need another subnet/addresses?
I'm not sure, you should contact your ISP.
You need the range of 8 addresses (for the network between the router and the pix), and in addition another single ip address for the router WAN ip address.
But again, it depends on the implementation used by your ISP.

> First, if my INTERNET --> DSL ROUTER (WAN IP)
> Address is x.x.x.1 (subnet) y.y.y.248
No - the WAN IP should be different. However, in some implementations the WAN can be without an IP address.

> And my DSL ROUTER --> FIREWALL
> Address is x.x.x.2 (subnet) y.y.y.248
The DSL router ethernet interface will have = x.x.x.1
The firewall external interface will have = x.x.x.2
(Or vice versa, it does not matter).

Contact the ISP - The configuration for the router WAN IP should be whatever the ISP tells you (could be dynamic PPPoE for example);
as long as the internal router address is from the pool you have, and those addresses (the 8 addresses range) are routed to your network.

Bye


Yizhar Hurwitz
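The addressing plan yizhar lays out in his two replies (a routed /29 between the DSL router's LAN side and the firewall's outside interface, the router WAN address coming from the ISP rather than from that block, and the remaining public addresses mapped one-to-one by the firewall to internal servers) worked through as an added example; this is not code from the thread. The block 203.0.113.8/29, the WAN address 198.51.100.7 and the mail server at 192.168.1.10 are constructed sample values from the documentation ranges.

```python
import ipaddress


def plan_routed_block(block: str, wan_ip: str) -> dict:
    """Lay out a routed /29 on the link between the DSL router's LAN side
    and the firewall's outside interface, with NAT done by the firewall.

    block  - the routed range, e.g. "203.0.113.8/29" (constructed sample)
    wan_ip - the router's WAN address, assigned by the ISP outside the block
    """
    net = ipaddress.ip_network(block, strict=True)
    if net.prefixlen != 29:
        raise ValueError(f"expected a /29 (255.255.255.248), got /{net.prefixlen}")
    wan = ipaddress.ip_address(wan_ip)
    # The WAN address comes from the ISP, never from the routed pool itself.
    if wan in net:
        raise ValueError(f"WAN address {wan} must not come from {net}")
    # hosts() drops the network and broadcast addresses: 8 - 2 = 6 usable.
    usable = list(net.hosts())
    router_lan, fw_outside, *nat_pool = usable
    return {
        "netmask": str(net.netmask),
        "router_lan": str(router_lan),
        "fw_outside": str(fw_outside),
        "nat_pool": [str(a) for a in nat_pool],
    }


def static_nat_table(nat_pool: list, servers: dict) -> dict:
    """One-to-one static NAT: each public address in nat_pool is tied to one
    internal server. servers maps a name to its private (RFC 1918) address.
    Refuses non-private inside addresses and more servers than the pool holds."""
    if len(servers) > len(nat_pool):
        raise ValueError("more servers than public addresses in the pool")
    table = {}
    for public, (name, private) in zip(nat_pool, servers.items()):
        inside = ipaddress.ip_address(private)
        if not inside.is_private:
            raise ValueError(f"{name}: {inside} is not a private address")
        table[public] = (name, str(inside))
    return table


if __name__ == "__main__":
    plan = plan_routed_block("203.0.113.8/29", "198.51.100.7")
    print(plan)
    print(static_nat_table(plan["nat_pool"], {"mail": "192.168.1.10"}))
```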
 
Thanks again.

I'm growing more and more confused. Yet, your feedback/suggestions have been very helpful - and provide me with more knowledge to at least present to these other consultants I've hired.

(why they didn't think of these, I don't know)

Have a great day.
 