Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Practical difference? Public IP vlan vs. Privat IP w/ NAT 1

Status
Not open for further replies.
JMCraig

JMCraig

Programmer
Feb 20, 2002
217
US
Hi Folks,

I'm in the process of replacing a PIX 501 /w an ASA 5505 (basic license). My ISP routes two different blocks of IPs through to my one ISP port:
x.x.x.128/29
x.x.x.176/29

On the old PIX, I could only use the first of these blocks (got them to set up the 2nd block in anticipation of using the ASA 5505 w/ its DMZ optiion). With the PIX I have the inside network assigned to x.x.x.128/29 and the inside interface itself assigned the IP x.x.x.129; the other usable public IP's in the block (130-134) assigned to NICs on boxes connected right to the inside interface.

Now, w/ the ASA 5505, the corresponding setup would be to put the x.x.x.128/29 IPs on gear attached to the inside VLAN (the inside interface itself gets the x.x.x.129 IP just as it had on the PIX). And, by the same token, I now can set up the x.x.x.176/29 IPs on gear attached to the DMZ VLAN (with the DMZ interface taking the x.x.x.177 IP).

So, my question is this: Is there any practical difference between doing that (as far as traffic between the boxes using the public IPs and the Internet) vs. setting up the inside & DMZ VLANs as (for instance) 192.168.1.0/24 and the DMZ vlan as 192.168.2.0/24 along with appropriate static NAT rules to translate the public IP to the corresponding inside IP? (I understand that the DMZ VLAN IPs cannot initiate traffic to the inside VLAN IPs; that's fine.)

My thought is there should not be any difference between explicit assignment of the public IPs to the VLANs vs. using private IPs on the VLANs w/ NAT, right? (I recognize that if the use of private IPs w/ NAT will work, that I'd have a lot more available private IPs directly on the inside and DMZ vlans--that'd be nice, but it's not absolutely required.) My ISP advised me to do the setup the way I did on the PIX initially. I assume they were just trying to save me steps/complications. Or, am I mistaken and there is some reason to have the public subnets assigned directly to the interfaces/VLANs?

Thanks!



John Craig
Alpha-G Consulting, LLC
 
Sort by date Sort by votes
Your typical setup is going to have the public blocks of ip's assigned to the outside interface and have private blocks on the inside and dmz interfaces. You then create the NAT statements as required. Flexibility and conservation are the keys here. Flexible in terms of future needs and conservative use of your public IP addresses. I guess I've never run into a config like you are proposing.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Thanks for taking the time to reply, unclerico.

The outside interface has to be set via DHCP; I don't have any control over that. The ISP is routing traffic for both the subnets through an internal (to the ISP) IP address that I don't have any control over either. So, the outside interface isn't something whose IP address I can set one way vs. another.

Setting the inside and dmz interfaces to the first IP in the public block does work. It's up and functional this morning (mostly; some odd issues with lapses in DNS functions are happening).

Assuming it would work, the approach of using private IP subnets with NAT seems like the way to go. (But it's a tricky thing to try out another approach since I need to keep the non-functional transition times as short as possible). So I was hoping someone on this forum would have some experience/insight to bring to bear. (I continue to be impressed with the complexity of the whole IP routing question and the variety of ways things are set up in different environments. I'm going to get with the routing specialists at the ISP today--as I was working with the late-night generalist over the weekend when I set up the ASA 5505 late Saturday night. He freely admitted he didn't have a lot of experience, but his belief was that the inside and dmz interfaces had to have the public IPs for it to all work.)

John Craig
Alpha-G Consulting, LLC
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
266
Sameer258
Sameer258
XLNTech1
  • Locked
  • Question
iptables port forwarding
Replies
0
Views
235
XLNTech1
XLNTech1
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
283
Johnkite
Johnkite
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
309
intel233
intel233
Russtoleum
  • Locked
  • Question
SW GVC won't route traffic through sonicwall to offsite tunnel unless it leases an ip on the same su
Replies
1
Views
91
Russtoleum
Russtoleum

Part and Inventory Search

Sponsor

Back
Top