Handing a public IP address off to another firewall behind the primary firewall

Problem: Your ISP has assigned you a block of static public IP addresses (typically a /29) and you need to give one of those addresses to a firewall or other device that sits behind your primary (edge) firewall.

Solution: There are two typical ways to do this: static NAT, or breaking the /29 into /30s and routing one of them inward. Let me explain both with scenarios I have recently dealt with.

Scenario 1 - I have two buildings that require internet and each building has a firewall in it. However, I only have one source of internet, and it terminates in building 1. Building 1 and building 2 are connected by a fiber link. I wanted building 2 to have one of the static IP addresses from building 1. The interfaces connecting the two firewalls were given addresses on the same local (private) subnet: for example, the building 1 interface was 172.16.0.1 and the building 2 interface was 172.16.0.2. All I had to do was create a static (one-to-one) NAT on the building 1 firewall that takes all traffic arriving for one of the public static IP addresses and sends it to 172.16.0.2, which also makes traffic leaving 172.16.0.2 appear to come from that public address. Do not forget to set up dynamic NAT in building 1 so the rest of the 172.16.0.x subnet is translated to the public (external) interface address, and make sure the static NAT for 172.16.0.2 is matched before that dynamic NAT; otherwise building 2's outbound traffic is hidden behind building 1's address instead of its own. Keep in mind that with this method the building 1 firewall's inbound policies decide what reaches building 2 at all, so they need to allow (or deliberately restrict) the traffic you expect building 2's firewall to handle.

Scenario 2 - I have the internet coming into our primary firewall with a block of static IP addresses (/29). There is another firewall behind it that also needs one of the public IP addresses. I cannot use the method from scenario 1 because the firewall behind mine is not mine: I do not have credentials to edit its config, and its interface facing the primary firewall is already configured with one of the public IP addresses from the /29 the ISP gave me. Conceptually, all you have to do is break the /29 into /30s and re-address the interfaces to match. So, the primary firewall's interface toward the second firewall was assigned one of the static IP addresses with a /30 mask, and the second firewall kept its public IP address from the same /30, with its default gateway set to the primary firewall's interface address. Two caveats: this is only straightforward if the ISP routes the /29 to your primary firewall's WAN address (a routed block) rather than using the /29 as the subnet on the ISP-facing link itself (in that case the primary would have to proxy-ARP for the addresses it moved inside), and each /30 spends two addresses on network and broadcast, so the /29's six usable addresses become four. Do not forget to create any policies required for inbound/outbound traffic on the primary firewall, and exclude the new /30 from the primary firewall's outbound dynamic NAT so the second firewall's already-public address is not translated a second time.
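The following is an added worked example, not code from the original post. It uses the RFC 5737 documentation block 203.0.113.8/29 as a constructed stand-in for the ISP-assigned /29, a 172.16.0.0/30 transit link for scenario 1, and emits Linux nftables and iproute2 commands with placeholder interface names (eth0 = WAN, eth1 = link to the second firewall); the post does not name the firewall vendor, so the syntax stands in for whatever your firewall uses to express the same NATs and policies. It shows the subnet arithmetic of the /30 split, the rule ordering that keeps the static NAT ahead of the dynamic NAT in scenario 1, and the NAT exemption for the routed /30 in scenario 2.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for the ISP-assigned /29 (RFC 5737 documentation space, not a real block).
ISP_BLOCK = ipaddress.ip_network("203.0.113.8/29")


def usable_hosts(net: ipaddress.IPv4Network) -> List[ipaddress.IPv4Address]:
    """Addresses usable for hosts: network and broadcast excluded (for /30 and shorter)."""
    return list(net.hosts())


def split_into_30s(block: ipaddress.IPv4Network) -> List[ipaddress.IPv4Network]:
    """Scenario 2, step 1: carve the ISP block into /30s.  Every /30 spends two addresses on
    network and broadcast, so a /29 (6 usable) becomes two /30s with 2 usable each (4 total)."""
    if block.prefixlen > 30:
        raise ValueError("block is already smaller than a /30")
    return list(block.subnets(new_prefix=30))


def scenario1_static_nat(block, public_ip, transit_net, inside_ip, edge_wan_ip,
                         wan_if="eth0", transit_if="eth1") -> List[str]:
    """Scenario 1: one-to-one static NAT of `public_ip` to the second firewall's transit-link
    address, plus the dynamic NAT for the rest of the transit subnet.  Returns nftables rules
    (assumed syntax; interface names are placeholders) in the order they must be evaluated."""
    public_ip, inside_ip, edge_wan_ip = map(ipaddress.ip_address, (public_ip, inside_ip, edge_wan_ip))
    transit_net = ipaddress.ip_network(transit_net)
    if public_ip not in block or edge_wan_ip not in block:
        raise ValueError("public addresses must come from the ISP block")
    if public_ip == edge_wan_ip:
        raise ValueError("the handed-off address cannot be the edge firewall's own WAN address")
    if inside_ip not in transit_net:
        raise ValueError("the second firewall must sit on the transit subnet")
    return [
        # Inbound: anything arriving on the WAN for the handed-off address goes to the second firewall.
        f'nft add rule ip nat prerouting iifname "{wan_if}" ip daddr {public_ip} dnat to {inside_ip}',
        # Outbound, evaluated first: the second firewall leaves with its own public address ...
        f'nft add rule ip nat postrouting oifname "{wan_if}" ip saddr {inside_ip} snat to {public_ip}',
        # ... and only then the catch-all dynamic NAT for the rest of the transit subnet.  If this
        # rule came first it would also match inside_ip and hide it behind the edge WAN address.
        f'nft add rule ip nat postrouting oifname "{wan_if}" ip saddr {transit_net} snat to {edge_wan_ip}',
        # DNAT only rewrites the destination; the edge firewall's forward policy still decides what
        # gets through.  Narrow this "accept" to the ports the second firewall should see if you do
        # not want to delegate all filtering to it.
        f'nft add rule ip filter forward iifname "{wan_if}" oifname "{transit_if}" ip daddr {inside_ip} accept',
    ]


def scenario2_routed_30(block, link_index=1, wan_if="eth0", link_if="eth1") -> Tuple[Dict, List[str]]:
    """Scenario 2: one of the /30s becomes the link between the firewalls.  The primary takes
    the first usable address, the second firewall the second, with the primary as its default
    gateway.  Assumes the ISP routes the whole block to the primary's WAN address (a routed
    block), so the primary can route the /30 inward without any proxy ARP."""
    subnets = split_into_30s(block)
    link = subnets[link_index]
    primary_ip, second_ip = usable_hosts(link)
    plan = {
        "link": link,
        "primary_ip": primary_ip,
        "second_fw_ip": second_ip,
        "second_fw_gateway": primary_ip,
        "remaining": [s for s in subnets if s != link],
    }
    commands = [
        f"ip addr add {primary_ip}/{link.prefixlen} dev {link_if}",
        # The /30 is directly connected, so no static route is needed.  What is needed is that the
        # primary's outbound dynamic NAT leaves traffic already sourced from public addresses alone:
        # this rule must sit before any masquerade/snat rule on the WAN interface.
        f'nft add rule ip nat postrouting oifname "{wan_if}" ip saddr {link} accept',
        # Policies: the second firewall is now reachable by its public address through this box.
        f'nft add rule ip filter forward iifname "{wan_if}" oifname "{link_if}" ip daddr {second_ip} accept',
        f'nft add rule ip filter forward iifname "{link_if}" oifname "{wan_if}" ip saddr {second_ip} accept',
    ]
    return plan, commands


if __name__ == "__main__":
    print(f"{ISP_BLOCK}: {len(usable_hosts(ISP_BLOCK))} usable addresses")
    for sub in split_into_30s(ISP_BLOCK):
        print(f"  {sub}: usable {[str(h) for h in usable_hosts(sub)]}")
    print("\nScenario 1 (edge WAN 203.0.113.9, hand off 203.0.113.10 to 172.16.0.2):")
    for rule in scenario1_static_nat(ISP_BLOCK, "203.0.113.10", "172.16.0.0/30", "172.16.0.2", "203.0.113.9"):
        print("  " + rule)
    plan, cmds = scenario2_routed_30(ISP_BLOCK)
    print(f"\nScenario 2: link {plan['link']}, primary {plan['primary_ip']}, "
          f"second firewall {plan['second_fw_ip']} via {plan['second_fw_gateway']}")
    for cmd in cmds:
        print("  " + cmd)
```

Running it stand-alone prints the addressing plan for both scenarios. The point to take from the scenario 1 rules is the order of the two postrouting rules; the point from scenario 2 is that the link /30 gets an explicit NAT exemption and that only four of the six usable addresses survive the split.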


about the author

admin
