Static NAT for a /30
-
Say I purchase a /30 block from my ISP. How do I set that up on an ASA or router? I've seen on other sites a method where the external interface gets an assigned address from the ISP not in the CIDR block, and then static routes are created translating each of the 2 usable addresses to one of 2 internal servers with private IPs.
Does that sound correct? How would this change if I bought a /29 or /28 or even larger? At what point do I have the CIDR block assigned to an actual LAN instead of static routes?
-
You would Overload NAT for one of the 2 IP addresses, and internally you would just assign yourself whatever network address schema you need; for example, you would give 172.20.0.0 255.255.255.0 to your internal network and overload the one address to allow these to be routed on the internet. Of course, since you have 2 addresses, you could also statically NAT map the other address to one of the internal IP addresses.
-
Michael,
There are a few different scenarios that ISPs follow when assigning IP blocks. Here is a quick summary of the most common ones:
- With a /30 you typically only get one IP which you attach to the external interface of your router/firewall. The other IP represents the ISP's end of the point-to-point WAN link.
- Some ISPs will assign you RFC 1918 Private IPs and then perform static NAT mappings to connect public IPs to your private IPs. This is not always a true /30 as they could easily assign IPs from many different blocks to your hosts. This gives the ISP and the customer more flexibility as you can get IP blocks of non-standard sizes like 3, 12, 100, etc. You can also quickly expand the amount of public IPs without having to route new subnets.
- When requesting a larger block (like a /28) many ISPs will assign an additional /30 alongside your requested block. The /30 will be used to handle the point-to-point WAN connection between the ISP and the external interface of your router/firewall. The /28 can then be directly attached to your internal interface. You would assign one of the /28 addresses to your internal interface and use that as the default gateway for all internal hosts assigned public IPs.
- A variation of #3 is where a /30 is used for the point-to-point WAN link, and the /28 (or whatever) is also attached to the WAN link. In this scenario, your router/firewall would use RFC 1918 addresses on the internal interface and you would configure one-to-one static NAT mappings for any internal hosts that needed a static IP. You would typically reserve one address for Dynamic NAT for the remainder of your hosts, but I usually use the /30 address on the WAN interface.
I am sure there are other scenarios out there, but those are the most common ones I have seen. Let me know if you need me to elaborate on any of those.
Don Pezet
Host, ITProTV
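One concrete way to build the last scenario in Don's reply (a /30 for the WAN link, a larger public block also on the WAN link, RFC 1918 inside, one-to-one static NAT plus overload) on a Cisco IOS router. This is an added example, not configuration from the thread or from ITProTV; all addresses are constructed (RFC 5737 documentation ranges, plus the 172.20.0.0/24 used in the first reply) and the interface names are assumptions.

```cisco
! Added example, not from the thread. Constructed addressing:
!   ISP point-to-point /30:  203.0.113.0/30  (ISP side .1, our WAN side .2)
!   Public block /28:        198.51.100.0/28 (also on the WAN link, per the scenario)
!   Internal LAN:            172.20.0.0/24   (RFC 1918, as in the first reply)
!
interface GigabitEthernet0/0
 description WAN to ISP
 ip address 203.0.113.2 255.255.255.252
 ! Secondary address from the /28 so the router answers ARP for the
 ! static-NAT addresses on the WAN segment. If the ISP instead routes
 ! the /28 to 203.0.113.2, this secondary address is not needed.
 ip address 198.51.100.1 255.255.255.240 secondary
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside LAN, default gateway for internal hosts
 ip address 172.20.0.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! One-to-one static NAT: public 198.51.100.10 <-> internal server 172.20.0.10.
! This exposes every port on 172.20.0.10; filter inbound on the WAN
! interface (ACL or zone-based firewall) so only intended services are reachable.
ip nat inside source static 172.20.0.10 198.51.100.10
!
! Dynamic NAT (PAT) for all other internal hosts, using the WAN /30 address,
! which leaves the whole /28 free for one-to-one mappings.
access-list 10 permit 172.20.0.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
```

Verify translations with `show ip nat translations` and confirm the router owns the public addresses with `show ip alias`; on an ASA the same design is expressed with object NAT instead of `ip nat inside source`.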
-
Thanks Don, that makes a lot of sense. I've been reading through some Cisco docs on internet edge design for enterprise out of curiosity, but I was a bit confused about how the ISPs generally work. Really looking forward to the CCNP!