05-19-2009 12:36 PM
They provided me with 2 IP blocks on the circuit spec sheet:
** WAN **
ISP side: 220.127.116.11
Customer side: 18.104.22.168
** LAN **
Customer gateway: 22.214.171.124
Usable range: 126.96.36.199 - 188.8.131.52
I was able to obtain Internet connectivity by assigning the 184.108.40.206 address to my untrust interface in the untrust zone and then setting my default route 0.0.0.0/0 to 220.127.116.11.
My question is, how do I use the LAN (funny name since they are publicly routable) addresses as I need for DMZ or mapped IP for hosts in my trust zone? Oh, and how does the LAN gateway end up being used?
This setup makes much more sense to me when there's some ISP-owned equipment to terminate the WAN connection. In that instance, I've never had to worry about anything but the "LAN" portion, but now I need help!
05-19-2009 08:39 PM - edited 05-19-2009 08:42 PM
Your WAN interface is the /30. The LAN allocation they gave you can be defined either logically via a loopback, a physical network from an interface on the SSG, or a combination of both. Your ISP should be routing that /28 address to your untrust interface.
Their specification of a LAN gateway is just a specification. You can define any address in that block other than the network or broadcast address as the gateway. It's just best to pick either the first usable or the last.
Here are 3 different scenarios.
Use of the loopback interface to provide a holding spot for MIPs for access to your trust network.
For MIPs to your trust. Assign the LAN block to a loopback interface and create your MIPs from there.
set int loop.1 zone untrust
set int loop.1 ip 18.104.22.168/28
You may want to make the interface pingable during testing to verify routing.
set int loop.1 manage ping
set int loop.1 mip 22.214.171.124 host 10.1.1.1 netmask 255.255.255.255 vr trust-vr
To ping the interface, even though you have allowed it to be manageable via ping, you will still need to create an untrust-to-untrust policy to allow it as well. You can go untrust to untrust any, or you can lock it down to a specific protocol.
Then create the MIP policy and you should have access.
Physical DMZ network, with publicly routed LAN block.
From a DMZ, this is just assigning the LAN allocation to an interface. If your DMZ zone is assigned to a different virtual router than the one your untrust interface is in, you will need a route between the virtual routers.
set int e0/2 zone dmz
set int e0/2 ip 126.96.36.199/28
Then create a policy from untrust to dmz, or vice versa for access.
A combination of both.
If you want to do a bit of both, you will need to split your allocation.
So break the 188.8.131.52/28 into 184.108.40.206/29 and 220.127.116.11/29. Then use one block for the loopback and the other for the DMZ.
Hope this helps out.
**If this worked for you please flag my post as an Accepted Solution so others can benefit.**
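The combined scenario above, written out as a complete ScreenOS configuration including the policies the answer only mentions in prose. This is an added example, not the poster's configuration: the documentation ranges 198.51.100.0/30 (WAN) and 203.0.113.0/28 (LAN block) stand in for the real allocation, the interface names, the internal host 10.1.1.1 and the address object "dmz-web" are assumed, and lines starting with "#" are annotations rather than ScreenOS commands.

```screenos
# WAN /30 on the untrust interface, default route to the ISP side
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 198.51.100.2/30
set route 0.0.0.0/0 interface ethernet0/0 gateway 198.51.100.1

# Split the /28 LAN block: 203.0.113.0/29 for the loopback (MIPs to trust),
# 203.0.113.8/29 for the physical DMZ; the ISP routes the whole /28 to us
set interface loopback.1 zone Untrust
set interface loopback.1 ip 203.0.113.1/29
set interface loopback.1 manage ping
# MIP: public 203.0.113.2 is 1:1 mapped to internal host 10.1.1.1 in trust-vr
set interface loopback.1 mip 203.0.113.2 host 10.1.1.1 netmask 255.255.255.255 vr trust-vr

set interface ethernet0/2 zone DMZ
set interface ethernet0/2 ip 203.0.113.9/29
# Address object for one DMZ host (name assumed)
set address "DMZ" "dmz-web" 203.0.113.10 255.255.255.255

# Untrust-to-untrust policy so the loopback answers ping during testing;
# remove or disable it once routing is verified
set policy id 10 from "Untrust" to "Untrust" "Any" "Any" "PING" permit log
# Inbound to the MIP'd trust host: only the services it actually offers, logged
set policy id 11 from "Untrust" to "Trust" "Any" "MIP(203.0.113.2)" "HTTP" permit log
set policy id 12 from "Untrust" to "Trust" "Any" "MIP(203.0.113.2)" "HTTPS" permit log
# Inbound to the DMZ host, same principle
set policy id 20 from "Untrust" to "DMZ" "Any" "dmz-web" "HTTP" permit log
```

The "log" keyword on each permit policy is what lets you later see which public address was hit and from where; a MIP is a static 1:1 NAT, so the policy list is the only thing standing between the Internet and the inside host.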
05-20-2009 07:29 AM
Very helpful. Thanks for explaining all of the different options. I couldn't get out of my mind the idea that this would require 2 routers (or two vrouters), but you helped me understand more of the options.