With a dedicated Internet connection (e.g. T1/E1 or DS3/E3) and with some xDSL plans, you may receive two different subnets from your ISP. One is for the WAN link between your network and the ISP.

With a dedicated Internet connection over a T1/E1 or faster circuit, the WAN subnet is typically a /30 network, since the circuit is point-to-point. Note that the WAN subnet can be larger than /30, especially with an xDSL plan.

The other subnet you receive from the ISP is your Public IP Block. This block could be a /29, /28, or /27 network, depending on which plan or subnet size you choose.

There is a router that connects to your ISP. This router has two Layer-3 interfaces: one faces your ISP and the other faces your network.

You plan to have a private network that uses private IP addresses (e.g. 10.0.0.0/24, 172.16.1.0/24, or 192.168.4.0/24). Therefore there must be NAT/PAT somewhere in your network between the private IP addresses and the Public IP Block assigned by your ISP.

Your objective is to find a suitable network setup using the IP blocks you receive from your ISP. There are several scenarios to choose from.

For the sake of discussion, let's say you have the following subnets from your ISP:

WAN IP Subnet: 1.1.1.0/30, where 1.1.1.2/30 is your WAN IP address and 1.1.1.1/30 is the ISP gateway
Public IP Block: 2.2.2.0/24

and you plan to use 192.168.0.0/24 as your private subnet. The scenarios follow.

Scenario 1: The router does NAT/PAT

In this scenario, there is a switch behind the router that connects the Private LAN. The router's inside (E0/0) interface is within the Private LAN and also serves as the default gateway for all hosts on the Private LAN.

You configure the router to use 2.2.2.1 as the public PAT address for all Private LAN hosts. You may later assign other addresses within your Public IP Block to other devices such as servers and a VPN Concentrator.

Router configuration

The following is a sample configuration for a router with multiple LAN interfaces. Note that no NAT takes place between the Ethernet0/0 and Ethernet0/1 interfaces, since NAT only occurs when traffic crosses from an interface configured with ip nat inside to one configured with ip nat outside (or vice versa).

Router configuration
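The router configuration for Scenario 1, written here as an added example rather than the FAQ's own configuration. It assumes the WAN circuit terminates on Serial0/0, and it adds a hypothetical second LAN (192.168.2.0/24 on Ethernet0/1) to show the multiple-LAN-interface point: both LAN interfaces are ip nat inside, so traffic between them is routed untranslated, while anything heading for Serial0/0 is PATed to 2.2.2.1. The static translation at the end is a hypothetical server address; the addresses 1.1.1.x, 2.2.2.x and 192.168.0.0/24 come from the FAQ.

```cisco
! Added example: Scenario 1, the router itself does NAT/PAT.
! Assumed: WAN on Serial0/0; 192.168.2.0/24 on Ethernet0/1 is hypothetical.
hostname EDGE-RTR
!
interface Serial0/0
 description WAN to ISP (1.1.1.0/30, ISP gateway 1.1.1.1)
 ip address 1.1.1.2 255.255.255.252
 ip nat outside
!
interface Ethernet0/0
 description Private LAN, default gateway for 192.168.0.0/24
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/1
 description Second private LAN (hypothetical 192.168.2.0/24)
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
! E0/0 <-> E0/1 traffic is routed without translation: both interfaces are
! "ip nat inside", and translation happens only on the inside->outside path.
!
! The ISP routes 2.2.2.0/24 to 1.1.1.2, so the router can answer for 2.2.2.1
! without it being configured on any interface. One address, many hosts: PAT.
ip nat pool PAT-POOL 2.2.2.1 2.2.2.1 netmask 255.255.255.0
ip nat inside source list PRIVATE-HOSTS pool PAT-POOL overload
!
ip access-list standard PRIVATE-HOSTS
 permit 192.168.0.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
! Later, a server can be given its own public address with a one-to-one
! static translation (hypothetical host and public address):
ip nat inside source static 192.168.0.10 2.2.2.10
```

Note that nothing in this configuration filters inbound traffic: a static translation like the last line exposes the inside host to the whole Internet unless an access list is applied inbound on Serial0/0. That lack of a policy enforcement point is the reason the FAQ steers you to the dedicated-firewall scenarios when you have one.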

You typically implement this scenario when there is no dedicated firewall to do NAT/PAT. When you do have a dedicated firewall, you may want to implement one of the following scenarios instead.

Scenario 2: There is a firewall behind the router that does NAT/PAT

In this scenario, you have a PIX Firewall as the dedicated firewall that sits behind the router. A crossover cable connects the router E0/0 and PIX e0 interfaces, forming a point-to-point link that uses the 192.168.1.0/30 subnet.

There is a switch behind the PIX that connects the Private LAN. The PIX inside (e1) interface is within the Private LAN and also serves as the default gateway for all hosts on the Private LAN.

You configure the PIX to use 2.2.2.1 as the public PAT address for all Private LAN hosts. You may later assign other addresses within your Public IP Block to other devices such as servers and a VPN Concentrator.

Router configuration

PIX Firewall configuration
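Both devices for Scenario 2, as an added example (not the FAQ's own configuration). The router no longer translates anything; its one job beyond the default route is to point the whole 2.2.2.0/24 block at the PIX outside address 192.168.1.2, because the ISP delivers that block to 1.1.1.2 and the PIX is where the public addresses actually live. The PIX part uses PIX 6.x command syntax; the static translation and access list for a web server (192.168.0.10 as 2.2.2.10) are hypothetical additions illustrating the "servers" sentence above. Lines beginning with "!" are annotations, not PIX commands.

```cisco
! ===== Router (added example, Scenario 2) =====
hostname EDGE-RTR
!
interface Serial0/0
 description WAN to ISP (1.1.1.0/30)
 ip address 1.1.1.2 255.255.255.252
!
interface Ethernet0/0
 description Crossover to PIX outside (192.168.1.0/30)
 ip address 192.168.1.1 255.255.255.252
!
! No "ip nat" here: the PIX does all translation. The public block is
! reachable only through the PIX, so route it there explicitly.
ip route 2.2.2.0 255.255.255.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
! ===== PIX Firewall (added example, PIX 6.x syntax) =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 192.168.1.2 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
!
! PAT every Private LAN host to 2.2.2.1. The address is not on the outside
! subnet; that is fine because the router routes 2.2.2.0/24 to this PIX.
global (outside) 1 2.2.2.1
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
!
! Hypothetical server: one-to-one static to 2.2.2.10, then permit only the
! port it serves. Without the access-group, the PIX default (deny from the
! lower-security outside to the higher-security inside) still applies.
static (inside,outside) 2.2.2.10 192.168.0.10 netmask 255.255.255.255 0 0
access-list OUTSIDE-IN permit tcp any host 2.2.2.10 eq www
access-group OUTSIDE-IN in interface outside
!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
```

Two checks worth doing after configuring: on the router, "show ip route 2.2.2.0" should list 192.168.1.2 as the next hop, and on the PIX, "show xlate" should show inside hosts mapped to 2.2.2.1 once they send traffic out. If the router static route is missing, return traffic for the public block arrives at the router with no path and is dropped, which is the most common reason this layout "half works" (outbound pings from the PIX itself succeed, LAN hosts get nothing back).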

You typically implement this scenario when the firewall is the only device directly behind the router.

More sample configurations for a dedicated firewall behind an Internet router:
»Cisco Forum FAQ »Internet - Router - PIX/ASA - LAN

Scenario 3: There is a firewall behind the router that does NAT/PAT and does IPSec VPN tunnel

In this scenario, you have a PIX Firewall as the dedicated firewall that sits behind the router. A crossover cable connects the router E0/0 and PIX e0 interfaces, forming a point-to-point link.

There is a switch behind the PIX that connects the Private LAN. The PIX inside (e1) interface is within the Private LAN and also serves as the default gateway for all hosts on the Private LAN.

You configure the PIX to use 2.2.2.3 as the public PAT address for all Private LAN hosts, and you set the PIX outside interface address to 2.2.2.2, which is also the VPN Concentrator address. You can later assign other addresses within your Public IP Block to other devices such as servers. See the following FAQ for more information on running servers behind an ASA or PIX Firewall.

»Cisco Forum FAQ »PIX Firewall/ASA configuration to run server (with and without port forwarding)

Router configuration

PIX Firewall configuration
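Both devices for Scenario 3, as an added example (not the FAQ's own configuration). The difference from Scenario 2 is where the public block sits: the router-to-PIX link itself is numbered out of 2.2.2.0/24 (router E0/0 as 2.2.2.1, PIX outside as 2.2.2.2, as the FAQ specifies), so the router needs no static route for the block and any additional device can be plugged into that segment with a public address. The PIX outside address doubles as the IPSec peer address. The LAN-to-LAN tunnel uses PIX 6.x syntax; the remote peer 3.3.3.3, the remote LAN 192.168.10.0/24 and the pre-shared key placeholder are hypothetical. Lines beginning with "!" are annotations, not PIX commands.

```cisco
! ===== Router (added example, Scenario 3) =====
hostname EDGE-RTR
!
interface Serial0/0
 description WAN to ISP (1.1.1.0/30)
 ip address 1.1.1.2 255.255.255.252
!
interface Ethernet0/0
 description Public segment (2.2.2.0/24): PIX outside and any other public device
 ip address 2.2.2.1 255.255.255.0
!
! 2.2.2.0/24 is directly connected, so no static route is needed for it.
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
! ===== PIX Firewall (added example, PIX 6.x syntax) =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 2.2.2.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
!
! PAT address 2.2.2.3 is on the outside subnet this time, so the PIX answers
! the router's ARP requests for it (proxy ARP for global addresses).
global (outside) 1 2.2.2.3
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
!
! --- IPSec LAN-to-LAN tunnel (hypothetical remote site) ---
! Traffic to the remote LAN must bypass PAT (nat 0) so the private addresses
! survive into the tunnel; the same traffic selects the crypto map entry.
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list VPN-TRAFFIC permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
!
! Let decrypted tunnel traffic through without an explicit outside ACL entry.
sysopt connection permit-ipsec
!
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map L2L 10 ipsec-isakmp
crypto map L2L 10 match address VPN-TRAFFIC
crypto map L2L 10 set peer 3.3.3.3
crypto map L2L 10 set transform-set AES-SHA
crypto map L2L interface outside
!
isakmp enable outside
isakmp key REPLACE-WITH-PRESHARED-KEY address 3.3.3.3 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The flexibility this layout buys has a cost worth naming: anything else attached to the router's E0/0 segment sits outside the firewall, on public addresses, with nothing but the router between it and the Internet. If you place devices there, give the router an inbound access list on Serial0/0 that admits only what those devices need, and confirm with "show crypto isakmp sa" and "show crypto ipsec sa" on the PIX that the tunnel, not the PAT entry, is carrying the 192.168.0.0/24 to 192.168.10.0/24 traffic.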

This is an alternate scenario for when devices other than the firewall may need to connect behind the router. It is also likely the preferred scenario when the firewall also acts as the VPN Concentrator. See the following FAQ for more information on setting up an ASA or PIX Firewall as both Internet firewall and VPN Concentrator.

»Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator


by aryoba See Profile
last modified: 2009-03-23 09:29:21



over 10 years online! © 1999-2009 dslreports.com.