Re: Leased Line with BGP
Ideally they want the firewall to take care of NAT, etc., because it does web filtering, inspection, it's a VPN endpoint and so on, and they're wanting to use certain IP addresses in that /28 for certain services that the firewall hosts.
As others have mentioned, there is no need to run double NAT just because you use an Internet router and Internet firewall combo. You can even run no NAT at all with those two devices if the requirement calls for it.
One standard practice used by many organizations is to set a router in front of a firewall, where the router (in this case the 1841) connects directly to the ISP on the WAN subnet assigned by them. Simply assign the WAN IP address to the router and establish BGP routing with your ISP to receive a default route from them (or to receive full/partial routes from them, depending on your agreement). You also need to advertise the /28 subnet via BGP towards the ISP.
To use the firewall, the router also connects directly to the firewall's untrust zone (or security level 0 in Cisco ASA) on the /28 LAN subnet assigned by the ISP. Assign one IP address to the router, one IP address to the untrust-zone firewall interface, one IP address for Internet access (PAT), and use the rest of the IP addresses as static IP addresses for your servers (or, as you may call it, the certain services your company wants to have).
In other words, only the firewall does PAT/NAT and basic routing between the router and your internal LAN. The router does BGP with the ISP and does not do PAT/NAT. The untrust-zone firewall interface IP address is used for your VPN endpoint. The router IP address is used for the BGP relationship and for router management.
There are sample configurations in this forum's FAQ that you can review using Cisco router and Cisco firewall as illustrations, though they are applicable to any router and any firewall make and model. Please go through all of them for ideas and clarification. Here is one of them.
Cisco Forum FAQ: Setting Up Network With ISP WAN and Public IP Block subnets running NAT
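The router-in-front-of-firewall layout described in the post above, written out as an added example configuration (this is not from the thread or from the linked FAQ). Everything specific is assumed: RFC 5737 documentation addresses (198.51.100.0/30 for the ISP WAN link, 203.0.113.0/28 for the public block), the documentation ASN 64496 for the ISP and private ASN 64512 for the customer (use the ASN your ISP assigns), interface names, an inside LAN of 192.168.1.0/24, a web server at 192.168.1.10, and the BGP session password placeholder. Only the ASA does NAT; the 1841 does BGP and plain routing.

```cisco
! ===== 1841 edge router (BGP with ISP, no NAT) =====
hostname edge-1841
!
interface FastEthernet0/0
 description Uplink to ISP (assumed /30)
 ip address 198.51.100.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1
 description To ASA outside interface (security-level 0), assumed /28
 ip address 203.0.113.1 255.255.255.240
!
! Keep the /28 in the routing table even if the firewall link flaps,
! so the BGP network statement below always has a matching route.
ip route 203.0.113.0 255.255.255.240 Null0 250
!
! Only accept a default route from the ISP; only ever announce our /28.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list OUR-BLOCK seq 5 permit 203.0.113.0/28
!
router bgp 64512
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.240
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 description ISP peer (assumed address)
 neighbor 198.51.100.1 password CHANGE-ME
 neighbor 198.51.100.1 prefix-list DEFAULT-ONLY in
 neighbor 198.51.100.1 prefix-list OUR-BLOCK out
!
! ===== ASA firewall (all NAT/PAT, VPN endpoint, default route to router) =====
hostname edge-asa
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Default route points at the router's address in the /28.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Outbound Internet access: PAT the inside LAN behind a spare /28 address.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic 203.0.113.3
!
! A hosted service: static one-to-one NAT to its own /28 address.
object network WEB-SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.4
!
! ASA 8.3+ ACLs reference the real (inside) address, not the mapped one.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 443
access-group OUTSIDE-IN in interface outside
!
! Remote-access or site-to-site VPN terminates on the outside interface
! address (203.0.113.2); the VPN policy itself is omitted here.
```

Two checks after bringing this up: on the router, `show ip bgp neighbors 198.51.100.1 advertised-routes` should list only 203.0.113.0/28 and `show ip route` should show the default learned via BGP; on the ASA, `show nat` should count hits on both the dynamic and static rules, and `show xlate` should show inside hosts translated to 203.0.113.3 and the web server to 203.0.113.4. The outbound prefix-list is the part worth not skipping: it is what keeps a misconfigured `network` or redistribute statement from leaking routes to your ISP.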