jhouse
New Contributor

Separate Public IP Ranges

I was just given a new range of public IPs from my colo, but I'm not sure how to config the NetVanta to use them.

The first range is a /29, and isn't tagged.

The new range is a /28, and IS tagged.

The Interface Mode is set to IP routing.

The NetVanta is a 3430 running firmware R10.1.1.E.

Any advice?

Anonymous
Not applicable

Re: Separate Public IP Ranges

Thank you for asking this question in the support community. Based on the information provided that the traffic is/isn't tagged, it appears the ISP is looking for a trunk port with VLANs. The ISP will need to provide you with which VLAN ID should be assigned to each IP address range they provide you. This type of configuration is explained in the Configuring Enhanced Ethernet Quality of Service (QoS) in AOS document.

Below is a basic example configuration for this type of application:

interface eth 0/1
  encapsulation 802.1q
  no shutdown
!
interface eth 0/1.100
  vlan-id 100 native
  ip address <ip address> <subnet mask>
  no shutdown
!
interface eth 0/1.200
  vlan-id 200
  ip address <ip address> <subnet mask>
  no shutdown

I hope that makes sense, but please do not hesitate to reply to this post if you have any additional information or questions.  I will be happy to help in any way I can.

Levi

jhouse
New Contributor

Re: Separate Public IP Ranges

Thanks Levi; that helped a lot.

Now I'm stuck on something else:

The original IP range we were given is on eth 0/2.10. The main IP for that interface is X.X.202.66, while 202.67-70 are set up as secondary IPs. The default route is 202.65.

The new IP range is on eth 0/2.20. The main IP for that interface is X.X.203.2, with 203.3-14 as secondary IPs. The default route is 203.1.

The LAN is on eth 0/1. Its IP is 192.168.101.1/24.

There are some NAT rules that forward traffic from X.X.202.70 to 192.168.101.28, and traffic from 101.28 goes back to the Internet from 202.70.

I basically need to do the same thing for a different server with an address from the new IP range:

Traffic to 203.3 needs to go to 192.168.101.32, and traffic from 101.32 needs to go back to the Internet from 203.3.

Any tips on how I can make that happen?

Anonymous
Not applicable

Re: Separate Public IP Ranges

The configuration depends on how you have designed your firewall and security zones, but generally, this configuration will be done via the firewall's security zones. There is a very similar example in the Configuring the Firewall (IPv4) in AOS document, in example 9, beginning on page 40.

Essentially, the configuration will be the exact same as the previous one-to-one (1:1) NAT, but the main difference is that the "private" policy-class will need to NAT traffic from the address of 192.168.101.32 to 203.3. This will be done by the order in the list of the "private" security zone.

If you would like to reply and attach a copy of the configuration (remember to remove any sensitive information), I will be happy to review what you have and make suggestions and recommendations.

Levi
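
Added example, not part of the thread and not ADTRAN code: a small Python model of why the order of entries in the "private" policy-class decides which public address 192.168.101.32 leaves from, and a check that flags an entry hidden behind an earlier, broader one. It assumes top-down, first-match evaluation; the tuple layout, the function names and the catch-all overload entry on X.X.202.66 are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the "private" policy-class as an ordered list of
# (source match, public address) NAT entries. Assumption: entries are
# evaluated top-down and the first match wins.
HOST_28 = ("192.168.101.28/32", "X.X.202.70")   # existing 1:1 NAT from the thread
HOST_32 = ("192.168.101.32/32", "X.X.203.3")    # new 1:1 NAT for the second range
GENERAL = ("192.168.101.0/24", "X.X.202.66")    # assumed catch-all overload for the LAN

APPENDED = [HOST_28, GENERAL, HOST_32]   # new entry added at the bottom
ORDERED = [HOST_28, HOST_32, GENERAL]    # specific entries ahead of the catch-all


def egress_address(policy, src):
    """Public address chosen for src by the first matching entry, or None."""
    addr = ip_address(src)
    for match, public in policy:
        if addr in ip_network(match):
            return public
    return None


def shadowed_entries(policy):
    """Indexes of entries that can never match because an earlier one covers them."""
    hits = []
    for i, (match, _) in enumerate(policy):
        net = ip_network(match)
        if any(net.subnet_of(ip_network(prev)) for prev, _ in policy[:i]):
            hits.append(i)
    return hits


if __name__ == "__main__":
    for name, policy in (("APPENDED", APPENDED), ("ORDERED", ORDERED)):
        print(name, egress_address(policy, "192.168.101.32"), shadowed_entries(policy))
```

With the new entry appended after the catch-all, the server would go out from X.X.202.66 instead of X.X.203.3, so replies to inbound connections on 203.3 would carry the wrong source address.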

jhouse
New Contributor

Re: Separate Public IP Ranges

Mischief managed!

Thank you very much!