Can Network Number or Broadcast Addr be NATed?

I ran out of IP addresses so I got another pool and now I need to assign a few public addresses to servers behind a firewall. Is /30 the smallest subnet that can be assigned? If so, can all four of these IP addresses be used since the firewall will translate them into valid private addresses?

I know I need to route the new subnet to the firewall but does anything need to be done so return packets will properly route back out? In other words, will traffic from the new addresses simply follow the existing default route even though it's to a different network?

-- Bob Simon remove both "x"s from domain for private replies

In article , Bob Simon wrote:
:I ran out of IP addresses so I got another pool and now I need to assign a few public addresses to servers behind a firewall.

"a firewall" ? Do you mean a Cisco PIX?

:Is /30 the smallest subnet that can be assigned?

Not generally. There are productive uses of /31 on serial lines, and the PIX can handle down to /32 .

:If so, can all four of these IP addresses be used since the firewall will translate them into valid private addresses?

If you are talking about the PIX, then you don't need to subnet at all, if your router handles proxy arp or you can set host routes on your router.

The PIX can have arbitrary translations between public and private IPs. The PIX {mostly} only cares about subnets for translation for traffic originating (or terminating) at the PIX itself. For example, on one of our PIXes, we have *.37 as the outside interface IP, .75 and .76, and .83 and .84 as statics -- and we don't own the rest of the /24.

For example,

static (inside, outside) x.x.x.75 192.168.53.22 netmask 255.255.255.255

will grab traffic for the single IP address x.x.x.75 and send it to 192.168.53.22 -- and it will do so even if x.x.x.75 is in a completely different IP address range than the outside interface IP. [This relies on proxy arp {which is commonly on} or on the router specifically routing x.x.x.75 to the PIX outside IP.]

A PIX can also handle arbitrary internal subnets as long as you have appropriate 'route' statements -- but to get multiple internal subnets to work properly you usually need an internal LAN router.

:I know I need to route the new subnet to the firewall but does anything need to be done so return packets will properly route back out? In other words, will traffic from the new addresses simply follow the existing default route even though it's to a different network?

On the PIX, yes.

If you do decide to subnet and send the entire range into the PIX, then as described above the PIX won't care or even notice.

There is one limitation, though: if you happen to use static with a netmask other than 255.255.255.255 then the PIX will treat the first and last IPs in the implied range as if they really are network and broadcast IPs, and will normally refuse traffic originating from the corresponding internal IP address. You can override the refusal by adding a specific static for the IPs with netmask 255.255.255.255 -- but the PIX will grumble about overlapping IP address ranges every time it reboots/reconfigures... and there are hints in some of the bug reports that those IP addresses won't really be handled properly all the time. But the PIX is happy to have an indefinite number of statics with netmask 255.255.255.255 .
-- Walter Roberson
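As an added illustration (not part of Walter's reply), a small Python script that models the caveat above: given one range static, it lists which inside hosts the PIX would refuse because they sit in the network/broadcast positions, and emits the equivalent per-host /32 statics that avoid the problem. The addresses are constructed placeholders from documentation space, not the poster's real ranges.

```python
import ipaddress
from typing import List, Tuple

STATUS_OK = "ok"
STATUS_REFUSED = "refused"   # PIX treats this slot as network/broadcast

def range_static_plan(public_base: str, private_base: str,
                      netmask: str) -> List[Tuple[str, str, str]]:
    """Model one 'static (inside,outside) PUBLIC PRIVATE netmask MASK' line.

    Returns (public, private, status) for every address the static covers.
    Assumption (mine, not from the thread): both bases sit on the boundary
    of the mask, which is what a range static implies; misaligned input
    raises ValueError instead of silently shifting the range.
    """
    pub_net = ipaddress.ip_network(f"{public_base}/{netmask}", strict=True)
    priv_net = ipaddress.ip_network(f"{private_base}/{netmask}", strict=True)
    pubs, privs = list(pub_net), list(priv_net)
    last = len(pubs) - 1
    rows = []
    for i, (pub, priv) in enumerate(zip(pubs, privs)):
        # Walter's caveat: with a mask other than /32 the first and last
        # addresses of the implied range are handled as network/broadcast.
        # (/31 has no such positions; exempting it is my assumption.)
        refused = pub_net.num_addresses > 2 and i in (0, last)
        rows.append((str(pub), str(priv),
                     STATUS_REFUSED if refused else STATUS_OK))
    return rows

def per_host_statics(rows: List[Tuple[str, str, str]]) -> List[str]:
    """Rewrite the same mapping as one /32 static per host, the form the
    thread says the PIX accepts without refusals or overlap warnings."""
    return [f"static (inside,outside) {pub} {priv} netmask 255.255.255.255"
            for pub, priv, _ in rows]

if __name__ == "__main__":
    # Constructed sample: a /29 of 203.0.113.0/24 (documentation space)
    # mapped onto eight private hosts; placeholder values only.
    plan = range_static_plan("203.0.113.72", "192.168.53.16",
                             "255.255.255.248")
    for pub, priv, status in plan:
        print(f"{pub:<15} -> {priv:<15} {status}")
    print()
    print("\n".join(per_host_statics(plan)))
```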
