PIX 515 failover pair in a datacentre - external IP address question....

Hi Guys,

A strange question I know, but bear with me. I asked a question yesterday about VPN and failover best practice and got a fantastic answer. The firewalls are going into a datacentre and the datacentre provider had already told me that they were going to give me a /27 range, which was fine. I was going to use one address for the primary, one for the failover and another to do PAT for outgoing connections.

The PIXes have six interfaces, so I was going to have LAN-based failover and state too. There will also be a DMZ network that will host a couple of web and FTP servers. On the inside will be an Exchange server and several Terminal servers running Remote Web Desktop connection. I was going to have one-to-one NATs configured for the aforementioned machines. Hopefully sounds OK so far.

Here is where the problem is (or not, hence the question): the datacentre provider told me today that they want to give me a /29 range on the uplink they are giving me to my perimeter switch and will route my /27 address range to the outside address of my primary PIX.

Before I make myself look stupid tomorrow (again), is this going to work? For example, if I have a one-to-one NAT for the Exchange server translating an address from the /27 range to its inside address, will that work? And more importantly, when the Exchange server sends out mail, would what the datacentre provider suggests mess with the source address and cause reverse lookup problems? I can't understand why they would not provide the /27 directly on the uplink?

Am I missing something or do I have to persuade the provider to give me the /27 range on the uplink to my perimeter switch?

Any advice would be much appreciated.


calvinetter Commented:
Yes, that'll work, & it's a typical setup to assign the smallest subnet (/29 here) to the outside interface of your border device (PIX in this case I assume), & just route the larger subnet to your border device; the larger subnet (/27 here) in its entirety can be used however you want - setting a 1-to-1 static NAT for the Exchange server, general outbound NAT, etc.
A /29 subnet for the outside of your PIXes gives you enough public IPs for both PIXes plus a couple left over for whatever you want (general outbound NAT for a DMZ subnet, etc).

>...when the Exchange server sends out mail would what the datacentre provider suggest mess with...
No, not if you set up a 1-to-1 static NAT entry for the Exchange server, for example:
/29 subnet = 199.3.2.x
/27 subnet = 77.1.1.x
static (inside, outside) netmask ...

The above entry forces all outbound traffic from the internal Exchange server to always be sent via the public IP, regardless of whether you have a generic "global (outside) 1 <public IP>" entry for the whole 'inside' subnet that gets NAT'd to a /29 IP, since static NAT entries take precedence over general, dynamic NAT. Since it always gets translated to, reverse lookups work fine.
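
As an added illustration of the layout described in this answer (not configuration posted by the answerer or taken from the asker's firewalls), here is a PIX 6.x style fragment in which the outside interface and its failover peer sit in the provider's /29 (199.3.2.x), the routed /27 (77.1.1.x) supplies the static for the Exchange server and the PAT address for everything else, and the default route points at the provider's /29 gateway. The inside subnet 10.0.0.0/24, the Exchange host 10.0.0.10 and the specific host numbers in each public range are assumed values chosen for the example.

```cisco
! Outside interface lives in the /29 handed out on the uplink (assumed host numbers).
! The provider routes 77.1.1.0/27 to 199.3.2.2, so nothing in the /27 needs to be "on-link".
ip address outside 199.3.2.2 255.255.255.248
failover ip address outside 199.3.2.3
ip address inside 10.0.0.1 255.255.255.0
! Default route via the provider's gateway in the /29 (assumed to be .1).
route outside 0.0.0.0 0.0.0.0 199.3.2.1 1
!
! 1-to-1 static for the Exchange server, using an address from the routed /27.
! Static entries are matched before nat/global pairs, so outbound SMTP from 10.0.0.10
! always leaves as 77.1.1.10, which is what forward and reverse DNS should point at.
static (inside,outside) 77.1.1.10 10.0.0.10 netmask 255.255.255.255 0 0
!
! General outbound PAT for the rest of the inside network, also drawn from the /27.
! (A spare /29 address would work here too; only the static's address matters for mail.)
global (outside) 1 77.1.1.20
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
!
! Only the published service reaches the Exchange static from the outside.
access-list outside_in permit tcp any host 77.1.1.10 eq smtp
access-group outside_in in interface outside
```

After applying it, `show xlate` should list the 10.0.0.10 to 77.1.1.10 translation as a static entry while other inside hosts show PAT entries on 77.1.1.20.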

kjorviss (Author) Commented:

I have always had the larger subnet assigned to the uplink into my perimeter network before, and just wanted the validation you gave....

Very good explanation. What I was really worried about was one-to-one NAT not working properly with the smaller subnet on the outside interface.

Thanks again

Glad to help, Kevin!