We have an XG 450 version 17 appliance.
Our upstream provider has given us a touch down network (/252) which we use to connect to their next hop router. For the sake of clarity let us say that this touch down network is 128.128.128.128/252. The external interface on the XG 450 is configured to use 128.128.128.129 and the next hop router uses 128.128.128.130. This works no problem. That interface communicates using BGP.
Our upstream provider has also given us a set of public IP addresses. For the sake of clarity let us say that this range is 200.45.45.0/24.
In addition we are using private address space for some of our internal networks: 192.168.66.0/24.
Here is the question.
We can add machines to the 200.45.45.0/24 subnet by adding it to a LAN that is not configured to use NAT. Those machines can access the outside world because the provider's next hop router knows that packets with a source address on 200.45.45.0/24 should be returned to us. There is no NAT involved, and remote machines that we connect to see that our source addresses are in the 200.45.45.0/24 range. So straight routing is working as one would expect.
Machines sitting on our 192.168.66.0/24 network obviously need to be NAT'd when accessing outside machines. However, we do not want them to be NAT'd to the IP address on the touch down network (128.128.128.129); we would like them to be NAT'd to one of the IPs in our public range, for example 200.45.45.1. As it stands, however, they are being NAT'd to 128.128.128.129, our touch down network. We do not want this.
I have been thinking about how to solve this. The first question is whether we can assign an alias to the WAN interface using an IP from 200.45.45.0/24 and then create a rule that says outgoing traffic from 192.168.66.0/24 must be NAT'd to that IP, e.g. 200.45.45.1 instead of 128.128.128.129.
If it is possible to assign an alias for NAT'ing purposes, then I am proposing to use a non-standard subnet mask on our public IP address range and break it down into two different subnets, where one half is used for aliases and the other is used for our public LAN. That is, create two different subnets out of 200.45.45.0/24, i.e. 200.45.45.0/128 and 200.45.45.128/128, use the former for the non-NAT'd public LAN and the latter as a source of aliases on the WAN interface. We need more than one alias because we will have multiple internal LANs using different private address space subnets, and we would like to assign each of these subnets its own NAT'd IP address.
Regardless, this plan depends on being able to assign an alias to the WAN interface that is different from the one assigned on the touch down network.
The reason why we want to do this is that our upstream provider is quite draconian and has a tendency to black hole IPs that in their judgement are behaving badly, however defined. If they block our touch down network's IP, then all of our users will be blocked, whereas if I am able to NAT to our public IPs, then only part of our network will be blocked, not all of it.
I am not sure if anyone has done something similar in their deployments, but I would be interested to hear if they have.
Thank you very much in advance,
Si
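The addressing plan and the "blast radius" argument above can be checked before touching the appliance. The following is an added example, not code from the post or from Sophos; it models the plan in Python's standard `ipaddress` module using standard CIDR notation (a /30 for the four-address touch down link and two /25s for the halves of the /24). The second private LAN (192.168.67.0/24), the alias assignments in `SNAT_MAP`, and the function names are all assumptions made for the illustration; the firewall itself would still need a source-NAT rule per LAN that picks the alias.

```python
import ipaddress

# Constructed addressing plan mirroring the post, in standard CIDR notation.
TOUCHDOWN_NET = ipaddress.ip_network("128.128.128.128/30")   # provider touch down link
WAN_IP = ipaddress.ip_address("128.128.128.129")             # XG external interface
NEXT_HOP = ipaddress.ip_address("128.128.128.130")           # provider's next hop router
PUBLIC_BLOCK = ipaddress.ip_network("200.45.45.0/24")
# Split the /24 into two /25s: the lower half is the routed (non-NAT) public LAN,
# the upper half is the pool of aliases bound to the WAN interface.
PUBLIC_LAN, ALIAS_POOL = PUBLIC_BLOCK.subnets(prefixlen_diff=1)

# Hypothetical per-LAN source-NAT assignments: one alias per private subnet.
SNAT_MAP = {
    ipaddress.ip_network("192.168.66.0/24"): ipaddress.ip_address("200.45.45.129"),
    ipaddress.ip_network("192.168.67.0/24"): ipaddress.ip_address("200.45.45.130"),
}
# The situation described in the post: every private LAN is NAT'd to the WAN IP.
CURRENT_SNAT = {lan: WAN_IP for lan in SNAT_MAP}


def validate_plan(snat_map=SNAT_MAP):
    """Return a list of problems with the addressing plan (empty when it is sound)."""
    problems = []
    if WAN_IP not in TOUCHDOWN_NET or NEXT_HOP not in TOUCHDOWN_NET:
        problems.append("WAN IP or next hop lies outside the touch down network")
    if PUBLIC_LAN.overlaps(ALIAS_POOL):
        problems.append("public LAN and alias pool overlap")
    for lan, alias in snat_map.items():
        if alias not in ALIAS_POOL:
            problems.append(f"{alias} for {lan} is not drawn from the alias pool {ALIAS_POOL}")
        if not lan.is_private:
            problems.append(f"{lan} is not private address space and should be routed, not NAT'd")
    aliases = list(snat_map.values())
    if len(set(aliases)) != len(aliases):
        problems.append("the same alias is assigned to more than one LAN")
    return problems


def egress_source(src, snat_map=SNAT_MAP):
    """Source address the provider sees for an outbound packet from host `src`."""
    src = ipaddress.ip_address(src)
    if src in PUBLIC_LAN:
        return src                       # routed straight through, no NAT
    for lan, alias in snat_map.items():
        if src in lan:
            return alias                 # per-LAN source NAT to its alias
    return WAN_IP                        # anything else falls back to the WAN interface IP


def affected_networks(blackholed_ip, snat_map=SNAT_MAP):
    """Internal networks cut off if the provider black holes `blackholed_ip`."""
    ip = ipaddress.ip_address(blackholed_ip)
    hit = [str(lan) for lan, alias in snat_map.items() if alias == ip]
    if ip in PUBLIC_LAN:
        hit.append(f"{ip}/32")           # a routed public host is blocked individually
    return sorted(hit)


if __name__ == "__main__":
    print("plan problems:", validate_plan() or "none")
    print("192.168.66.10 egresses as", egress_source("192.168.66.10"))
    print("WAN IP black holed today:", affected_networks(WAN_IP, CURRENT_SNAT))
    print("WAN IP black holed under plan:", affected_networks(WAN_IP))
    print("alias .129 black holed under plan:", affected_networks("200.45.45.129"))
```

Running it shows the point of the design: with every LAN masqueraded behind 128.128.128.129, a black hole of that one address takes out both private LANs, while under the per-LAN alias plan the same black hole affects none of them and a black hole of 200.45.45.129 affects only 192.168.66.0/24.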