So the ISP we are currently working with to migrate our Class C IP has basically given us 2 options for hosting our Class C, as they said that they will not host the Class C on our NTU, unlike our current provider.
So the first option was to put another router between the internet link and our Firewalls (XG running latest Version in HA-AP) with the other interface hosting our current Class C gateway IP.
The other option they were suggesting was to host our Class C on the firewall as Virtual IPs and then have the firewall route the traffic via the internet IP. So I looked up Virtual IPs, and that is what we are doing for some of our LAN networks, and I noticed on the document page for Virtual IPs this statement: 'Traffic from an alias network has to be masqueraded to reach other internal networks. Otherwise the firewall will drop these packets as "Invalid Packets".'
This would indicate to me that any traffic from the public C would be masqueraded as the outgoing Internet IP which would defeat the purpose as our mail and other servers need to come from specific IPs from our Class C...
Or am I reading it wrong, and what I could do is modify the current WAN interface with the IP of the Internet IP but keep the Alias of the public C IPs on that interface, which would allow it to accept traffic directed to those Class C IPs, so I can continue to use existing NATs (incoming and outgoing) on the public C network?
I have spoken with my MSP's Sophos tech and they were even hesitant to say that it could be done.
Thoughts, good people?