got a question regarding additional ip ranges assigned to a company that belong in a different subnet from the WAN IP address:
SCENARIO
WAN IP address = 10.10.10.2/30 (let’s assume that this is a public IP)
Additional subnet assigned to the company = 10.20.20.0/29 (let’s assume that this is a public IP)
Internal subnets with private IP addressing = 192.168.1.0/24, 192.168.2.0/24
a) 192.168.1.0/24 → src-nat → 10.10.10.2
b) 192.168.2.0/24 → src-nat → 10.20.20.0/29
QUESTIONS
Is there a problem if the additional subnet is not in the same subnet as the WAN IP address? I don’t think so, but I want to clear any doubts.
Does the additional allocated subnet need to be configured on a specific interface on the router (physical (e.g., the wan interface) or logical (e.g., bridge)) or will writing source nat rules be enough (e.g., 192.168.2.2 → src-nat → 10.20.20.2)? I think that this is not a requirement on CISCO routers but I will lab this up in CML today to make sure.
I know that another option is to create an internal subnet with the additional range provided and assign public ip addresses directly on the devices but I’m specifically interested in how to handle the situation using nat.
Pretty sure 10.20.20.2/29 will need to be added to your WAN interface for it to be used successfully in a src-nat rule. I always add it, but to be fair I have not tested without. You don’t need to have the IP on the interface for a DST-NAT rule to work, so maybe you don’t even need it there for a src-nat rule to work. But it would surprise me if you didn’t.
It really depends on how exactly the ISP delivers traffic for the additional IP addresses. If they use the “base” IP address as the next hop downstream, then none of those addresses need to be present on the WAN interface (even more: they should not be). If, OTOH, the ISP expects to see these addresses via the “ARP who has” procedure, then those addresses have to be set on the WAN interface (or elsewhere with proxy ARP enabled).
Thank you both for chipping in! Sounds like what I was expecting. Although @mkx, why do you say that “they should not be”? Will that interfere with the NAT translations and forward traffic to the wrong place, or is that a best-practice suggestion that could also be done differently?
If packets for the extra IP addresses are being routed via the “main WAN IP address”, then the upstream router doesn’t care if your router has them on the WAN interface. However, they might be (ab)used by some other entity on the WAN side of your router … not harmful by itself, but it can possibly increase attack surface.
And when it comes to NAT (both SRC and DST), the firewall doesn’t care how a packet with a particular dst IP address arrived in its processing pipeline (or how it’ll be handled after the firewall is done processing it). So again, setting addresses on the WAN interface is useless.
Furthermore: you may decide to route part of that address space further downstream (can be individual IP addresses or a small subnet), and in this case having those addresses set on the WAN interface will interfere.
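As an added example (not posted by anyone in this thread), here is a RouterOS configuration for the OP's scenario that shows both ISP delivery models described above: the routed case, where the /29 is reached via the base WAN address and nothing extra goes on the WAN interface, and the on-link case, where the ISP ARPs for each address and it must therefore be present on the interface. Interface names (ether1, bridge-lan), the ISP next hop 10.10.10.1 and the downstream host 192.168.2.10 are assumptions, not from the thread.

```routeros
# Added example config, not from the thread. Assumptions:
#   ether1     = WAN interface, ISP next hop 10.10.10.1 (other address in the /30)
#   bridge-lan = internal bridge carrying 192.168.1.0/24 and 192.168.2.0/24

/ip address
add address=10.10.10.2/30 interface=ether1 comment="WAN base address"
add address=192.168.1.1/24 interface=bridge-lan
add address=192.168.2.1/24 interface=bridge-lan

/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1

# src-nat works on the address in to-addresses whether or not that address
# exists on any interface; conntrack reverses it for return traffic.
/ip firewall nat
# a) 192.168.1.0/24 -> WAN IP
add chain=srcnat src-address=192.168.1.0/24 out-interface=ether1 \
    action=src-nat to-addresses=10.10.10.2 comment="LAN1 -> base WAN IP"
# b) 192.168.2.0/24 -> the additional /29
#    most-specific rule first: one host gets a fixed public address
add chain=srcnat src-address=192.168.2.2 out-interface=ether1 \
    action=src-nat to-addresses=10.20.20.2 comment="host 192.168.2.2 -> .2"
#    the rest of the subnet shares the remaining usable addresses
add chain=srcnat src-address=192.168.2.0/24 out-interface=ether1 \
    action=src-nat to-addresses=10.20.20.3-10.20.20.6 comment="LAN2 -> /29 pool"

# --- Case 1: ISP routes 10.20.20.0/29 via 10.10.10.2 -------------------
# Nothing else is needed. Return packets for 10.20.20.x arrive at ether1
# addressed to 10.10.10.2's MAC, and the NAT rules above handle them.
# Part of the block can even be routed further downstream, e.g. hand
# 10.20.20.6 to an internal host that terminates it itself (assumed host):
# /ip route add dst-address=10.20.20.6/32 gateway=192.168.2.10
# (then remove 10.20.20.6 from the pool range above, since a routed
#  address must not also be used as a NAT source address)

# --- Case 2: ISP expects to ARP for each address on the link ---------
# Every public address used in src-nat must answer ARP on ether1, so add
# each one (RouterOS accepts several addresses from one subnet on an
# interface). Do NOT combine this with routing the same address downstream.
# /ip address add address=10.20.20.2/29 interface=ether1 comment="NAT .2"
# /ip address add address=10.20.20.3/29 interface=ether1 comment="NAT .3"
# /ip address add address=10.20.20.4/29 interface=ether1 comment="NAT .4"
# /ip address add address=10.20.20.5/29 interface=ether1 comment="NAT .5"
# /ip address add address=10.20.20.6/29 interface=ether1 comment="NAT .6"

# --- Checks --------------------------------------------------------------
# Rule hit counters show whether traffic from 192.168.2.0/24 is matching
# the /29 rules rather than falling through to a later rule:
# /ip firewall nat print stats
# In case 2, the ISP router's ARP entries for 10.20.20.x should appear here;
# in case 1 only 10.10.10.1 should be seen on ether1:
# /ip arp print where interface=ether1
```

Which case applies is decided by the ISP, not by the router: if you are unsure, run the configuration without the extra addresses first (case 1) and only add them if return traffic for 10.20.20.x never reaches ether1, which is the symptom of an ISP that ARPs for the block. Proxy ARP on ether1 is the alternative mkx mentions for addresses that live on another interface; it does not replace the addresses themselves for NAT-only use.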