Multiple Public IP Ranges for a network migration

nuclearsnake

Hi everyone,

I work for a company that is going to split our office into two separate companies and will need to split the one network as well, with a shared DMZ for the equipment that belongs to both companies. The problem we have is with our ISP/consultants.

Back story: We currently have 10/10 fiber internet access with a /28 block (let's call it 111.222.50.96/28). Its default gateway is the .97 and our Netscreen25's 'untrust' interface is at 111.222.50.98.

We have some systems located on the .100 and .101 for web and email and the like using MIPs (Mapped IP Address) into our DMZ.

Now here's the problem that just came up. Over the last two or three weeks I was in contact with our ISP to provide us with another set of 16 public IPs, which I was planning on using with a 2nd Netscreen device for the other company. The plan was to place a switch above both Netscreens and assign 16 (technically 14) IPs to each Netscreen.

Today I received the 2nd block of IPs (111.222.50.16/28), but they gave me the default gateway of .97 to use, meaning they expected me to use these other IPs with the 1st Netscreen or place one Netscreen behind the other one...

They then told me what I was asking for is impossible and they would need to charge me for a whole new circuit. :confused:

1) Without knowing how their network is set up, how much BS are they talking?
2) What can I do to get around this without hacking and patching things to work? Putting one NS behind the other is not allowed. :mad:
 
i work in local government. within our authority the education department are separate. we have formed a border network with them, into which their perimeter devices are connected alongside ours. the address space used on the border network is internet routable. we then have a separate range allocated to us (again, internet routable) for publishing services. this range is routed to our primary perimeter device. seems to work ok.

so, one way you might be able to get around this, if your isp will play ball: use your 111.222.50.96 /28 range as your border network. insert a switch here as you intended to. re-connect your existing perimeter device to this switch. continue to use .98 as the address on the untrust interface and .97 as the def gw on your existing device. connect the new netscreen untrust interface to the switch and allocate it a spare address in the 111.222.50.96 /28 range. use .97 as the def gw on the new netscreen too. then, get your isp to route 111.222.50.16 /28 to the address you allocated to the untrust interface of the new netscreen device. you should then be able to use the 111.222.50.16 /28 range to publish services through the new netscreen for the other half of the company.

you might want to talk to your isp before you start, since they may not play ball. we may only be able to do what we do because we are in effect our own mini isp in control of our own ip address space and internet routers.

good luck! :)
 
First off let me say it's actually pretty easy to do what you want without too much difficulty.

To answer your questions:

1) They aren't really talking that much BS; chances are what they are telling you is generally correct: to get a different subnet with a new GW you probably do need a new circuit.
2)Buy a switch.

To do what you want you need to do the following; in my example I'm going to use a managed switch, however you can tweak the config and use an unmanaged switch if you want to. Let's say FWA is your "original" firewall and FWB is the one with the new address range.

Set up each firewall so it only knows about the addresses it is responsible for, basically just like you would normally (almost, but that's coming). Take your nice new switch and configure two VLANs on it, one for each FW, assigning them each a small private address range. Also set the default GW to your .97 address. Configure routing on the switch for each separate public IP range to point to the correct FW on the correct VLAN. Take the external interface on each FW and address it appropriately for the VLAN it's on and make the switch IP its default GW. Plug your WAN interfaces into the switch, then the switch into your ISP's device, and you're all set. Ok, in reality there are a few more steps, but you should get the idea; when you're done it should look something like this sweet ASCII pic:

<removed since the formatting didn't stay>

Hope that makes sense.
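The two designs proposed in this thread, modeled as an added example (not code from either poster): a longest-prefix-match lookup in Python over the routing table each design needs, using the thread's example blocks 111.222.50.96/28 and 111.222.50.16/28. The transit VLAN ranges (10.255.10.0/30, 10.255.20.0/30), the firewall names FWA/FWB, the .99 address for the new Netscreen and the 10.255.x.2 next hops are assumptions constructed for the illustration. It also shows the catch in the switch design that the reply glosses over: once the switch owns .98 on the border segment, FWA's published .100 and .101 only reach FWA if the switch carries host routes more specific than the connected /28.

```python
"""Longest-prefix-match model of the two designs discussed in the thread.

Added example, not from the thread. The public blocks are the thread's
example addresses; everything in 10.255.0.0/16, the FWA/FWB names and the
.99 untrust address for the new Netscreen are constructed assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, next hop or "connected")

BORDER = ipaddress.ip_network("111.222.50.96/28")   # existing block, gw .97
SECOND = ipaddress.ip_network("111.222.50.16/28")   # new block handed out with gw .97
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route matching dst, as a real router would."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, next_hop in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    route = lookup(table, dst)
    return route[1] if route else None


# Design 1 (second reply): the border /28 stays on-link for the ISP router,
# and the ISP routes the new /28 to the new Netscreen's untrust address,
# which gets a spare address in the border block (.99 is an assumption).
ISP_EDGE: List[Route] = [
    (BORDER, "connected"),
    (SECOND, "111.222.50.99"),
]

# Design 2 (third reply): an L3 switch sits above both firewalls holding .98
# on the border segment, with one private transit VLAN per firewall.
# FWA's untrust is 10.255.10.2 on VLAN 10, FWB's is 10.255.20.2 on VLAN 20.
SWITCH: List[Route] = [
    (BORDER, "connected"),
    (DEFAULT, "111.222.50.97"),
    (SECOND, "10.255.20.2"),
]
# FWA's MIPs (.100 and .101 in the thread) now live behind VLAN 10, but the
# switch believes the whole /28 is connected. Host routes (/32) beat the
# connected /28 in the lookup, so traffic for them is forwarded to FWA.
PUBLISHED_ON_FWA = ["111.222.50.100", "111.222.50.101"]
for host in PUBLISHED_ON_FWA:
    SWITCH.append((ipaddress.ip_network(f"{host}/32"), "10.255.10.2"))


def check_publishing(table: List[Route], expected: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Return the published addresses whose resolved next hop is not the expected one."""
    return {dst: next_hop(table, dst) for dst, want in expected.items()
            if next_hop(table, dst) != want}


def blocks_are_disjoint() -> bool:
    """Sanity check: the two /28s the ISP handed out must not overlap."""
    return not BORDER.overlaps(SECOND)


if __name__ == "__main__":
    print("ISP edge, new block host .20 ->", next_hop(ISP_EDGE, "111.222.50.20"))
    print("switch, FWA MIP .100 ->", next_hop(SWITCH, "111.222.50.100"))
    print("switch, FWB host .20 ->", next_hop(SWITCH, "111.222.50.20"))
    print("switch, internet ->", next_hop(SWITCH, "8.8.8.8"))
    print("mismatches:", check_publishing(SWITCH, {
        "111.222.50.100": "10.255.10.2", "111.222.50.20": "10.255.20.2"}))
```

One thing the model makes visible: in the switch design the ISP router still ARPs for .100 and .101 on the border segment because they are inside its connected /28, so the host routes alone are not enough; the switch must also answer for those addresses (proxy ARP), or those hosts must be renumbered out of the border block. The ISP-routed design avoids this, since the only address the ISP ever ARPs for is the new Netscreen's untrust address.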
 