Firewall NIC need a subnet mask.

By Philippians
I would like to install a firewall for our network. The firewall requires two NICs with different subnet masks. Our ISP gave us this static address (sample only), and the server NIC they placed was (sample only). Our local network address is to 255. What subnetting should I do here for the second NIC of our server?


by Jaqui In reply to Firewall NIC need a subne ...

NIC 1 is the static IP from the ISP.
NIC 2 is the IP you choose for your default gateway from the server to the internet.

You don't need to subnet, as the firewall should be between the server and the internet (actually, between any equipment and the internet).
All traffic goes through the firewall.


by justemazing In reply to Firewall NIC need a subne ...

This question really can't be properly answered without knowing what equipment is currently installed. You indicate that there is more than just the router the ISP placed. What server NIC did the ISP place? Do you mean the router's Ethernet side?

What other piece of equipment do you have installed such that your local network addresses are on a different subnet than the router's LAN side?

There are some common scenarios:

1. ISP Router with a firewall behind it (1 public IP)

Router WAN: (public)
Router LAN: (private)
Firewall WAN: (private)
Firewall LAN: (private)

Your firewall would do NAT and DHCP for the local network on The problem with this scenario is the double NAT being done: once with the router and once with the firewall. Depending on the equipment being used it can cause problems.

2. If the ISP is bridging the public IP through their equipment to you, instead of assigning it to their router's WAN side, then you can install your firewall behind the router and assign the public IP to its WAN NIC.

Any way you do this, you want all traffic to hit the firewall box. The firewall WAN NIC should be the only machine on the same subnet as the ISP equipment. Everything else would join the second subnet, for which the firewall LAN NIC is the gateway.


by mshavrov In reply to Firewall NIC need a subne ...

First of all, I understand that you do not want to give real IP addresses. But are you sure you gave all the correct "samples"?

Theoretically you may configure IP mask on the "server NIC", but it will include all IP addresses between to, and they will be inaccessible for you.

Since you mentioned that your LAN addresses are, you should have mask on your LAN. But this puts your firewall IP address "out of the subnet". If you have a router between your LAN and the firewall, which will have (whatever your ISP gave to you) address on the "firewall" interface, and on the "LAN" interface, it will fix the problem.

Another solution, if you do not have a router between the LAN and the firewall, is to assign a "LAN" IP address to the "LAN" firewall interface (i.e. You should also make this address the "default gateway" on all your servers.

Good luck. If you have more questions, do not hesitate to e-mail me directly.

Michael Shavrov
Cisco CCNP, CCDP, CCSP, Voice, MCSE W2K, Security+, ...
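As an added example (not from any poster in this thread), a small Python check for the kind of plan justemazing and Michael describe: the firewall's WAN and LAN NICs must sit on non-overlapping subnets, and every LAN host must fall inside the LAN NIC's subnet for that NIC to serve as its default gateway. The addresses used are constructed documentation-range samples, since the thread's real ones were removed.

```python
import ipaddress


def check_firewall_plan(wan_iface, lan_iface, lan_hosts):
    """Validate a two-NIC firewall addressing plan.

    wan_iface / lan_iface: 'address/prefix' strings for the firewall's NICs.
    lan_hosts: addresses that should use the LAN NIC as default gateway.
    Returns a list of problems; an empty list means the plan is consistent.
    """
    wan = ipaddress.ip_interface(wan_iface)
    lan = ipaddress.ip_interface(lan_iface)
    problems = []

    # The two NICs must be on different, non-overlapping subnets,
    # otherwise the firewall cannot tell "outside" from "inside".
    if wan.network.overlaps(lan.network):
        problems.append(f"WAN {wan.network} overlaps LAN {lan.network}")

    # Every LAN host must lie inside the LAN NIC's subnet; otherwise the
    # firewall address is "out of the subnet" and cannot be the gateway.
    for host in lan_hosts:
        if ipaddress.ip_address(host) not in lan.network:
            problems.append(f"host {host} is outside {lan.network}")
    return problems


def covered_range(iface):
    """First and last address a given mask on an interface covers."""
    net = ipaddress.ip_interface(iface).network
    return str(net[0]), str(net[-1])


if __name__ == "__main__":
    # Constructed sample: a small public block on the WAN side (192.0.2.0/24
    # is a documentation range) and a private /24 on the LAN side.
    wan_nic = "192.0.2.10/30"
    lan_nic = "192.168.1.1/24"
    hosts = ["192.168.1.20", "192.168.1.21", "192.168.2.5"]
    for problem in check_firewall_plan(wan_nic, lan_nic, hosts):
        print("problem:", problem)
    print("WAN mask covers", covered_range(wan_nic))
```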
