Public IP - MPLS Connected 1590

jfelix
Hi,

I have a Gaia Embedded 1590 directly connected to an ISP-provided MPLS network. IP addressing on the WAN port is therefore a private address.

Internet is provided by a service hanging off the MPLS. There is a /28 of publics routed through the MPLS, terminating at the Check Point.

Public IPs work happily for inbound and outbound NATs.

Network traffic from the LAN interface is NAT'd to the internet using one of the /28.

Traffic to the internet from the firewall itself doesn't seem to use the above NAT, and resolves to a public IP not in the /28 range. It seems only basic ports are allowed through this IP at the internet connection source. I am therefore having trouble getting Reach My Device and connectivity to the Security Management Portal to work.

I am trying to find a way to set a public IP in the /28 range for the router itself to use. I suppose assign a public IP to the WAN interface that already has a private address assigned.

Any hints?

Accepted Solution

Maarten_Sjouw

Just add the /28 to the DMZ network interface and connect it to a switch on a dead VLAN so the port is up, set the first IP from the range to the DMZ interface and use that to NAT all traffic from the gateway. That way you can always connect to/from the Gateway from/to the internet.

For a VPN you can then set the link selection to the DMZ interface IP.

Regards, Maarten

_Val_

Do I understand it as you have an external FW filtering traffic and disallowing GW to MGMT connectivity?

jfelix

Yeah, there must be a firewall on that internet link. The firewall would be managed via the MPLS provider.

The /28 doesn't seem to be impacted by the same firewall port filtering though.

jfelix

The unit actually already has a DMZ, and I can connect to the firewall from the internet using the IP allocated to the DMZ interface.

I actually already tried to set a NAT like you describe and couldn't get it to go.

Tried LAN IP in the original source + DMZ Public IP in translated source
Tried WAN IP in the original source + DMZ Public IP in translated source

"This Gateway" is only a selectable option in Original Destination. 

jfelix

Actually, I take that back.

WAN IP in the original source + DMZ public IP in the translated source is actually the solution. Verified from the CLI that outbound traffic from the firewall itself is now NAT'd as the DMZ public IP.

Thanks for your assistance

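Added example, not code from the thread or from Check Point: a small first-match source-NAT rulebase evaluator that walks through Maarten's accepted solution (bind the first address of the /28 to the DMZ interface and NAT the gateway's own traffic behind it) and jfelix's final finding (the rule only matches when the original source is the WAN IP, not a LAN IP). It models an ordered NAT rulebase abstractly rather than the appliance's real NAT engine, and every address (the RFC 1918 WAN/LAN ranges, the RFC 5737 /28, the DMZ and hide-NAT addresses) is constructed for illustration. The one assumption worth stating is the point the thread's result implies: packets the gateway originates itself are sourced from its egress interface address, the private WAN IP, so that is the address a source-NAT rule has to name.

```python
"""
Added example (not from the CheckMates thread): a first-match source-NAT
rulebase evaluator showing why the gateway's own traffic never matched the
LAN hide-NAT rule, and what the rule that finally worked does.
All addresses below are constructed (RFC 1918 / RFC 5737), not real ones.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Union

# Constructed topology, mirroring the thread's description.
LAN_NET = ip_network("192.168.1.0/24")        # LAN behind the 1590
LAN_IF_IP = ip_address("192.168.1.1")         # gateway's own LAN interface address
WAN_IP = ip_address("10.10.10.2")             # private address the MPLS provider put on WAN
PUBLIC_28 = ip_network("203.0.113.0/28")      # public /28 routed over the MPLS to the gateway
DMZ_IP = ip_address("203.0.113.1")            # first address of the /28, bound to the DMZ interface
LAN_HIDE_IP = ip_address("203.0.113.2")       # address the LAN is hide-NATed behind


@dataclass(frozen=True)
class SourceNatRule:
    name: str
    original_source: Union[IPv4Network, IPv4Address]
    translated_source: IPv4Address

    def matches(self, src: IPv4Address) -> bool:
        # A network matches any host inside it; a host address must match exactly.
        if isinstance(self.original_source, IPv4Network):
            return src in self.original_source
        return src == self.original_source


def egress_source(src: IPv4Address, rules: List[SourceNatRule]) -> IPv4Address:
    """Source address a packet leaves the gateway with: first matching rule
    wins (ordered rulebase); no match means it leaves untranslated."""
    for rule in rules:
        if rule.matches(src):
            return rule.translated_source
    return src


def gateway_source_for_outbound() -> IPv4Address:
    """Assumption (consistent with the thread's result): traffic the gateway
    itself originates towards the internet (management, Reach My Device, VPN)
    carries the egress interface address, the private WAN IP, as its source."""
    return WAN_IP


LAN_HIDE = SourceNatRule("LAN hide NAT", LAN_NET, LAN_HIDE_IP)
# The attempt that failed: the gateway's own packets never carry a LAN source.
GW_VIA_LAN_IP = SourceNatRule("gateway, LAN IP as original source", LAN_IF_IP, DMZ_IP)
# The rule that worked: original source = WAN IP, translated source = DMZ public IP.
GW_VIA_WAN_IP = SourceNatRule("gateway, WAN IP as original source", WAN_IP, DMZ_IP)


def before_fix() -> IPv4Address:
    """Gateway-originated traffic with only the LAN hide rule and the wrong
    gateway rule installed: nothing matches, it leaves with the private WAN IP
    and is left to whatever NAT the provider applies upstream."""
    return egress_source(gateway_source_for_outbound(), [LAN_HIDE, GW_VIA_LAN_IP])


def after_fix() -> IPv4Address:
    """Same traffic once the WAN-IP rule is in place: it leaves as the DMZ IP."""
    return egress_source(gateway_source_for_outbound(), [LAN_HIDE, GW_VIA_WAN_IP])


def lan_host_egress() -> IPv4Address:
    """A LAN host is unaffected by the gateway rule and still hides behind .2."""
    return egress_source(ip_address("192.168.1.50"), [LAN_HIDE, GW_VIA_WAN_IP])


def leaves_in_public_range(addr: IPv4Address) -> bool:
    """The check the poster wanted: does the address the gateway presents to
    the internet fall inside the routed /28, which the upstream filter does
    not restrict?"""
    return addr in PUBLIC_28


if __name__ == "__main__":
    for label, fn in (("before fix", before_fix), ("after fix", after_fix), ("LAN host", lan_host_egress)):
        addr = fn()
        print(f"{label:10s}: egress source {addr}  in /28: {leaves_in_public_range(addr)}")
```

Running it prints the gateway leaving as 10.10.10.2 before the fix (outside the /28, hence subject to the provider's port filtering), 203.0.113.1 after it, and the LAN host still behind 203.0.113.2; the same reasoning applies to any rulebase where a gateway's self-originated traffic has to be matched on the interface address it actually egresses from.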