[c-nsp] using a /29 mask on a /30 point-to-point
Randy
randy_94108 at yahoo.com
Tue Jun 30 17:11:13 EDT 2009
--- On Tue, 6/30/09, Deny IP Any Any <denyipanyany at gmail.com> wrote:
From: Deny IP Any Any <denyipanyany at gmail.com>
Subject: [c-nsp] using a /29 mask on a /30 point-to-point
To: cisco-nsp at puck.nether.net
Date: Tuesday, June 30, 2009, 12:44 PM
I have a new ISP for one of our locations, and we currently have a
pair of Cisco PIXs in an active/standby config. The new ISP wants to
give us a /30 for this MetroE WAN link, with one of the IPs being used
for their equipment on their side of the circuit (aka, our default
gateway). This only gives us one IP address for our Primary's external
interface, and none left over for the secondary firewall's external
int (which it requires to be in the same subnet as Primary's ext int).
The ISP refuses to issue a /29 instead, due to a corp policy stemming
from a mis-configured customer many years ago.
What are my options to get this to work? I really don't want to lose
my redundant firewalls, and adding a router (a single point of
failure) to just get redundant firewalls seems self-defeating.
Could I configure the subnet on my side of the WAN as a /29? My
broadcast address would be wrong, but since it's basically a
point-to-point anyway, I shouldn't need broadcasts. I realize this is
semi-evil, and might get my Internet driver's license revoked, but what
would I break by doing this?
--
deny ip any any (4393649193 matches)
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
...well for one thing, in the event the active pix died, the standby would source outbound PAT'd traffic from an address that doesn't belong to you.
I agree with gert - change ISPs
-Randy
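As an added illustration (not part of the thread, and not a Cisco tool), the check below works through the question in Python's ipaddress module: given the ISP's /30 and its gateway, it lists which addresses a locally configured /29 would offer the standby PIX and classifies each from the ISP router's point of view. The addresses are constructed RFC 5737 documentation values standing in for the real block.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation range); the thread does
# not disclose the real ISP-assigned block or gateway.
ISP_BLOCK = "192.0.2.0/30"
ISP_GATEWAY = "192.0.2.1"


def classify(isp_block, isp_gateway, addr):
    """Say what an address is from the ISP router's point of view."""
    if addr == isp_gateway:
        return "gateway"
    if addr in (isp_block.network_address, isp_block.broadcast_address):
        return "isp_edge"      # network or directed-broadcast address of the /30
    if addr in isp_block:
        return "usable"        # the single address the /30 really leaves us
    return "foreign"           # never assigned; nothing upstream routes it here

def local_view(isp_block, local_prefixlen):
    """The subnet the firewall would believe it sits on with the wider mask."""
    net = ipaddress.ip_network(isp_block)
    return ipaddress.ip_network(
        f"{net.network_address}/{local_prefixlen}", strict=False)

def broadcast_mismatch(isp_block, local_prefixlen):
    """True when the widened mask changes the directed-broadcast address."""
    net = ipaddress.ip_network(isp_block)
    return local_view(net, local_prefixlen).broadcast_address != net.broadcast_address

def standby_candidates(isp_block, isp_gateway, local_prefixlen, primary_ip):
    """Every host the wider mask offers for the standby unit, classified.
    Returns a list of (address, classification) tuples in address order."""
    net = ipaddress.ip_network(isp_block)
    gw = ipaddress.ip_address(isp_gateway)
    taken = {gw, ipaddress.ip_address(primary_ip)}
    return [(a, classify(net, gw, a))
            for a in local_view(net, local_prefixlen).hosts()
            if a not in taken]


if __name__ == "__main__":
    net, gw = ipaddress.ip_network(ISP_BLOCK), ipaddress.ip_address(ISP_GATEWAY)
    primary = next(a for a in net.hosts() if a != gw)   # the only address left
    print(f"ISP block {net}, gateway {gw}, primary {primary}")
    print(f"local view with /29: {local_view(net, 29)}, "
          f"broadcast differs: {broadcast_mismatch(net, 29)}")
    for addr, kind in standby_candidates(net, gw, 29, primary):
        print(f"  standby candidate {addr}: {kind}")
```

With the sample /30, every address the /29 offers the standby is either the ISP's own broadcast address or one the ISP never assigned, so no candidate is classified "usable".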