0 Replies Latest reply on Jun 6, 2014 9:45 PM by thyvarin

    How to use second subnet in Outbound Multi-Link NAT

    thyvarin

      If the ISP isn't able to give you a large enough subnet but instead gives two smaller subnets, this is not a problem from the NGFW outbound Multi-Link NAT point of view. You just need to make sure that the ISP routes both subnets to the NGFW, and then you can use IP addresses from the second subnet in Multi-Link in the same way as IP addresses from the first subnet. There's no need to use the second subnet in the NGFW interface configuration or routing.


      Here's an imaginary example where we got two address ranges, 50.50.50.0/29 (FW CVI 50.50.50.1, NDI1 50.50.50.2, NDI2 50.50.50.3 and ISP router 50.50.50.6) and 50.50.51.0/28, from ISP_A. Since we want to use the two unused IP addresses 50.50.50.4 and 50.50.50.5 from the first subnet in static destination NAT rules, we decide to use IP addresses 50.50.51.1 and 50.50.51.2 from the second subnet in outbound Multi-Link NAT. In order to use IP addresses from the second subnet in Multi-Link NAT, we also need to add the second subnet as a valid network in the properties of the ISP_A netlink:

      [image: netlinks.png]

      So here I added both the /29 and /28 networks as Networks in the ISP_A_netlink properties, but all the routing on Interface 0 is still done via the ISP router 50.50.50.6.


      Now we can use this netlink in Multi-Link where we define the NAT pool to include two IPs 50.50.51.1 and 50.50.51.2:

      [image: multilink.png]

      And finally we use the Multi-Link element normally in NAT rule:

      [image: nat_rule.png]

      Same rules with IP address details:

      [image: nat_rule2.png]

      Similarly, you could have used the IPs from the second subnet in the first two destination NAT rules.
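As an added consistency check (not part of the post and not NGFW's own tooling), the script below models the post's example and flags the mistakes the post warns about: a Multi-Link pool address whose subnet the ISP does not route to the firewall or that is missing from the netlink's Network entries, an address already used by the firewall interfaces or the ISP router, a collision with the static destination NAT addresses, and a network or broadcast address. All addresses are the post's imaginary ones.

```python
from ipaddress import ip_address, ip_network

# Constructed to mirror the post's imaginary example; these are not addresses in real use.
ISP_ROUTED = [ip_network("50.50.50.0/29"), ip_network("50.50.51.0/28")]
# Addresses already consumed on the /29: FW CVI, NDI1, NDI2 and the ISP router.
IN_USE = {ip_address(a) for a in ("50.50.50.1", "50.50.50.2", "50.50.50.3", "50.50.50.6")}
# Addresses reserved for the static destination NAT rules.
STATIC_DNAT = {ip_address("50.50.50.4"), ip_address("50.50.50.5")}
# Addresses chosen for the outbound Multi-Link NAT pool.
MULTILINK_POOL = [ip_address("50.50.51.1"), ip_address("50.50.51.2")]


def check_multilink_pool(pool, netlink_networks, routed=ISP_ROUTED,
                         in_use=IN_USE, static_dnat=STATIC_DNAT):
    """Return a list of problems with an outbound Multi-Link NAT pool; empty means consistent.

    netlink_networks: the Network entries configured on the netlink element.
    """
    problems = []
    for ip in pool:
        if not any(ip in net for net in routed):
            problems.append(f"{ip}: ISP does not route this address to the firewall")
        if not any(ip in net for net in netlink_networks):
            problems.append(f"{ip}: not covered by any netlink Network; add its subnet to the netlink")
        for net in routed:
            if ip in (net.network_address, net.broadcast_address):
                problems.append(f"{ip}: network or broadcast address of {net}, not usable for NAT")
        if ip in in_use:
            problems.append(f"{ip}: already used by a firewall interface or the ISP router")
        if ip in static_dnat:
            problems.append(f"{ip}: also used as a static destination NAT address")
    return problems


if __name__ == "__main__":
    # Netlink with only the /29 configured: the pool addresses from the /28 are flagged.
    for problem in check_multilink_pool(MULTILINK_POOL, [ip_network("50.50.50.0/29")]):
        print(problem)
    # Netlink with both subnets, as in the post: no problems.
    print(check_multilink_pool(MULTILINK_POOL, ISP_ROUTED))
```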