Currently, the customer's network has three devices: an S9712 switch, a USG9560 firewall and an NE40E router. The router terminates the internet line, the firewall sits between the switch and the router and performs the NAT translation, and the switch carries the customer's private network. The firewall has a default route pointing to the router. Now the bandwidth usage is nearly full and the customer has decided to buy a second internet line, which comes with 13 usable public IPs. This is where the problem arises: if the new line is connected to the router, some of those IPs are wasted, because addresses from the new block have to be assigned to the firewall before it can use the rest for NAT.
Current firewall settings (example: assume the current public pool is 100.100.100.0/24):
nat server 0 zone untrust global 100.100.100.73 inside 172.19.12.101
nat server 1 zone untrust global 100.100.100.161 inside 172.19.12.111
nat server 2 zone untrust global 100.100.100.162 inside 172.19.12.112
nat server 3 zone untrust global 100.100.100.201 inside 172.19.12.121
nat server 4 zone untrust global 100.100.100.89 inside 172.19.12.131
ip route-static 0.0.0.0 0.0.0.0 100.100.100.5
100.100.100.5 is the router's IP address.
After discussion with the customer, we recommend connecting the new internet line directly to the firewall and using policy-based routing (PBR) to redirect the designated traffic to the new line. The settings on the firewall are:
acl number 3000
rule 5 permit ip source 220.127.116.11 0.0.0.15 destination any
(the source is the new public IP block 18.104.22.168/28; example: assume 22.214.171.124/28 is the new public IP block, so the wildcard 0.0.0.15 covers the whole /28)
traffic classifier new_nat operator or
if-match acl 3000
traffic behavior new_nat
redirect ip-nexthop 126.96.36.199
(the next hop on the new internet line)
traffic policy new_nat
classifier new_nat behavior new_nat
interface Eth-Trunk 1
(the interface connected to the switch)
traffic-policy new_nat inbound
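As an added check (example code written for this note, not part of the customer's configuration and not a Huawei tool), the following Python script reproduces the arithmetic behind the design: it derives the ACL source address and wildcard from the new /28, counts the public addresses left for NAT once the ISP next hop is taken out (a /28 yields exactly the 13 usable addresses mentioned above), and audits the nat server mappings so that only globals inside the new block are expected to be redirected and none of them collides with the next hop. The 198.51.100.0/28 block, its next hop 198.51.100.1 and the extra mappings 5 and 6 are constructed placeholders, not the customer's addresses.

```python
import ipaddress
import re

# Constructed sample values, not the customer's real addresses: the page's
# 100.100.100.0/24 example pool, a documentation-range /28 standing in for
# the new line, and an assumed ISP next hop inside that /28.
OLD_POOL = ipaddress.ip_network("100.100.100.0/24")
NEW_POOL = ipaddress.ip_network("198.51.100.0/28")
NEW_NEXT_HOP = ipaddress.ip_address("198.51.100.1")

# Constructed config: the page's five mappings plus two hypothetical new
# ones. Entry 6 deliberately reuses the next-hop address so the audit has
# something to flag.
NAT_SERVER_CONFIG = """\
nat server 0 zone untrust global 100.100.100.73 inside 172.19.12.101
nat server 1 zone untrust global 100.100.100.161 inside 172.19.12.111
nat server 2 zone untrust global 100.100.100.162 inside 172.19.12.112
nat server 3 zone untrust global 100.100.100.201 inside 172.19.12.121
nat server 4 zone untrust global 100.100.100.89 inside 172.19.12.131
nat server 5 zone untrust global 198.51.100.2 inside 172.19.12.141
nat server 6 zone untrust global 198.51.100.1 inside 172.19.12.151
"""

NAT_SERVER_RE = re.compile(
    r"nat server (?P<id>\d+) zone \S+ global (?P<glob>\S+) inside (?P<inside>\S+)"
)


def parse_nat_servers(config_text):
    """Return [(id, global_ip, inside_ip)] for every 'nat server' line."""
    servers = []
    for line in config_text.splitlines():
        m = NAT_SERVER_RE.search(line.strip())
        if m:
            servers.append((int(m["id"]),
                            ipaddress.ip_address(m["glob"]),
                            ipaddress.ip_address(m["inside"])))
    return servers


def wildcard_for(network):
    """Huawei ACLs take '<address> <wildcard>'; the wildcard is the inverted mask."""
    return str(network.network_address), str(network.hostmask)


def usable_public_addresses(network, next_hop):
    """Host addresses left for NAT after the ISP next hop is taken out."""
    hosts = set(network.hosts())       # hosts() already excludes network and broadcast
    hosts.discard(next_hop)
    return len(hosts)


def acl_rule(network, rule_id=5):
    """Render the ACL rule that matches traffic sourced from the pool."""
    addr, wc = wildcard_for(network)
    return f"rule {rule_id} permit ip source {addr} {wc} destination any"


def audit_pbr(servers, new_pool, next_hop, old_pool):
    """Cross-check nat server globals against both pools and the redirect next hop.

    Returns {'redirected': [ids whose return traffic the ACL will match],
             'errors': [human-readable problems]}.
    """
    redirected, errors = [], []
    for sid, glob, _inside in servers:
        if glob == next_hop:
            errors.append(f"nat server {sid} reuses the redirect next-hop {glob}")
        elif glob in (new_pool.network_address, new_pool.broadcast_address):
            errors.append(f"nat server {sid} uses network/broadcast address {glob}")
        elif glob in new_pool:
            redirected.append(sid)
        elif glob not in old_pool:
            errors.append(f"nat server {sid} global {glob} is in neither pool")
    return {"redirected": redirected, "errors": errors}


if __name__ == "__main__":
    print("acl:", acl_rule(NEW_POOL))
    print("usable addresses on new line:",
          usable_public_addresses(NEW_POOL, NEW_NEXT_HOP))
    report = audit_pbr(parse_nat_servers(NAT_SERVER_CONFIG),
                       NEW_POOL, NEW_NEXT_HOP, OLD_POOL)
    print("mappings redirected to new line:", report["redirected"])
    for err in report["errors"]:
        print("ERROR:", err)
```

Run it before pasting the ACL into the firewall: the rendered rule should match the one in the traffic classifier, the usable count should equal what the ISP promised, and any mapping the audit flags would either never be redirected or would black-hole the next hop.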