Home | Articles | About | Contact | Forum |
Friday, September 20, 2019

Lunarpages.com Web Hosting

Mailing List

By Joining the mailing list you will be notified of site updates.

Show Your Support For
This Site By Donating:

Audience: System Admins - I.T. Managers
Last Updated: 6/15/2011 2:17:25 PM
**All times are EST**

Using public IP addresses behind a firewall

By Erik Rodriguez

Tags: firewall with public IP addresses, Juniper firewall setup, IP addresses behind firewall, slash notation

The following article illustrates how to configure the use of public IP space on the trust side of a firewall. This is common in data center networks and other networks that require the use of public IP space with the protection of a firewall. There is also information on the combination of public IPs and NAT on the same device.


Traditionally, IP space is allocated and all devices behind the firewall are configured with NAT addresses. This works well most the time, but there are cases where public IP addresses need to be assigned to servers or devices directly. In order to accomplish this, you will need at least (2) different allocations from your ISP or network administrator. One will be used as your connection to the public Internet. The 2nd or rest of the allocations will be for devices "behind" or protected by your firewall. This is commonly referred to as the trust side or trusted zone of your firewall. If you are not familiar with "slash notation" see the subnet cheat sheet.

Device and provider configuration:

For this example, let us say an ISP has provided two IP space allocations for our firewall. They provide an allocation of /30 for the Internet facing side and an allocation of /27 for the trust side.

The /30 will provide (2) usable IP addresses*:

The /27 will provide (29) usable IP addresses*: -

*Remember that with IP address allocation, you lose 3 IP addresses for the network, broadcast and gateway to your provider. With a /24 allocation (say you will be unable to use,, and whatever the provider uses as a gateway. This is usually

The 2 IP addresses from the /30 will need to be used on the provider side and the Internet facing side of the firewall. In this case, will be the gateway (provider side). The other IP ( will be assigned to the Internet facing side (also called the untrust side) of the firewall. An IP address from the /27 will also need to be assigned to the trust side of the firewall. In this case, we will use Here is where the tricky part comes in. The provider MUST statically route to This will tell the rest of the Internet that it must go through to communicate with any address with Last, a default route must be added in the firewall for This will allow traffic to leave the firewall, travel through the providers network, and out to the internet. See the diagram below:

Public IP addresses can also be used in conjunction with NAT on the same device. For information see Public IPs and NAT on the same firewall.

Contact Us

If you found this information useful, click the +1 button

Your E-mail:


Type verification image:
verification image, type it in the box


NOTE: this form DOES NOT e-mail this article, it sends feedback to the author.

Juniper SRX anti-spam filtering config
Windows Server 2008 Clustering Configuration
Windows 2008 R2 Network Load Balancing (NLB)
Extreme Networks: Downloading new software image
Juniper SRX save config to USB drive
Juniper SRX logout sessions
Extreme Networks Syslog Configuration
Command line drive mapping
Neoscale vs. Decru
Data Security vs. Data Protection
Juniper SRX Cluster Configuration
HOWTO - Create VLAN on Extreme Switch
Using a Non-local Colocation Facility
Linux Server Administration
IT Chop Shops
Flow Viewers: SFLOW, NetFLOW, and JFLOW
Exchange 2007 Back Pressure
IPtables open port for specific IP
Politics in IT Departments
HOWTO - Block Dropbox
Cisco IOS Cheat Sheet
Subnet Cheat Sheet
Design a DMZ Network
How DNS works
Firewall Configuration
Juniper SSG Firewalls
Server Management
Configuring VLANs
Runlevels in Linux
Server Clustering
SONET Networks
The Red Hat Network
Server Colocation
Complicated Linux Servers
Dark Fiber
Data Center Network Design
Firewall Types
Colocation Bandwidth

Copyright © 2002-2016 Skullbox.Net All Rights Reserved.
A division of Orlando Tech Works, LLC
By using this site you agree to its Terms and Conditions.
Contact Erik Rodriguez