IP Addresses


IP address classes are defined as follows:

Class Description Netmask
A First octet is between 1 and 127. The first octet is a one-byte net address and the last three octets are the host address. 255.0.0.0
B First octet is between 128 and 191. The first two octets are the net address and the last two octets are the host address. 255.255.0.0
C The first octet is 192 or higher. The first three octets are the net address and the last octet is the host address. 255.255.255.0

Try to use RFC 1918 IP addresses for inside and perimeter addresses:

Class Begin End
A 10.0.0.0 10.255.255.255
B 172.16.0.0 172.31.255.255
C 192.168.0.0 192.168.255.255

Firewalls generally require that IP addresses used by the commands ip address, static, global, failover, and virtual be unique. They must also differ from the IP addresses used by any routers.

There are several flavors of IP addresses:

  1. local_ip

    An untranslated IP address on the internal, protected network. In an outbound connection originated from local_ip, the local_ip is translated to the global_ip. On the return path, the global_ip is translated to the local_ip. The local_ip to global_ip translation can be disabled with the nat 0 0 0 command. In syslog messages, this address is referenced as laddr.

  2. global_ip

    A translated global IP address in the pool or those addresses declared with the global or static commands. In syslog messages, this address is referenced as gaddr.

  3. foreign_ip

    An untranslated IP address on an external network. foreign_ip is an address for hosts on the external network. If the alias command is in use, an inbound message originating from the foreign_ip source address is translated to dnat_ip by the firewall.

  4. dnat_ip

    A dual NAT IP address on an external network. On firewalls, it is translated by the alias command. Outbound connections destined for dnat_ip are untranslated to foreign_ip. In syslog messages, this address is referenced as faddr.

  5. virtual_ip

    A fictitious public or private IP address that is not the address of a real web server on the interface you are accessing.
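
The following Python example is added here and is not from the original page or from any firewall vendor. It applies the class table and the RFC 1918 ranges above to the laddr, gaddr and faddr fields of syslog lines. The sample lines and their message layout are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# RFC 1918 ranges from the table above, written as CIDR networks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The three labels the page says appear in syslog messages.
FIELD = re.compile(r"\b(laddr|gaddr|faddr)\s+(\d{1,3}(?:\.\d{1,3}){3})")
# Constructed sample lines; the surrounding message layout is an assumption.
SAMPLE_LINES = [
    "Built outbound TCP connection 1001 for faddr 198.51.100.7/80 gaddr 203.0.113.10/1025 laddr 10.1.1.5/1025",
    "Built inbound TCP connection 1002 for faddr 192.168.50.9/4431 gaddr 203.0.113.20/25 laddr 172.20.4.8/25",
    "Built outbound TCP connection 1003 for faddr 198.51.100.7/80 gaddr 203.0.113.11/1026 laddr 172.32.0.9/1026",
]

def classful(addr):
    """Class letter and default netmask, using the page's first-octet table."""
    first = ipaddress.ip_address(addr).packed[0]
    if 1 <= first <= 127:
        return "A", "255.0.0.0"
    if 128 <= first <= 191:
        return "B", "255.255.0.0"
    if first >= 192:
        return "C", "255.255.255.0"
    return None, None  # a first octet of 0 is not covered by the table

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def audit(line):
    """Return (role, address, class, note) for each labelled address in a line."""
    rows = []
    for role, addr in FIELD.findall(line):
        try:
            cls = classful(addr)[0]
        except ValueError:  # e.g. an octet above 255
            rows.append((role, addr, None, "not a valid IPv4 address"))
            continue
        note = "ok"
        if role == "laddr" and not is_rfc1918(addr):
            note = "inside address is outside RFC 1918"
        elif role == "faddr" and is_rfc1918(addr):
            note = "RFC 1918 address on external side; confirm it is an expected dnat_ip"
        rows.append((role, addr, cls, note))
    return rows

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(audit(line))
```

The third sample line uses 172.32.0.9, which is class B by first octet but lies just past the end of the 172.16.0.0 to 172.31.255.255 range, so it is reported as an inside address outside RFC 1918.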