Reserved IP

A reserved IP is a single-tenant public IP address deployed on Cisco Secure Access. The reserved IP maps to a unique source IP address for your organization's web traffic and is not shared with any other Secure Access instance. Secure Access NAT as a Service (NATaaS) manages the web traffic egressing from the secure web gateway on your reserved IP.

Note:

  • Reserved IP is available only for web traffic protected by the Secure Access secure web gateway.
  • Reserved IP is available only for IPv4.
  • Reserved IP is limited to one reserved IP per geographic region deployed for a Secure Access organization. For more information, see Secure Access Regions.


Network Requirements

For Reserved IP, Secure Access designates an IPv4 address only for your organization's web traffic from the secure web gateway. For more information about the Secure Access IP address range for web traffic, see Secure Access NAT as a Service.

Best Practices

Important:

To ensure that your organization's network traffic reaches the data center where Secure Access provisioned the reserved IP, we recommend that you use the Secure Access DNS servers.

Set up your organization's DNS to resolve queries to the Secure Access DNS servers. For information about the Secure Access DNS servers, see Secure Access DNS Resolvers.

Deployment of the Reserved IP

Important:

Before Cisco can assign the reserved IP address to your organization, you must contact your Cisco partner or sales representative and order your reserved IP address.

  • Reserved IP is available only for web traffic protected by the Secure Access secure web gateway.
  • Reserved IP is available only for IPv4.
  • Secure Access does not support reserving contiguous IP addresses.
  • Once Secure Access deploys the reserved IP for your organization, all web traffic that egresses through the provisioned cloud provider region uses the reserved IP, apart from the cases listed under Known Limitations and Troubleshooting (IPv6 sources, remote browser isolation, QUIC, and Microsoft Update traffic).

Known Limitations

Secure Access has known limitations for the use of Reserved IP.

IPv6

IPv6 addresses are not supported by Reserved IP. Traffic from sources that use IPv6 will be assigned public addresses from the Secure Access NATaaS shared IPv6 ranges.

Remote Browser Isolation

Remote Browser Isolation (RBI) is not supported by Reserved IP. Isolated sessions do not egress on the reserved IP, so destinations that must see the reserved IP address should not be matched by a policy rule that isolates them with RBI.

Reserved IP Surrender

When an organization surrenders one or more reserved IPs back to Cisco, the reserved IPs become available to other organizations for provisioning. Reserved IP addresses are not transferable from one AWS region to another. For more information, see Reserved IP Supplemental Terms.

Port Exhaustion

Port exhaustion (no free source port on the reserved IP for a new session to the same destination IP and port) is unlikely to occur. If it does occur, Secure Access drops the new session and the client on the user device retries the connection.

Reporting and Reserved IP

The Activity Search report has two filters associated with Reserved IP.

  • Egress IP Type—The type of egress IPv4 address: Shared or Reserved.
  • Egress Data Center—The list of available Secure Access data centers.

To filter by Egress IP Address, use the IP Address filter field. For more information, see Advanced Search.

Calculate Your Maximum Sessions

Determine the maximum sessions available in a Secure Access instance.

This formula gives an upper bound on the number of sessions that Reserved IP can map onto a single reserved IP:

sIP x sP x dIP x dP x nP
  • sIP (Source IP)—The number of source IPv4 addresses. For a single source IPv4 address, use a value of 1.
    Secure Access supports more than one source IPv4 address at a time. The source IPv4 address is the egress IP of your organization's premises or of a roaming user's device.
  • sP (Source Ports)—We do not restrict source ports. Use the value of 65536 for the full port range of 65,536 potential source ports. Port 0 is never used as a source port, so the result is an upper bound.
  • dIP (Destination IPs)—The total number of destination IPs, which clients can use to establish a session.
    To determine the greatest number of sessions supported, use the total possible number of public IPv4 addresses 3,706,452,992.
    To determine the fewest number of sessions supported, use 1. A value of 1 emulates a fully qualified domain name (FQDN) that only supports a single IP address. All clients establish a session with the same FQDN.
  • dP (Destination Ports)—We do not restrict ports. Use the value of 65536 for the full port range of 65,536 destination ports.
  • nP (Number of Protocols)—Secure Access only supports TCP. Use a value of 1 for TCP.

Example

1 x 65536 x 1 x 65536 x 1 = 4294967296
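The following is an added example and not Cisco's code. It turns the page's formula into a function and adds the bound that matters for web traffic in practice: when every client talks to the same destination IP on the same port (HTTPS on 443), the reserved IP, destination IP, destination port and protocol are all fixed, so only the source port distinguishes sessions and the ceiling is sP minus port 0, not the 4,294,967,296 of the worked example. The `destinations_near_exhaustion` helper and its sample input are this example's own construction; the tuple format it consumes is not the Activity Search export format.

```python
# Added example, not Cisco's code: the page's session formula as a function,
# plus the per-destination bound that applies to web traffic on one port.
from collections import Counter

FULL_PORT_RANGE = 65536                 # the sP and dP value the page uses
PUBLIC_IPV4_ADDRESSES = 3_706_452_992   # the page's count of public IPv4 addresses


def max_sessions(s_ip=1, s_ports=FULL_PORT_RANGE, d_ips=1,
                 d_ports=FULL_PORT_RANGE, protocols=1):
    """sIP x sP x dIP x dP x nP, as stated on the page. This is an upper
    bound: it counts port 0, which is never used as a source port."""
    return s_ip * s_ports * d_ips * d_ports * protocols


def web_sessions_per_destination(s_ports=FULL_PORT_RANGE):
    """Concurrent sessions one reserved IP can hold to a single destination
    IP on a single port (HTTPS/443 is the common case). Reserved IP,
    destination IP, destination port and protocol are fixed, so only the
    source port distinguishes sessions: the bound is sP minus port 0."""
    return s_ports - 1


def destinations_near_exhaustion(open_sessions, threshold=0.8,
                                 s_ports=FULL_PORT_RANGE):
    """Given (destination_ip, destination_port) tuples for the sessions
    currently open on one reserved IP, return the destinations using at
    least `threshold` of the per-destination bound, with their counts."""
    bound = web_sessions_per_destination(s_ports)
    usage = Counter(open_sessions)
    return {dst: n for dst, n in usage.items() if n / bound >= threshold}


if __name__ == "__main__":
    # The page's worked example: one source IP, one destination IP.
    print(max_sessions())  # 4294967296
    # Constructed sample (documentation addresses): 60,000 open sessions to
    # one HTTPS destination and a handful to another.
    sample = [("198.51.100.10", 443)] * 60_000 + [("198.51.100.20", 443)] * 10
    print(web_sessions_per_destination())       # 65535
    print(destinations_near_exhaustion(sample))  # flags 198.51.100.10:443
```

Feed `destinations_near_exhaustion` the open sessions for one reserved IP and it reports which single destinations are approaching the point where the session-drop-and-retry behaviour described under Port Exhaustion would start.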

Troubleshooting

If the network traffic for the organization is not using the reserved IP that Secure Access assigned to your organization, we recommend that you review your Secure Access deployments, configuration settings, and policy rules.

  • Ensure that destinations are not added in policy rules where you enabled remote browser isolation (RBI).
  • Ensure that destinations are reachable over HTTP on TCP port 80 or HTTPS on TCP port 443.
    Note: Secure Access does not provide the reserved IP for web sites that load over QUIC. QUIC runs over UDP, and Reserved IP covers TCP only.
  • Ensure that web traffic on the reserved IP appears in the Activity Search report, and that the traffic egresses through the region of data centers where Secure Access provisioned the organization's reserved IP.
    • Some 'find my IP' sites report the original client address carried in the HTTP X-Forwarded-For (XFF) header that the proxy adds, rather than the address the TCP connection actually arrives from, so they show the original IP instead of the organization's reserved IP. We recommend that you use the Activity Search report to verify that the network traffic is using the organization's reserved IP.
  • Secure Access does not send Microsoft Update traffic over the organization's reserved IP.
  • Ensure that the organization's network connects to the region of data centers where Secure Access provisioned the reserved IP.
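For the X-Forwarded-For pitfall above, the following is an added example, not Cisco's code or tooling: a minimal echo endpoint that reports the TCP peer address and the X-Forwarded-For header as two separate fields, so a reserved IP check can compare the right one. Host it on a server you control outside Secure Access, browse to it from a client whose traffic goes through the secure web gateway, and compare `tcp_peer` (not `x_forwarded_for`) with the reserved IP. The field names, the `egress_matches` helper and the 203.0.113.5 sample address are this example's own choices.

```python
# Added example, not Cisco's code: an echo endpoint that reports the TCP
# peer address separately from X-Forwarded-For, so a reserved IP check
# reads the address the connection actually came from.
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def describe_client(peer_ip, headers):
    """Split what a 'find my IP' page conflates: the address the TCP
    connection arrived from (the reserved IP when the traffic egressed
    through Secure Access NATaaS) versus the original client address that
    the proxy carries in X-Forwarded-For. `headers` is any mapping with
    a .get() method (the handler passes its parsed request headers)."""
    return {
        "tcp_peer": peer_ip,
        "x_forwarded_for": headers.get("X-Forwarded-For"),
    }


def egress_matches(observed, expected_reserved_ip):
    """The check that matters: compare the TCP peer, never XFF."""
    return observed["tcp_peer"] == expected_reserved_ip


class EgressEchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = json.dumps(describe_client(self.client_address[0],
                                          self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep per-request logging quiet
        pass


def start_echo_server(host="0.0.0.0", port=0):
    """Serve the echo endpoint on a background thread; port 0 picks a free port."""
    server = HTTPServer((host, port), EgressEchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_echo_server()
    print(f"Echo endpoint listening on port {port}; from a Secure Access client, "
          f"fetch / and compare tcp_peer with your reserved IP")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        server.shutdown()
```

A request that reaches this endpoint through a forward proxy will show the client's original address in `x_forwarded_for` (203.0.113.5 in the test below stands in for that) while `tcp_peer` holds the proxy's egress address; only the latter tells you whether the reserved IP is in use, which is why the page points you to the Activity Search report rather than to third-party IP-echo sites.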
