Reserved IP
A reserved IP is a single-tenant public IP address deployed on Cisco Secure Access. The reserved IP maps to a unique source IP address for your organization's web traffic and is not shared with any other Secure Access instance. Secure Access NAT as a Service (NATaaS) manages the web traffic egressing from the secure web gateway on your reserved IP.
Note: Reserved IP is available only for web traffic protected by the Secure Access secure web gateway.
Table of Contents
- Network Requirements
- Best Practices
- Deployment of the Reserved IP
- Known Limitations
- Reporting and Reserved IP
- Calculate Your Maximum Sessions
- Troubleshooting
Network Requirements
For Reserved IP, Secure Access designates an IP address only for your organization's web traffic from the secure web gateway. For more information about the Secure Access IP address range for web traffic, see Secure Access NAT as a Service.
Best Practices
Important
To ensure that your organization's network traffic reaches the data center where Secure Access provisioned the reserved IP, we recommend that you use the Secure Access DNS servers.
Set up your organization's DNS to resolve queries to the Secure Access DNS servers. For information about the Secure Access DNS servers, see Secure Access DNS Resolvers.
- To get help with setting up the Secure Access DNS servers on your network, contact Cisco Support. For more information, see https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html.
- If you cannot use the Secure Access DNS servers on your network, contact Cisco Support to enable the provisioning of Reserved IP with your organization's DNS.
Deployment of the Reserved IP
Important
Before Cisco can assign the reserved IP address to your organization, you must contact your Cisco partner or sales representative and order your reserved IP address.
- Reserved IP is available only for web traffic protected by the Secure Access secure web gateway.
- Secure Access does not support reserving contiguous IP addresses.
- After Secure Access deploys the reserved IP for your organization, all web traffic that is forwarded to the provisioned cloud provider region uses the reserved IP.
Known Limitations
Secure Access has known limitations for the use of Reserved IP.
Remote Browser Isolation
- Remote Browser Isolation (RBI) is not supported by Reserved IP. Applications or services that require a reserved IP address should not use remote browser isolation.
Reserved IP Surrender
When an organization surrenders one or more reserved IPs back to Cisco, the reserved IPs become available to other organizations for provisioning. Reserved IP addresses are not transferable from one AWS region to another. For more information, see Reserved IP Supplemental Terms.
Port Exhaustion
Port exhaustion is unlikely to occur. However, if port exhaustion does occur, the session is dropped and the client on the user device retries the connection.
Reporting and Reserved IP
The Activity Search report has two filters associated with Reserved IP.
- Egress IP Type—The egress IP type. Choose either Shared or Reserved.
- Egress Data Center—The list of available Secure Access data centers.
To filter by Egress IP Address, use the IP Address filter field. For more information, see Advanced Search.
Calculate Your Maximum Sessions
Determine the maximum sessions available in a Secure Access instance.
This formula illustrates the way in which Reserved IP maps sessions to a single reserved IP.
sIP x sP x dIP x dP x nP
- sIP (Source IP)—A single source IP address. For example, use a value of 1.
  Secure Access supports more than one source IP address at a time. The source IP address is the egress IP from your organization's premises or from a roaming user device.
- sP (Source Ports)—We do not restrict source ports. Use the value of 65536 for the full port range of 65,536 potential source ports.
- dIP (Destination IPs)—The total number of destination IPs that clients can use to establish a session.
  To determine the greatest number of sessions supported, use the total possible number of public IPv4 addresses, 3,706,452,992.
  To determine the fewest number of sessions supported, use 1. A value of 1 emulates a fully qualified domain name (FQDN) that only supports a single IP address. All clients establish a session with the same FQDN.
- dP (Destination Ports)—We do not restrict ports. Use the value of 65536 for the full port range of 65,536 destination ports.
- nP (Number of Protocols)—Secure Access only supports TCP. Use a value of 1 for TCP.
Example
1 x 65536 x 1 x 65536 x 1 = 4294967296
Troubleshooting
If the network traffic for the organization is not using the reserved IP that Secure Access assigned to your organization, we recommend that you review your Secure Access deployments, configuration settings, and policy rules.
- Ensure that destinations are not added in policy rules where you enabled remote browser isolation (RBI).
- Ensure that destinations are available on HTTP/TCP port 80 or HTTPS/TCP 443.
  Note: Secure Access does not provide the reserved IP for web sites that load over QUIC.
- Ensure that web traffic on the reserved IP appears in the Activity Search report, and that the traffic egresses through the region of data centers where Secure Access provisioned the organization's reserved IP.
- Some 'find my IP' sites read the original IP in the proxy's HTTP X-Forwarded-For (XFF) header and show that IP instead of the organization's reserved IP. We recommend that you use the Activity Search report to verify that the network traffic is using the organization's reserved IP.
- Secure Access excludes Microsoft Update traffic on the organization's reserved IP.
- Ensure that the organization's network connects to the region of data centers where Secure Access provisioned the reserved IP.
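The X-Forwarded-For behavior noted in the list above, as an added example that is not part of the Cisco documentation: it compares the address a destination actually receives the connection from with the address an XFF-reading 'find my IP' page would display. The function names, header set, and addresses (taken from the RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress


def xff_client(headers):
    """Return the leftmost valid address in X-Forwarded-For, or None.

    This is the value a 'find my IP' page shows when it trusts the header.
    """
    for name, value in headers.items():
        if name.lower() == "x-forwarded-for":
            first = value.split(",")[0].strip()
            try:
                return str(ipaddress.ip_address(first))
            except ValueError:
                return None  # placeholder such as "unknown", or garbage
    return None


def check_egress(peer_addr, headers, reserved_ip):
    """Compare the real egress address with what an XFF-reading site displays.

    peer_addr is the TCP peer address the destination sees, which is the
    address that IP allowlists on the destination side evaluate.
    """
    peer = ipaddress.ip_address(peer_addr)
    displayed = xff_client(headers) or str(peer)
    return {
        "egress_ip": str(peer),
        "displayed_by_xff_site": displayed,
        "uses_reserved_ip": peer == ipaddress.ip_address(reserved_ip),
        "display_misleading": displayed != str(peer),
    }


# Constructed sample: the connection arrives from the reserved IP while the
# proxy-supplied header still carries the original client address.
RESERVED_IP = "203.0.113.10"  # hypothetical reserved IP
SAMPLE_HEADERS = {
    "Host": "ip-check.example",
    "X-Forwarded-For": "198.51.100.25",  # hypothetical original client IP
}

if __name__ == "__main__":
    for key, value in check_egress(RESERVED_IP, SAMPLE_HEADERS, RESERVED_IP).items():
        print(f"{key}: {value}")
```

When `display_misleading` is true while `uses_reserved_ip` is also true, the traffic is egressing correctly and only the site's display is off, which is why the Activity Search report is the recommended check.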