Question Re: 2nd non-contiguous routable subnet

rjrii
Level 1

When we originally signed up with our ISP, we requested 30 usable public IPs for use on our Cisco 3600 series router. Currently I have my serial interface configured on the router along with one interface on the first subnet assigned to us. We have now requested a second set of public IPs to accommodate growth and I'm wondering what I need to do to get traffic flowing over the new IPs. The 2nd block of IPs is non-contiguous from the first set and I'm guessing I need to create an interface with one of the IPs from the new block? As it stands right now, if I do a traceroute to one of the new IPs it bounces back and forth between the ISP and my router serial interface. Here's a basic rundown: (IPs modified for security purposes)

ISP Serial IP: 10.10.10.73/30

CPE Serial IP: 10.10.10.74/30

LAN IP Block 1: 10.20.20.176/28

Router IP: 10.20.20.177/28

Firewall IP: 10.20.20.178

LAN IP Block 2: 10.130.70.192/26

It appears from the traceroute to an IP on the new block that the ISP is routing the new subnet to the serial interface rather than my firewall interface and therefore my router is going to need an IP on the new subnet? My problem with that is I don't have a physical interface available, can it be done with a virtual interface?

Sample trace:

traceroute to 10.130.70.193 (10.130.70.193), 64 hops max, 40 byte packets

1 results removed

2 results removed

3 results removed

4 results removed

5 results removed

6 results removed

7 results removed

8 results removed

9 results removed

10 * * *

11 results removed

12 10-10-10-74.dia.static.qwest.net (10.10.10.74) 65.082 ms 67.250 ms 65.736 ms

13 10-10-10-73.dia.static.qwest.net (10.10.10.73) 66.694 ms 68.474 ms 76.452 ms

14 10-10-10-74.dia.static.qwest.net (10.10.10.74) 72.039 ms 68.509 ms 89.042 ms

The trace continues flopping between the same two interfaces on hop 13 and 14 (qwest side and my side serial interfaces of the DS3)

2 Accepted Solutions

Hello Randy,

IP routing works hop by hop; it is your border router that needs an additional static route to the ASA outside interface.

Wan router:

ip route new-block mask asa-outside-ipaddress.

After this you can allocate the ip addresses of the new block using static NAT pairs as suggested by Jon in the thread you have referenced.

Hope to help

Giuseppe


Randy:

Just to elaborate a bit more on what Jon and Giuseppe said...

You have to understand how routing works.

The ISP has assigned you this new subnet, which means that they own it and they route for it. It is native to their routing domain. So, their edge router probably has a static route that points to your edge router for the new subnet they assigned you, and they are then advertising that back to their core. This is why traffic destined for this new subnet knows how to reach your router.

But then your router has only one static route and it is a default route pointing OUT to the ISP. This is why you see the routing loop. The ISP sends to you, you send to it, and on and on.

The other subnet does not have that problem because there is an interface on your edge router in the subnet, so there must be a routing entry in the route table that says that that subnet is "directly connected." If so, then the "routing" ends and the "switching" begins, i.e. ARP requests, layer 2 addresses, etc.

You can do the same with this new subnet, but as Giuseppe points out, you certainly don't have to. Just tell your edge router what to do with the traffic destined for the new subnet when it receives it, i.e., the static route that will point inward to your ASA that Giuseppe recommended.

By the way, to save that routable IP address from the old subnet - since it seems that you need many of them and they are scarce -- you can remove it from your router's Ethernet interface and replace it with a private address. To be able to route the traffic for the subnet, just make sure you configure a new static route for the old subnet that also points inward to your ASA, since, by removing the IP address from the ethernet interface, you will have killed the "directly connected" route to the old subnet.

I hope I didn't confuse you more. :-)

[EDIT]

So, what you'll end up with are 3 static routes: 1 default route pointing OUT, and two static routes for each subnet pointing IN toward your ASA's outside interface.

[EDIT]

[EDIT 2]

I neglected to mention that if you do migrate to a private address on your g0/0 interface and use a static pointing to the ASA, as it is recommended you do for the new subnet, you will have to change the IP address of the ASA's outside interface too and place it on the same subnet as G0/0, i.e., 10.10.10.1/30 for G0/0 and 10.10.10.2/30 for ASA outside.

[EDIT 2]

Victor

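Here is an added example, not from the thread, that replays Victor's hop-by-hop explanation with the sanitised addresses from the question: with only a default route pointing out, the ISP and the CPE bounce the packet between the two serial addresses, and once Giuseppe's static route toward the ASA outside address is present the packet is delivered. The topology, the small route tables, and the choice to model the ASA as terminating the new block are assumptions for illustration.

```python
import ipaddress
# Sanitised addresses from the question (constructed to mirror the post).
ISP_SERIAL, CPE_SERIAL = "10.10.10.73", "10.10.10.74"   # DS3 /30
CPE_LAN, ASA_OUTSIDE = "10.20.20.177", "10.20.20.178"    # LAN block 1, /28
NEW_BLOCK = "10.130.70.192/26"                            # LAN block 2

def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop)]. next_hop None means
    'directly connected': routing ends and layer-2 delivery begins."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(routers, start, dst, max_hops=8):
    """Forward dst hop by hop from `start`; returns devices visited plus a
    marker: DELIVERED, DROP, or LOOP (the serial ping-pong in the post)."""
    path, cur = [], start
    for _ in range(max_hops):
        path.append(cur)
        match = lookup(routers[cur]["routes"], dst)
        if match is None:
            return path + ["DROP"]
        if match[1] is None:
            return path + ["DELIVERED"]
        # The next hop is whichever device owns that interface address.
        cur = next(n for n, r in routers.items() if match[1] in r["addrs"])
    return path + ["LOOP"]

def build(cpe_static_route):
    """ISP <-> serial <-> CPE 3845 <-> g0/0 <-> ASA outside. cpe_static_route
    adds 'ip route 10.130.70.192 255.255.255.192 10.20.20.178' (Giuseppe's fix)."""
    cpe = [("10.10.10.72/30", None), ("10.20.20.176/28", None),
           ("0.0.0.0/0", ISP_SERIAL)]                      # only a default OUT
    if cpe_static_route:
        cpe.append((NEW_BLOCK, ASA_OUTSIDE))               # new block IN
    return {
        "isp": {"addrs": {ISP_SERIAL}, "routes": [("10.10.10.72/30", None),
                ("10.20.20.176/28", CPE_SERIAL), (NEW_BLOCK, CPE_SERIAL)]},
        "cpe": {"addrs": {CPE_SERIAL, CPE_LAN}, "routes": cpe},
        # Assumption: the ASA answers for the new block (static NAT), modelled as connected.
        "asa": {"addrs": {ASA_OUTSIDE}, "routes": [("10.20.20.176/28", None),
                (NEW_BLOCK, None), ("0.0.0.0/0", CPE_LAN)]},
    }

if __name__ == "__main__":
    print(trace(build(False), "isp", "10.130.70.193"))  # isp, cpe, isp, cpe, ... 'LOOP'
    print(trace(build(True), "isp", "10.130.70.193"))   # ['isp', 'cpe', 'asa', 'DELIVERED']
```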

13 Replies

lamav
Level 8

Hi:

Can you please post the configs of your router?

Here you go. I did not modify the IPs as in the summary since there really is no security risk.

What is not reflected in the config is the new block of IPs that has recently been issued to me. That block is 63.239.148.192/26, which, if you trace to any IP in that range, you'll see bounces between the Qwest router and my router serial interfaces. Should I have asked Qwest to route this new block to my FW interface rather than having them route to the serial block (which is likely their default as I didn't specify one over the other in the order process)? My FW interface is one of the IPs in the 204.133.153.176/28 IP block.

qwest3845gw#sh run

Building configuration...

Current configuration : 4808 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname qwest3845gw

!

boot-start-marker

boot-end-marker

!

card type t3 1

logging buffered 4096 notifications

!

no aaa new-model

ip cef

!

!

!

!

ip domain name yourdomain.com

!

!

!

!

!

!

controller T3 1/0

cablelength 350

!

!

!

interface GigabitEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$

ip address 204.133.153.177 255.255.255.240

duplex auto

speed auto

media-type rj45

!

interface GigabitEthernet0/1

description $ES_LAN$

no ip address

shutdown

duplex auto

speed auto

media-type rj45

!

interface Serial1/0

ip address 67.148.138.74 255.255.255.252

dsu bandwidth 44210

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Serial1/0

!

!

logging history notifications

!

control-plane

!

!

!

scheduler allocate 20000 1000

!

end

qwest3845gw#

I'm pretty sure this post answers my question.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc28ade/0#selected_message

It looks like I will either need to have Qwest route the new subnet to my FW interface or create a new interface on both my router and firewall containing an IP from the new subnet. Sound right?

I have an available port on the 3845 router, but I don't have one on my ASA5520 because I already use one for my inside, one for my current outside address and the other two are used for lan/state failover. I believe I can combine the lan/state failover to one port to free up one for this configuration. Concerns with doing so?


Randy

Your original post asked how you could assign an address in your new subnet to an interface on your router. An alternative, which would not require any additional interfaces would be to configure a secondary address on the LAN interface of your router.

While the secondary address could work, I agree with the suggestions of others that the best solution is to configure a static route on your router pointing to the firewall as the next hop to get to the new subnet, and then to use the new subnet in your firewall or in the inside network as works best for you.

HTH

Rick


Rick!

How are you, man?

Long time...

I was asking Jon about you the other day...was missing your stuff.

All OK?

Victor

Thanks for missing me. I am ok, just been busy with some projects.

HTH

Rick


Thanks Rick. I went with the static routes and we're good to go. Again, thanks for the additional input, it's always great to get so much information.

Thanks for the additional info, Victor. I have a basic understanding, but with no test environments to try things out, I often default to the opinion of the great knowledge base here in the discussion groups prior to making a change.

Understood, and I'm glad I could help. :-)

Hey Giuseppe,

Thanks for the info, this solved my problem. I wasn't exactly sure if I could do the static route. Just a note, I also had to add a route on the ASA back to the edge router for the new subnet in order to make things work.

Hello Randy,

Nice to hear you have solved it, and thanks for your kind remarks.

I don't know the ASA as well as routers, so I tried to suggest what was in the thread you had picked up.

Probably the static route tells the ASA out of what interface to send packets after the NAT operation (not sure, just a wild guess).

I was also in doubt because I see that you have a free LAN interface on the router, but adding the new IP block there would mean not using the ASA.

Hope to help

Giuseppe
