IP addressing design question

Kevin Melton
Level 2

I have a rather interesting design dilemma at a client site.  The client is preparing to install a router between themselves and a business partner for some data exchange.  While discussing this with my colleagues, we determined the best place to put the Business Partner router was in our WAN network.  Our WAN network operates in address space 192.168.15.0/24.  We currently have three other routers in that WAN network (one for MPLS, one for Frame, and one for the backup ISDN).  The addresses are 15.50 (MPLS rtr), 15.4 (Frame) and 15.5 (ISDN).

This WAN network has a gateway to get to the client's inside networks at the client ASA (WAN interface IP 192.168.15.1).  During planning sessions with the Business Partner a month ago, we told them that we were assigning them the IP address 192.168.15.10 and placing them into the WAN network.  We were then going to NAT the devices on the inside networks that need to talk to the BP and add the appropriate ACL entries to the ACL which we already have in place inbound on the WAN interface on the ASA.

During turn up activities with the business partner today, we found out that they cannot use the 192.168.15.10 address because their company policy mandates that they use IP address scheme 172.27.X.X.

There is a 3750 switch in between the routers and the ASA.  We have a VLAN created on the switch for the WAN network.

I am not sure how to get the IP address 172.27.6.130 on the BP router to route to the 192.168.15.1 interface on the ASA.

If need be I guess we could always create another VLAN on the switch and give it a 172.27.X.X address.  Then the switch would have to route to the 15.0 WAN network.

DIAGRAM IS  ATTACHED

I am open for any suggestions here.

Thanks

Kevin

30 Replies

Jon Marshall
Hall of Fame

Kevin

Could you post the visio as .jpg please ?

Jon

My bad, Jon. Here is the .jpg.

Kevin

Jon Marshall
Hall of Fame

Kevin

Is the 3750 switch acting purely as a L2 switch at present ?

Also this is your WAN so I'm unclear why you need to allocate the 172.27.6.130 address to the WAN router ?

Jon

Jon

Here are your answers

Is the 3750 switch acting purely as a L2 switch at present ?

Currently it is configured only as Layer 2.  Right now there are two VLANs with IP interfaces configured, but I do not think any routing occurs between them.

Also this is your WAN so I'm unclear why you need to allocate the 172.27.6.130 address to the WAN router ?

It is due to requirements from the Vendor.  Originally during planning, we had told the vendor that they would need to configure an IP address of 192.168.15.10 on that interface.  This was actually on a planning document that we sent to the vendor some time ago.

Today during turn up, it seems like the vendor must never have read it, or it did not register with them, as they are now telling us that they don't NAT, that we must NAT, and that we have to NAT the 172.27.6.130 address which they have configured on the router.

Thanks

Kevin

k-melton wrote:

Today during turn up, it seems like the vendor must never have read it, or it did not register with them, as they are now telling us that they don't NAT, that we must NAT, and that we have to NAT the 172.27.6.130 address which they have configured on the router.

Thanks

Kevin

Kevin

Yes, you could configure another vlan on the 3750 switch for the 172.27.6.x network and turn on routing is the short answer. But I am still confused about the 172.27.6.130 interface.

If this is the WAN interface it shouldn't make any difference to the BP what you configure it as. They don't ever need to route to this address and it is your WAN so you should address it as you want. How you NAT their traffic should be up to you. Is the router, although in your WAN, still managed by the BP?

Perhaps you could clarify because I'm not understanding the issue.

Jon

Jon

My humble apologies for the confusion.  I probably could have taken more time to try to explain in greater detail but did not.

Here we go with a better attempt at an explanation that hopefully will clear up any confusion. 

The client is getting ready to exchange data with a Business Partner.  The Business Partner will be exchanging data to and from the client's network.

The BP will be collecting data from a specific server on an inside network off of the ASA's inside interface.  The WAN interface of the ASA is the gateway for the 15.X/23 WAN network.  This ASA WAN interface plugs into the switch in question in this equation, landing on a port in the WAN vlan 15.  As is easy enough to tell from the diagram, other routers are also in this subnet.

The Business Partner 2 months ago forwarded a questionnaire asking specific network questions which was meant to ascertain all of the important IP addresses and other network requirements.  This was in order that they could configure their router at a later time through an aux port on a POTS line.

The document did publish the fact that they will be using a 28 bit Ethernet network at each site within the IP address range of 172.27.X.X to 172.28.X.X, and that NATing would be our (client's) responsibility.  They had also indicated that if the equipment that was going to be monitored were on different LANs than the Ethernet connection of their router, a route to these networks must be supplied to their router.

The document then went on to ask for some specific information such as 1) a network address and mask, and then 2) an IP address to assign to their router.  It continued by also asking if a Firewall was going to be in between their router and the Inside network devices, and if so would it be providing NAT, and of course we answered 'yes'.

So based on all that, and considering the diagram, we then decided that the place for that router would be in the WAN network with the Firewall in between it and us.  We assigned the network address 192.168.15.10 for them in that network and sent back the document.  We have had several discussions with them about the configuration, and they never once indicated that they saw a problem with having the 15.10 address on that Ethernet interface.  Today it became an issue, and they reminded us that it was our responsibility to provide NATing.  I had just naturally assumed that since they would have looked at the document when we returned it, that if in fact they could not configure their Ethernet interface to the specified address, that they would have flagged that and let us know.

So we have to have that 172.27.6.130 instead.  And since we don't have a 172.27.6.X network, and also since we had planned on it going into the 15 network, we have to come up with a way to communicate with them.

Currently it seems to me that the best answer is that we turn a switch port to an L3 port and configure 172.27.6.X on it, and then they can put routes on their router for the stuff they need on our inside net.

I hope that cleared things up a bit.  I look forward to your comments.

Kevin

Jon

Yes the router is managed by the BP.

Is there a way if we use a switchport on the switch as a routed port in the 172.27.6. network, that we could then NAT at the switch?

thanks

Kevin

k-melton wrote:

Jon

Yes the router is managed by the BP.

Is there a way if we use a switchport on the switch as a routed port in the 172.27.6. network, that we could then NAT at the switch?

thanks

Kevin

Kevin

Unfortunately not because the only switch which supports NAT is the 6500.

I'm really sorry but I still cannot understand what the issue is with using a 192.168.15.x address. It should make absolutely no difference to the BP at all. I'm assuming from your diagram that the BP clients are behind the new router ?

What matters to them is -

1) the subnet they use on the LAN side of the router

2) any NATing for the devices behind the ASA, which is indeed your client's responsibility but that is taken care of

The interface address of the interface connecting to your WAN is never used by them for anything, i.e. they don't route to it, their clients don't use it as a default gateway, and if they want to monitor the router the LAN interface would be the logical one to use.

When you ask about NATing on the switch, what exactly are you wanting to NAT ?

If you have to use a 172.27.x.x address on the BP router (and I still can't see why) then your 3750 has to route. You can either use a routed port as suggested above or a L3 SVI. Whether you want the 3750 to route is another matter. It could confuse things but I don't know enough about the setup to say for sure.

Jon

Here is what I have been able to accomplish so far, Jon.

We changed the port on the switch to an L3 port, and assigned address 172.27.6.136 to it.  The LAN side over here is network 172.27.6.128/28.  Also remember that they have 172.27.6.130 configured on the Ethernet of their router.

From our switch we were able to ping the Enet on their router at 172.27.6.130.

Here is a table which shows what they need on the LAN side (our side).

Ref   Device Description          IP Address
2     Firewall (if applicable)    172.27.6.132
3     Primary Server              172.27.6.133
4     Secondary Server            172.27.6.134
5     Tertiary Server             172.27.6.135
      Other Devices               172.27.6.136/.142
      Other Devices
      Other Devices
      Other Devices

Here is a table they provided to us that shows what devices on their side we will be talking to:

Ref   Bus. Partner Server         Primary IP Address
6     BP Test Server 1 & 3        206.223.104.20 & .21
7     BP Test Server 2 & 4        206.223.104.22 & .23
8     BP EMS UCS Pair             206.223.104.11
9     BP EMS UCS Pair             206.223.104.13
10    Alternate EMS UCS Pair      206.223.104.15
11    Alternate EMS UCS Pair      206.223.104.17
12    BUCC EMS                    206.223.104.80
13    BP Primary GMS Server       206.223.105.2
14    BP Secondary GMS Server     206.223.105.3
15    Additional PJM Device(s)

I turned on IP routing on the switch.

I created an interface in our WAN vlan 15 and gave it an IP address of 192.168.15.2.  This is to allow them to get to our ASA at 192.168.15.1.

I also had to create routes to their 206 networks on our switch.  Once that was done then they were able to ping from their host at 206.223.104.11 to the 172.27.6.136 address on our switch.

The one thing I have not been able to resolve yet is the NAT issue.  They need to be able to talk to address 172.27.6.133.  For us on the inside this is IP address 192.168.3.2.  I tried putting the following into place but it did not work:

static (inside,WAN) 192.168.3.2 172.27.6.133 netmask 255.255.255.255

I was actually getting a message that this was overlapping with an existing static map:

static (inside,WAN) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

So then I tried the following configuration:

access-list policy_PJM permit ip host 192.168.3.2 host 206.223.104.11
nat (inside) 2 access-list policy_PJM
global (WAN) 2 172.27.6.136

This is because they have a ping nailed up from their server at 206.223.104.11 to the address 172.27.6.133 (which is our 192.168.3.2). They were leaving this ping nailed up and were going to call me once they were receiving replies.

Perhaps you can tell me what I am doing incorrectly with the NAT?

Thanks Jon

Kevin
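Pulling the pieces of the thread together, here is an added example configuration for the 3750 and the ASA that matches the addresses Kevin lists; it is not from the original post or from Kevin's running config. It assumes the pre-8.3 NAT syntax Kevin is already using, Jon's policy-NAT approach (done as a policy static so the existing identity static for 192.168.3.0/24 is left alone), an assumed routed port number, and an assumed name for the existing inbound WAN ACL.

```text
! --- 3750 (added example, not Kevin's running config) ---
ip routing
!
interface Vlan15
 description WAN VLAN; next hop to the ASA at 192.168.15.1
 ip address 192.168.15.2 255.255.255.0
!
interface GigabitEthernet1/0/24
 description Routed port toward BP router 172.27.6.130 (port number assumed)
 no switchport
 ip address 172.27.6.136 255.255.255.240
!
! The BP server networks sit behind their router
ip route 206.223.104.0 255.255.255.0 172.27.6.130
ip route 206.223.105.0 255.255.255.0 172.27.6.130
! Everything else (the inside networks) goes to the ASA
ip route 0.0.0.0 0.0.0.0 192.168.15.1

! --- ASA, pre-8.3 NAT syntax (added example) ---
! Return path: the ASA must know that the 172.27 link and the 206
! networks are reached via the 3750, not via its default route
route WAN 172.27.6.128 255.255.255.240 192.168.15.2 1
route WAN 206.223.104.0 255.255.255.0 192.168.15.2 1
route WAN 206.223.105.0 255.255.255.0 192.168.15.2 1
!
! Policy static NAT (Jon's suggestion): 192.168.3.2 is presented as
! 172.27.6.133, but only for traffic to/from the BP server networks.
! The existing identity static for 192.168.3.0/24 stays untouched.
access-list BP_NAT extended permit ip host 192.168.3.2 206.223.104.0 255.255.255.0
access-list BP_NAT extended permit ip host 192.168.3.2 206.223.105.0 255.255.255.0
static (inside,WAN) 172.27.6.133 access-list BP_NAT
!
! Add to the existing inbound ACL on the WAN interface (name assumed).
! Pre-8.3 ACLs match the mapped address; only the BP networks are
! allowed, and only to the one server they need.
access-list WAN_in extended permit ip 206.223.104.0 255.255.255.0 host 172.27.6.133
access-list WAN_in extended permit ip 206.223.105.0 255.255.255.0 host 172.27.6.133
!
! Verify the translation and the ACL hit before asking the BP to test:
!   packet-tracer input WAN icmp 206.223.104.11 8 0 172.27.6.133
!   show xlate | include 172.27.6.133
```

On pre-8.3 code the order of overlapping static statements matters, so if packet-tracer shows the identity static still winning, re-enter the statics with the policy static first.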


The one thing I have not been able to resolve yet is the NAT issue.  They need to be able to talk to address 172.27.6.133.  For us on the inside this is IP address 192.168.3.2.

Are you saying that when they access 172.27.6.133 this should resolve to 192.168.3.2 on your end?

That is correct.

Then I would suggest using a static nat statement like this.

"ip nat inside source static 192.168.3.2 172.27.6.133"

Then when somebody tries to access the 172 address it will resolve to the 192.

Hope this Helps.

Kyle

I don't think Kevin can do that because he already has a static, i.e.

static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

so therefore you need to use policy nat.

Jon

Kyle

The only issue I see with your statement is that it looks like a statement for an IOS router.  We are performing the NAT on an ASA.

thanks

Kevin
