CE configuration query - routing issue

astarmach
Level 1

Hi all

got BIP connection from ISP, with block of public ip's (100.100.100.1/30)

PE end : 80.80.80.1 /30

CE end : 80.80.80.2 /30

There is server on the LAN side which I want to be accessed via public IP 100.100.100.2

how can I go about setting this using just 1 box (do not want to involve firewall for NAT, just 1 router - Cisco 1841)

topology and most important config in attachments...

now, PE and CE IPs are pingable fine from net

server can be accessed from outside (via telnet for example, no problem)

ISP is advertising routes to 80.80.80.2 and 100.100.100.1/30 via PE (80.80.808.1)

the issue is trace to my public IP (100.100.100.2)...it hits PE then CE ..then goes back to PE then to CE...then again back to PE then CE ..etc....

please see how ping and traceroutes looks like:

C:\user>ping 100.100.100.2
Pinging 100.100.100.2 with 32 bytes of data:
Reply from 80.80.80.2: TTL expired in transit.
Reply from 80.80.80.2: TTL expired in transit.
Reply from 80.80.80.2: TTL expired in transit.
Reply from 80.80.80.2: TTL expired in transit.

   
C:\user>tracert 100.100.100.2
Tracing route to [100.100.100.2]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  10.252.240.1
  2    <1 ms    <1 ms    <1 ms  10.252.254.1
..
..
  6    16 ms    16 ms    16 ms  80.80.80.2
  7    17 ms    16 ms    31 ms  80.80.80.1
  8    30 ms    23 ms    25 ms  [80.80.80.2]
  9    23 ms    24 ms    23 ms  80.80.80.1
10    33 ms    57 ms    52 ms   [80.80.80.2]
11    67 ms    35 ms    39 ms  80.80.80.1
12    39 ms    59 ms    70 ms   [80.80.80.2]
13   101 ms    36 ms    44 ms  80.80.80.1
14    58 ms    45 ms    43 ms  [80.80.80.2]
15    51 ms    62 ms   101 ms  80.80.80.1
^C

I think I need to put route to 100.100.100.1/30 in my config ...is that right ?

please help....

3 Replies

james.mirtsis
Level 1

Hi astarmach,

Firstly it looks like all your hosts except for the server are NATing to your fa0/1.18 address of 80.80.80.2. Looking at your topology, don't you want them to be NATing to the 100.100.100.1 address?

Anyway moving on to your question, you have statically NAT'd certain ports 25, 80, 110 & 443 to the 100.100.100.2 address but you have not statically NAT'd ICMP to the address. Can you reach your server on port 25, 80, 110 & 443?

You can see that there is network connectivity to your CE for the 100.100.100.2 address as you are hitting the outside interface and bouncing back to the ISP. Alternatively you could just NAT 100.100.100.2 to the server on all ports by removing the extendable command, or else add one for ICMP.

Let me know how you go.

Hiya

yes the server can be reached no problem on ports 25, 80 etc....

this was a very easy solution, just add IP 100.100.100.2/30 to interface facing WAN -> FastEthernet0/1

That worked,

Thanks for looking at this

antasson
Level 1

Hi,

as James said, you used the so called port-mapping so there's no surprise the ICMP follows the default gateway going back to the PE.

What you can do, if you really want to be able to ping the server, is to create a full static entry (not just for the ports) but then you'll need to put in place some filtering (ACL, FW inspect, etc) to protect the server from malicious traffic.

Regards,

Antonio
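
Antonio's suggestion (a full static entry plus filtering) written out as IOS configuration. This is an added example, not taken from the thread or its attachments: 192.168.10.10 is a constructed stand-in for the server's inside address, the ACL name WAN-IN is hypothetical, and FastEthernet0/1.18 is assumed to be the outside subinterface James refers to.

```cisco
! Constructed example. 192.168.10.10 stands in for the server's inside
! address (the real one is only in the attachment); WAN-IN is a
! hypothetical ACL name.
!
! --- Before: port mapping only, as described in the replies ---
! Only these four TCP ports are translated. Anything else addressed to
! 100.100.100.2 (ICMP included) matches no NAT entry and follows the
! CE's default route back to the PE.
ip nat inside source static tcp 192.168.10.10 25 100.100.100.2 25 extendable
ip nat inside source static tcp 192.168.10.10 80 100.100.100.2 80 extendable
ip nat inside source static tcp 192.168.10.10 110 100.100.100.2 110 extendable
ip nat inside source static tcp 192.168.10.10 443 100.100.100.2 443 extendable
!
! --- After: one full static entry, every protocol and port translated ---
no ip nat inside source static tcp 192.168.10.10 25 100.100.100.2 25 extendable
no ip nat inside source static tcp 192.168.10.10 80 100.100.100.2 80 extendable
no ip nat inside source static tcp 192.168.10.10 110 100.100.100.2 110 extendable
no ip nat inside source static tcp 192.168.10.10 443 100.100.100.2 443 extendable
ip nat inside source static 192.168.10.10 100.100.100.2
!
! An inbound ACL on the outside interface is checked before NAT, so it
! matches the public address 100.100.100.2, not the inside address.
ip access-list extended WAN-IN
 permit tcp any host 100.100.100.2 eq 25
 permit tcp any host 100.100.100.2 eq 80
 permit tcp any host 100.100.100.2 eq 110
 permit tcp any host 100.100.100.2 eq 443
 permit icmp any host 100.100.100.2 echo
 remark Replies to TCP sessions the server opens (stateless: matches ACK/RST)
 permit tcp any host 100.100.100.2 established
 remark Everything else to the server is dropped and logged
 deny ip any host 100.100.100.2 log
 remark Policy for all other destinations is left unchanged
 permit ip any any
!
interface FastEthernet0/1.18
 ip access-group WAN-IN in
```

With this ACL, UDP replies to lookups the server itself initiates (DNS, NTP) are dropped; stateful inspection, the other option Antonio names, is the way to admit return traffic without opening ports statically.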
