Bronze

ISP lab scenario

Hello network experts,

I am new on this forum and I would like to ask if somebody has experience with ISP network architecture. I want to simulate a real network situation, as you can see in the screenshot, but I have some problems with routing or NAT configuration.

Now the network shown in the screenshot works fine and I can ping from workstation 192.168.8.165 to external network 90.183.241.53. Also I can ping from 192.168.1.1 to 90.183.231.53, so basically the network works fine, but there is one problem with NAT or routing (probably).

I have decided to assign a specific external IP (NAT) for inside host 192.168.8.166. This IP is from another range than the one between PIX (FW0) and ISP router (R0). So the ISP assigned me the 88.103.247.209/27 network range for my servers to be reachable (NATed) from the outside internet (in this case R0).

On PIX (FW0) I created a new static NAT 192.168.8.165 --> 88.103.247.216 and now I want to make this IP available from another network (like from the internet), for example from network 90.183.241.53. But when I try to ping from 90.183.241.53 the result is a timeout.

How should I configure R0 to be able to route the NAT pool (88.103.247.209/27) to other networks? These IP addresses are real and it is the range I got from the ISP provider, and I would like to know how it is configured on the ISP side. Could someone help with it or tell me how it works?

My network is terminated by the PIX and there is no other router on my side. I am connected to the ISP side with a normal ethernet cable (no serial cable or other type of connection, no frame relay). Which routing protocol should I use?

I hope that the description is clear. Thank you very much for your help :-)

Jan

3 REPLIES
Silver

Re: ISP lab scenario

Wow, there is a lot going on here so we need to take this in steps.

First thing I see on the config is the use of the same network going in two different directions; why is this the case?

You need different /30 networks for each connected interface.

I think I understand you have 2 public IPs being NAT'd to the same private IP, did I read that correctly?

What the ISP does is just add a static route in their network for that IP range with a next hop of your directly connected interface IP, so it would look something like this:

ip route 88.103.247.192 255.255.255.224

They will take the whole block and route it to you. The ISP assumes you have it set up on your side to accept the routes.

As far as NAT, if you have a static NAT and no ACL blocking, then it should work just fine. My first suggestion would be to add an IP to an interface on the edge out of the 88.103.247.192/27 block and make sure you are able to reach it from site to site first, then work on the NAT.

Bronze

Re: ISP lab scenario

Thank you for the reply,

First I will correct my wrong description of the NAT pool: there is a /28 mask, not /27, but it is a small detail I think. So the usable IP range is 88.103.247.209-222 and the subnet is .208.

I don't understand your first question. Why is this the case? Because I don't understand how it works.

I think you are right, there are 2 public IP ranges on the side of my PIX. One is small, just for the directly connected interface e0 (FW0) with IP 90.183.231.53/30, and the second range is 88.103.247.209/28 for the NATed pool.

So if I configure just dynamic NAT (overload), all machines will go out to the internet via 90.183.231.53. Also all these machines will look like this public address from the internet.

If I configure static NAT for some server or machine, this machine will go out through the 90.183.231.53 interface but will have e.g. 88.103.247.209 as its public IP, right?

I will try to add the static route and will come back with the config files of the router and PIX.

Thank you for patience.

Bronze

Re: ISP lab scenario

OK here is my configuration on R0 and FW0:

Tried to ping from 192.168.8.165 (90.183.231.53 dynamic NAT) --> 90.183.241.53: ping SUCCESS.

Tried to ping from 192.168.8.165 (88.103.247.209 NATed) --> 90.183.241.53: NO success.

So what is wrong in my configuration?

================
R0
================
!
!
memory-size iomem 15
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
interface FastEthernet0/0
ip address 90.183.231.54 255.255.255.252
no ip mroute-cache
speed auto
full-duplex
no mop enabled
!
interface FastEthernet1/0
ip address 90.183.241.54 255.255.255.252
no ip mroute-cache
duplex auto
speed auto
!
router rip
version 2
network 90.0.0.0
!
ip classless
ip route 88.103.247.208 255.255.255.240 90.183.241.53

================
FW0
================
!
interface Ethernet0
nameif outside
security-level 0
ip address 90.183.231.53 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.8.166 255.255.255.0
!
!
ftp mode passive

access-list 101 extended permit icmp any any echo-reply

pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover

icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo inside
icmp permit any echo-reply inside

asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 1 192.168.8.0 255.255.255.0
static (inside,outside) 88.103.247.209 192.168.8.165 netmask 255.255.255.255

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 90.183.231.54 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.8.165 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!

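As an added example (not code from anyone in this thread), here is a small Python check of the point made in the first reply: the ISP router routes the NAT block with a next hop of the customer's directly connected interface. It parses an excerpt of the R0 config posted above and compares the static route's next hop against the PIX outside address taken from the FW0 config; the /28 block size comes from the second post, and the function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the R0 config posted in the thread (interfaces and the static route only).
R0_CONFIG = """
interface FastEthernet0/0
 ip address 90.183.231.54 255.255.255.252
interface FastEthernet1/0
 ip address 90.183.241.54 255.255.255.252
ip route 88.103.247.208 255.255.255.240 90.183.241.53
"""

FW0_OUTSIDE = "90.183.231.53"    # PIX outside interface, from the FW0 config above
NAT_BLOCK = "88.103.247.208/28"  # NAT pool, corrected to /28 in the second post


def parse_ios(config):
    """Return (connected subnets, [(destination network, next hop)]) from an IOS excerpt."""
    connected, routes = [], []
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            connected.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
            continue
        m = re.match(r"ip route (\S+) (\S+) (\S+)$", line)
        if m:
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                           ipaddress.ip_address(m[3])))
    return connected, routes


def check_nat_block_route(config, nat_block, customer_ip):
    """Verify the ISP router has a route for the NAT block whose next hop is the
    customer's directly connected interface. Returns a list of findings (empty = OK)."""
    connected, routes = parse_ios(config)
    block = ipaddress.ip_network(nat_block)
    customer = ipaddress.ip_address(customer_ip)
    next_hops = [nh for net, nh in routes if net == block]
    if not next_hops:
        return [f"no static route for {block}"]
    findings = []
    for nh in next_hops:
        if not any(nh in net for net in connected):
            findings.append(f"next hop {nh} is not on any connected subnet")
        if nh != customer:
            findings.append(f"next hop {nh} is not the customer interface {customer}")
    return findings


if __name__ == "__main__":
    for finding in check_nat_block_route(R0_CONFIG, NAT_BLOCK, FW0_OUTSIDE) or ["route OK"]:
        print(finding)
```

Run against the posted R0 excerpt, the check reports that the next hop of the 88.103.247.208/28 route is the address on the FastEthernet1/0 subnet rather than the PIX outside interface 90.183.231.53.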