
Routing an official subnet

chasm_Ger
Level 1

Hello,

we have a leased line from the German Telekom with an official subnet 217.xxx.xxx.184 255.255.255.248.

The Telekom installed a Cisco router as their end point in our rack. This Telekom Cisco router is connected via crossover cable to our Cisco router.

The Telekom router has the first IP of the official subnet (217.xxx.xxx.185).

I have configured the fa 0/0 interface of our router, which is connected to the Telekom router, with the second official IP address out of the subnet. On the fa 0/1 interface of our router, I have configured a local IP address of our LAN behind our Cisco router.

We do not have access to the Telekom router.

Here is an extract from our config:

int fa 0/0
 ip address 217.xxx.xxx.186 255.255.255.248
!
int fa 0/1
 ip address 192.168.xxx.253 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 217.xxx.xxx.185
ip route 217.xxx.xxx.187 255.255.255.255 FastEthernet 0/1
ip route 217.xxx.xxx.188 255.255.255.255 FastEthernet 0/1
ip route 217.xxx.xxx.189 255.255.255.255 FastEthernet 0/1
ip route 217.xxx.xxx.190 255.255.255.255 FastEthernet 0/1
ip classless
ip cef
ip subnet-zero

NAT is enabled and there is an access-list for incoming traffic, but I unset both for testing.

Traceroute from outside gets as far as our Cisco router, but not to our systems behind our router. There is nothing between our router and our systems which could block the requests. Also, a telnet to an open TCP port on our systems, on which a service is listening, does not work.

I have configured the systems with an official IP address out of the subnet, once with the router's internal IP as gateway and once with the router's official IP as gateway. It seems that the systems find the gateway. But the router does not forward packets from outside to the systems.

Then I tried to configure the fa 0/1 interface with an additional official IP address, but Cisco does not support such rubbish.

Any ideas how I can get it to work?

4 Replies

spremkumar
Level 9

Hi

You can configure a secondary IP address taken from the official pool on the fa0/1 interface instead of configuring it as a primary one.

One more thing you can do here is look at one-to-one static NAT (i.e., NATting the private IPs assigned to the server to the official IP address).

regds

Hi Friend,

How would somebody from outside know the route to reach your internal subnet until you advertise your internal subnet to your remote location?

I may be able to ping or trace your official IP because it is a routable IP, but I will not be able to reach your internal IP range as it is not routable on the Internet.

You need to define a destination NAT so that anyone hitting your external IP is translated to your internal IP range.

HTH

Ankur

Hi Ankur,

there is a misunderstanding. Our servers are configured with an official IP address out of the subnet as well, and their default gateway is the official IP address of our router. Between the servers and the router there is only one switch.

regards

chasm

Hi

I have tried to assign an official address on int fa 0/1 as secondary as shown below:

ip address 217.xxx.xxx.189 255.255.255.248 secondary

and got this message:

% 217.xxx.xxx.184 is assigned to FastEthernet0/0

So this is not possible.

Your static NAT solution is an idea. But I thought that it would be possible to route the requests from outside to the internal servers with the official IPs. I could not believe that this is not possible in this situation...

REQUESTS FROM INTERNET TO 217.xxx.xxx.187
||
\/
81.xxx.xxx.xxx
Telekom Router
217.xxx.xxx.185
||
\/
217.xxx.xxx.186
Our Router
192.168.xxx.253
||
\/
Cisco Switch
||
\/
217.xxx.xxx.187
192.168.xxx.200
Server
(Default Gateway is 217.xxx.xxx.186)
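The one-to-one static NAT suggested in the first reply, written out for the addresses in this thread as an added example (not configuration posted by any participant). It assumes the server uses 192.168.xxx.200 with 192.168.xxx.253 as its gateway; the ACL name INBOUND-EXAMPLE and TCP port 443 are hypothetical placeholders for the poster's own inbound access-list and service, and the masked octets are left as they appear in the thread.

```cisco
! Added example: static NAT for one server, with the inbound ACL re-applied.
interface FastEthernet0/0
 description Link to Telekom router (outside)
 ip address 217.xxx.xxx.186 255.255.255.248
 ip nat outside
 ! The inbound ACL is evaluated before NAT on the outside interface,
 ! so its entries name the official (global) address of the server.
 ip access-group INBOUND-EXAMPLE in
!
interface FastEthernet0/1
 description LAN (inside)
 ip address 192.168.xxx.253 255.255.255.0
 ip nat inside
!
! One-to-one mapping: inside local 192.168.xxx.200 <-> inside global 217.xxx.xxx.187.
! The router answers ARP for the global address on FastEthernet0/0, because it
! lies in that interface's subnet, so the Telekom router needs no change.
ip nat inside source static 192.168.xxx.200 217.xxx.xxx.187
!
! The host route that sent the official address out of the LAN interface
! is no longer needed once the address is translated.
no ip route 217.xxx.xxx.187 255.255.255.255 FastEthernet 0/1
!
ip access-list extended INBOUND-EXAMPLE
 remark placeholder port: publish only the service the server offers
 permit tcp any host 217.xxx.xxx.187 eq 443
 remark return traffic for TCP sessions opened from inside
 permit tcp any any established
 remark anything else (UDP or ICMP replies, other hosts) needs its own entry
 deny ip any any log
```

After applying it, `show ip nat translations` lists the static entry, and `show access-lists INBOUND-EXAMPLE` shows hit counters that confirm whether test traffic from outside reaches the permit line.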
