/32 secondary IP address

markvilladsen
Level 1

Hi

I have a customer who has a Cisco 881 router at a branch office, and they now have a need for a second public IP address. The only way to get this from the ISP is that they will route an extra public address to the primary address.
I now need to configure the router to accept this address.
The way I would do this is by creating a secondary IP on the WAN interface, but this is not working; I get this error:
Bad mask /32 for address x.x.x.x
Is there another way of adding a single IP as a secondary IP? On other firewalls I would add this as an IP alias, but I cannot figure out how to achieve this.

1 Accepted Solution

You don't need to assign the new IP to an interface.

As long as the ISP is routing that new IP to your router your NAT statement should work.

If it isn't, check with the ISP.

Jon

8 Replies

milan.kulik
Level 10

Hi,

Can't you use a Loopback address for your purpose?

It should accept a /32 IP address.

If not possible, why don't you configure the secondary address with /30 (some IOSes even support /31, I read somewhere)?

Best regards,

Milan

It would be helpful if we understood why the customer needs a second Public IP and how they intend to use it. My guess, based on the extremely limited information available, is that using the second address for address translation would work. There is no need to apply the IP address to an interface if it is to be used for address translation. And address translation is about the only thing that occurs to me that could use an isolated /32 address.

HTH

Rick

Thank you for the reply.
The router is used for NAT, and the purpose of the extra IP is to be translated to a server at the location.

I have created a NAT rule that looks like this:
ip nat inside source static 172.20.150.2 <The IP address>

However, when I ping the IP address I do not get any response; I think this is because the address is not associated with the WAN interface.
But if the translation works as expected then it is no problem. I will have the customer check tomorrow.

It is quite an old firmware on the router; the firmware version is: 12.4(22r)YB5
I will see if I can get a service window to upgrade it.
I can see that there is a warning about the 15.3.3M6 firmware, so I think I will go for the 15.4(3)M4.

How many IPs are you getting from that ISP? If you are getting enough IPs, just set the IP under the interface facing the server as a secondary IP and give the server a public IP.

As Jon said, you do not need to set the IP on the router if you're using NAT. I assume you have configured NAT correctly with IP NAT inside and outside.

Try to trace the new IP from another network to check whether the ISP has a route to that router.

I have one public IP address on the WAN interface and then I have received an extra IP address, which is routed to the WAN interface address from the ISP.
I am only getting one extra IP address.

I have tried to create the NAT rule and everything is being translated, but I now have another problem.
CBAC is also enabled on the router, and this is causing a problem.
All the sessions from the translated IP address are stuck in “Half-open Sessions”.

The configuration around the interfaces looks like this:
interface FastEthernet4
 description Outside/WAN interface
 ip address 1.1.1.1 255.255.255.252
 ip access-group FW-IN in
 ip nat outside
 ip inspect FW out
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto

interface Vlan100
 description "Server"
 ip address 172.20.150.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW dns
ip inspect name FW smtp
ip inspect name FW pptp
ip inspect name FW icmp
ip inspect name FW ftp
!
ip nat inside source list NAT_TO_INTERNET interface FastEthernet4 overload
ip nat inside source static 172.20.150.2 2.2.2.2 extendable
!
ip access-list extended FW-IN
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit icmp any any echo
 permit ip any host 2.2.2.2
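
Added example, not part of the thread: a Python check run over a trimmed copy of the configuration posted above. It reports whether each static NAT global address lies outside the WAN subnet (and so depends on the ISP routing it to the WAN address) and whether the inbound ACL on the `ip nat outside` interface permits it. The function name `audit_static_nat` and the sample are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, trimmed from the configuration posted above
# (1.1.1.1 and 2.2.2.2 are the thread's placeholder addresses).
SAMPLE = """\
interface FastEthernet4
 ip address 1.1.1.1 255.255.255.252
 ip access-group FW-IN in
 ip nat outside
ip nat inside source static 172.20.150.2 2.2.2.2 extendable
ip access-list extended FW-IN
 permit icmp any any echo
 permit ip any host 2.2.2.2
"""

def audit_static_nat(config):
    """Check each address-form static NAT entry against the outside interface."""
    ifaces, acl_hosts, statics, cur = {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # top-level line opens a new section
            cur = None
            if m := re.match(r"interface (\S+)$", line):
                cur = ifaces.setdefault(m[1], {"net": None, "acl": None, "outside": False})
            elif m := re.match(r"ip access-list extended (\S+)$", line):
                cur = acl_hosts.setdefault(m[1], set())
            elif m := re.match(r"ip nat inside source static (\d\S+) (\d\S+)", line):
                statics.append((m[1], m[2]))   # (inside local, inside global)
        elif isinstance(cur, dict):            # inside an interface section
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            elif m := re.match(r"ip access-group (\S+) in$", line):
                cur["acl"] = m[1]
            elif line == "ip nat outside":
                cur["outside"] = True
        elif isinstance(cur, set):             # inside an extended ACL
            # Only whole-host permits are analysed, not per-port entries.
            if m := re.match(r"permit ip any host (\S+)$", line):
                cur.add(m[1])
    wan = next(i for i in ifaces.values() if i["outside"])
    # The inbound ACL on the outside interface is matched against the global
    # address, because IOS evaluates it before translating to the inside local.
    return [{
        "local": local, "global": glob,
        "needs_isp_route": ipaddress.ip_address(glob) not in wan["net"],
        "acl_permits": glob in acl_hosts.get(wan["acl"], set()),
    } for local, glob in statics]
```

For the sample, `needs_isp_route` is true because 2.2.2.2 is not in the WAN /30, which matches the advice in the thread that the address does not have to be configured on an interface as long as the ISP routes it to the router.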

You mean NAT is working without CBAC? If so, as far as I know, some Cisco software versions have bugs working specifically with NAT and CBAC. What is your IOS version? If it is very new, try a version back.