Cisco 1921 - Splitting Public IP Range over multiple interfaces

chad.hooper

I have a setup that's giving me a bit of a headache, and I was hoping somebody might be able to help!

I have a 1921 router with 8 port Ethernet WIC - this is being used in a building that has multiple small businesses sharing one internet connection.

The internet connection has a /29 range of public IP addresses (93.xx.xx.32/29) that are being shared between the businesses.

For most of the businesses, they just use NAT which is fine. However, one business has just moved in and they want to assign one of the public IP addresses (93.xx.xx.35) directly to their own firewall whilst still having it connected to my router.

The outside interface is as follows:

interface GigabitEthernet0/1
 description Outside Interface
 ip address 93.xx.xx.33 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in max-reassemblies 32
 zone-member security outside-zone
 duplex auto
 speed auto
 service-policy output PARENT_SHAPER
 

The interface/vlan that their firewall is connected to is as follows:

interface GigabitEthernet0/1/2
 description Shared Service Network 2
 switchport access vlan 20
 no ip address


interface Vlan20
 description VLan Network 2
 ip unnumbered GigabitEthernet0/1
 no ip proxy-arp
 zone-member security net2-zone
 service-policy input 25MB_RATE_LIMIT
 service-policy output 25MB_RATE_LIMIT
Their firewall has been configured with IP address 93.xx.xx.35 and has been plugged into Gi0/1/2.

I've also added the following route:

ip route 93.xx.xx.35 255.255.255.255 Vlan20

which seemed to be necessary to get traffic to flow
 

The Zone Based firewall has been configured to pass all traffic between 'outside-zone' and 'net2-zone'

 

Absolutely everything works fine with this setup. Their firewall can be accessed from the internet via 93.xx.xx.35, all of the devices on the inside of their firewall can access the internet and absolutely everything is working as it should be.....

 

......for around four hours!!

After this time, they lose their internet access completely. They can ping 93.xx.xx.33 from their firewall. I can ping 93.xx.xx.35 from my router, but absolutely no access to or from the internet.

The four hours thing says to me that it must be arp cache related, but running show arp seems to still show the correct info.

I've found that if I set up a static NAT translation to 93.xx.xx.35 eg:

ip nat inside source static 192.168.22.2 93.xx.xx.35

and then

no ip nat inside source static 192.168.22.2 93.xx.xx.35

then everything starts working again.

This was discovered because when we first saw the problem, I tried to switch them over to a NAT setup, but that caused problems elsewhere. Switching them back caused it to start working again. When the problem occurred again four hours later, I found that running the two commands above fixed it.

I've only been working with Cisco devices for around a year, and whilst I'm fairly capable with configuring them, I find troubleshooting them a bit of a challenge!

Any assistance would be greatly appreciated.

If it helps, here is the version info:

Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 19-Mar-14 11:56 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)

gateway uptime is 6 weeks, 2 days, 2 hours, 13 minutes
System returned to ROM by power-on
System image file is "usbflash0:c1900-universalk9-mz.SPA.152-4.M6.bin"

 

Thanks in advance

 

Chad

3 Replies (the first is the accepted solution)

Hello.

As I understood, G0/1 is the outside interface connected to the ISP.

If so, the problem might be caused by ARP on ISP gateway (no ARP entry for ASA host).

Workaround is to enable proxy-arp on G0/1.

The best solution would be to use a /30 subnet (maybe even from private address space) for the CE-PE connection and route the /29 subnet internally.

Thanks, Vasilii.

That was exactly it - I enabled proxy-arp on G0/1 around 7 hours ago, and their firewall is still working properly.

Just to get my head around the issue - would I be right in saying that by setting up a NAT translation on that public IP address, the ISP gateway created an entry in its ARP cache pointing to my router, which allowed the above configuration to work? Around four hours later the ARP entry expired on the ISP router, which then left no route to that IP address on the ISP router.

By enabling proxy-arp, any ARP requests from the ISP router for that public IP address would be answered by my router, since it has an ARP entry for the IP address on VLan20.

 

Have I understood that correctly?

Do you think this is the best config for what I'm trying to achieve? Bearing in mind I have no access to the ISP router, and it is unlikely I will be able to get them to make any significant changes.

 

Thanks again.

Hello.

You are right: when you created the static NAT, this made your router reply with an ARP response (once), and the response was cached on the ISP's router.

The best design, per my understanding, would require PE reconfiguration - you need to assign any /30 subnet to be a transit subnet.

Your real /29 subnet may be dispersed over your devices as you want - you may assign /32s to loopbacks, or you may just NAT to an IP address (one that is not assigned to any interface) ... the only important thing here is to route traffic properly.
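To make both halves of the thread concrete, here is an added IOS configuration example (written for this page, not config posted by either participant or by Cisco). Part (1) is the proxy-ARP workaround that was actually applied, with the show commands to confirm it. Part (2) sketches the transit-link design the replies recommend. The transit subnet 198.51.100.0/30 (PE = .1, this router = .2), the NAT pool address 93.xx.xx.34 and the access list name NAT_INSIDE are assumptions for illustration; the ISP would still have to route 93.xx.xx.32/29 to 198.51.100.2 on its side. Interface lines from the original post that are not repeated (shaper, virtual-reassembly, duplex/speed) are left as they are.

```cisco
! ---- (1) Workaround applied in the thread: answer ARP for 93.xx.xx.35 on the outside ----
! The router already has a host route to .35 via Vlan20. With proxy-ARP re-enabled on
! G0/1 it answers the ISP gateway's ARP request for .35 with its own MAC, receives the
! traffic and routes it to Vlan20. Caveat: proxy-ARP on G0/1 answers for ANY destination
! the router can route off that interface, not only .35.
interface GigabitEthernet0/1
 ip proxy-arp
!
ip route 93.xx.xx.35 255.255.255.255 Vlan20
!
! Checks (privileged EXEC):
!   show ip interface GigabitEthernet0/1 | include Proxy ARP   -> "Proxy ARP is enabled"
!   show ip route 93.xx.xx.35                                  -> static /32 via Vlan20
!   show ip arp 93.xx.xx.35                                    -> firewall MAC learned on Vlan20
!
! ---- (2) Design recommended in the replies: /30 transit link, /29 routed to this router ----
! ASSUMED: ISP moves the PE-CE link to 198.51.100.0/30 (documentation range; PE = .1,
! this router = .2) and installs "93.xx.xx.32/29 via 198.51.100.2". The ISP then never
! ARPs for a /29 address again, so nothing depends on its ARP cache or on proxy-ARP.
interface Loopback0
 description Anchor for the public /29 (no device is connected here)
 ip address 93.xx.xx.33 255.255.255.248
!
interface GigabitEthernet0/1
 description Outside Interface - transit /30 to ISP
 ip address 198.51.100.2 255.255.255.252
 no ip proxy-arp
 ip nat outside
 zone-member security outside-zone
!
interface Vlan20
 description VLan Network 2 - tenant firewall 93.xx.xx.35/29, gateway 93.xx.xx.33
 ip unnumbered Loopback0
 no ip proxy-arp
 zone-member security net2-zone
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
! /32 is more specific than the /29 connected on Loopback0, so .35 is sent to Vlan20
ip route 93.xx.xx.35 255.255.255.255 Vlan20
!
! Other tenants keep using NAT. The translated address is a /29 address that is not
! configured on any interface (93.xx.xx.34, assumed), as the reply describes. NAT_INSIDE
! and the "ip nat inside" tenant VLANs are assumed and not shown in the thread.
ip nat pool PUBLIC_PAT 93.xx.xx.34 93.xx.xx.34 prefix-length 29
ip nat inside source list NAT_INSIDE pool PUBLIC_PAT overload
!
! Check: show ip nat translations   -> tenant flows translated to 93.xx.xx.34
```

The point of part (2) from a hardening view is that proxy-ARP on an internet-facing interface is a blanket behaviour: the router will answer for every address it has a route to via another interface, which is why it is normally disabled there. Once the ISP routes the /29 across a transit /30, `no ip proxy-arp` can stay on G0/1 and the four-hour ARP expiry described in the thread cannot recur, because the ISP gateway only ever resolves 198.51.100.2.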
