cisco routing with multiple public ips, OSPF and NAT not working as expected

ossentoo · ‎01-14-2020

We've got multiple routers in our organisation and i can't get routing working as expected.

We have a limited number of public ip addresses which I will call 100.x.x.x/28
We have internal address space 172.16.x.x. Each router owns a /24 block for internal routing.
We have OSPF running under area 1 for all interfaces

We have the following routers.

R1 - border router with NAT - 172.16.1.0/24. Has a public ip on 100.x.x.1 with a default gateway of 100.x.x.254 and routes internet to the rest of the network. In this example, 100.x.x.1 is an ip address i control, whereas 100.x.x.254 is outside out network and belongs to our ISP.
R2 - 172.16.2.0/24
R3 - 172.16.3.0/24 hub router (connects to R2, R4 and R5)
R4 - 172.16.4.0/24 (int g1) connects to internal VLAN (int g2)- 172.16.0.24.
R5 - 172.16.5.0/24. We would like to connect a VPN to this router to Azure. Behind this VPN there is an additional network with multiple VMs. R5 connects to one of the interfaces (lets say int g3) on the R3 router.
For this we need to use one of our public IPs. We therefore assigned 100.x.x.2 to the outside interface (int g 2). It has a gateway of 100.x.x.254 just like the ip address on R5. However, we don't want this R5 interface 2 to be used for general internet traffic. it is only supposed to be used for VPN traffic.

The problem is this.

If R5 int g2 is in a shutdown state, NAT works correctly throughout the network. Specifically computers on the 172.16.0.0/24 network that are using R4 as a gateway are able to browse the internet going through R4, R3, R2 and R1 (which is the border router).

However, when I bring R5 int g2 up (i.e. the interface which has a public ip on it), but which I don't to use as a default gateway, i find that internet traffic on the internal 172.16.0.0/24 network stops. When i run a traceroute, I find that traffic is trying to go out via R4, R3, R5 instead.

So the question is, would can i force traffic via R1/Nat router rather than R5?

thanks

Georg Pauwen · ‎01-14-2020

Hello,

provide a schematic drawing of your topology including IP addressing that shows how your devices are interconnected.

Richard Burts · ‎01-14-2020

There are at least 2 issues in this post which make it difficult to give you good advice.

The first issue is that you tell us that you have a /28, that you want to use an address from this subnet on R1 connecting to the ISP and that you want to use another address from this subnet on R5. How can you have /1 on R1 and .2 on R5?

The second issue is that obviously you are attempting to disguise your addressing. But you make it very difficult for us to understand your environment and to give you helpful advise. You tell us that you have a /28 block of addresses. Then you tell us that

Has a public ip on 100.x.x.1 with a default gateway of 100.x.x.254

Unfortunately .1 and .254 do not fit into a /28. If we can not trust this how can we trust anything else that you tell us?

Please start over again. Please give us a drawing showing the devices and how they are connected, and the subnets found on each device.

HTH

Rick

HTH

Rick

ossentoo · ‎01-15-2020

thanks.

I'll make a better attempt. Sorry for the confusion

ip block is more like this:

100.x.x.10 - 100.x.x.14

gateway is 100.x.x.9

We are using

100.x.x.13 for R1

100.x.x.14 for R5

I've been discussing this locally and it seems some method of adding cost to a route would be the way to go. I will investigate this going forwards

Richard Burts · ‎01-15-2020

I am still not clear about the topology of this network and not clear how you are using .13 for R1 and .14 for R5. Perhaps a diagram might clarify this. Or posting the configuration of the router interfaces for R1 and R5 might help.

HTH

Rick

HTH

Rick