
ISP NAT / ARP Issue

jonathanw84
Level 1

We have a 1941 that we use at a residence with a Frontier FIOS circuit. They provide us with 5 static IPs and we NAT different internal networks to each of the addresses - a pretty standard config. As of a week ago, this stopped working with the exception of the main IP. The ISP says there is nothing on their end that is wrong, but nothing has changed on our end and this has been working for around 6 months. We are also seeing entries in the arp table that show the ISP as the hardware address:

 

Internet X.X.X.1 -   204e.71c5.31c8 ARPA GigabitEthernet0/1
Internet X.X.X.37 - c47d.4f75.21e1 ARPA GigabitEthernet0/1
Internet X.X.X.38 - 204e.71c5.31c8 ARPA GigabitEthernet0/1
Internet X.X.X.39 - 204e.71c5.31c8 ARPA GigabitEthernet0/1

 

I have tried doing a static arp entry with no success as well. It's a very standard and simple configuration and while I think it's an ISP issue (perhaps they enabled proxy-arp or something like that), I wanted to check here as well. Thanks!

 

Relevant Configuration:

 

interface GigabitEthernet0/1
bandwidth 100000
ip address X.X.X.37 255.255.255.0
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto

 

ip route 0.0.0.0 0.0.0.0 X.X.X.1

ip nat pool GUEST X.X.X.39 X.X.X.39 netmask 255.255.255.0
ip nat pool CAMERAS X.X.X.38 X.X.X.38 netmask 255.255.255.0

 

ip nat inside source route-map CAMERAS pool CAMERAS overload
ip nat inside source route-map GUEST pool GUEST overload
ip nat inside source route-map INTERNAL interface GigabitEthernet0/1 overload

 

route-map INTERNAL permit 10
match ip address NETWORKS_INTERNAL
match interface GigabitEthernet0/1

!

route-map CAMERAS permit 10
match ip address NETWORKS_CAMERAS
match interface GigabitEthernet0/1
!
route-map GUEST permit 10
match ip address NETWORKS_GUEST
match interface GigabitEthernet0/1
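
An added example, not part of the original post: a small Python check for the ARP symptom described above, reporting which MAC each NAT pool address is bound to in "show ip arp"-style output. The sample input is constructed from the post's four lines with the redacted X.X.X prefix replaced by the documentation range 203.0.113.0/24, the function names are hypothetical, and it assumes a pool address the router owns should appear with the router's own interface MAC.

```python
import re

# Constructed sample: the four ARP lines from the post, with the redacted
# "X.X.X" prefix replaced by the documentation range 203.0.113.0/24.
SAMPLE_ARP = """\
Internet 203.0.113.1 -   204e.71c5.31c8 ARPA GigabitEthernet0/1
Internet 203.0.113.37 - c47d.4f75.21e1 ARPA GigabitEthernet0/1
Internet 203.0.113.38 - 204e.71c5.31c8 ARPA GigabitEthernet0/1
Internet 203.0.113.39 - 204e.71c5.31c8 ARPA GigabitEthernet0/1
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)$",
    re.IGNORECASE,
)

def parse_arp(text):
    """Return {ip: mac} for every well-formed ARP line; skip anything else
    (headers, 'Incomplete' entries)."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table

def audit_pool(table, own_ip, gateway_ip, pool_ips):
    """Classify each NAT pool address by the MAC the ARP table binds it to."""
    own_mac, gw_mac = table[own_ip], table[gateway_ip]
    verdicts = {}
    for ip in pool_ips:
        mac = table.get(ip)
        if mac is None:
            verdicts[ip] = "no-entry"          # nothing resolved for this address
        elif mac == own_mac:
            verdicts[ip] = "ok"                # router itself answers for the address
        elif mac == gw_mac:
            verdicts[ip] = "bound-to-gateway"  # upstream gateway's MAC holds it
        else:
            verdicts[ip] = "bound-to-other"    # a third device on the segment holds it
    return verdicts

if __name__ == "__main__":
    result = audit_pool(parse_arp(SAMPLE_ARP), "203.0.113.37", "203.0.113.1",
                        ["203.0.113.38", "203.0.113.39"])
    for ip, verdict in result.items():
        print(ip, verdict)
```

On the sample, both pool addresses come back as bound-to-gateway, which matches the table in the post: .38 and .39 carry the same hardware address as the .1 next hop rather than the router's own.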


Hi Paul! Thanks for the response.

 

I would go off the configuration I posted in my last post:

 

ip nat pool CAMERAS X.X.X.38 X.X.X.38 netmask 255.255.255.0
ip nat pool GUEST X.X.X.39 X.X.X.39 netmask 255.255.255.0
ip nat pool INTERNAL X.X.X.40 X.X.X.40 netmask 255.255.255.0
ip nat inside source route-map CAMERAS pool CAMERAS overload
ip nat inside source route-map GUEST pool GUEST overload
ip nat inside source route-map INTERNAL pool INTERNAL overload
! used for cellular backup
ip nat inside source list NETWORKS_NAT interface Cellular0/1/0 overload

 

That is where we were at before things miraculously stopped working a few weeks ago and where we want to be. 

 

With regard to the ZBF, the ACLs are there; I just must have omitted them from the configuration. Either way, this has been a working configuration for years so I don't suspect any issues with the ZBF because I can definitely get this working for a while and then it stops after a short time. Good points with the CAMERA / DMZ zones though! I will consolidate those.

 

Another update is that it definitely has nothing to do with the cellular backup I mentioned in the last post, as it seems as if the ISP is only allowing one address at a time and blocking the rest, even though we pay for a block of addresses. We had a high SLA DIA circuit with a block before and this worked fine for years. We then moved to a Frontier FiOS line with an address block about 6 months ago and this has been working up until a few weeks ago. I've worked with them tirelessly for weeks but they keep coming back saying it's my equipment. I don't think that's correct though and definitely think it's an ISP issue. We have the 1941 connected directly to the ONT box via copper (so no router in between).

Hello

If you have scope to test, try domainless nat instead just to see if this makes any difference.


! NAT interfaces
int x/x
! remove whichever of these is configured on the interface
no ip nat inside
no ip nat outside
ip nat enable

no ip nat inside source route-map CAMERAS pool CAMERAS overload
no ip nat inside source route-map GUEST pool GUEST overload
no ip nat inside source route-map INTERNAL pool INTERNAL overload
! used for cellular backup
no ip nat inside source list NETWORKS_NAT interface Cellular0/1/0 overload


ip nat source route-map CAMERAS pool CAMERAS overload
ip nat source route-map GUEST pool GUEST overload
ip nat source route-map INTERNAL pool INTERNAL overload
! used for cellular backup
ip nat source list NETWORKS_NAT interface Cellular0/1/0 overload


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul