03-20-2009 07:19 PM - last edited on 03-25-2019 03:23 PM by ciscomoderator
When we originally signed up with our ISP, we requested 30 usable public IPs for use on our Cisco 3600 series router. Currently I have my serial interface configured on the router along with one interface on the first subnet assigned to us. We have now requested a second set of public IPs to accommodate growth and I'm wondering what I need to do to get traffic flowing over the new IPs. The 2nd block of IPs is non-contiguous from the first set and I'm guessing I need to create an interface with one of the IPs from the new block? As it stands right now, if I do a traceroute to one of the new IPs it bounces back and forth between the ISP and my router serial interface. Here's a basic rundown: (IPs modified for security purposes)
ISP Serial IP: 10.10.10.73/30
CPE Serial IP: 10.10.10.74/30
LAN IP Block 1: 10.20.20.176/28
Router IP: 10.20.20.177/28
Firewall IP: 10.20.20.178
LAN IP Block 2: 10.130.70.192/26
It appears from the traceroute to an IP on the new block that the ISP is routing the new subnet to the serial interface rather than my firewall interface and therefore my router is going to need an IP on the new subnet? My problem with that is I don't have a physical interface available, can it be done with a virtual interface?
Sample trace:
traceroute to 10.130.70.193 (10.130.70.193), 64 hops max, 40 byte packets
1 results removed
2 results removed
3 results removed
4 results removed
5 results removed
6 results removed
7 results removed
8 results removed
9 results removed
10 * * *
11 results removed
12 10-10-10-74.dia.static.qwest.net (10.10.10.74) 65.082 ms 67.250 ms 65.736 ms
13 10-10-10-73.dia.static.qwest.net (10.10.10.73) 66.694 ms 68.474 ms 76.452 ms
14 10-10-10-74.dia.static.qwest.net (10.10.10.74) 72.039 ms 68.509 ms 89.042 ms
The trace continues flopping between the same two interfaces on hop 13 and 14 (qwest side and my side serial interfaces of the DS3)
03-21-2009 04:07 AM
Hello Randy,
IP routing works hop by hop; it is your border router that needs an additional static route to the ASA outside interface.
Wan router:
ip route new-block mask asa-outside-ipaddress.
After this you can allocate the ip addresses of the new block using static NAT pairs as suggested by Jon in the thread you have referenced.
Hope to help
Giuseppe
03-21-2009 05:56 AM
Randy:
Just to elaborate a bit more on what Jon and Giuseppe said...
You have to understand how routing works.
The ISP has assigned you this new subnet, which means that they own it and they route for it. It is native to their routing domain. So, their edge router probably has a static route that points to your edge router for the new subnet they assigned you, and they are then advertising that back to their core. This is why traffic destined for this new subnet knows how to reach your router.
But then your router has only one static route and it is a default route pointing OUT to the ISP. This is why you see the routing loop. The ISP sends to you, you send to it, and on and on.
The other subnet does not have that problem because there is an interface on your edge router in the subnet, so there must be a routing entry in the route table that says that that subnet is "directly connected." If so, then the "routing" ends and the "switching" begins, ie ARP requests, layer 2 addresses, etc.
You can do the same with this new subnet, but as Giuseppe points out, you certainly don't have to. Just tell your edge router what to do with the traffic destined for the new subnet when it receives it, ie, the static route that will point inward to your ASA that Giuseppe recommended.
By the way, to save that routable IP address from the old subnet - since it seems that you need many of them and they are scarce -- you can remove it from your router's Ethernet interface and replace it with a private address. To be able to route the traffic for the subnet, just make sure you configure a new static route for the old subnet that also points inward to your ASA, since, by removing the IP address from the ethernet interface, you will have killed the "directly connected" route to the old subnet.
I hope I didn't confuse you more. :-)
[EDIT]
So, what you'll end up with are 3 static routes: 1 default route pointing OUT, and two static routes for each subnet pointing IN toward your ASA's outside interface.
[EDIT]
[EDIT 2]
I neglected to mention that if you do migrate to a private address on your g0/0 interface and use a static pointing to the ASA, as it is recommended you do for the new subnet, you will have to change the IP address of the ASA's outside interface too and place it on the same subnet as G0/0, ie, 10.10.10.1/30 for G0/0 and 10.10.10.2/30 for ASA outside.
[EDIT 2]
Victor
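As an added illustration (not code from the thread or from any of the posters), here is a small Python simulation of the hop-by-hop lookups Victor describes, built on the sanitised addresses from the question. The device names, the routing tables and the "deliver:" marker (standing in for a directly connected route, where routing stops and ARP takes over) are constructed; it also shows why the extra route on the ASA that Randy mentions later in the thread is needed.

```python
import ipaddress

# Constructed routing tables modelled on the sanitised addresses in the
# thread. A next hop is either another device name or "deliver:<iface>",
# which stands for a directly connected route (no further routing).
ISP = [("10.10.10.72/30", "deliver:serial"),   # ISP side of the DS3 link
       ("10.20.20.176/28", "cpe"),             # old block, static to the CPE
       ("10.130.70.192/26", "cpe")]            # new block, also static to CPE
CPE_BEFORE = [("10.10.10.72/30", "deliver:Serial1/0"),
              ("10.20.20.176/28", "deliver:Gi0/0"),  # router owns .177 here
              ("0.0.0.0/0", "isp")]                  # the only static route
# Giuseppe's fix: ip route <new-block> <mask> <asa-outside-ip>
CPE_FIXED = CPE_BEFORE + [("10.130.70.192/26", "asa")]
ASA_BEFORE = [("10.20.20.176/28", "deliver:outside"),
              ("0.0.0.0/0", "cpe")]
# Randy's extra route on the ASA for the new block (here: toward inside)
ASA_FIXED = ASA_BEFORE + [("10.130.70.192/26", "deliver:inside")]

def lookup(table, dst):
    """Longest-prefix match, as a FIB lookup does; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(tables, start, dst, ttl=6):
    """Forward hop by hop from `start` and return the devices visited.
    A routing loop shows up as two devices alternating until TTL expires,
    exactly like hops 12-14 of the traceroute in the question."""
    hops, node = [start], start
    for _ in range(ttl):
        nh = lookup(tables[node], dst)
        if nh is None:
            return hops + ["unreachable"]
        if nh.startswith("deliver:"):
            return hops + [nh]
        node = nh
        hops.append(node)
    return hops + ["ttl-exceeded"]

def scenario(cpe, asa, dst="10.130.70.193"):
    """Trace a packet from the ISP to `dst` with the given CPE/ASA tables."""
    return trace({"isp": ISP, "cpe": cpe, "asa": asa}, "isp", dst)

if __name__ == "__main__":
    print("before:     ", scenario(CPE_BEFORE, ASA_BEFORE))
    print("router only:", scenario(CPE_FIXED, ASA_BEFORE))
    print("both fixed: ", scenario(CPE_FIXED, ASA_FIXED))
```

The old block never loops because the CPE holds a directly connected route for it, which is the point Victor makes about the Ethernet interface.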
03-20-2009 08:18 PM
Hi:
Can you please post the configs of your router?
03-20-2009 08:39 PM
Here you go. I did not modify the IPs as in the summary since there really is no security risk.
What is not reflected in the config is the new block of IPs that have recently been issued to me. That block is 63.239.148.192/26 which if you trace to any IP in that range you'll see it bounces between the qwest router and my router serial interfaces. Should I have asked Qwest to route this new block to my FW interface rather than having them route to the serial block (which is likely their default as I didn't specify one over the other in the order process)? My FW interface is one of the IPs in the 204.133.153.176/28 IP block.
qwest3845gw#sh run
Building configuration...
Current configuration : 4808 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname qwest3845gw
!
boot-start-marker
boot-end-marker
!
card type t3 1
logging buffered 4096 notifications
!
no aaa new-model
ip cef
!
!
!
!
ip domain name yourdomain.com
!
!
!
!
!
!
controller T3 1/0
cablelength 350
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 204.133.153.177 255.255.255.240
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description $ES_LAN$
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface Serial1/0
ip address 67.148.138.74 255.255.255.252
dsu bandwidth 44210
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
!
logging history notifications
!
control-plane
!
!
!
scheduler allocate 20000 1000
!
end
qwest3845gw#
03-20-2009 11:31 PM
I'm pretty sure this post answers my question.
It looks like I will either need to have Qwest route the new subnet to my FW interface or create a new interface on both my router and firewall containing an IP from the new subnet. Sound right?
I have an available port on the 3845 router, but I don't have one on my ASA5520 because I already use one for my inside, one for my current outside address and the other two are used for lan/state failover. I believe I can combine the lan/state failover to one port to free up one for this configuration. Concerns with doing so?
03-21-2009 06:35 AM
Randy
Your original post asked how you could assign an address in your new subnet to an interface on your router. An alternative, which would not require any additional interfaces would be to configure a secondary address on the LAN interface of your router.
While the secondary address could work, I agree with the suggestions of others that the best solution is to configure a static route on your router pointing to the firewall as the next hop to get to the new subnet, and then to use the new subnet in your firewall or in the inside network as works best for you.
HTH
Rick
03-21-2009 06:50 AM
Rick!
How are you, man?
Long time...
I was asking Jon about you the other day...was missing your stuff.
All OK?
03-21-2009 08:48 AM
Victor
Thanks for missing me. I am ok, just been busy with some projects.
HTH
Rick
03-21-2009 09:24 AM
Thanks Rick. I went with the static routes and we're good to go. Again, thanks for the additional input, it's always great to get so much information.
03-21-2009 09:24 AM
Thanks for the additional info, Victor. I have a basic understanding, but with no test environments to try things out, I often default to the opinion of the great knowledge base here in the discussion groups prior to making a change.
03-21-2009 09:30 AM
Understood and I'm glad I could help. :-)
03-21-2009 09:22 AM
Hey Giuseppe,
Thanks for the info, this solved my problem. I wasn't exactly sure if I could do the static route. Just a note, I also had to add a route on the ASA back to the edge router for the new subnet in order to make things work.
03-21-2009 09:33 AM
Hello Randy,
Nice to hear you have solved it, and thanks for your kind remarks.
I don't know the ASA as well as routers, so I tried to suggest what was in the thread you had picked up.
Probably the static route tells the ASA out of what interface to send packets after the NAT operation (not sure, just a wild guess..).
I was also in doubt because I see that you have a free lan interface on the router but adding the new ip block there would mean not using the ASA.
Hope to help
Giuseppe