05-11-2018 12:05 AM - edited 03-08-2019 02:59 PM
Hi,
I have a connection from an ISP provided by a modem connected to my router, and the ISP was providing 1 public IP. I also have an ASA behind the router and everything was cool.
I requested 4 more public IPs, so I now have 5 to NAT to 5 internal web servers.
The problem is that the configuration is the same for all web servers but I'm not able to get them all online, so every time I reboot the ISP modem some of the NAT will not work.
Even if all web servers are up, I will have only 4 out of NAT working.
What I mean by working: that it is accessible from outside. Also, I tried to assign the NAT for the same server on all IPs and I faced the same: not all of them will work until I reboot the modem, and when it is up, one of them will not work.
If I remove all NAT, reboot the modem, then set them later, I will have only 2 or 3 working.
The ISP changed the subnet for me and I'm still facing the same.
Is it an ISP issue or is there a misconfiguration in my router?
By the way, the internet from the internal network is working fine.
aaa.bbb.ccc.96/29 is my public subnet
172.16.49.128/30 is the subnet between router and ISP modem
172.17.0.0/16 is the router internal subnet
172.27.0.0/16 is my internal network behind the ASA (172.17.0.2 is the ASA IP)
Thank you.
05-11-2018 01:06 AM - edited 05-13-2018 12:04 PM
Hello,
--> ip nat pool overld aaa.bbb.ccc.98 aaa.bbb.ccc.102 prefix-length 29
Are these the 'new' addresses?
And is this another group of public addresses?
ip nat inside source static tcp 172.27.3.1 80 aaa.aaa.aaa.aa 80 extendable
ip nat inside source static tcp 172.27.3.2 80 bbb.bbb.bbb.bb 80 extendable
ip nat inside source static tcp 172.27.3.3 80 ccc.ccc.ccc.cc 80 extendable
ip nat inside source static tcp 172.27.3.4 80 ddd.ddd.ddd.dd 80 extendable
ip nat inside source static tcp 172.27.3.5 80 eee.eee.eee.ee 80 extendable
05-11-2018 01:12 AM
Yes, this is the new one:
ip nat pool overld aaa.bbb.ccc.98 aaa.bbb.ccc.102 prefix-length 29
and that was the testing NAT and this is the new NAT:
ip nat inside source static tcp 172.27.3.1 80 aaa.bbb.ccc.98 80 extendable
ip nat inside source static tcp 172.27.3.2 80 aaa.bbb.ccc.99 80 extendable
ip nat inside source static tcp 172.27.3.3 80 aaa.bbb.ccc.100 80 extendable
ip nat inside source static tcp 172.27.3.4 80 aaa.bbb.ccc.101 80 extendable
ip nat inside source static tcp 172.27.3.5 80 aaa.bbb.ccc.102 80 extendable
and I added this route:
ip route aaa.bbb.ccc.96 255.255.255.248 aaa.bbb.ccc.97
not:
ip route aaa.bbb.ccc.102 255.255.255.248 aaa.bbb.ccc.97
and it will work with and without it
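An added example, not part of the original thread and not the poster's configuration: a small Python check that parses static NAT and `ip route` lines like the ones above and reports global addresses that fall outside the public /29 or collide with its network, broadcast or gateway address, duplicate global address/port mappings, and routes whose prefix has host bits set for the given mask. It assumes the masked `aaa.bbb.ccc` prefix is replaced by the documentation range 203.0.113.0/24 and that .97 is the ISP-side gateway; `check_config` and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the thread's masked aaa.bbb.ccc prefix is replaced by
# the documentation range 203.0.113.0/24 so the lines can be parsed.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 172.27.3.1 80 203.0.113.98 80 extendable
ip nat inside source static tcp 172.27.3.2 80 203.0.113.99 80 extendable
ip nat inside source static tcp 172.27.3.3 80 203.0.113.100 80 extendable
ip nat inside source static tcp 172.27.3.4 80 203.0.113.101 80 extendable
ip nat inside source static tcp 172.27.3.5 80 203.0.113.102 80 extendable
ip route 203.0.113.102 255.255.255.248 203.0.113.97
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
NAT_RE = re.compile(rf"^ip nat inside source static (tcp|udp) {IP} (\d+) {IP} (\d+)")
ROUTE_RE = re.compile(rf"^ip route {IP} {IP} {IP}")

def check_config(text, public_subnet, gateway):
    """Return a list of findings for static NAT and static route lines."""
    net = ipaddress.ip_network(public_subnet)
    gw = ipaddress.ip_address(gateway)
    findings, seen = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = NAT_RE.match(line)
        if m:
            proto, local, _lport, glob, gport = m.groups()
            addr = ipaddress.ip_address(glob)
            if addr not in net:
                findings.append(f"{glob}: outside {net}")
            elif addr in (net.network_address, net.broadcast_address, gw):
                findings.append(f"{glob}: reserved (network, broadcast or gateway)")
            key = (proto, glob, gport)
            if key in seen:
                findings.append(f"{glob}:{gport}/{proto}: already mapped to {seen[key]}")
            seen[key] = local
            continue
        m = ROUTE_RE.match(line)
        if m:
            prefix, mask, _nexthop = m.groups()
            # strict=False normalises the prefix; compare to detect host bits
            route = ipaddress.ip_network(f"{prefix}/{mask}", strict=False)
            if str(route.network_address) != prefix:
                findings.append(
                    f"route {prefix} {mask}: host bits set, network is {route.network_address}")
    return findings
```

Calling `check_config(SAMPLE_CONFIG, "203.0.113.96/29", "203.0.113.97")` flags only the route written with the .102 host address; the five static mappings are usable hosts of the /29.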
05-11-2018 09:10 AM - edited 05-11-2018 09:11 AM
I'm not sure what is going on. I removed all NAT and just set 5 loopbacks; also I had 4 IPs working, traffic in and out. Even after the ISP changed the subnet and provided 5 IPs/32 I had the same: I'm able to use only 4 IPs, with the difference that after rebooting the modem the first 4 IPs will be working.
Is there any limitation on the Cisco Router C881 for loopback IPs?
This is the first time I'm facing a similar issue with an ISP. Is it possibly a misconfiguration or limitation on their modem?
Thank you experts for your help.
05-14-2018 09:49 AM
Hi,
I've been told by the ISP that my router is broadcasting all internal MAC addresses and that I'm limited to 5 MAC addresses only, and that is why I'm facing this issue. Any idea about this?
Why would a router broadcast internal MAC addresses?
05-14-2018 09:58 AM
I am not aware of any limitation on 881 about the number of loopback interfaces. I suggest that we should look for other causes of the issue and only if we find no other issue should we be concerned about the number of loopback interfaces.
There is certainly some possibility that the issue is some limitation of the ISP equipment or some misconfiguration. But I suggest that we look at your config before we try to raise issues with the ISP. You posted a config of the router in the original post. But you tell us of several things that you changed. Would you post the current running config and also a fresh description of currently what does work and what does not work.
HTH
Rick
05-14-2018 10:03 AM
While I was thinking about your issue and writing my response you posted the update about the number of mac addresses. It is very unexpected for a router to broadcast all internal mac addresses, assuming that it is operating in routing mode. If it were configured for bridging then we would expect to see internal mac addresses. Perhaps seeing the current running config might shed some light on this.
HTH
Rick
05-14-2018 10:18 AM
Thank you Richard, the conf is attached in the previous comment
05-14-2018 10:12 AM
Hi Richard and thank you for your reply.
My current status is:
The ISP raised the MAC address limit to more than 5 to give me time to fix my issue.
The deny rule "access-list 100 deny ip any any" is, as he said, not allowing him to see my MAC addresses; he said that I'm broadcasting the MAC addresses beyond the router and he can see them, while I had already configured it with the deny rule before and it didn't help. So anyway, why is the router allowing the internal MAC addresses to show on the outside without the deny rule?
And is this deny rule enough, or is there an alternative solution to manage it?
Please find attached the current conf.
Regards.
05-14-2018 10:28 AM
Hello,
What type/brand is the ISP modem, and who is the ISP?
05-14-2018 11:32 AM
It is a Zhone modem, but he confirmed that the limitation on MAC addresses is on his gateway.
05-15-2018 06:59 AM
I have looked at the config that you posted and am a bit puzzled. I do not see anything in the config that would explain why your ISP would be seeing internal mac addresses. I do see that you have a dynamic nat configured to translate any source address in the 172.17 network and that you have static nat configured for vpn traffic from the ASA to use the .98 address. And there is a static nat for the server at 172.27.2.4 for tcp ports 21 and 80. I do not see any other address translation configured. I see that you have configured additional loopback interfaces with the other Public IP addresses but do not see anything that would use those addresses.
HTH
Rick
05-15-2018 07:07 AM
Thank you, I really appreciated your reply.
These are the IP addresses delivered. I double-checked with them today to find out that they can see:
1- ip address set on my wan port (fastethernet4) / type: IP
2- aaa.bbb.ccc.98 / type: IP
3- aaa.bbb.ccc.99 / type: IP
4- aaa.bbb.ccc.100 / type: IP
5- aaa.bbb.ccc.101 / type: IP
6- aaa.bbb.ccc.102 / type: IP
7- a MAC address which refers to the WAN port (fastethernet4) / type: unicast
Does it make sense? Or should I manage some commands to hide the MAC address to show as UNICAST?
05-15-2018 09:25 AM
These IP addresses seem appropriate. As far as 7) is concerned the mac address associated with FastEthernet4 makes sense and the ISP should see this one. You do not need to do anything about this one.
HTH
Rick
05-15-2018 10:41 AM
Many thanks.