CISCO Router NAT Public IP/29 (loopback) not able to use all IPs

ledaouk
Level 1
Level 1

Hi,

I have a connection from an ISP, provided by a modem connected to my router, and the ISP was providing 1 public IP. I also have an ASA behind the router and everything was fine.

I requested 4 more public IPs, so I now have 5 to NAT to 5 internal web servers.

The problem is that the configuration is the same for all web servers, but I'm not able to get them all online: every time I reboot the ISP modem some of the NATs will not work.

Even if all web servers are up, I will have only 4 of the NATs working.

What I mean by working: that it is accessible from outside. I also tried to assign the NAT for the same server on all IPs and faced the same thing: not all of them will work until I reboot the modem, and when it is up, one of them will not work.

If I remove all NAT, reboot the modem, and then set them later, I will have only 2 or 3 working.

The ISP changed the subnet for me and I'm still facing the same.

Is it an ISP issue, or is there a misconfiguration in my router?

By the way, the internet from the internal network is working fine.

aaa.bbb.ccc.96/29 is my public subnet

172.16.49.128/30 is the subnet between router and ISP modem

172.17.0.0/16 is the router internal subnet

172.27.0.0/16 is my internal network behind the ASA (172.17.0.2 is the ASA IP)

Thank you.


16 Replies

Hello,

 

--> ip nat pool overld aaa.bbb.ccc.98 aaa.bbb.ccc.102 prefix-length 29

 

Are these the 'new' addresses ?

 

And is this another group of public addresses ?

 

ip nat inside source static tcp 172.27.3.1 80 aaa.aaa.aaa.aa 80 extendable
ip nat inside source static tcp 172.27.3.2 80 bbb.bbb.bbb.bb 80 extendable
ip nat inside source static tcp 172.27.3.3 80 ccc.ccc.ccc.cc 80 extendable
ip nat inside source static tcp 172.27.3.4 80 ddd.ddd.ddd.dd 80 extendable
ip nat inside source static tcp 172.27.3.5 80 eee.eee.eee.ee 80 extendable

Yes, this is the new one:

ip nat pool overld aaa.bbb.ccc.98 aaa.bbb.ccc.102 prefix-length 29

That was the testing NAT, and this is the new NAT:

ip nat inside source static tcp 172.27.3.1 80 aaa.bbb.ccc.98 80 extendable
ip nat inside source static tcp 172.27.3.2 80 aaa.bbb.ccc.99 80 extendable
ip nat inside source static tcp 172.27.3.3 80 aaa.bbb.ccc.100 80 extendable
ip nat inside source static tcp 172.27.3.4 80 aaa.bbb.ccc.101 80 extendable
ip nat inside source static tcp 172.27.3.5 80 aaa.bbb.ccc.102 80 extendable

 

And I added this route:

ip route aaa.bbb.ccc.96 255.255.255.248 aaa.bbb.ccc.97

not:

ip route aaa.bbb.ccc.102 255.255.255.248 aaa.bbb.ccc.97

and it will work with and without it.

 

I'm not sure what is going on. I removed all NAT and just set 5 loopbacks, and I still had only 4 IPs passing traffic in and out. Even after that, when the ISP changed the subnet and provided 5 IPs/32, I had the same: I'm able to use only 4 IPs, with the difference that after rebooting the modem the first 4 IPs will be working.

Is there any limitation on the Cisco C881 router for loopback IPs?

This is the first time I'm facing a similar issue with an ISP. Is it possibly a misconfiguration or a limitation on their modem?

Thank you experts for your help.
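A small consistency check for the kind of configuration posted above, added here as an example; it is not part of the thread and not a Cisco tool. It parses `ip nat inside source static` and `ip route` lines, verifies that every outside address of a static NAT lies inside the public /29, is not the network, broadcast, or ISP gateway address, and is not claimed twice for the same protocol and port, and flags a route whose destination and mask disagree (as in the second route discussed above). The sample configuration is constructed: 203.0.113.96/29 stands in for the thread's aaa.bbb.ccc.96/29, .97 is assumed to be the ISP gateway, and the two NAT lines for 172.27.3.6 and 172.27.3.7 are deliberate mistakes added to show the check firing.

```python
import ipaddress
import re

# Constructed sample config (not the poster's attachment). 203.0.113.96/29
# stands in for aaa.bbb.ccc.96/29; the last two NAT lines are deliberate
# errors: .97 is assumed to be the ISP gateway, and .102:80 is already used.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 172.27.3.1 80 203.0.113.98 80 extendable
ip nat inside source static tcp 172.27.3.2 80 203.0.113.99 80 extendable
ip nat inside source static tcp 172.27.3.3 80 203.0.113.100 80 extendable
ip nat inside source static tcp 172.27.3.4 80 203.0.113.101 80 extendable
ip nat inside source static tcp 172.27.3.5 80 203.0.113.102 80 extendable
ip nat inside source static tcp 172.27.3.6 80 203.0.113.97 80 extendable
ip nat inside source static tcp 172.27.3.7 80 203.0.113.102 80 extendable
ip route 203.0.113.96 255.255.255.248 203.0.113.97
ip route 203.0.113.102 255.255.255.248 203.0.113.97
"""

STATIC_NAT = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<inside>\S+) (?P<iport>\d+) "
    r"(?P<outside>\S+) (?P<oport>\d+)"
)
ROUTE = re.compile(r"^ip route (?P<dest>\S+) (?P<mask>\S+) (?P<nexthop>\S+)")


def check_nat_config(config, public_block, gateway):
    """Return a list of (config line, reason) for lines that look wrong.

    public_block is the routed public prefix (e.g. "203.0.113.96/29") and
    gateway is the ISP next hop inside it (assumed to be .97 here).
    """
    net = ipaddress.ip_network(public_block)
    gw = ipaddress.ip_address(gateway)
    findings = []
    claimed = {}  # (proto, outside ip, outside port) -> inside host

    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_NAT.match(line)
        if m:
            pub = ipaddress.ip_address(m["outside"])
            key = (m["proto"], str(pub), m["oport"])
            if pub not in net:
                findings.append((line, f"outside address {pub} is not in {net}"))
            elif pub in (net.network_address, net.broadcast_address):
                findings.append((line, f"{pub} is the network or broadcast address of {net}"))
            elif pub == gw:
                findings.append((line, f"{pub} is the ISP gateway address"))
            elif key in claimed:
                findings.append(
                    (line, f"{m['proto']}/{pub}:{m['oport']} already mapped to {claimed[key]}")
                )
            claimed.setdefault(key, m["inside"])
            continue

        m = ROUTE.match(line)
        if m:
            # ip_network() is strict by default: host bits set in the
            # destination raise ValueError, which is exactly the mismatch we want.
            try:
                ipaddress.ip_network(f"{m['dest']}/{m['mask']}")
            except ValueError:
                findings.append(
                    (line, f"destination {m['dest']} is not the base of a {m['mask']} block")
                )
    return findings


if __name__ == "__main__":
    for line, reason in check_nat_config(SAMPLE_CONFIG, "203.0.113.96/29", "203.0.113.97"):
        print(f"{reason}\n    {line}")
```

Run against a saved `show running-config`, the function reports only the lines that conflict with the /29 and the gateway; a clean run returns an empty list, which makes it easy to compare the state before and after a modem reboot.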

Hi,

I've been told by the ISP that my router is broadcasting all internal MAC addresses and I'm limited to 5 MAC addresses only, and that is why I'm facing this issue. Any idea about this?

Why would a router broadcast internal MAC addresses?

 

I am not aware of any limitation on 881 about the number of loopback interfaces. I suggest that we should look for other causes of the issue and only if we find no other issue should we be concerned about the number of loopback interfaces.

 

There is certainly some possibility that the issue is some limitation of the ISP equipment or some misconfiguration. But I suggest that we look at your config before we try to raise issues with the ISP. You posted a config of the router in the original post. But you tell us of several things that you changed. Would you post the current running config and also a fresh description of what currently does work and what does not work?

HTH

Rick

While I was thinking about your issue and writing my response you posted the update about the number of MAC addresses. It is very unexpected for a router to broadcast all internal MAC addresses, assuming that it is operating in routing mode. If it were configured for bridging then we would expect to see internal MAC addresses. Perhaps seeing the current running config might shed some light on this.

HTH

Rick

Thank you Richard, the config is attached in the previous comment.

Hi Richard and thank you for your reply.

My current status is: 

The ISP raised the MAC address limit to more than 5 to give me time to fix my issue.

The deny "access-list 100 deny ip any any" is, as he said, not allowing him to see my MAC addresses; he said that I'm broadcasting the MAC addresses beyond the router and he can see them, while I had already configured it with the deny rule before and it didn't help. So anyway, why is the router allowing the internal MAC addresses to show on the outside without the deny rule?

And is this deny rule enough? Or is there an alternative solution to manage it?

Please find attached the current config.

Regards.

Hello,

 

what type/brand is the ISP modem, and who is the ISP ?

It is a Zhone modem, but he confirmed that the MAC address limitation is on his gateway.

I have looked at the config that you posted and am a bit puzzled. I do not see anything in the config that would explain why your ISP would be seeing internal MAC addresses. I do see that you have a dynamic NAT configured to translate any source address in the 172.17 network and that you have static NAT configured for VPN traffic from the ASA to use the .98 address. And there is a static NAT for the server at 172.27.2.4 for TCP ports 21 and 80. I do not see any other address translation configured. I see that you have configured additional loopback interfaces with the other public IP addresses but do not see anything that would use those addresses.

HTH

Rick

Thank you, I really appreciate your reply.

These are the IP addresses delivered; I double-checked with them today to find out that they can see:

1- the IP address set on my WAN port (FastEthernet4) / type: IP

2- aaa.bbb.ccc.98  / type: IP

3- aaa.bbb.ccc.99 / type: IP

4- aaa.bbb.ccc.100 / type: IP

5- aaa.bbb.ccc.101 / type: IP

6- aaa.bbb.ccc.102 / type: IP

7- a MAC address which refers to the WAN port (FastEthernet4) / type: unicast

Does it make sense? Or should I manage some commands to hide the MAC address showing as UNICAST?

These IP addresses seem appropriate. As far as 7) is concerned the MAC address associated with FastEthernet4 makes sense and the ISP should see this one. You do not need to do anything about this one.

HTH

Rick

Many thanks.