Multiple Default Routes, one wan interface, Cisco 2821 Router

cktechnology
Level 1

Hi Everyone!

Our IT person is out of the country on vacation and we have a serious problem. We need to add a new /29 IP WAN block to our network as we need more servers to get assigned public IPs. Currently, we have one /29 assigned to our Gi0/0 interface. The first IP is primary and the other four are listed as secondary. We had our ISP forward another /29 block to us over our fiber connection and I simply added the other 5 as secondary. Of course this didn't work because the default route (ip route 0.0.0.0 0.0.0.0 x.x.x.x) is going to another gateway. The new IP block has a different gateway.

I tried to simply add a second default route, but of course, that caused all sorts of routing problems. I suspect I need some ACLs or something, but I'm just not that versed in Cisco.

Can anyone help point me in the right direction?


Thanks so much!

21 Replies

Hello, 

route maps should be able to solve this. Can you post the configuration you have so far?

I thought something like that. The sanitized output is below. I replaced sensitive IPs and other stuff but you have the whole configuration there. As you can see, we use all the IPs for the multiple port forwards we have for different servers, our PBX, etc.

Thanks in advance!!!!

WDRP-ROUTER#sh runn
Building configuration...


Current configuration : 12262 bytes
!
! Last configuration change at 11:27:51 GMT Fri Jul 7 2017 by admin
! NVRAM config last updated at 11:07:07 GMT Fri Jul 7 2017 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname WDRP-ROUTER
!
boot-start-marker
boot system flash flash:c2800nm-advipservicesk9-mz.124-24.T3.bin
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 $1$CIRT$6bXp6SGHsIR5qSOkpgkUk0
!
aaa new-model
!
!
aaa authentication login default local line
aaa authentication login ezvpnuserlist local
aaa authorization network ezvpnusergroup local
!
!
aaa session-id common
clock timezone GMT -5
clock summer-time DST date Mar 27 2011 0:00 Oct 31 2011 0:00
!
!
crypto pki trustpoint TP-self-signed-1652146037
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1652146037
 revocation-check none
 rsakeypair TP-self-signed-1652146037
!
!
crypto pki certificate chain TP-self-signed-1652146037
 certificate self-signed 01
  xxxxxxxx
        quit
dot11 syslog
ip source-route
!
!
ip cef
ip dhcp excluded-address 10.10.200.1 10.10.200.99
ip dhcp excluded-address 10.10.210.1 10.10.210.10
ip dhcp excluded-address 192.168.10.1 192.168.10.20
!
ip dhcp pool WDRP-CORP-LAN
   network 10.10.200.0 255.255.255.0
   default-router 10.10.200.1
   dns-server 10.10.200.10 10.10.200.9
!
ip dhcp pool WDRP-VOICE-LAN
   network 10.10.210.0 255.255.255.0
   default-router 10.10.210.1
   dns-server 10.10.200.10 xxxx
   option 66 ascii xxxx
   option 128 ip 10.10.210.2
!
ip dhcp pool TEST-LAN
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server xxxx
!
!
ip domain name xxxx
ip name-server 10.10.200.10
ip name-server xxxx
ip name-server xxxx
ip ips notify SDEE
ip ips name sdm_ips_rule
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
username admin privilege 15 secret 5 $1$jz/f$qFH8OOdHBn1gs9c1qUIWj0
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group xx
 key x
 acl split_tunnel_acl
 save-password
 max-users 20
!
crypto isakmp client configuration group xx
 key x
 dns 10.10.200.10
 domain xxxx
 pool office
 acl split_tunnel_acl
 include-local-lan
 max-users 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set default esp-aes esp-sha-hmac
!
crypto identity ad
 !
 !
 crypto dynamic-map dyntemplate 1
 set transform-set default
 reverse-route
!
!
crypto map secure client authentication list ezvpnuserlist
crypto map secure isakmp authorization list ezvpnusergroup
crypto map secure client configuration address respond
crypto map secure 65535 ipsec-isakmp dynamic dyntemplate
!
archive
 log config
  hidekeys
!
!
!
!
!
!
interface GigabitEthernet0/0
 description To-Internet$ETH-WAN$
 ip address x.x.158.195 255.255.255.248 secondary
 ip address x.x.158.196 255.255.255.248 secondary
 ip address x.x.158.197 255.255.255.248 secondary
 ip address x.x.158.198 255.255.255.248 secondary
 ip address x.x.22.234 255.255.255.248 secondary
 ip address x.x.22.235 255.255.255.248 secondary
 ip address x.x.22.236 255.255.255.248 secondary
 ip address x.x.22.237 255.255.255.248 secondary
 ip address x.x.22.238 255.255.255.248 secondary
 ip address x.x.158.194 255.255.255.248
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map secure
!
interface GigabitEthernet0/1
 description Internal LAN$ETH-LAN$
 ip address 10.10.200.1 255.255.255.0
 ip mtu 1412
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1.1
 description VOICE_LAN
 encapsulation dot1Q 10
 ip address 10.10.210.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0/1.2
 description TEST_LAN
 encapsulation dot1Q 200
 ip address 192.168.10.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0/1.3
 description MANAGEMENT_LAN
 encapsulation dot1Q 4093
 ip address 192.168.0.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0/1.4
 description VIDEOWALL_LAN
 encapsulation dot1Q 5
 ip address 10.10.250.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
ip local pool ckoffice 10.10.200.250 10.10.200.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.158.193
ip http server
ip http authentication local
no ip http secure-server
!
ip flow-export destination 10.10.200.11 9999
!
ip nat inside source static tcp 10.10.200.90 64100 interface GigabitEthernet0/0 64100
ip nat inside source static udp 10.10.200.90 64100 interface GigabitEthernet0/0 64100
ip nat inside source route-map nat-permit interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.200.10 21 xxxx 21 extendable
ip nat inside source static tcp 10.10.200.7 25 xxxx 25 route-map nat-permit extendable
ip nat inside source static udp 10.10.210.2 69 xxxx 69 extendable
ip nat inside source static tcp 10.10.200.14 80 xxxx 80 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.10 389 xxxx 389 extendable
ip nat inside source static tcp 10.10.200.7 443 xxxx 443 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.10 587 xxxx 587 extendable
ip nat inside source static tcp 10.10.200.15 873 xxxx 873 extendable
ip nat inside source static udp 10.10.200.15 873 xxxx 873 extendable
ip nat inside source static tcp 10.10.200.19 902 xxxx 902 extendable
ip nat inside source static udp 10.10.200.19 902 xxxx 902 extendable
ip nat inside source static tcp 10.10.200.19 903 xxxx 903 extendable
ip nat inside source static tcp 10.10.200.14 1001 xxxx 1001 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.15 21 xxxx 2115 extendable
ip nat inside source static tcp 10.10.200.10 2121 xxxx 2121 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.5 8005 xxxx 8005 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.16 8080 xxxx 8080 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.19 8443 xxxx 8443 extendable
ip nat inside source static tcp 10.10.200.10 8889 xxxx 8889 extendable
ip nat inside source static tcp 10.10.200.8 80 xxxx 80 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.11 443 xxxx 443 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.12 8011 xxxx 8011 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.11 8080 xxxx 8080 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.12 8081 xxxx 8081 route-map nat-permit extendable
ip nat inside source static udp 10.10.200.12 8081 xxxx 8081 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.11 8085 xxxx 8085 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.46 xxxx 22 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.46 xxxx 80 route-map nat-permit extendable
ip nat inside source static tcp 10.10.210.2 443 xxxx 443 route-map nat-permit extendable
ip nat inside source static udp 10.10.210.2 5060 xxxx 5060 extendable
ip nat inside source static tcp 10.10.210.2 50000 xxxx 50000 extendable
ip nat inside source static tcp 10.10.210.2 50003 xxxx 50003 extendable
ip nat inside source static 10.10.210.2 xxxx route-map PBX
ip nat inside source static tcp 10.10.200.16 8030 xxxx 80 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.18 443 xxxx 443 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.18 5222 xxxx 5222 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.18 5223 xxxx 5223 route-map nat-permit extendable
ip nat inside source static tcp 10.10.200.16 8090 xxxx 8090 route-map nat-permit extendable
!
ip access-list extended nat
 deny   ip 10.10.200.0 0.0.0.255 10.10.0.0 0.0.255.255
 permit ip 10.10.200.0 0.0.0.255 any
 permit ip 10.10.210.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended pbxnat
 permit udp host 10.10.210.2 range 10000 20000 any
 deny   ip 10.10.210.0 0.0.0.255 any
ip access-list extended split_tunnel_acl
 permit ip 10.10.200.0 0.0.0.255 any
!
logging trap critical
logging 10.10.200.11
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.210.0 0.0.0.255
access-list 10 remark CCP_ACL Category=16
access-list 10 permit 10.10.200.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.200.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=20
access-list 101 permit ip 0.0.0.186 255.255.255.0 any
no cdp run

!
!
!
!
route-map nat-permit permit 10
 match ip address nat
!
route-map PBX permit 12
 match ip address 102 pbxnat
!
!
snmp-server community xxx
snmp-server community xxx
snmp-server location xxx
snmp-server contact xxx@xxx
snmp-server enable traps tty
!
control-plane

If they are routing the new block to you then you do not need to use secondary IPs, just create your NAT statements and it should all work.

Jon

I agree with Jon. If you configure just one of the new WAN IP addresses as a secondary address on the interface, and use that as the default gateway for the servers that get public IPs from the new block, the routing should be taken care of automatically.

Does that make sense?

Georg

You don't need to use any secondary IPs for the new block if the ISP is simply routing the block to the existing primary IP of the interface.

That is assuming the servers are using private IPs and are on the internal LAN.

Jon

As I understood it, the servers need public IP addresses directly assigned? Maybe I got that wrong, in which case you are absolutely right...

Ahh, okay, yes if they do then it is you who is absolutely right :)

Guess we'll wait until the OP clarifies.

Jon

Hi All,

First off, thank you so much for trying to help me with this in my time of crisis.

The issue is one of default gateways. Even if I remove the secondary, I still can't use the public IPs because the router has no knowledge of them.

And with the new block of five that is forwarding to our router, I would need a default route, something like 0.0.0.0 0.0.0.0 x.x.22.233, correct?

When you configure NAT using those IPs the router knows about them and will answer queries for them so you do not have to assign them to any interface.

If the ISP is forwarding the new IPs to your router then they will have a route for the new block pointing to the primary IP on your interface, i.e. the IP from your existing block, not the new block.

Are you sure the ISP is routing the new block to you as opposed to them adding a secondary IP to their router out of the new block?

Jon

Yes, it's an Ethernet circuit, so they have blocks of IPs delivered to us over a single VLAN which goes to their switch in the building. Then a port with a fiber cable running to our office is untagged with our VLAN. So let's say our VLAN is 2002: they have two /29 blocks routed to our VLAN. Then our VLAN 2002 is untagged at their switch and runs directly into GigabitEthernet0/0 on the 2821.

You can just use the new IP block for NAT assuming you are not wanting to assign the public IPs to the servers.

You do not need to assign any of the new IPs to any interface on the router and you do not need to do anything with the routing.

Jon

Can you clarify what you meant about the default route?

Jon

Yes, I'm referring to the default gateways of the first block of 5, .194 - .198. Those are all using the .193 default gateway as indicated in the ip route 0.0.0.0 0.0.0.0 x.x.158.194 statement.

What I thought I had to do was simply add the second ip route statement for the new /29 block (ip route 0.0.0.0 0.0.0.0 x.x.22.233).

Sam Smiley
Level 3

Chris, secondary IP addresses work fine for inbound port translation; however, they don't work for the servers' outbound traffic. The simple solution for your immediate problem is to have the ISP route the new block to your WAN IP (ip address x.x.158.194 255.255.255.248); this will prevent you from having to add another interface for the new subnet. Once they route the block to your public IP address you can do as you wish with the block.

As your config is written, the port translations will work inbound, but when the server answers, it is going to answer the request off of the "nat" route map. This will have all of the servers going out the default IP of the interface (x.x.158.194 255.255.255.248). You should clean this up so that when the servers go out, they are going out the IP address that you are bringing to them. Here is a discussion on this:

https://supportforums.cisco.com/discussion/11738651/multiple-wan-ip-addresses-and-multiple-inside-hosts

Regards,
Sam
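Added example, not from this thread and not Cisco's own documentation: an IOS configuration fragment showing what Jon's advice (use the new block only in NAT statements, no secondary addresses, no second default route) and Sam's advice (have servers source their own outbound traffic from the public IP you bring to them) look like when combined. It assumes the ISP routes the new block to the existing primary WAN address, as Sam asks for. All addresses and names are placeholders: 198.51.100.192/29 stands in for the existing x.x.158.192/29 block (ISP gateway .193, router .194), 203.0.113.232/29 for the new x.x.22.232/29 block, 10.10.200.50 is a hypothetical new server, and NEW-BLOCK-SERVER, SERVER50-HOST and SERVER50-OUT are invented names.

```cisco
! One default route via the existing gateway. No second default route and no
! secondary addresses for the new block: the ISP forwards 203.0.113.232/29 to
! 198.51.100.194, so the router only has to translate those addresses, not own
! them, and no proxy-ARP is involved.
interface GigabitEthernet0/0
 ip address 198.51.100.194 255.255.255.248
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 198.51.100.193
!
! Inbound: port-restricted static translations for the hypothetical server,
! using an address from the routed block that is configured on no interface.
ip nat inside source static tcp 10.10.200.50 443 203.0.113.234 443 extendable
ip nat inside source static tcp 10.10.200.50 22 203.0.113.234 22 extendable
!
! Outbound: a one-address pool plus a route-map so connections the server
! itself originates are sourced from 203.0.113.234 instead of the interface
! address that the general overload rule uses.
ip nat pool NEW-BLOCK-SERVER 203.0.113.234 203.0.113.234 netmask 255.255.255.248
ip access-list extended SERVER50-HOST
 permit ip host 10.10.200.50 any
route-map SERVER50-OUT permit 10
 match ip address SERVER50-HOST
ip nat inside source route-map SERVER50-OUT pool NEW-BLOCK-SERVER overload
!
! Keep the server out of the existing general PAT rule so that only one
! dynamic rule can ever match it. Sequence number 5 places the deny ahead of
! the entries already in the "nat" ACL (which start at 10).
ip access-list extended nat
 5 deny ip host 10.10.200.50 any
!
! Checks after applying: the routing table still has a single default entry,
! and a connection started from 10.10.200.50 shows 203.0.113.234 as its
! inside global address.
! show ip route 0.0.0.0
! show ip nat translations | include 203.0.113.234
```

The port-restricted statics are deliberately used instead of a plain one-to-one static (ip nat inside source static 10.10.200.50 203.0.113.234): a one-to-one entry would also give outbound traffic the right source address, but it makes every listening port on the server reachable from the Internet unless an inbound ACL on GigabitEthernet0/0 restricts it, and on this router that ACL would also have to permit the ISAKMP/ESP traffic for the crypto map and the other services bound to that interface.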