

ISP Static IP setup on ISP provided router

Posted on 2014-10-16
Medium Priority
Last Modified: 2014-10-21
This is going to be a hard one to explain.  If you are up to the challenge get a cup of coffee and here we go.

Our company has a factory operating in Vietnam.  I was tasked with getting the facility connected to the main office via VPN Tunnel.  The factory obtained internet access in advance of my trip and ordered internet access and six static IP addresses.  The ISP installed the equipment and gave us the static address range of

I told them I needed to know other information.  Subnet mask, Default Gateway, preferred DNS but I didn't get anything in advance.  The ISP in Vietnam is VERY difficult to work with along with significant language barriers.  When I arrived the internet was working and I did a check at whatismyip and it returned a similar but very different address.

I found this to be very odd.  If we have a static address I should be accessing the internet under one of our static addresses.

I program my equipment PA 200 FW and set the outside interface to match the ISP information.  My outside interface gets set to (guessing the subnet based off the range provided) but I am stuck without a default gateway.  I try a few guesses using .71 .70 and .1 but get nowhere on the internet.

I reset everything back and am unable to get any information out of the ISP.  They have no answers for my questions so I log into the wireless router device that was left by the ISP.

I find that the outside WAN connection on the router is set not as static but as a PPPoE connection.  I find that occasionally the outside interface of the router will change when I browse the web as if it is DHCP.  I find that the LAN side of the router has the subnet assigned with DHCP ON using the static range of  The LAN address is

Using this information I configure the Palo Alto with its outside interface to be with a default gateway of and set up NAT behind the firewall and we are able to access the internet just fine using the PA at that point.

My next hurdle is to set up a few servers... I need to get SSH through to one and a web services port to another.  I cannot access any of the static addresses directly through the ISP device.  If I ping any of the addresses I receive no response.  In my thought processes this makes perfect sense because these static addresses do not seem public at all as they are on the inside interface of the ISP router.  It would seem to me I could use any address on that side and the effect would be the same.  Why are we paying for static addresses on the LAN side of the interface???

Anyway, I do get the services through by using Port Forwarding on the ISP provided device.  Basically saying any traffic on port 22 go to this address on the LAN.

I set up the VPN tunnel through the Palo Alto devices and the tunnel does get established, however I cannot route traffic between them.  Palo Alto spent a couple of hours troubleshooting this and it was determined that the ports are getting allowed through so the tunnel can establish, however it cannot route any ESP packets.  They are sent out but never received.

It is believed this is because the ISP device is only allowing port forwarding and not allowing a static mapping of public IPs to private IPs (my internal addresses).

I have never seen an ISP setup like this before.  Usually this process is quite straightforward so I'm really confused by this setup and I'm wondering if anyone has any advice here or if I am completely missing something.

As added information the ISP did provide a different router for a bit that did have some ability to map IPs and I was able to route traffic through the tunnel.  However this device had a lot of other issues that degraded performance significantly.  The tunnel did work though (not really sure how as the static addresses were still on the inside of the device; the only difference is I could map the provided static address to my Palo Alto).  I can't find anything like that on the current ISP device.

For reference the ISP device currently in place is called TOTO Link Model No F1.
The other device was called TP-Link (no model number available on that one)

Any advice here?
Question by:-Darvin-

Expert Comment

ID: 40384666
Hm, did you define any of these public IP addresses on your FW and create some rule for inbound access to the server, using NAT?

Author Comment

ID: 40384709
Yes, I have NAT rules in place on the Palo Alto firewall to route traffic based on the static addresses for the servers that need them.  The problem now is the VPN tunnel though and that doesn't require any NAT rules as it's outside interface to outside interface.

I cannot ping the outside interface of the Palo Alto from the main office at this time even though it is enabled to answer ping requests.  If I use port forwarding on the ISP device and forward SSH or 443 to the firewall's outside interface I can reach it but still cannot ping it.  Since ping (I am told) is not port specific but rather rides on the IP layer it's the same with the ESP packets.  They can't make it through because I cannot port forward them.

Accepted Solution

-Darvin- earned 0 total points
ID: 40384725
I think I may have this thing working.

I set up port forwarding to forward UDP packets on port 4500 to the outside interface of the Palo Alto and I can now ping the inside network in Vietnam.  Testing it further at this time.

Author Comment

ID: 40384784
This problem is resolved.  I still don't fully understand how this is working and why it works but I am able to use the VPN tunnel correctly at this time.  Thanks Matt for chiming in and taking the time to read all of that but in the end I guess there is nothing to do here.

Expert Comment

ID: 40385428
"I told them I needed to know other information.  Subnet mask, Default Gateway, preferred DNS but I didn't get anything in advance."

Subnet mask you know from range of addresses (range is ip range and is broadcast address). So your network address is
Default gateway is not needed, it is needed only for layer 2 network this is L3, so you need default route.
ip route
Preferred DNS you can use whatever you want, you can have your own DNS server, use public DNS (like google DNS) etc...

So, all you asked them was unnecessary except the IP address of the next hop for the default route (not gateway). But there's a solution for that too (I just improvised the situation and it is later in the post), but I don't think you will often be in a situation where the ISP did not give you the next-hop address.

"I try a few guesses using .71 .70 and .1 but get nowhere on the internet."
Those addresses are not in the same IP address range the ISP gave you. So unless you have already established a default route (but that's the problem you were trying to solve) pings were dying on your router (the router did not know where the ping needed to be sent, or through which interface).

This is all just info for next time, when you get into similar situation. :)

Way that you can learn what is next-hop address on link is:
You can set your default route as
ip route FastEthernet 0/0 (your WAN interface - this is not efficient way to set route but it is temporary anyway)
after that you can do traceroute to google DNS (or any other IP address out of range of your scope of addresses)
First result should be your next-hop address in your case that would be something like
1.  32 msec    30 msec    28 msec  
and after that remove inefficient route with
no ip route FastEthernet 0/0
and set default route as
ip route

I just simulated the solution in GNS3. I was not sure whether it would work, but it works.
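The subnet reasoning in the comment above, as an added example that is not part of the original post: it derives the subnet from a six-address range and tests the guessed next hops against it. The page's real addresses are missing, so the 203.0.113.x documentation range stands in for them, and the function names are hypothetical.

```python
import ipaddress

def subnet_for_range(first, last):
    """Smallest subnet in which first..last are all usable host addresses."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range is reversed")
    net = ipaddress.IPv4Network(f"{lo}/32")
    # Widen one prefix bit at a time until the block holds both ends and
    # neither end is that block's network or broadcast address.
    while (hi not in net or lo == net.network_address
           or hi == net.broadcast_address):
        if net.prefixlen == 0:
            raise ValueError("no subnet fits this range")
        net = net.supernet()
    return net

def check_next_hops(net, candidates):
    """Map each candidate next hop to True if it is a usable host on net."""
    result = {}
    for cand in candidates:
        addr = ipaddress.IPv4Address(cand)
        result[cand] = (addr in net and addr != net.network_address
                        and addr != net.broadcast_address)
    return result

if __name__ == "__main__":
    # Constructed stand-in for the six static addresses from the ISP.
    net = subnet_for_range("203.0.113.73", "203.0.113.78")
    print("subnet   ", net)
    print("netmask  ", net.netmask)
    print("broadcast", net.broadcast_address)
    # The question's guesses (.70, .71, .1) applied to the stand-in range,
    # plus one address that really is on the link.
    guesses = ["203.0.113.70", "203.0.113.71", "203.0.113.1", "203.0.113.73"]
    for cand, ok in check_next_hops(net, guesses).items():
        print(cand, "on-link" if ok else "outside the subnet")
```
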

Author Comment

ID: 40385452
Interesting, thanks for the information!  This set up was very different from what I have always done previously so it really caused some issues.  Very glad that it is working now though.

Expert Comment

ID: 40386027
I forgot to add that you need to configure IP address on WAN interface.
If you get the message %IP-4-DUPADDR: Duplicate address on FastEthernet0/0 you don't need the procedure to find the next-hop address :) in that case you already know what the IP address of the next hop is.
And it is great that your network is working.

Author Closing Comment

ID: 40393880
I ended up port forwarding both port 500 and 4500 udp to the outside interface of the network firewall.
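Why forwarding UDP 500 and 4500 was enough while plain ESP never arrived, as an added example that is not part of the thread: it classifies IPsec packet types and checks which of them a port-forward rule can match. The NAT model (UDP port forwards only, no protocol passthrough), the sample packets and all function names are assumptions made for illustration.

```python
import struct

PROTO_UDP, PROTO_ESP = 17, 50   # IP protocol numbers
IKE, NATT = 500, 4500           # UDP ports: IKE and NAT traversal

def ipv4(proto, payload):
    """Constructed minimal IPv4 packet (checksum left 0, sample addresses)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([198, 51, 100, 10]),
                       bytes([203, 0, 113, 74])) + payload

def udp(dport, data):
    hdr = struct.pack("!HHHH", dport, dport, 8 + len(data), 0)
    return ipv4(PROTO_UDP, hdr + data)

def classify(pkt):
    """Return (kind, UDP destination port or None) for a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == PROTO_ESP:
        return "native-esp", None        # IP protocol 50 has no port field
    if pkt[9] != PROTO_UDP or len(pkt) < ihl + 8:
        return "other", None
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    data = pkt[ihl + 8:]
    if dport == IKE:
        return "ike", dport
    if dport == NATT and data == b"\xff":
        return "nat-keepalive", dport    # one 0xFF octet keeps the mapping up
    if dport == NATT and data[:4] == b"\x00" * 4:
        return "ike-natt", dport         # non-ESP marker, then the IKE header
    if dport == NATT:
        return "esp-in-udp", dport       # ESP header starts with non-zero SPI
    return "other", dport

def delivered(pkt, udp_forwards):
    """True if a port-forward-only NAT passes this inbound packet on."""
    return classify(pkt)[1] in udp_forwards

ESP_BODY = struct.pack("!II", 0xC0FFEE01, 1) + b"\x22" * 16  # SPI, sequence
SAMPLES = {  # constructed packets, not captures from the thread
    "ike": udp(IKE, b"\x11" * 28),
    "ike-natt": udp(NATT, b"\x00" * 4 + b"\x11" * 28),
    "esp-in-udp": udp(NATT, ESP_BODY),
    "native-esp": ipv4(PROTO_ESP, ESP_BODY),
}

def reachability(udp_forwards):
    """Which sample packets reach the firewall for a set of forwarded ports."""
    return {name: delivered(p, udp_forwards) for name, p in SAMPLES.items()}
```

Calling `reachability({500, 4500})` marks every UDP-carried type as delivered and `native-esp` as dropped, which is why a tunnel behind such a device depends on NAT traversal encapsulating ESP in UDP 4500.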
