Solved

ISP Static IP setup on ISP provided router

Posted on 2014-10-16
713 Views
Last Modified: 2014-10-21
This is going to be a hard one to explain.  If you are up to the challenge get a cup of coffee and here we go.

Our company has a factory operating in Vietnam.  I was tasked with getting the facility connected to the main office via VPN Tunnel.  The factory obtained internet access in advance of my trip and ordered internet access and six static IP addresses.  The ISP installed the equipment and gave us the static address range of 131.116.107.73-78.

I told them I needed to know other information: subnet mask, default gateway, preferred DNS, but I didn't get anything in advance.  The ISP in Vietnam is VERY difficult to work with, along with significant language barriers.  When I arrived the internet was working and I did a check at whatismyip, and it returned a similar but very different address: 131.126.280.42

I found this to be very odd.  If we have a static address I should be accessing the internet under one of our static addresses.

I program my equipment, a PA-200 FW, and set the outside interface to match the ISP information.  My outside interface gets set to 131.116.107.73/29 (guessing the subnet based on the range provided), but I am stuck without a default gateway.  I try a few guesses using .71, .70 and .1 but get nowhere on the internet.

I reset everything back and am unable to get any information out of the ISP.  They have no answers for my questions, so I log into the wireless router device that was left by the ISP.

I find that the outside WAN connection on the router is set not as static but as a PPPoE connection.  I find that occasionally the outside interface of the router will change when I browse the web, as if it is DHCP.  I find that the LAN side of the router has the subnet 255.255.255.248 assigned, with DHCP on using the static range 131.116.107.74-78.  The LAN address is 131.116.107.73.

Using this information I configure the Palo Alto with its outside interface as 131.116.107.74 with a default gateway of 131.116.107.73, set up NAT behind the firewall, and we are able to access the internet just fine using the PA at that point.

My next hurdle is to set up a few servers... I need to get SSH through to one and a web services port to another.  I cannot access any of the static addresses directly through the ISP device.  If I ping any of the 131.116.107.73-78 addresses I receive no response.  In my thought process this makes perfect sense, because these static addresses do not seem public at all, as they are on the inside interface of the ISP router.  It would seem to me I could use any address on that side and the effect would be the same.  Why are we paying for static addresses on the LAN side of the interface???

Anyway, I do get the services through by using port forwarding on the ISP-provided device.  Basically saying any traffic on port 22 goes to this address on the LAN.

I set up the VPN tunnel through the Palo Alto devices and the tunnel does get established; however, I cannot route traffic between them.  Palo Alto spent a couple of hours troubleshooting this and it was determined that the ports are getting allowed through so the tunnel can establish; however, it cannot route any ESP packets.  They are sent out but never received.

It is believed this is because the ISP device is only allowing port forwarding and not allowing a static mapping of public IPs 131.116.107.73-78 to private IPs (my internal addresses).

I have never seen an ISP setup like this before.  Usually this process is quite straightforward, so I'm really confused by this setup and I'm wondering if anyone has any advice here or if I am completely missing something.

As added information, the ISP did provide a different router for a bit that did have some ability to map IPs, and I was able to route traffic through the tunnel.  However, this device had a lot of other issues that degraded performance significantly.  The tunnel did work though (not really sure how, as the static addresses were still on the inside of the device; the only difference is I could map the provided static address to my Palo Alto).  I can't find anything like that on the current ISP device.

For reference the ISP device currently in place is called TOTO Link Model No F1.
The other device was called TP-Link (no model number available on that one)

Any advice here?
Question by:-Darvin-

8 Comments

Expert Comment

by:Matt
Hm, did you define any of these public IP addresses on your FW and create some rule for inbound access to the server, using NAT?

Author Comment

by:-Darvin-
Yes, I have NAT rules in place on the Palo Alto firewall to route traffic based on the static addresses for the servers that need them.  The problem now is the VPN tunnel, though, and that doesn't require any NAT rules as it's outside interface to outside interface.

I cannot ping the outside interface of the Palo Alto from the main office at this time, even though it is enabled to answer ping requests.  If I use port forwarding on the ISP device and forward SSH or 443 to the firewall's outside interface I can reach it, but still cannot ping it.  Since ping (I am told) is not port specific but rather rides on the IP layer, it's the same with the ESP packets.  They can't make it through because I cannot port forward them.

Accepted Solution

by:-Darvin-
I think I may have this thing working.

I set up port forwarding to forward UDP packets on port 4500 to the outside interface of the palo alto and I can now ping the inside network in vietnam.  Testing it further at this time.

Author Comment

by:-Darvin-
This problem is resolved.  I still don't fully understand how this is working and why it works but I am able to use the vpn tunnel correctly at this time.  Thanks Matt for chiming in and taking the time to read all of that but in the end I guess there is nothing to do here.
 
Expert Comment

by:Predrag Jovic
"I told them I needed to know other information.  Subnet mask, default gateway, preferred DNS but I didn't get anything in advance."


Subnet mask you know from the range of addresses: 131.116.107.72 255.255.255.248 (131.116.107.73-78 is the IP range and 131.116.107.79 is the broadcast address). So your network address is 131.116.107.72.
Default gateway is not needed; it is needed only for a layer 2 network. This is L3, so you need a default route.
ip route 0.0.0.0 0.0.0.0 131.116.107.73
Preferred DNS you can use whatever you want; you can have your own DNS server, use public DNS (like Google DNS), etc.

So, all you asked them for was unnecessary except the IP address of the next hop for the default route (not gateway). But there's a solution for that too (I just improvised the situation and it is later in the post), but I don't think you will often be in a situation where the ISP did not give you the next-hop address.

"I try a few guesses using .71 .70 and .1 but get nowhere on the internet."
Those addresses are not in the same IP address range the ISP gave you. So unless you had already established a default route (but that's the problem you were trying to solve), pings were dying on your router (the router did not know where the ping needed to be sent, through which interface).

This is all just info for next time, when you get into similar situation. :)

The way you can learn what the next-hop address on the link is:
You can set your default route as
ip route 0.0.0.0 0.0.0.0 FastEthernet 0/0 (your WAN interface; this is not an efficient way to set a route, but it is temporary anyway)
After that you can do a traceroute to Google DNS (or any other IP address outside the range of your scope of addresses):
traceroute 8.8.8.8
The first result should be your next-hop address; in your case that would be something like
1. 131.116.107.73  32 msec    30 msec    28 msec  
2.  
and after that remove the inefficient route with
no ip route 0.0.0.0 0.0.0.0 FastEthernet 0/0
and set the default route as
ip route 0.0.0.0 0.0.0.0 131.116.107.73

I just simulated the solution in GNS3; I was not sure it would work, but it works.
:)
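Predrag's subnet arithmetic and next-hop check, carried out in Python as an added example (this is not code posted in the thread). It generalises his single case: given any usable range an ISP quotes, it finds the smallest subnet whose host range covers it, classifies the gateway guesses the author tried against that subnet, pulls hop 1 out of IOS-style traceroute output, and refuses to build the default route unless that next hop is a usable host on the derived subnet. The function names are chosen here and the traceroute text is constructed, not captured from the author's router.

```python
# Added example, not from the thread: derive the subnet from a quoted usable range and
# sanity-check the next hop before writing the default route. Traceroute text is constructed.
import ipaddress
import re
from typing import Optional


def subnet_from_usable_range(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest IPv4 subnet in which every address from `first` to `last` is a usable host.

    Tries prefix lengths from /30 downwards and returns the first network whose host
    range (network+1 .. broadcast-1) contains both ends. /31 and /32 are skipped: an
    ISP-assigned block of several addresses never fits them.
    """
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    for prefix in range(30, -1, -1):
        net = ipaddress.IPv4Network((lo, prefix), strict=False)
        if net.network_address < lo and hi < net.broadcast_address:
            return net
    raise ValueError("no IPv4 subnet has both addresses as usable hosts")


def classify(net: ipaddress.IPv4Network, addr: str) -> str:
    """Where a candidate gateway / next-hop guess falls relative to the derived subnet."""
    a = ipaddress.IPv4Address(addr)
    if a == net.network_address:
        return "network address"
    if a == net.broadcast_address:
        return "broadcast address"
    if a in net:
        return "usable host in subnet"
    return "outside subnet"


# Hop line of IOS traceroute output: "  1 131.116.107.73 32 msec 30 msec 28 msec"
_HOP1 = re.compile(r"^\s*1\s+(\d{1,3}(?:\.\d{1,3}){3})\b", re.MULTILINE)


def first_hop(traceroute_output: str) -> Optional[str]:
    """Address reported for hop 1, or None when hop 1 only timed out ('* * *')."""
    m = _HOP1.search(traceroute_output)
    return m.group(1) if m else None


def default_route_for(net: ipaddress.IPv4Network, next_hop: str) -> str:
    """IOS static default route, refusing a next hop that is not on the WAN subnet.

    A default route to an off-link address would itself need a route to be resolved,
    which is exactly the route that is missing in this situation.
    """
    if classify(net, next_hop) != "usable host in subnet":
        raise ValueError(f"{next_hop} is not a usable host on {net}")
    return f"ip route 0.0.0.0 0.0.0.0 {next_hop}"


if __name__ == "__main__":
    net = subnet_from_usable_range("131.116.107.73", "131.116.107.78")
    print(net, net.netmask, net.broadcast_address)
    for guess in ("131.116.107.71", "131.116.107.70", "131.116.107.1", "131.116.107.73"):
        print(guess, "->", classify(net, guess))
    # Constructed IOS output, as it would look with the interface-only default route in place.
    trace = (
        "Type escape sequence to abort.\n"
        "Tracing the route to 8.8.8.8\n"
        "  1 131.116.107.73 32 msec 30 msec 28 msec\n"
        "  2 * * *\n"
    )
    hop = first_hop(trace)
    print(hop, "->", default_route_for(net, hop))
```

Run as-is, the three guesses .71, .70 and .1 all classify as outside 131.116.107.72/29, which is why none of them could ever be a next hop on that link, while .73 is a usable host on it and is also what hop 1 reports. The on-link check in `default_route_for` is the one worth keeping in real tooling: a default route pointing at an address the router has no route to is accepted by the CLI and then silently never resolves.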

Author Comment

by:-Darvin-
Interesting, thanks for the information!  This set up was very different from what I have always done previously so it really caused some issues.  Very glad that it is working now though.
Expert Comment

by:Predrag Jovic
I forgot to add that you need to configure an IP address on the WAN interface.
If you get the message %IP-4-DUPADDR: Duplicate address 131.116.107.73 on FastEthernet0/0, you don't need the procedure to find the next-hop address :) in that case you already know the IP address of the next hop.
:)
And it is great that your network is working.

Author Closing Comment

by:-Darvin-
I ended up port forwarding both UDP ports 500 and 4500 to the outside interface of the network firewall.
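Why forwarding just UDP 500 and 4500 was enough, modelled in Python as an added example that is not from the thread: the NAT-D check from RFC 3947 by which the two firewalls notice that a NAT sits in front of the factory, and a model of a CPE that can forward UDP ports but has nothing to match raw ESP (IP protocol 50) against. The CPE public address 203.0.113.10, the main-office address 198.51.100.5, the IKE cookies, the ESP SPI and all class and function names are constructed for the example; only 131.116.107.74 comes from the thread.

```python
# Added example, not from the thread: NAT-D detection (RFC 3947) and a port-forward-only CPE.
# 203.0.113.10 (CPE public side), 198.51.100.5 (office), the cookies and the SPI are constructed.
import hashlib
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP 4500 is prefixed with 4 zero bytes; ESP starts with its SPI


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port); SHA-1 stands in for the negotiated hash."""
    return hashlib.sha1(cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)).digest()


def peer_is_behind_nat(cky_i: bytes, cky_r: bytes, peer_nat_d: bytes, seen_ip: str, seen_port: int) -> bool:
    """Recompute the peer's NAT-D over the source address/port actually seen; a mismatch means a NAT rewrote it."""
    return nat_d_hash(cky_i, cky_r, seen_ip, seen_port) != peer_nat_d


@dataclass(frozen=True)
class Packet:
    proto: str               # "udp" or "esp" (IP protocol 50)
    dst_ip: str
    dst_port: Optional[int]  # None for ESP: there is no transport header for a port forward to match
    payload: bytes = b""


class PortForwardingCPE:
    """ISP router offering per-port forwards only, modelling the behaviour the thread describes."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.forwards: Dict[Tuple[str, int], str] = {}

    def forward(self, proto: str, port: int, lan_ip: str) -> None:
        self.forwards[(proto, port)] = lan_ip

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """The packet as delivered to the LAN side, or None when the CPE drops it."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.forwards.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None  # protocol 50 has no port, so no forward rule can ever match it
        return Packet(pkt.proto, target, pkt.dst_port, pkt.payload)


def demux_4500(payload: bytes) -> str:
    """Receiver-side split of UDP 4500 traffic: zero marker is IKE, anything else is ESP (RFC 3948)."""
    return "ike" if payload[:4] == NON_ESP_MARKER else "esp"


def factory_cpe(public_ip: str, pa_lan_ip: str) -> PortForwardingCPE:
    """The two forwards the author ended up adding: UDP 500 and 4500 to the firewall's outside interface."""
    cpe = PortForwardingCPE(public_ip)
    cpe.forward("udp", IKE_PORT, pa_lan_ip)
    cpe.forward("udp", NAT_T_PORT, pa_lan_ip)
    return cpe


def simulate(cpe: PortForwardingCPE, office_ip: str, pa_lan_ip: str) -> dict:
    """Main office (initiator, reachable directly) to the factory Palo Alto (responder, behind the CPE)."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed IKE cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    # Each side hashes the address it believes it is using. The office is seen as-is; the
    # factory's packets leave the CPE with the CPE's public address, so that hash will not match.
    initiator_nat_d = nat_d_hash(cky_i, cky_r, office_ip, IKE_PORT)
    responder_nat_d = nat_d_hash(cky_i, cky_r, pa_lan_ip, IKE_PORT)
    initiator_behind_nat = peer_is_behind_nat(cky_i, cky_r, initiator_nat_d, office_ip, IKE_PORT)
    responder_behind_nat = peer_is_behind_nat(cky_i, cky_r, responder_nat_d, cpe.public_ip, IKE_PORT)

    spi = bytes.fromhex("c0ffee01")  # constructed ESP SPI
    raw_esp = Packet("esp", cpe.public_ip, None, spi + b"...")                   # what is sent without NAT-T
    udp_esp = Packet("udp", cpe.public_ip, NAT_T_PORT, spi + b"...")             # ESP-in-UDP once NAT is detected
    udp_ike = Packet("udp", cpe.public_ip, NAT_T_PORT, NON_ESP_MARKER + b"...")  # IKE also moves to 4500
    delivered_raw, delivered_esp, delivered_ike = (cpe.inbound(p) for p in (raw_esp, udp_esp, udp_ike))
    return {
        "initiator_behind_nat": initiator_behind_nat,
        "responder_behind_nat": responder_behind_nat,
        "raw_esp_delivered_to": delivered_raw.dst_ip if delivered_raw else None,
        "udp_encap_esp_delivered_to": delivered_esp.dst_ip if delivered_esp else None,
        "udp_4500_demux": [demux_4500(p.payload) for p in (delivered_esp, delivered_ike) if p],
    }


if __name__ == "__main__":
    cpe = factory_cpe("203.0.113.10", "131.116.107.74")
    for key, value in simulate(cpe, "198.51.100.5", "131.116.107.74").items():
        print(f"{key}: {value}")
```

Raw ESP has no port, so a device that only understands port forwards has nowhere to send it; the IKE exchange on UDP 500 still completes, which is exactly the "tunnel establishes but passes nothing" symptom in the thread. Once the NAT-D hashes disagree, both peers move to UDP 4500 and ESP rides inside UDP, so the same forward that carries IKE carries the data. IKEv2 makes the same decision with NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifications (RFC 7296 §2.23), hashed over the SPIs, address and port in the same way. Forward only those two UDP ports to the firewall; a "DMZ host" setting that forwards everything would also work, but it exposes every listener on the firewall's outside interface instead of just IKE.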