ISP Static IP setup on ISP provided router

Posted on 2014-10-16
Last Modified: 2014-10-21
This is going to be a hard one to explain.  If you are up to the challenge, get a cup of coffee and here we go.

Our company has a factory operating in Vietnam.  I was tasked with getting the facility connected to the main office via VPN Tunnel.  The factory obtained internet access in advance of my trip and ordered internet access and six static IP addresses.  The ISP installed the equipment and gave us the static address range of

I told them I needed to know other information: subnet mask, default gateway, preferred DNS, but I didn't get anything in advance.  The ISP in Vietnam is VERY difficult to work with, along with significant language barriers.  When I arrived the internet was working and I did a check at whatismyip and it returned a similar but very different address.

I found this to be very odd.  If we have a static address I should be accessing the internet under one of our static addresses.

I program my equipment, a PA 200 FW, and set the outside interface to match the ISP information.  My outside interface gets set to (guessing the subnet based off the range provided) but I am stuck without a default gateway.  I try a few guesses using .71, .70 and .1 but get nowhere on the internet.

I reset everything back and am unable to get any information out of the ISP.  They have no answers for my questions so I log into the wireless router device that was left by the ISP.

I find that the outside WAN connection on the router is set not as static but as a PPPoE connection.  I find that occasionally the outside interface of the router will change when I browse the web, as if it is DHCP.  I find that the LAN side of the router has the subnet assigned with DHCP ON using the static range of  The LAN address is

Using this information I configure the Palo Alto with its outside interface to be with a default gateway of and set up NAT behind the firewall, and we are able to access the internet just fine using the PA at that point.

My next hurdle is to set up a few servers... I need to get SSH through to one and a web services port to another.  I cannot access any of the static addresses directly through the ISP device.  If I ping any of the addresses I receive no response.  In my thought process this makes perfect sense, because these static addresses do not seem public at all as they are on the inside interface of the ISP router.  It would seem to me I could use any address on that side and the effect would be the same.  Why are we paying for static addresses on the LAN side of the interface???

Anyway, I do get the services through by using Port Forwarding on the ISP provided device.  Basically saying any traffic on port 22 go to this address on the LAN.

I set up the VPN tunnel through the Palo Alto devices and the tunnel does get established, however I cannot route traffic between them.  Palo Alto spent a couple of hours troubleshooting this and it was determined that the ports are getting allowed through so the tunnel can establish, however it cannot route any ESP packets.  They are sent out but never received.

It is believed this is because the ISP device is only allowing port forwarding and not allowing a static mapping of public IPs to private IPs (my internal addresses).

I have never seen an ISP setup like this before.  Usually this process is quite straightforward, so I'm really confused by this setup and I'm wondering if anyone has any advice here or if I am completely missing something.

As added information, the ISP did provide a different router for a bit that did have some ability to map IPs, and I was able to route traffic through the tunnel.  However, this device had a lot of other issues that degraded performance significantly.  The tunnel did work though (not really sure how, as the static addresses were still on the inside of the device).  The only difference is I could map the provided static address to my Palo Alto.  I can't find anything like that on the current ISP device.

For reference the ISP device currently in place is called TOTO Link Model No F1.
The other device was called TP-Link (no model number available on that one)

Any advice here?
Question by: -Darvin-

Expert Comment

ID: 40384666
Hm, did you define any of these public IP addresses on your FW and create some rule for inbound access to the server, using NAT?

Author Comment

ID: 40384709
Yes, I have NAT rules in place on the Palo Alto firewall to route traffic based on the static addresses for the servers that need them.  The problem now is the VPN tunnel, though, and that doesn't require any NAT rules as it's outside interface to outside interface.

I cannot ping the outside interface of the Palo Alto from the main office at this time, even though it is enabled to answer ping requests.  If I use port forwarding on the ISP device and forward SSH or 443 to the firewall's outside interface I can reach it, but still cannot ping it.  Since ping (I am told) is not port specific but rather rides on the IP layer, it's the same with the ESP packets.  They can't make it through because I cannot port forward them.

Accepted Solution

-Darvin- earned 0 total points
ID: 40384725
I think I may have this thing working.

I set up port forwarding to forward UDP packets on port 4500 to the outside interface of the Palo Alto and I can now ping the inside network in Vietnam.  Testing it further at this time.

Author Comment

ID: 40384784
This problem is resolved.  I still don't fully understand how this is working and why it works, but I am able to use the VPN tunnel correctly at this time.  Thanks Matt for chiming in and taking the time to read all of that, but in the end I guess there is nothing to do here.

Expert Comment

by:Predrag Jovic
ID: 40385428
I told them I needed to know other information: subnet mask, default gateway, preferred DNS, but I didn't get anything in advance.

The subnet mask you know from the range of addresses (the range is the IP range and is the broadcast address). So your network address is
A default gateway is not needed; it is needed only for a layer 2 network. This is L3, so you need a default route.
ip route
For preferred DNS you can use whatever you want: you can have your own DNS server, use public DNS (like Google DNS), etc.

So, all you asked them for was unnecessary except the IP address of the next hop for the default route (not a gateway). But there's a solution for that too (I just improvised the situation and it is later in the post), though I don't think you will often be in a situation where the ISP did not give you the next-hop address.

I try a few guesses using .71, .70 and .1 but get nowhere on the internet.
Those addresses are not in the same IP address range the ISP gave you. So unless you had already established a default route (but that's the problem you were trying to solve), pings were dying on your router (the router did not know where the ping needed to be sent, through which interface).

This is all just info for next time, when you get into similar situation. :)

The way you can learn the next-hop address on the link is:
Set your default route as
ip route FastEthernet 0/0 (your WAN interface; this is not an efficient way to set a route, but it is temporary anyway)
After that, do a traceroute to Google DNS (or any other IP address outside the range of your scope of addresses).
The first result should be your next-hop address; in your case that would be something like
1.  32 msec    30 msec    28 msec  
After that, remove the inefficient route with
no ip route FastEthernet 0/0
and set the default route as
ip route

I just simulated the solution in GNS3; I was not sure whether it would work, but it works.
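The arithmetic behind the two points above (the mask, network and broadcast follow from the assigned range, and guessed next hops outside that range cannot work), as an added example that is not code from the thread. The range and the guesses below are constructed from the 203.0.113.0/24 documentation block; the thread's real addresses are not on the page.

```python
"""Derive subnet facts from an ISP-assigned address range (added example).

Uses only the standard library. FIRST/LAST and GUESSES are constructed
sample values, not the addresses from the thread.
"""
import ipaddress


def smallest_enclosing_network(first: str, last: str) -> ipaddress.IPv4Network:
    """Return the smallest prefix that contains both ends of an assigned range."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        lo, hi = hi, lo
    # Walk from /32 toward /0; the first prefix that also covers the far end wins.
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return net
    raise ValueError("unreachable: a /0 contains every address")


def describe_range(first: str, last: str) -> dict:
    """Network, mask, broadcast and usable hosts implied by an assigned range."""
    net = smallest_enclosing_network(first, last)
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable": [str(h) for h in net.hosts()],
    }


def check_gateway_guesses(first: str, last: str, guesses) -> dict:
    """Report which guessed next-hop addresses even lie inside the assigned subnet."""
    net = smallest_enclosing_network(first, last)
    return {g: ipaddress.ip_address(g) in net for g in guesses}


# Constructed sample: the ISP hands over ".73 to .79" and .79 is the broadcast.
FIRST, LAST = "203.0.113.73", "203.0.113.79"
# Constructed guesses mirroring the pattern of guessing .71, .70 and .1.
GUESSES = ["203.0.113.71", "203.0.113.70", "203.0.113.1", "203.0.113.73"]

if __name__ == "__main__":
    info = describe_range(FIRST, LAST)
    print(f"{info['network']}/{info['prefix']}  mask {info['netmask']}  broadcast {info['broadcast']}")
    print("usable:", ", ".join(info["usable"]))
    for guess, inside in check_gateway_guesses(FIRST, LAST, GUESSES).items():
        print(f"{guess:>14}  {'in assigned subnet' if inside else 'NOT in assigned subnet'}")
```

Running it shows a /29 (mask 255.255.255.248) with six usable hosts, and that only the guess inside the range is even a candidate next hop; the rest are unreachable until a default route exists, which is exactly the chicken-and-egg problem the traceroute trick above works around.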

Author Comment

ID: 40385452
Interesting, thanks for the information!  This setup was very different from what I have always done previously, so it really caused some issues.  Very glad that it is working now though.

Expert Comment

by:Predrag Jovic
ID: 40386027
I forgot to add that you need to configure an IP address on the WAN interface.
If you get the message %IP-4-DUPADDR: Duplicate address on FastEthernet0/0 you don't need the procedure to find the next-hop address :) in that case you already know what the IP address of the next hop is.
And it is great that your network is working.

Author Closing Comment

ID: 40393880
I ended up port forwarding both UDP ports 500 and 4500 to the outside interface of the network firewall.
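Why forwarding just UDP/500 and UDP/4500 is enough for the whole tunnel, as an added example that is not code from the thread or from Palo Alto: a device that can only forward TCP/UDP ports has nothing to match on for raw ESP (IP protocol 50) or ICMP, which is why the tunnel came up but carried nothing and why the firewall answered on forwarded ports but not to ping. With IKE NAT traversal (RFC 3947/3948) the peers detect the NAT, move IKE to UDP/4500 and wrap ESP in UDP/4500 as well, so both now have a forwardable port. The classifier below tells the three UDP/4500 payload types apart and marks which sample packets a port-forward-only NAT can deliver. All packets, SPIs and values are constructed for the demo.

```python
"""Classify IPsec traffic as a port-forward-only NAT would see it (added example).

Constructed sample packets only; nothing here is a capture from the thread.
"""
import struct

IPPROTO_ICMP, IPPROTO_UDP, IPPROTO_ESP = 1, 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # RFC 3948 2.2: IKE carried inside UDP/4500
NAT_KEEPALIVE = b"\xff"                  # RFC 3948 2.3: single 0xFF octet
# IKE header: init SPI, resp SPI, next payload, version, exchange type, flags, msg id, length
IKE_HEADER = struct.Struct("!QQBBBBII")


def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify one UDP/4500 payload as keepalive, IKE, or UDP-encapsulated ESP."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER.size:
            raise ValueError("truncated IKE header")
        ispi, _rspi, _next, ver, exch, flags, msg_id, length = IKE_HEADER.unpack_from(ike)
        return {
            "kind": "ike",
            "version": f"{ver >> 4}.{ver & 0x0F}",
            "exchange_type": exch,
            "initiator": bool(flags & 0x08),
            "initiator_spi": f"{ispi:016x}",
            "message_id": msg_id,
            "length": length,
        }
    if len(payload) < 8:
        raise ValueError("payload too short for an ESP header")
    # ESP header: non-zero SPI followed by a sequence number; a zero SPI is the IKE marker above.
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "udp-encap-esp", "spi": f"{spi:08x}", "seq": seq}


def deliverable_by_port_forward(ip_proto: int, dst_port, payload: bytes) -> tuple:
    """Describe a packet and say whether a TCP/UDP-port-forward-only NAT can deliver it."""
    if ip_proto == IPPROTO_ESP:
        return "raw ESP (IP protocol 50): no port to forward on", False
    if ip_proto == IPPROTO_ICMP:
        return "ICMP: no port to forward on", False
    if ip_proto == IPPROTO_UDP and dst_port == IKE_PORT:
        return "IKE on UDP/500", True
    if ip_proto == IPPROTO_UDP and dst_port == NAT_T_PORT:
        kind = classify_nat_t_payload(payload)["kind"]
        return f"NAT-T {kind} on UDP/4500", True
    return f"IP protocol {ip_proto} port {dst_port}", ip_proto in (6, IPPROTO_UDP)


def ike_sa_init_header() -> bytes:
    """Constructed IKEv2 IKE_SA_INIT header: next payload 33 (SA), version 2.0,
    exchange type 34, flags 0x08 (Initiator), message ID 0, length = header only."""
    return IKE_HEADER.pack(0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER.size)


# Constructed (ip_proto, dst_port, payload) tuples as a WAN-side capture might show them.
SAMPLE_PACKETS = [
    (IPPROTO_UDP, IKE_PORT, ike_sa_init_header()),
    (IPPROTO_UDP, NAT_T_PORT, NON_ESP_MARKER + ike_sa_init_header()),
    (IPPROTO_UDP, NAT_T_PORT, struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16),
    (IPPROTO_UDP, NAT_T_PORT, NAT_KEEPALIVE),
    (IPPROTO_ESP, None, struct.pack("!II", 0xC0FFEE01, 8) + b"\x00" * 16),
    (IPPROTO_ICMP, None, b"\x08\x00\x00\x00"),
]


def report(packets=SAMPLE_PACKETS) -> list:
    """One (description, deliverable) verdict per packet."""
    return [deliverable_by_port_forward(*p) for p in packets]


if __name__ == "__main__":
    for desc, ok in report():
        print(f"{'FORWARDABLE' if ok else 'DROPPED    '}  {desc}")
```

The verdicts line up with what the thread observed: the two IKE flavours and UDP-encapsulated ESP pass through the forwards, while raw ESP and ICMP echo have no port and are dropped, so the tunnel only carries traffic once both peers agree to NAT-T and the UDP/4500 forward is in place.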
