ISP Static IP setup on ISP provided router
Posted on 2014-10-16
This is going to be a hard one to explain. If you are up to the challenge get a cup of coffee and here we go.
Our company has a factory operating in Vietnam. I was tasked with getting the facility connected to the main office via VPN Tunnel. The factory obtained internet access in advance of my trip and ordered internet access and six static IP addresses. The ISP installed the equipment and gave us the static address range of 126.96.36.199-78.
I told them I needed to know other information. Subnetmask, Default Gateway, preferred DNS but I didn't get anything in advance. The ISP in Vietnam is VERY difficult to work with along with significant language barriers. When I arrived the internet was working and I did a check at whatismyip and it returned a similar but very different address. 131.126.280.42
I found this to be very odd. If we have a static address I should be accessing the internet under one of our static addresses.
I program my equipment PA 200 FW and set the outside interface to match the ISP information. My outside interface gets set to 188.8.131.52/29 (guessing the subnet based off the range provided) but I am stuck without a default gateway. I try a few guesses using .71 .70 and .1 but get no where on the internet.
I reset everything back and am unable to get any information out of the ISP. They have no answers for my questions so I log into the wireless router device that was left by the ISP.
I find that the outside WAN connection on the router is set not as static but as a PPoE connection. I find that occasionally the outside interface of the router will change when I browse the web as if it is DHCP. I find that the LAN side of the router has the subnet 255.255.255.248 assigned with DHCP ON using the static range of 184.108.40.206-78. The LAN address is 220.127.116.11.
Using this information I configure the Palo Alto with it's outside interface to be 18.104.22.168 with a default gateway of 22.214.171.124 and set up NAT behind the firewall and we are able to access the internet just fine using the PA at that point.
My next hurdle is to set up a few servers... I need to get SSH through to one and a web services port to another. I can not access any of the static addresses directly through the ISP device. If I ping any of the 126.96.36.199-78 addresses I receive no response. In my thought processes this makes perfect sense because these static addresses do not seem public at all as they are on the inside interface of the ISP router. It would seem to me I could use any address on that side and the effect would be the same. Why are we paying for static addresses on the lan side of the interface???
Anyway, I do get the services through by using Port Forwarding on the ISP provided device. Basically saying any traffic on port 22 go to this address on the LAN.
I set up the VPN tunnel through the palo alto devices and the tunnel does get established however I can not route traffic between them. Palo alto spent a couple of hours troubleshooting this and it was determined that the ports are getting allowed through so the tunnel can estabish however it can not route any esp packets. They are sent out but never received.
It is believed this is because the ISP device is only allowing port forwarding and not allowing a static mapping of public IP's 188.8.131.52-78 to Private IPS (My internal addresses).
I have never seen a ISP setup like this before. Usually this process is quite straightforward so I'm really confused by this setup and I'm wondering if anyone has any advice here or if I am completely missing something.
As added information the ISP did provide a different router for a bit that did have some ability to map IPs and I was able to route traffic through the tunnel. However this device had a lot of other issues that degraded performance significantly. The tunnel did work though (not really sure how as the static addresses were still on the inside of the device, The only differences is I could map the provided static address to my Palo Alto. I can't find anything like that on the current ISP device.
For reference the ISP device currently in place is called TOTO Link Model No F1.
The other device was called TP-Link (no model number available on that one)
Any advice here?