ISP Static IP setup on ISP provided router

This is going to be a hard one to explain.  If you are up to the challenge get a cup of coffee and here we go.

Our company has a factory operating in Vietnam.  I was tasked with getting the facility connected to the main office via VPN Tunnel.  The factory obtained internet access in advance of my trip and ordered internet access and six static IP addresses.  The ISP installed the equipment and gave us the static address range of

I told them I needed to know other information: subnet mask, default gateway, preferred DNS, but I didn't get anything in advance.  The ISP in Vietnam is VERY difficult to work with, along with significant language barriers.  When I arrived the internet was working and I did a check at whatismyip and it returned a similar but very different address.

I found this to be very odd.  If we have a static address I should be accessing the internet under one of our static addresses.

I program my equipment, a PA 200 FW, and set the outside interface to match the ISP information.  My outside interface gets set to (guessing the subnet based off the range provided) but I am stuck without a default gateway.  I try a few guesses using .71, .70 and .1 but get nowhere on the internet.

I reset everything back and am unable to get any information out of the ISP.  They have no answers for my questions so I log into the wireless router device that was left by the ISP.

I find that the outside WAN connection on the router is set not as static but as a PPPoE connection.  I find that occasionally the outside interface of the router will change when I browse the web, as if it is DHCP.  I find that the LAN side of the router has the subnet assigned with DHCP ON using the static range of  The LAN address is

Using this information I configure the Palo Alto with its outside interface to be with a default gateway of and set up NAT behind the firewall, and we are able to access the internet just fine using the PA at that point.

My next hurdle is to set up a few servers... I need to get SSH through to one and a web services port to another.  I cannot access any of the static addresses directly through the ISP device.  If I ping any of the addresses I receive no response.  In my thought process this makes perfect sense, because these static addresses do not seem public at all as they are on the inside interface of the ISP router.  It would seem to me I could use any address on that side and the effect would be the same.  Why are we paying for static addresses on the LAN side of the interface???

Anyway, I do get the services through by using port forwarding on the ISP provided device, basically saying any traffic on port 22 goes to this address on the LAN.

I set up the VPN tunnel through the Palo Alto devices and the tunnel does get established; however, I cannot route traffic between them.  Palo Alto spent a couple of hours troubleshooting this and it was determined that the ports are getting allowed through so the tunnel can establish, however it cannot route any ESP packets.  They are sent out but never received.

It is believed this is because the ISP device is only allowing port forwarding and not allowing a static mapping of public IPs to private IPs (my internal addresses).

I have never seen an ISP setup like this before.  Usually this process is quite straightforward, so I'm really confused by this setup and I'm wondering if anyone has any advice here or if I am completely missing something.

As added information, the ISP did provide a different router for a bit that did have some ability to map IPs, and I was able to route traffic through the tunnel.  However, this device had a lot of other issues that degraded performance significantly.  The tunnel did work though (not really sure how, as the static addresses were still on the inside of the device; the only difference is I could map the provided static address to my Palo Alto).  I can't find anything like that on the current ISP device.

For reference the ISP device currently in place is called TOTO Link Model No F1.
The other device was called TP-Link (no model number available on that one)

Any advice here?
Hm, did you define any of these public IP addresses on your FW and create some rule for inbound access to the server, using NAT?
-Darvin-Author Commented:
Yes, I have NAT rules in place on the Palo Alto firewall to route traffic based on the static addresses for the servers that need them.  The problem now is the VPN tunnel though, and that doesn't require any NAT rules as it's outside interface to outside interface.

I cannot ping the outside interface of the Palo Alto from the main office at this time, even though it is enabled to answer ping requests.  If I use port forwarding on the ISP device and forward SSH or 443 to the firewall's outside interface I can reach it, but still cannot ping it.  Since ping (I am told) is not port specific but rather rides on the IP layer, it's the same with the ESP packets.  They can't make it through because I cannot port forward them.
-Darvin-Author Commented:
I think I may have this thing working.

I set up port forwarding to forward UDP packets on port 4500 to the outside interface of the Palo Alto and I can now ping the inside network in Vietnam.  Testing it further at this time.


-Darvin-Author Commented:
This problem is resolved.  I still don't fully understand how this is working and why it works, but I am able to use the VPN tunnel correctly at this time.  Thanks Matt for chiming in and taking the time to read all of that, but in the end I guess there is nothing to do here.
I told them I needed to know other information.  Subnet mask, default gateway, preferred DNS but I didn't get anything in advance.

The subnet mask you know from the range of addresses (the range is the IP range and is the broadcast address). So your network address is
A default gateway is not needed; it is needed only for a layer 2 network. This is L3, so you need a default route.
ip route
For preferred DNS you can use whatever you want: you can have your own DNS server, use public DNS (like Google DNS), etc.

So, all you asked them for was unnecessary except the IP address of the next hop for the default route (not a gateway). But there's a solution for that too (I just improvised the situation and it is later in the post), though I don't think you will often be in a situation where the ISP did not give you the next-hop address.

I try a few guesses using .71 .70 and .1 but get nowhere on the internet.
Those addresses are not in the same IP address range the ISP gave you. So unless you had already established a default route (but that's the problem you were trying to solve), the pings were dying on your router (the router did not know where the ping needed to be sent, through which interface).

This is all just info for next time, when you get into a similar situation. :)

The way you can learn the next-hop address on the link is:
You can set your default route as
ip route FastEthernet 0/0 (your WAN interface - this is not an efficient way to set a route but it is temporary anyway)
After that you can do a traceroute to Google DNS (or any other IP address outside the range of your scope of addresses).
The first result should be your next-hop address; in your case that would be something like
1.  32 msec    30 msec    28 msec  
and after that remove the inefficient route with
no ip route FastEthernet 0/0
and set the default route as
ip route

I just simulated the solution in GNS3; I was not sure whether it would work, but it works.
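The subnet derivation and the "is this guessed next hop even on-link" check described above, as an added Python example that is not part of the original thread. The 198.51.100.x addresses are a constructed documentation range standing in for the six statics, not the poster's real addresses.

```python
import ipaddress

# Constructed sample: the first and last of six static addresses the ISP
# handed over (RFC 5737 documentation range, not the poster's real block).
FIRST_STATIC = "198.51.100.17"
LAST_STATIC = "198.51.100.22"


def derive_subnet(first: str, last: str) -> ipaddress.IPv4Network:
    """Return the smallest IPv4 network that contains both addresses.

    Assumption: the ISP carved the statics out of one contiguous block, so
    the smallest prefix covering first..last is the subnet (a /29 for six
    usable hosts: network + 6 hosts + broadcast = 8 addresses).
    """
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        lo, hi = hi, lo
    # Widen the prefix from /32 on the low address until it also covers hi.
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network((lo, prefix), strict=False)
        if hi in net:
            return net
    raise ValueError("no covering prefix")  # unreachable: /0 covers all


def summarize(net: ipaddress.IPv4Network) -> dict:
    """Mask, network, broadcast and usable range, as the answer derives them."""
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable": len(hosts),
    }


def classify_next_hop(candidate: str, net: ipaddress.IPv4Network) -> str:
    """Say whether a guessed next hop could be on-link at all."""
    addr = ipaddress.IPv4Address(candidate)
    if addr not in net:
        return "outside subnet: unreachable without a route pointing to it"
    if addr in (net.network_address, net.broadcast_address):
        return "network or broadcast address: cannot be a host"
    return "on-link host: plausible next hop"


if __name__ == "__main__":
    subnet = derive_subnet(FIRST_STATIC, LAST_STATIC)
    print(summarize(subnet))
    for guess in ("198.51.100.1", "198.51.100.23", "198.51.100.17"):
        print(guess, "->", classify_next_hop(guess, subnet))
```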
-Darvin-Author Commented:
Interesting, thanks for the information!  This setup was very different from what I have always done previously, so it really caused some issues.  Very glad that it is working now though.
I forgot to add that you need to configure an IP address on the WAN interface.
If you get the message %IP-4-DUPADDR: Duplicate address on FastEthernet0/0 you don't need the procedure to find the next-hop address :) In that case you already know the IP address of the next hop.
And it is great that your network is working.
-Darvin-Author Commented:
I ended up port forwarding both port 500 and 4500 UDP to the outside interface of the network firewall.