Solved

ISP Static IP setup on ISP provided router

Posted on 2014-10-16
835 Views
Last Modified: 2014-10-21
This is going to be a hard one to explain.  If you are up to the challenge get a cup of coffee and here we go.

Our company has a factory operating in Vietnam.  I was tasked with getting the facility connected to the main office via VPN Tunnel.  The factory obtained internet access in advance of my trip and ordered internet access and six static IP addresses.  The ISP installed the equipment and gave us the static address range of 131.116.107.73-78.

I told them I needed to know other information: subnet mask, default gateway, preferred DNS, but I didn't get anything in advance.  The ISP in Vietnam is VERY difficult to work with, along with significant language barriers.  When I arrived the internet was working and I did a check at whatismyip and it returned a similar but very different address: 131.126.280.42

I found this to be very odd.  If we have a static address I should be accessing the internet under one of our static addresses.

I program my equipment, a PA 200 FW, and set the outside interface to match the ISP information.  My outside interface gets set to 131.116.107.73/29 (guessing the subnet based off the range provided) but I am stuck without a default gateway.  I try a few guesses using .71, .70 and .1 but get nowhere on the internet.

I reset everything back and am unable to get any information out of the ISP.  They have no answers for my questions so I log into the wireless router device that was left by the ISP.

I find that the outside WAN connection on the router is set not as static but as a PPPoE connection.  I find that occasionally the outside interface of the router will change when I browse the web, as if it is DHCP.  I find that the LAN side of the router has the subnet 255.255.255.248 assigned with DHCP ON using the static range of 131.116.107.74-78.  The LAN address is 131.116.107.73.

Using this information I configure the Palo Alto with its outside interface to be 131.116.107.74 with a default gateway of 131.116.107.73 and set up NAT behind the firewall, and we are able to access the internet just fine using the PA at that point.

My next hurdle is to set up a few servers... I need to get SSH through to one and a web services port to another.  I cannot access any of the static addresses directly through the ISP device.  If I ping any of the 131.116.107.73-78 addresses I receive no response.  In my thought process this makes perfect sense, because these static addresses do not seem public at all as they are on the inside interface of the ISP router.  It would seem to me I could use any address on that side and the effect would be the same.  Why are we paying for static addresses on the LAN side of the interface???

Anyway, I do get the services through by using Port Forwarding on the ISP provided device.  Basically saying any traffic on port 22 go to this address on the LAN.

I set up the VPN tunnel through the Palo Alto devices and the tunnel does get established; however, I cannot route traffic between them.  Palo Alto spent a couple of hours troubleshooting this and it was determined that the ports are getting allowed through so the tunnel can establish, however it cannot route any ESP packets.  They are sent out but never received.

It is believed this is because the ISP device is only allowing port forwarding and not allowing a static mapping of public IPs 131.116.107.73-78 to private IPs (my internal addresses).

I have never seen an ISP setup like this before.  Usually this process is quite straightforward, so I'm really confused by this setup and I'm wondering if anyone has any advice here or if I am completely missing something.

As added information, the ISP did provide a different router for a bit that did have some ability to map IPs, and I was able to route traffic through the tunnel.  However, this device had a lot of other issues that degraded performance significantly.  The tunnel did work though (not really sure how, as the static addresses were still on the inside of the device; the only difference is I could map the provided static address to my Palo Alto).  I can't find anything like that on the current ISP device.

For reference the ISP device currently in place is called TOTO Link Model No F1.
The other device was called TP-Link (no model number available on that one)

Any advice here?
Question by: -Darvin-
8 Comments
 
LVL 6

Expert Comment

by:Matt
ID: 40384666
Hm, did you define any of these public IP addresses on your FW and create some rule for inbound access to the server, using NAT?
 

Author Comment

by:-Darvin-
ID: 40384709
Yes, I have NAT rules in place on the Palo Alto firewall to route traffic based on the static addresses for the servers that need them.  The problem now is the VPN tunnel though, and that doesn't require any NAT rules as it's outside interface to outside interface.

I cannot ping the outside interface of the Palo Alto from the main office at this time even though it is enabled to answer ping requests.  If I use port forwarding on the ISP device and forward SSH or 443 to the firewall's outside interface I can reach it, but still cannot ping it.  Since ping (I am told) is not port specific but rather rides on the IP layer, it's the same with the ESP packets.  They can't make it through because I cannot port forward them.
 

Accepted Solution

by: -Darvin- (earned 0 total points)
ID: 40384725
I think I may have this thing working.

I set up port forwarding to forward UDP packets on port 4500 to the outside interface of the Palo Alto and I can now ping the inside network in Vietnam.  Testing it further at this time.
 

Author Comment

by:-Darvin-
ID: 40384784
This problem is resolved.  I still don't fully understand how this is working and why it works, but I am able to use the VPN tunnel correctly at this time.  Thanks Matt for chiming in and taking the time to read all of that, but in the end I guess there is nothing to do here.
 
LVL 30

Expert Comment

by:Predrag
ID: 40385428
"I told them I needed to know other information: subnet mask, default gateway, preferred DNS, but I didn't get anything in advance."

The subnet mask you know from the range of addresses: 131.116.107.72 255.255.255.248 (131.116.107.73-78 is the IP range and 131.116.107.79 is the broadcast address). So your network address is 131.116.107.72.
A default gateway is not needed; it is needed only for a layer 2 network, and this is L3, so you need a default route:
ip route 0.0.0.0 0.0.0.0 131.116.107.73
For the preferred DNS you can use whatever you want: you can have your own DNS server, use public DNS (like Google DNS), etc.

So, everything you asked them for was unnecessary except the IP address of the next hop for the default route (not a gateway). But there's a solution for that too (I just improvised the situation, and it is later in this post), though I don't think you will often be in a situation where the ISP did not give you the next-hop address.

"I try a few guesses using .71, .70 and .1 but get nowhere on the internet."
Those addresses are not in the same IP address range the ISP gave you. So unless you had already established a default route (but that's the problem you were trying to solve) the pings were dying on your router (the router did not know where the ping needed to be sent, i.e. through which interface).

This is all just info for next time, when you get into a similar situation. :)

The way you can learn what the next-hop address on the link is:
You can set your default route as
ip route 0.0.0.0 0.0.0.0 FastEthernet 0/0
(your WAN interface; this is not an efficient way to set a route, but it is temporary anyway)
After that you can do a traceroute to Google DNS (or any other IP address outside the range of your scope of addresses):
traceroute 8.8.8.8
The first result should be your next-hop address; in your case that would be something like
1. 131.116.107.73  32 msec    30 msec    28 msec
2.
and after that remove the inefficient route with
no ip route 0.0.0.0 0.0.0.0 FastEthernet 0/0
and set the default route as
ip route 0.0.0.0 0.0.0.0 131.116.107.73

I just simulated the solution in GNS3; I was not sure whether it would work, but it works.
:)
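The two pieces of Predrag's advice above (deriving the mask, network and broadcast from the usable range the ISP handed out, and reading the next hop off the first line of a traceroute) can both be automated. The following is an added example written for this thread, not code posted by anyone in it; the traceroute text it parses is constructed to mimic IOS-style output, and the function and variable names are the author's own choices.

```python
import ipaddress
import re


def subnet_from_usable_range(first_usable: str, last_usable: str) -> ipaddress.IPv4Network:
    """Return the smallest IPv4 network in which both addresses are usable
    hosts, i.e. neither is the network address nor the broadcast address.
    For 131.116.107.73-78 this is 131.116.107.72/29 (mask 255.255.255.248)."""
    first = ipaddress.IPv4Address(first_usable)
    last = ipaddress.IPv4Address(last_usable)
    if last < first:
        raise ValueError("range end precedes range start")
    # Widen the prefix one bit at a time until the block holds both ends as hosts.
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network(f"{first}/{prefix}", strict=False)
        if last in net and first != net.network_address and last != net.broadcast_address:
            return net
    raise ValueError("no IPv4 network contains the range")


def usable_hosts(net: ipaddress.IPv4Network) -> list:
    """All host addresses of the block, excluding network and broadcast."""
    return [str(h) for h in net.hosts()]


def is_usable_next_hop(net: ipaddress.IPv4Network, candidate: str) -> bool:
    """A next hop on a directly connected link must be a host address inside
    that link's subnet. .1, .70 and .71 fail this for 131.116.107.72/29, which
    is why guessing them could never produce a working default route."""
    addr = ipaddress.IPv4Address(candidate)
    return addr in net and addr not in (net.network_address, net.broadcast_address)


# Matches hop lines such as "  1 131.116.107.73 32 msec" or "1. 131.116.107.73 ...".
# The banner lines ("Tracing the route to ...", "traceroute to ...") do not match.
_HOP_RE = re.compile(r"^\s*(\d+)\.?\s+(\d{1,3}(?:\.\d{1,3}){3})")


def first_hop(traceroute_output: str):
    """Return the IPv4 address reported for hop 1, or None when hop 1 shows
    only timeouts ("1  * * *"), which a temporary interface route can produce
    if the upstream device does not answer."""
    for line in traceroute_output.splitlines():
        m = _HOP_RE.match(line)
        if m and m.group(1) == "1":
            return m.group(2)
    return None


def link_summary(first_usable: str, last_usable: str, traceroute_output: str) -> dict:
    """Combine both checks: what the block looks like, and whether the hop the
    traceroute revealed is actually a host on that block."""
    net = subnet_from_usable_range(first_usable, last_usable)
    hop = first_hop(traceroute_output)
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable": usable_hosts(net),
        "next_hop": hop,
        "next_hop_on_link": hop is not None and is_usable_next_hop(net, hop),
    }


# Constructed sample output, shaped like an IOS traceroute run from the edge router.
SAMPLE_TRACEROUTE = """\
Type escape sequence to abort.
Tracing the route to 8.8.8.8
  1 131.116.107.73 32 msec 30 msec 28 msec
  2 10.0.0.1 40 msec 41 msec 39 msec
"""

if __name__ == "__main__":
    for key, value in link_summary("131.116.107.73", "131.116.107.78", SAMPLE_TRACEROUTE).items():
        print(f"{key}: {value}")
```

Running it with the range from this thread reports network 131.116.107.72, mask 255.255.255.248, broadcast 131.116.107.79, the six usable hosts .73 to .78, and a next hop of 131.116.107.73 that lies on the link; the three guessed gateways are rejected by `is_usable_next_hop`.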
 

Author Comment

by:-Darvin-
ID: 40385452
Interesting, thanks for the information!  This setup was very different from what I have always done previously, so it really caused some issues.  Very glad that it is working now though.
 
LVL 30

Expert Comment

by:Predrag
ID: 40386027
I forgot to add that you need to configure an IP address on the WAN interface.
If you get the message %IP-4-DUPADDR: Duplicate address 131.116.107.73 on FastEthernet0/0 you don't need the procedure to find the next-hop address :) in that case you already know what the IP address of the next hop is.
:)
And it is great that your network is working.
 

Author Closing Comment

by:-Darvin-
ID: 40393880
I ended up port forwarding both port 500 and 4500 UDP to the outside interface of the network firewall.