busy2
New Contributor

Need assistance routing Public IP natively w/o NAT

I need to route Public IP directly to an inside server without using NAT.

I am looking for a way to route 1 or 2 public IP addresses from a /29 block to an inside device. We want to code the public IP directly on the device and do not want to use NAT (or 1:1 NAT).

Our IP gateway is on e 0/2; it is a single /30 address and it is not associated with the /29 block.

I listed several IP addresses in the /29 block as secondary addresses on the e 0/1 interface but cannot figure out how to route an address to the server nic. 

The configuration below was setup for 1:1 Nat, but I need to change or modify the config to be able to pass Public IP to the inside.

Can I route addresses in the new /29 block 85.25.202.90 through the existing /30 IP gateway 188.57.122.102 ?

Do I need to put an address on the unused e 0/1 interface and use that to route a Public IP address? 

Do I need to setup a DMZ?

28 Replies
jayh
Honored Contributor

Re: Need assistance routing Public IP natively w/o NAT

On your eth 0/1 interface, configure it to have one of the addresses in the /29 block, such as:

ip address 85.25.202.89 255.255.255.248

Leave your eth 0/2 as-is if it's properly connected to your ISP now.

On the hosts connected to eth 0/1, assign each a different address from 85.25.202.90 to 85.25.202.94, each with a subnet mask of 255.255.255.248 and a gateway of 85.25.202.89 which is your eth 0/1.

These hosts will send traffic to the Adtran box which will route it out to the Internet.

You can set up a DMZ by enabling the firewall, configuring different ip access-policies to each interface and assigning policy-class statements as needed. Typically your eth 0/2 connected to your ISP would be class "Public" and your eth 0/1 would be class "DMZ". Your policy-class on the DMZ would be to allow anything out, and the policy-class for Public would be to allow just those IPs, ports, and protocols on which you have public services running on eth 0/1. If you want to rely on host-based firewalls on the public hosts, then you don't need this but it is best practice to do so for security.

Also, now that you've put your IPs out there, make sure that you have secure passwords on the Adtran device itself and preferably restrict access to the Adtran box to trusted networks.

busy2
New Contributor

Re: Need assistance routing Public IP  natively w/o NAT

First, thank you!! for the response. Here are a couple more questions if you can help out.

Do I drop the /29 addresses listed as secondary on eth 0/2 ?

Eth 0/2 is our internet connection?

It sounds like I will have to run Cat-5 to the new server because the /29 block won’t play on the existing 192.168.xxx.0 media.  That’s not a problem because the server is located in the same cabinets as the Adtran router. 

Later on, if we need to send a public address to a server or device in another building, I will need to route it using the 192.168… inside wire.  At that point I may also be able to use NAT 1:1.  

If so, do I then break out addresses from the /29 as secondary addresses on the eth 0/2 internet interface?  

busy2
New Contributor

Re: Need assistance routing Public IP  natively w/o NAT

Some success - but showing a loop at the gateway:

btw - these are not my actual numbers, but a representation of them, although I appreciate your input on security.

I setup IP on eth 0/1 and on 2 servers in their own public segment.

Now, a tracert from outside to the f 0/1 interface 85.25.202.89 (/29 IP) shows a loop at our ISP gateway.

The trace gets through the ISP and to the Adtran

Then the Adtran directs the trace back to the ISP. 

Over and over.

Tracert 85.25.202.89    (the /29 Adtran eth 0/1 address)

…6,7,8,9…
10    47 ms    61 ms    41 ms  GigabitEthernet from ISP.ISP.NET [188.62.14.208]
11    45 ms    46 ms    43 ms  188.57.122.102
12    48 ms    46 ms    52 ms  188.57.122.101
13    50 ms    47 ms    47 ms  188.57.122.102
14    52 ms    50 ms    50 ms  188.57.122.101
15    52 ms    51 ms    55 ms  188.57.122.102
16    54 ms    50 ms    51 ms  188.57.122.101
17    58 ms    57 ms    57 ms  188.57.122.102
18    59 ms    66 ms    55 ms  188.57.122.101
19    67 ms    57 ms    57 ms  188.57.122.102
20 …
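
An added example, not part of the thread: a small parser for Windows tracert output like the listing above that reports the hop at which the path starts bouncing between two addresses, which is the signature of the loop between the ISP side (.101) and the Adtran (.102) seen here. The sample lines are constructed from the poster's placeholder addresses.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the tracert output posted above; the
# addresses are the poster's placeholder values, not real hosts.
TRACERT_SAMPLE = """\
 10    47 ms    61 ms    41 ms  GigabitEthernet from ISP.ISP.NET [188.62.14.208]
 11    45 ms    46 ms    43 ms  188.57.122.102
 12    48 ms    46 ms    52 ms  188.57.122.101
 13    50 ms    47 ms    47 ms  188.57.122.102
 14    52 ms    50 ms    50 ms  188.57.122.101
 15    52 ms    51 ms    55 ms  188.57.122.102
 16    54 ms    50 ms    51 ms  188.57.122.101
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(text: str) -> List[Tuple[int, Optional[str]]]:
    """Return (hop_number, ip) per tracert line; ip is None for '*' timeouts.

    tracert prints either a bare address or 'name [address]'; in both cases
    the last IPv4 literal on the line is the responding hop.
    """
    hops = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue  # header, blank or 'Trace complete.' lines
        found = IPV4_RE.findall(line)
        hops.append((int(parts[0]), found[-1] if found else None))
    return hops


def find_loop(hops: List[Tuple[int, Optional[str]]]):
    """Detect a forwarding loop: the tail of the path repeats with a fixed
    period for at least two full cycles. Returns (first_hop, cycle) or None.
    """
    ips = [ip for _, ip in hops]
    for period in range(1, len(ips) // 2 + 1):
        for start in range(len(ips) - 2 * period + 1):
            tail = ips[start:]
            cycle = tail[:period]
            if None in cycle:
                continue  # timeouts alone are not evidence of a loop
            if all(tail[i] == cycle[i % period] for i in range(len(tail))):
                return hops[start][0], cycle
    return None


if __name__ == "__main__":
    loop = find_loop(parse_hops(TRACERT_SAMPLE))
    if loop:
        first_hop, cycle = loop
        print(f"loop from hop {first_hop}: {' -> '.join(cycle)}")
```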

jayh
Honored Contributor

Re: Need assistance routing Public IP natively w/o NAT

busy2 wrote:

Some success - but showing a loop at the gateway:

btw- these are not my actual numbers, but representation of, although I appreciate your input on security

I setup IP on eth 0/1 and on 2 servers in their own public segment.

Now, a tracert from outside to the f 0/1 interface 85.25.202.89 /29 ip shows a loop at our ISP gateway - .

Is the eth 0/1 interface on the Adtran connected and up, no shutdown? Can you ping 85.25.202.89 from the connected servers?

jayh
Honored Contributor

Re: Need assistance routing Public IP natively w/o NAT

busy2 wrote:

First Thank you!! for the response. Here are a couple more questions if you can help out.

Do I drop the /29 addresses listed as secondary on eth 0/2 ?

Yes.

It sounds like I will have to run Cat-5 to the new server because the /29 block won’t play on the existing 192.168.xxx.0 media. That’s not a problem because the server is located in the same cabinets as the Adtran router.

What 192.168.xxx.0 media? You didn't mention that.

Later on, if we need to send a public address to a server or device in another building, I will need to route it using the 192.168… inside wire. At that point I may also be able to use NAT 1:1.

What ethernet switches are you using? Are they managed and capable of VLANs? It sounds like you may want to trunk the public 85.25.202.88/29 and 192.168.xxx.0 subnets on two VLANs. This will allow you to have three logical interfaces: ISP in on eth 0/2, as well as public /29, and NAT 192.168 on two VLANs on eth 0/1.

busy2
New Contributor

Re: Need assistance routing Public IP  natively w/o NAT

I can ping eth 0/1 from the Adtran, but can't ping the server at xxx.xxx.xxx.90 from the Adtran.

I am offsite and can't access the server from here, so I cannot try pinging the Adtran from the server.

eth 0/1 is up, line protocol is up
  IP address is xxx.xxx.xxx.89
  net mask 255.255.255.248
  MTU is 1500
  BW is 100000 Kbps
  Fastcaching is Enabled
  IPv4 access policy is DMZ

busy2
New Contributor

Re: Need assistance routing Public IP  natively w/o NAT

There is a combination of managed and unmanaged switches across the 192.XXX.XXX.0 network. VLANs are likely the best answer in the future, but at this time they are outside the scope of my project.

jayh
Honored Contributor

Re: Need assistance routing Public IP natively w/o NAT

Can you post the configuration with passwords redacted?

busy2
New Contributor

Re: Need assistance routing Public IP  natively w/o NAT

OK - here goes. I removed a handful of port forwards on eth 0/2 to inside 192.168 servers; hopefully everything you need to see is here -

!
!
! ADTRAN, Inc. OS version R11.4.5.E
! Boot ROM version R10.9.3.B1
! Platform: Total Access 908e (3rd Gen), part number 4243908F2
!
!
hostname "host"
enable password encrypted!
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip default-gateway xxx.xxx.xxx.101
ip routing
ipv6 unicast-routing
!
!
name-server xxx.xxx.xxx.6 xxx.xxx.xxx.25
!
!
no auto-config
!
event-history on
no logging forwarding
no logging console
no logging email
!
service password-encryption
!#
!
ip policy-timeout tcp echo 60
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
no dot11ap access-point-contro
!
!
!
ip dhcp database local
ip dhcp excluded-address 192.168.10.0 192.168.10.100
!
ip dhcp pool "local"
  network 192.168.10.0 255.255.255.0
  domain-name "local"
  dns-server xxx.xxx.xxx.6 xxx.xxx.xxx.25
  default-router 192.168.10.1
!
!
ip crypto ffe
!
!
interface eth 0/1
  description Eth1
  speed 100
  ip address  xxx.xxx.xxx.89  255.255.255.248
  ip access-policy DMZ
  no rtp quality-monitoring
  media-gateway ip primary
  no awcp
  no shutdown
!
!
interface eth 0/2
  description Eth2
  speed 100
  ip address  xxx.xxx.xxx.102  255.255.255.252
  ip mtu 1500
  ip access-policy Public
  no rtp quality-monitoring
  media-gateway ip primary
  no awcp
  no shutdown
!
!
interface gigabit-eth 0/1
  description local
  ip address  192.168.10.1  255.255.255.0
  ip access-policy Private
  no rtp quality-monitoring
  media-gateway ip primary
  no awcp
  no shutdown
!
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
ip access-list extended self
  remark Traffic to Total Access
  permit ip any  any     log
!
!
ip access-list extended web-acl-22
  remark Allow
  permit ip any  any
!
ip access-list extended web-acl-23
  remark https
  permit tcp any  xxx.xxx.xxx.88 0.0.0.7 eq https
!
ip access-list extended web-acl-4
  remark ssh
  permit tcp any  host xxx.xxx.xxx.102 eq ssh
!
ip access-list extended web-acl-5
  remark https
  permit tcp any  host xxx.xxx.xxx.102 eq https
!
!
ip policy-class DMZ
  allow list web-acl-23 policy DMZ
  allow list web-acl-22 self
!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface eth 0/2 overload
!
ip policy-class Public
  allow list web-acl-4 self
  allow list web-acl-5 self
!
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.101
!
no tftp server
no tftp server overwrite
http server
http session-timeout 1320
http secure-server
no snmp agent
no ip ftp server
no ip scp server
no ip sntp server
!
!
sip
sip udp 5060
no sip tcp
!
!
!
ip rtp symmetric-filter
!
ntp server us.pool.ntp.org
!
!
end

jayh
Honored Contributor

Re: Need assistance routing Public IP natively w/o NAT

OK, you'll want some tweaks to your access policy.

!
ip policy-class DMZ
  no allow list web-acl-23 policy DMZ ! <- This isn't needed as it's the same subnet.
  allow list web-acl-22 self
  allow list web-acl-22 policy Public ! <- Allow the DMZ to go out to the Internet
!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface eth 0/2 overload
  allow list [whatever] policy DMZ ! <- Allow the NAT devices whatever access to the DMZ you want.
!
ip policy-class Public
  allow list web-acl-4 self
  allow list web-acl-5 self
  allow list [whatever] policy DMZ ! <- Allow public to services on DMZ as needed.
!

As to why you're seeing a route loop reaching the DMZ, this isn't a firewall issue but routing. Double-check for typos in the IP addresses for the /29 from your provider vs. what you've configured. Also it usually isn't a good idea to configure the speed on an interface such as you've done on eth 0/1 and eth 0/2. This can cause problems with switch auto-negotiation. Most gear made in the last decade or more doesn't need it and I've found it to cause more harm than good. 

busy2
New Contributor

Re: Need assistance routing Public IP  natively w/o NAT

Still not working.

From the router prompt, I can ping the address on eth 0/1, xxx.xxx.xxx.89, but cannot ping the server at xxx.xxx.xxx.90 or .91.

I will be at the site this week and see if I can ping the router from the server or a PC on that segment.

Also, I checked the IP - and best I can tell it is coded per ISP -

addr:      xxx.xxx.xxx.88
netmask:   255.255.255.0
wildcard:  0.0.0.7
Network:   xxx.xxx.xxx.88/29
HostMin:   xxx.xxx.xxx.89  <- assigned to eth 0/1
HostMax:   xxx.xxx.xxx.94
Broadcast: xxx.xxx.xxx.95

  -> servers at xxx.xxx.xxx.90, xxx.xxx.xxx.91 with GW xxx.xxx.xxx.89, netmask 255.255.255.248

jayh
Honored Contributor

Re: Need assistance routing Public IP natively w/o NAT

busy2 wrote:

Still Not working

From router prompt, I can ping address on eth 0/1 xxx.xxx.xxx.89, but cannot ping the server xxx.xxx.xxx.90 or 91

OK, check the server configuration. The servers should have a netmask of 255.255.255.248 and a gateway of xxx.xxx.xxx.89 . See if the servers can ping each other and if they show up in the router's ARP table. After an attempted ping type "show arp".

Also, I checked the IP - and best I can tell it is coded per ISP -

addr:     xxx.xxx.xxx.88
netmask:  255.255.255.0
wildcard: 0.0.0.7

Netmask above is wrong, it should be 255.255.255.248 .

The "addr: xxx.xxx.xxx.88" is the network address, not usable for hosts or gateway.
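
An added example, not from either poster: the /29 arithmetic behind the exchange above, done with Python's ipaddress module. subnet_summary() reproduces the ipcalc-style listing (network, mask, the 0.0.0.7 wildcard the AOS access lists use, first and last usable host, broadcast), and check_host() compares a server's static settings against the router interface and flags exactly the two mistakes discussed here: a 255.255.255.0 mask typo and using the .88 network address as a host. The 85.25.202.x values are the thread's placeholder block.

```python
import ipaddress
from typing import Dict, List


def subnet_summary(cidr: str) -> Dict[str, str]:
    """Network facts for a block, in the layout of the ipcalc listing above.

    'wildcard' is the inverse mask used by AOS access lists, e.g.
    'permit tcp any  xxx.xxx.xxx.88 0.0.0.7 eq https'.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "wildcard": str(net.hostmask),
        "hostmin": str(hosts[0]),
        "hostmax": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
    }


def check_host(ip: str, netmask: str, gateway: str, router_cidr: str) -> List[str]:
    """Compare a server's static settings with the router interface it sits
    behind and return a list of problems (empty when the host is consistent).

    router_cidr is the router's own interface address with prefix, e.g.
    '85.25.202.89/29' for eth 0/1.
    """
    problems = []
    router_if = ipaddress.ip_interface(router_cidr)
    lan = router_if.network
    host_if = ipaddress.ip_interface(f"{ip}/{netmask}")
    addr = host_if.ip
    # A mask typo such as 255.255.255.0 makes the host think its LAN is a /24,
    # so it ARPs directly for addresses the router should be routing for it.
    if host_if.network != lan:
        problems.append(f"netmask {netmask} puts {ip} in {host_if.network}, "
                        f"but the router interface is in {lan}")
    # The network and broadcast addresses of the /29 are not assignable.
    if addr not in lan or addr in (lan.network_address, lan.broadcast_address):
        problems.append(f"{ip} is not a usable host address in {lan}")
    if ipaddress.ip_address(gateway) != router_if.ip:
        problems.append(f"gateway {gateway} is not the router interface {router_if.ip}")
    return problems


if __name__ == "__main__":
    # Constructed values matching the thread's example /29.
    for key, value in subnet_summary("85.25.202.88/29").items():
        print(f"{key:10} {value}")
    print(check_host("85.25.202.90", "255.255.255.0", "85.25.202.89", "85.25.202.89/29"))
```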

busy2
New Contributor

Re: Need assistance routing Public IP  natively w/o NAT

Yep -

that was a typo -

the mask is 255.255.255.248

and I looked at the IP in arin.net and it is recorded correctly -

so must be something in the config.

I still need to go out to the site and check pings on the eth 0/1 segment.

busy2
New Contributor

Re: Need assistance routing Public IP  natively w/o NAT

Still at it. OK - here is another config, with masked IP addresses:

aaa.bbb.ccc for the /32 on eth 0/2, and xx.xxx.xxx for the /29 on eth 0/1.

=================following================

Config 2018-Jan-09

- - - - - - - - - - - - - - - - - - - - - - - - - -

ip subnet-zero
ip classless
ip default-gateway aaa.bbb.ccc.101
ip routing
ipv6 unicast-routing
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
ip crypto ffe
!
interface eth 0/1
  description Eth1
  ip address  xx.xxx.xxx.89  255.255.255.248
  ip access-policy DMZ
  no rtp quality-monitoring
  media-gateway ip primary
  no awcp
  no shutdown
!
interface eth 0/2
  description Eth2
  speed 100
  ip address  aaa.bbb.ccc.102  255.255.255.252
  ip mtu 1500
  ip access-policy Public
  no rtp quality-monitoring
  media-gateway ip primary
  no awcp
  no shutdown
!
interface gigabit-eth 0/1
  description Rushford
  ip address  192.168.10.1  255.255.255.0
  ip access-policy Private
  no rtp quality-monitoring
  media-gateway ip primary
  no awcp
  no shutdown
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
ip access-list extended filterIP
  permit ip host 192.168.10.106  host 82.165.21.187
!
ip access-list extended self
  remark Traffic to Total Access
  permit ip any  any     log
!
ip access-list extended web-acl-10
  remark 58108
  permit tcp any  host aaa.bbb.ccc.102 eq 108   log
!
ip access-list extended web-acl-14
  remark 1681053
  permit tcp any  host aaa.bbb.ccc.102 eq 1053   log
!
ip access-list extended web-acl-15
  remark 1671054
  permit tcp any  host aaa.bbb.ccc.102 eq 1054   log
!
ip access-list extended web-acl-16
  remark 56106
  permit tcp any  host aaa.bbb.ccc.102 eq 106   log
!
ip access-list extended web-acl-18
  remark 7183
  permit tcp any  host aaa.bbb.ccc.102 eq 83   log
  permit tcp any  host aaa.bbb.ccc.102 eq 3440   log
  permit tcp any  host aaa.bbb.ccc.102 eq 8000   log
!
ip access-list extended web-acl-25
  permit ip any  any
!
ip access-list extended web-acl-27
  remark pvt2dmz
  permit ip any  any     log
!
ip access-list extended web-acl-28
  remark pub2dmz
  permit ip any  any
!
ip access-list extended web-acl-4
  remark ssh
  permit tcp any  host aaa.bbb.ccc.102 eq ssh
!
ip access-list extended web-acl-5
  remark https
  permit tcp any  host aaa.bbb.ccc.102 eq https
!
ip access-list extended web-acl-6
  remark 50100
  permit tcp any  host aaa.bbb.ccc.102 eq 100   log
!
ip access-list extended web-acl-7
  remark 51101
  permit tcp any  host aaa.bbb.ccc.102 eq hostname   log
!
ip access-list extended web-acl-8
  remark 54104
  permit tcp any  host aaa.bbb.ccc.102 eq 104   log
!
ip access-list extended web-acl-9
  remark 55105
  permit tcp any  host aaa.bbb.ccc.102 eq 105   log
!
ip policy-class DMZ
  allow list web-acl-25 policy Public
!
ip policy-class Private
  allow list web-acl-27 policy DMZ
  allow list self self
  nat source list wizard-ics interface eth 0/2 overload
  discard list filterIP
!
ip policy-class Public
  allow list web-acl-4 self
  allow list web-acl-5 self
  nat destination list web-acl-6 address 192.168.10.50
  nat destination list web-acl-7 address 192.168.10.51
  nat destination list web-acl-8 address 192.168.10.54
  nat destination list web-acl-9 address 192.168.10.55
  nat destination list web-acl-16 address 192.168.10.56
  nat destination list web-acl-10 address 192.168.10.58
  nat destination list web-acl-14 address 192.168.10.168
  nat destination list web-acl-15 address 192.168.10.167
  nat destination list web-acl-18 address 192.168.10.71
  allow list web-acl-28 policy DMZ
!
ip policy-class Public2
  ! Implicit discard
!
ip route 0.0.0.0 0.0.0.0 aaa.bbb.ccc.101
!
[** NOTE: added static route - but it did not help]
ip route xx.xxx.xxx.88 255.255.255.248 aaa.bbb.ccc.102
!

jayh
Honored Contributor

Re: Need assistance routing Public IP natively w/o NAT

busy2 wrote:

!
[** NOTE: added static route - but it did not help]
ip route xx.xxx.xxx.88 255.255.255.248 aaa.bbb.ccc.102
!

You don't want this, xx.xxx.xxx.88 is directly connected.

You should add "allow list self self" to the DMZ policy-class for tests from the Adtran itself.

It sounds like eth 0/1 isn't connected.

Does "show ip route" list the xx.xxx.xxx.88/29 as a connected route? 

Are the servers on xx.xxx.xxx.90 and .91 in the ARP cache after an attempted ping?

Do the servers have  xx.xxx.xxx.89 configured as their gateway?

Can the servers ping each other?

busy2
New Contributor

Re: Need assistance routing Public IP  natively w/o NAT

"show ip route" 

Yes - xx.xxx.xxx.88/29 is directly connected, eth 0/1

sh arp

Addresses in the 90 - 94 range show in the arp table
(but currently there are no devices on those addresses, the server is currently offline)

table entries look like this

ADDRESS          TTL   MAC ADDRESS     INTERFACE   TYPE
xx.xxx.xxx.91    0     (Unresolved)    eth 0/1     dynamic

Also, I was able to ping xx.xxx.xxx.89  (eth 0/1) remotely from a device on the 192.168.10.0 network.

I will be onsite at this location tomorrow to check the server gateway address and run pings from the /29

appreciate your input and time on this project.  Thanks

jayh
Honored Contributor

Re: Need assistance routing Public IP natively w/o NAT

(Unresolved) in the ARP table means that the servers aren't connected. You should see the MAC address of the server when it's connected. Can you ping xx.xxx.xxx.89 from the Internet?

busy2
New Contributor

Re: Need assistance routing Public IP  natively w/o NAT

IT'S Working!!! 

Last night's pings were promising.

Once on site today, after re-plugging and un-plugging connections the local crew had installed in the cabinets, pings started working inside. The server comes up and shows up in arp with its MAC.

There is another /29 address supposedly, but it doesn't show when pinging the /29 range 89-94

Last piece of this is to restrict ports to the server connection xx.xxx.xxx.89/29

That would be an allow list in security zone dmz with destination dmz and ports selected "443,80,......" ?

^ btw ... this is a question??