I need to route Public IP directly to an inside server without using NAT.
I am looking for a way to route 1 or 2 public IP addresses from a /29 block to an inside device. We want to code the public IP directly on the device and do not want to use NAT (or 1:1 NAT).
Our IP gateway is on e 0/2; it is a single /30 address and it is not associated with the /29 block.
I listed several IP addresses in the /29 block as secondary addresses on the e 0/1 interface but cannot figure out how to route an address to the server NIC.
The configuration below was set up for 1:1 NAT, but I need to change or modify the config to be able to pass Public IP to the inside.
Can I route addresses in the new /29 block 85.25.202.90 through the existing /30 IP gateway 188.57.122.102?
Do I need to put an address on the unused e 0/1 interface and use that to route a Public IP address?
Do I need to set up a DMZ?
On your eth 0/1 interface, configure it to have one of the addresses in the /29 block, such as:
ip address 85.25.202.89 255.255.255.248
Leave your eth 0/2 as-is if it's properly connected to your ISP now.
On the hosts connected to eth 0/1, assign each a different address from 85.25.202.90 to 85.25.202.94, each with a subnet mask of 255.255.255.248 and a gateway of 85.25.202.89 which is your eth 0/1.
These hosts will send traffic to the Adtran box which will route it out to the Internet.
You can set up a DMZ by enabling the firewall, configuring different ip access-policies to each interface and assigning policy-class statements as needed. Typically your eth 0/2 connected to your ISP would be class "Public" and your eth 0/1 would be class "DMZ". Your policy-class on the DMZ would be to allow anything out, and the policy-class for Public would be to allow just those IPs, ports, and protocols on which you have public services running on eth 0/1. If you want to rely on host-based firewalls on the public hosts, then you don't need this but it is best practice to do so for security.
Also, now that you've put your IPs out there, make sure that you have secure passwords on the Adtran device itself and preferably restrict access to the Adtran box to trusted networks.
First, thank you!! for the response. Here are a couple more questions if you can help out.
Do I drop the /29 addresses listed as secondary on eth 0/2?
Eth 0/2 is our internet connection?
It sounds like I will have to run Cat-5 to the new server because the /29 block won’t play on the existing 192.168.xxx.0 media. That’s not a problem because the server is located in the same cabinets as the Adtran router.
Later on, if we need to send a public address to a server or device in another building, I will need to route it using the 192.168… inside wire. At that point I may also be able to use NAT 1:1.
If so, do I then break out addresses from the /29 as secondary addresses on the eth 0/2 internet interface?
Some success - but showing a loop at the gateway:
btw - these are not my actual numbers, but a representation of them, although I appreciate your input on security.
I set up IP on eth 0/1 and on 2 servers in their own public segment.
Now, a tracert from outside to the f 0/1 interface 85.25.202.89 /29 IP shows a loop at our ISP gateway.
The trace gets through the ISP and to the Adtran.
Then the Adtran directs the trace back to the ISP.
Over and over.
Tracert 85.25.202.89 the /29 Adtran eth 0/1 address
…6,7,8,9…
10 47 ms 61 ms 41 ms GigabitEthernet from ISP.ISP.NET [188.62.14.208]
11 45 ms 46 ms 43 ms 188.57.122.102
12 48 ms 46 ms 52 ms 188.57.122.101
13 50 ms 47 ms 47 ms 188.57.122.102
14 52 ms 50 ms 50 ms 188.57.122.101
15 52 ms 51 ms 55 ms 188.57.122.102
16 54 ms 50 ms 51 ms 188.57.122.101
17 58 ms 57 ms 57 ms 188.57.122.102
18 59 ms 66 ms 55 ms 188.57.122.101
19 67 ms 57 ms 57 ms 188.57.122.102
20 …
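An added example, not from the thread: a small parser that reads tracert output like the one above and flags the alternating-hop pattern (here between the two ends of the /30) that indicates a forwarding loop rather than a filtered or unreachable host. The sample uses the thread's representative addresses, trimmed to the looping part.

```python
import re

# Constructed sample: hops copied from the thread's tracert (the poster's
# representative numbers, not real addresses), trimmed to the looping part.
TRACERT_OUTPUT = """\
10    47 ms    61 ms    41 ms  GigabitEthernet from ISP.ISP.NET [188.62.14.208]
11    45 ms    46 ms    43 ms  188.57.122.102
12    48 ms    46 ms    52 ms  188.57.122.101
13    50 ms    47 ms    47 ms  188.57.122.102
14    52 ms    50 ms    50 ms  188.57.122.101
15    52 ms    51 ms    55 ms  188.57.122.102
"""

# hop number, anything, then an IPv4 address (optionally in [brackets]) at end of line
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")


def parse_hops(text):
    """Return [(hop_number, ip)] for every line that ends in an IPv4 address.
    Lines with '* * *' (no reply) carry no address and are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(3)))
    return hops


def find_loop(hops, min_repeats=2):
    """Detect a forwarding loop: the same sequence of addresses recurring
    back to back at least min_repeats times.
    Returns (cycle_addresses, hop_number_where_the_cycle_starts) or None."""
    ips = [ip for _, ip in hops]
    for start in range(len(ips)):
        for length in range(1, (len(ips) - start) // min_repeats + 1):
            cycle = ips[start:start + length]
            repeats, pos = 0, start
            while ips[pos:pos + length] == cycle:
                repeats += 1
                pos += length
            if repeats >= min_repeats:
                return cycle, hops[start][0]
    return None


if __name__ == "__main__":
    loop = find_loop(parse_hops(TRACERT_OUTPUT))
    if loop:
        print(f"loop between {' <-> '.join(loop[0])} starting at hop {loop[1]}")
```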
busy2 wrote:
Some success - but showing a loop at the gateway:
btw - these are not my actual numbers, but a representation of them, although I appreciate your input on security.
I set up IP on eth 0/1 and on 2 servers in their own public segment.
Now, a tracert from outside to the f 0/1 interface 85.25.202.89 /29 IP shows a loop at our ISP gateway.
Is the eth 0/1 interface on the Adtran connected and up, no shutdown? Can you ping 85.25.202.89 from the connected servers?
busy2 wrote:
First, thank you!! for the response. Here are a couple more questions if you can help out.
Do I drop the /29 addresses listed as secondary on eth 0/2?
Yes.
It sounds like I will have to run Cat-5 to the new server because the /29 block won’t play on the existing 192.168.xxx.0 media. That’s not a problem because the server is located in the same cabinets as the Adtran router.
What 192.168.xxx.0 media? You didn't mention that.
Later on, if we need to send a public address to a server or device in another building, I will need to route it using the 192.168… inside wire. At that point I may also be able to use NAT 1:1.
What ethernet switches are you using? Are they managed and capable of VLANs? It sounds like you may want to trunk the public 85.25.202.88/29 and 192.168.xxx.0 subnets on two VLANs. This will allow you to have three logical interfaces: ISP in on eth 0/2, as well as public /29, and NAT 192.168 on two VLANs on eth 0/1.
I can ping eth 0/1 from the Adtran
but can't ping the server at xxx.xxx.xxx.90 from the Adtran
I am offsite and can't access the server from here, so cannot try pinging the Adtran from the server.
eth 0/1 is up, line protocol is up
IP address is xxx.xxx.xxx.89
net mask 255.255.255.248
MTU is 1500
BW is 100000 Kbps
Fastcaching is Enabled
IPv4 access policy is DMZ
There is a combination of managed and unmanaged switches across the 192.XXX.XXX.0 network. VLANs are likely the best answer in the future, but at this time they are outside the scope of my project.
Can you post the configuration with passwords redacted?
OK - here goes - removed a handful of port forwards on eth 0/2 to inside 192.168 servers.
Hopefully everything you need to see -
!
!
! ADTRAN, Inc. OS version R11.4.5.E
! Boot ROM version R10.9.3.B1
! Platform: Total Access 908e (3rd Gen), part number 4243908F2
!
!
hostname "host"
enable password encrypted!
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip default-gateway xxx.xxx.xxx.101
ip routing
ipv6 unicast-routing
!
!
name-server xxx.xxx.xxx.6 xxx.xxx.xxx.25
!
!
no auto-config
!
event-history on
no logging forwarding
no logging console
no logging email
!
service password-encryption
!#
!
ip policy-timeout tcp echo 60
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
no dot11ap access-point-contro
!
!
!
ip dhcp database local
ip dhcp excluded-address 192.168.10.0 192.168.10.100
!
ip dhcp pool "local"
network 192.168.10.0 255.255.255.0
domain-name "local"
dns-server xxx.xxx.xxx.6 xxx.xxx.xxx.25
default-router 192.168.10.1
!
!
ip crypto ffe
!
!
interface eth 0/1
description Eth1
speed 100
ip address xxx.xxx.xxx.89 255.255.255.248
ip access-policy DMZ
no rtp quality-monitoring
media-gateway ip primary
no awcp
no shutdown
!
!
interface eth 0/2
description Eth2
speed 100
ip address xxx.xxx.xxx.102 255.255.255.252
ip mtu 1500
ip access-policy Public
no rtp quality-monitoring
media-gateway ip primary
no awcp
no shutdown
!
!
interface gigabit-eth 0/1
description local
ip address 192.168.10.1 255.255.255.0
ip access-policy Private
no rtp quality-monitoring
media-gateway ip primary
no awcp
no shutdown
!
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
ip access-list extended self
remark Traffic to Total Access
permit ip any any log
!
!
ip access-list extended web-acl-22
remark Allow
permit ip any any
!
ip access-list extended web-acl-23
remark https
permit tcp any xxx.xxx.xxx.88 0.0.0.7 eq https
!
ip access-list extended web-acl-4
remark ssh
permit tcp any host xxx.xxx.xxx.102 eq ssh
!
ip access-list extended web-acl-5
remark https
permit tcp any host xxx.xxx.xxx.102 eq https
!
!
ip policy-class DMZ
allow list web-acl-23 policy DMZ
allow list web-acl-22 self
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface eth 0/2 overload
!
ip policy-class Public
allow list web-acl-4 self
allow list web-acl-5 self
!
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.101
!
no tftp server
no tftp server overwrite
http server
http session-timeout 1320
http secure-server
no snmp agent
no ip ftp server
no ip scp server
no ip sntp server
!
!
sip
sip udp 5060
no sip tcp
!
!
!
ip rtp symmetric-filter
!
ntp server us.pool.ntp.org
!
!
end
OK, you'll want some tweaks to your access policy.
!
ip policy-class DMZ
no allow list web-acl-23 policy DMZ ! <- This isn't needed as it's the same subnet.
allow list web-acl-22 self
allow list web-acl-22 policy Public ! <- Allow the DMZ to go out to the Internet
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface eth 0/2 overload
allow list [whatever] policy DMZ ! <- Allow the NAT devices whatever access to the DMZ you want.
!
ip policy-class Public
allow list web-acl-4 self
allow list web-acl-5 self
allow list [whatever] policy DMZ ! <- Allow public to services on DMZ as needed.
!
As to why you're seeing a route loop reaching the DMZ, this isn't a firewall issue but routing. Double-check for typos in the IP addresses for the /29 from your provider vs. what you've configured. Also it usually isn't a good idea to configure the speed on an interface such as you've done on eth 0/1 and eth 0/2. This can cause problems with switch auto-negotiation. Most gear made in the last decade or more doesn't need it and I've found it to cause more harm than good.
Still not working
From router prompt, I can ping address on eth 0/1 xxx.xxx.xxx.89, but cannot ping the server xxx.xxx.xxx.90 or 91
I will be at the site this week and see if I can ping the router from the server or a pc on that segment.
Also, I checked the IP - and best I can tell it is coded per ISP -
addr: xxx.xxx.xxx.88
netmask: 255.255.255.0
wildcard: 0.0.0.7
Network: xxx.xxx.xxx.88/29
HostMin: xxx.xxx.xxx.89 <- assigned to eth 0/1
HostMax: xxx.xxx.xxx.94
Broadcast: xxx.xxx.xxx.95
-> servers at xxx.xxx.xxx.90, xxx.xxx.xxx.91 with GW xxx.xxx.xxx.89 netmask 255.255.255.248
busy2 wrote:
Still not working
From router prompt, I can ping address on eth 0/1 xxx.xxx.xxx.89, but cannot ping the server xxx.xxx.xxx.90 or 91
OK, check the server configuration. The servers should have a netmask of 255.255.255.248 and a gateway of xxx.xxx.xxx.89. See if the servers can ping each other and if they show up in the router's ARP table. After an attempted ping type "show arp".
Also, I checked the IP - and best I can tell it is coded per ISP -
addr: xxx.xxx.xxx.88
netmask: 255.255.255.0
wildcard: 0.0.0.7
Netmask above is wrong, it should be 255.255.255.248.
The "addr: xxx.xxx.xxx.88" is the network address, not usable for hosts or gateway.
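An added example, not from the thread: a check for exactly the host-side mistakes raised above (a /24 mask on a /29 block, using the .88 network address for a host, a gateway outside the segment). It takes the thread's representative block 85.25.202.88/29 with .89 on eth 0/1; the host values passed to it are constructed.

```python
import ipaddress

# Representative values from the thread (not real addresses): the ISP's /29
# block and the address placed on the Adtran's eth 0/1 as the hosts' gateway.
ISP_BLOCK = ipaddress.ip_network("85.25.202.88/29")
ETH01_ADDRESS = ipaddress.ip_address("85.25.202.89")


def usable_hosts(block=ISP_BLOCK):
    """Addresses a host or gateway may use in the block (network and
    broadcast excluded); for a /29 that is six addresses."""
    return [str(ip) for ip in block.hosts()]


def check_host(address, netmask, gateway, block=ISP_BLOCK):
    """Return a list of problems with one host's IP settings (empty means OK).

    A host on a routed public segment must sit inside the block the ISP
    delegated, use the same prefix length as the router interface, avoid the
    network and broadcast addresses, and point at a gateway on that subnet.
    """
    problems = []
    iface = ipaddress.ip_interface(f"{address}/{netmask}")   # accepts dotted masks
    gw = ipaddress.ip_address(gateway)
    if iface.ip not in block:
        problems.append(f"{iface.ip} is outside the delegated block {block}")
    if iface.network.prefixlen != block.prefixlen:
        problems.append(f"netmask {netmask} is /{iface.network.prefixlen}, "
                        f"but the block is /{block.prefixlen}")
    if iface.ip == block.network_address:
        problems.append(f"{iface.ip} is the network address, not usable for a host")
    if iface.ip == block.broadcast_address:
        problems.append(f"{iface.ip} is the broadcast address, not usable for a host")
    if str(gw) not in usable_hosts(block):
        problems.append(f"gateway {gw} is not a usable address in {block}")
    elif gw == iface.ip:
        problems.append("gateway is the host's own address")
    return problems


if __name__ == "__main__":
    # Constructed host entries: the correct plan, then the two mistakes from the thread.
    for host in [("85.25.202.90", "255.255.255.248", "85.25.202.89"),
                 ("85.25.202.90", "255.255.255.0", "85.25.202.89"),
                 ("85.25.202.88", "255.255.255.248", "85.25.202.89")]:
        print(host, check_host(*host) or "OK")
```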
Yep -
that was a typo -
the mask is 255.255.255.248
and I looked at the IP in arin.net and it is recorded correctly -
so must be something in the config.
I still need to go out to the site and check pings on the eth 0/1 segment.
Still at it. OK - here is another config -
masked IP addresses -
aaa.bbb.ccc for the /32 on eth 0/2-
and xx.xxx.xxx for the /29 on eth 0/1
=================following================
Config 2018-Jan-09
- - - - - - - - - - - - - - - - - - - - - - - - - -
ip subnet-zero
ip classless
ip default-gateway aaa.bbb.ccc.101
ip routing
ipv6 unicast-routing
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
ip crypto ffe
!
interface eth 0/1
description Eth1
ip address xx.xxx.xxx.89 255.255.255.248
ip access-policy DMZ
no rtp quality-monitoring
media-gateway ip primary
no awcp
no shutdown
!
interface eth 0/2
description Eth2
speed 100
ip address aaa.bbb.ccc.102 255.255.255.252
ip mtu 1500
ip access-policy Public
no rtp quality-monitoring
media-gateway ip primary
no awcp
no shutdown
!
interface gigabit-eth 0/1
description Rushford
ip address 192.168.10.1 255.255.255.0
ip access-policy Private
no rtp quality-monitoring
media-gateway ip primary
no awcp
no shutdown
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
ip access-list extended filterIP
permit ip host 192.168.10.106 host 82.165.21.187
!
ip access-list extended self
remark Traffic to Total Access
permit ip any any log
!
ip access-list extended web-acl-10
remark 58108
permit tcp any host aaa.bbb.ccc.102 eq 108 log
!
ip access-list extended web-acl-14
remark 1681053
permit tcp any host aaa.bbb.ccc.102 eq 1053 log
!
ip access-list extended web-acl-15
remark 1671054
permit tcp any host aaa.bbb.ccc.102 eq 1054 log
!
ip access-list extended web-acl-16
remark 56106
permit tcp any host aaa.bbb.ccc.102 eq 106 log
!
ip access-list extended web-acl-18
remark 7183
permit tcp any host aaa.bbb.ccc.102 eq 83 log
permit tcp any host aaa.bbb.ccc.102 eq 3440 log
permit tcp any host aaa.bbb.ccc.102 eq 8000 log
!
ip access-list extended web-acl-25
permit ip any any
!
ip access-list extended web-acl-27
remark pvt2dmz
permit ip any any log
!
ip access-list extended web-acl-28
remark pub2dmz
permit ip any any
!
ip access-list extended web-acl-4
remark ssh
permit tcp any host aaa.bbb.ccc.102 eq ssh
!
ip access-list extended web-acl-5
remark https
permit tcp any host aaa.bbb.ccc.102 eq https
!
ip access-list extended web-acl-6
remark 50100
permit tcp any host aaa.bbb.ccc.102 eq 100 log
!
ip access-list extended web-acl-7
remark 51101
permit tcp any host aaa.bbb.ccc.102 eq hostname log
!
ip access-list extended web-acl-8
remark 54104
permit tcp any host aaa.bbb.ccc.102 eq 104 log
!
ip access-list extended web-acl-9
remark 55105
permit tcp any host aaa.bbb.ccc.102 eq 105 log
!
ip policy-class DMZ
allow list web-acl-25 policy Public
!
ip policy-class Private
allow list web-acl-27 policy DMZ
allow list self self
nat source list wizard-ics interface eth 0/2 overload
discard list filterIP
!
ip policy-class Public
allow list web-acl-4 self
allow list web-acl-5 self
nat destination list web-acl-6 address 192.168.10.50
nat destination list web-acl-7 address 192.168.10.51
nat destination list web-acl-8 address 192.168.10.54
nat destination list web-acl-9 address 192.168.10.55
nat destination list web-acl-16 address 192.168.10.56
nat destination list web-acl-10 address 192.168.10.58
nat destination list web-acl-14 address 192.168.10.168
nat destination list web-acl-15 address 192.168.10.167
nat destination list web-acl-18 address 192.168.10.71
allow list web-acl-28 policy DMZ
!
ip policy-class Public2
! Implicit discard
!
ip route 0.0.0.0 0.0.0.0 aaa.bbb.ccc.101
!
[** NOTE: added static route - but it did not help]
ip route xx.xxx.xxx.88 255.255.255.248 aaa.bbb.ccc.102
!
busy2 wrote:
!
[** NOTE: added static route - but it did not help]
ip route xx.xxx.xxx.88 255.255.255.248 aaa.bbb.ccc.102
!
You don't want this, xx.xxx.xxx.88 is directly connected.
You should add "allow list self self" to the DMZ policy-class for tests from the Adtran itself.
It sounds like eth 0/1 isn't connected.
Does "show ip route" list the xx.xxx.xxx.88/29 as a connected route?
Are the servers on xx.xxx.xxx.90 and .91 in the ARP cache after an attempted ping?
Do the servers have xx.xxx.xxx.89 configured as their gateway?
Can the servers ping each other?
"show ip route"
Yes- xx.xxx.xxx.88/29 is directly connected, eth 0/1
sh arp
Addresses in the 90 - 94 range show in the arp table
(but currently there are no devices on those addresses, the server is currently offline)
table entries look like this
ADDRESS TTL MAC ADDRESS INTERFACE TYPE
xx.xxx.xxx.91 0 (Unresolved) eth 0/1 dynamic
Also, I was able to ping xx.xxx.xxx.89 (eth 0/1) remotely from a device on the 192.168.10.0 network.
I will be onsite at this location tomorrow to check the server gateway address and run pings from the /29
I appreciate your input and time on this project. Thanks.
(Unresolved) in the ARP table means that the servers aren't connected. You should see the MAC address of the server when it's connected. Can you ping xx.xxx.xxx.89 from the Internet?
IT'S Working!!!
Last night's pings were promising.
Once on site today, after re-plugging and unplugging connections the local crew had installed in the cabinets,
pings started working inside. The server comes up and shows up in ARP with its MAC.
There is another /29 address supposedly, but it doesn't show when pinging the /29 range 89-94
Last piece of this is to restrict ports to the server connection xx.xxx.xxx.89/29
That would be an allow list in security zone DMZ with destination DMZ and ports selected "443,80,......"?
^ btw ... this is a question??