topic Re: Configure carrier data feed without dedicated router? in General Topics

Configure carrier data feed without dedicated router?

BDS_Vince — Tue, 04 Dec 2018 19:25:23 GMT

We are opening a new branch office and recieved notice that the carrier will not be providing a router and that it was our responsibility to perform the WAN to LAN routing.

The carrier provided a layer 3 WAN block and a Customer Useable block containing 6 IP addresses.

If I configure ethernet 1/1 with the WAN block IP address I can send/receive traffic using that IP address, I can send traffic (snat) out the interface using one of the Customer IP addresses. The problem is that I can't receive (dnat) data from any of the customer IP addresses. The NAT and Security policies are not used (counters are not incrementing).

I believe the problem is that I need to add a route from the WAN ip address for the 6 customer IP addresses.
Can I use a static route or is this a case for 2 virtual routers? Routing is not my strong suit so any help will be greatly appreciated!

TIA!

Here is the the cutsheet data (randomized)
WAN

Link IP: 40.202.237.172/30

GW: 40.202.237.173

Layer 3 IP:: 40.202.237.174

Mask: 255.255.255.252

Customer useable address block
Block: 50.206.224.144/29

Range: 50.206.224.145-50.206.224.150
Mask: 255.255.255.248

Re: Configure carrier data feed without dedicated router?

Raido_Rattameister — Tue, 04 Dec 2018 19:47:22 GMT

For this to work your ISP has to route subnet 50.206.224.144/29 towards 40.202.237.174

Has this been configured in ISP routing table?

Re: Configure carrier data feed without dedicated router?

BDS_Vince — Tue, 04 Dec 2018 21:29:06 GMT

Thats's a good question..
I would assume the routes are in their forwarding table since I can use SNAT rules to direct traffic over each of the 6 IP addresses which I visually confirmed with showmyip.net. The response page wouldn't show if the route was missing.

Inbound (DNAT) is being tested using the default IIS page with the system used in the outbound test. Requests to the default page time out. The security and NAT rules never increment. Both rules at the tops of their respective lists. The page displays when requested from systems on the local LAN.

Re: Configure carrier data feed without dedicated router?

pulukas — Tue, 04 Dec 2018 23:45:16 GMT

This is a typical service provider setup expecting a packet based router as the customer device on the site. The second range would be on the router interface that connects then to the customer firewall (PAN) using that on the WAN firewall port.

As noted the second range is routed to the first ip address.

So you should be able to use the full routed /29 as dnat or snat addresses on the PAN using the first /30 as you are. And your snat test does validate this.

So there is an error in your security or NAT policy on the PAN. Verified by the lack of hits with your known traffic. I would start by confirming the zone to zone assignment for the addresses involved.