12-04-2018 11:08 AM - edited 12-04-2018 11:25 AM
We are opening a new branch office and received notice that the carrier will not be providing a router and that it was our responsibility to perform the WAN to LAN routing.
The carrier provided a layer 3 WAN block and a Customer Useable block containing 6 IP addresses.
If I configure ethernet 1/1 with the WAN block IP address I can send/receive traffic using that IP address, I can send traffic (snat) out the interface using one of the Customer IP addresses. The problem is that I can't receive (dnat) data from any of the customer IP addresses. The NAT and Security policies are not used (counters are not incrementing).
I believe the problem is that I need to add a route from the WAN ip address for the 6 customer IP addresses.
Can I use a static route or is this a case for 2 virtual routers? Routing is not my strong suit so any help will be greatly appreciated!
TIA!
Here is the cutsheet data (randomized)
WAN
Link IP: 40.202.237.172/30
GW: 40.202.237.173
Layer 3 IP: 40.202.237.174
Mask: 255.255.255.252
Customer useable address block
Block: 50.206.224.144/29
Range: 50.206.224.145-50.206.224.150
Mask: 255.255.255.248
12-04-2018 11:47 AM
For this to work your ISP has to route subnet 50.206.224.144/29 towards 40.202.237.174
Has this been configured in ISP routing table?
12-04-2018 01:21 PM - edited 12-04-2018 01:29 PM
That's a good question..
I would assume the routes are in their forwarding table since I can use SNAT rules to direct traffic over each of the 6 IP addresses which I visually confirmed with showmyip.net. The response page wouldn't show if the route was missing.
Inbound (DNAT) is being tested using the default IIS page with the system used in the outbound test. Requests to the default page time out. The security and NAT rules never increment. Both rules at the tops of their respective lists. The page displays when requested from systems on the local LAN.
12-04-2018 03:45 PM
This is a typical service provider setup expecting a packet based router as the customer device on the site. The second range would be on the router interface that connects then to the customer firewall (PAN) using that on the WAN firewall port.
As noted the second range is routed to the first ip address.
So you should be able to use the full routed /29 as dnat or snat addresses on the PAN using the first /30 as you are. And your snat test does validate this.
So there is an error in your security or NAT policy on the PAN. Verified by the lack of hits with your known traffic. I would start by confirming the zone to zone assignment for the addresses involved.
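As an added illustration of the last reply's advice (this is example code, not from the thread or from Palo Alto Networks), the model below walks a packet through the order PAN-OS uses: the NAT rule's destination zone is found by a route lookup of the original destination IP, and the security policy is then matched on the pre-NAT destination IP but the post-NAT destination zone. With the thread's cutsheet addresses this shows why no extra route for the /29 is needed (the default route already places 50.206.224.145 in the untrust zone) and why two common security-rule mistakes produce exactly the "no hits" symptom described. The LAN range 192.0.2.0/24, the web server 192.0.2.10, the client 203.0.113.10 and the rule names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Routing table: prefix -> egress zone. The /30 comes from the thread's cutsheet;
# 192.0.2.0/24 is an assumed LAN (documentation range) on the trust side.
ROUTES = {
    "0.0.0.0/0": "untrust",          # default route via 40.202.237.173 on ethernet1/1
    "40.202.237.172/30": "untrust",  # connected WAN /30 on ethernet1/1
    "192.0.2.0/24": "trust",         # assumed LAN behind the firewall
}


def zone_for(ip: str) -> str:
    """Longest-prefix match of ip against ROUTES; returns the zone of the egress interface."""
    addr = ipaddress.ip_address(ip)
    best_net, best_zone = None, None
    for prefix, zone in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_zone = net, zone
    return best_zone


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str          # zone of the ORIGINAL (pre-NAT) destination, via route lookup
    orig_dst: str         # public address from the routed /29
    translated_dst: str   # internal server


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str          # POST-NAT destination zone
    dst: str              # PRE-NAT destination IP (how PAN-OS evaluates security policy)
    action: str = "allow"


def evaluate(src_ip, dst_ip, nat_rules, sec_rules):
    """Return which NAT and security rule a packet hits, following PAN-OS evaluation order."""
    src_zone = zone_for(src_ip)
    pre_nat_zone = zone_for(dst_ip)       # 50.206.224.x has no route -> default route -> untrust
    translated, nat_hit = dst_ip, None
    for r in nat_rules:
        if r.from_zone == src_zone and r.to_zone == pre_nat_zone and r.orig_dst == dst_ip:
            translated, nat_hit = r.translated_dst, r.name
            break
    post_nat_zone = zone_for(translated)  # the zone the translated server actually lives in
    for r in sec_rules:
        if r.from_zone == src_zone and r.to_zone == post_nat_zone and r.dst == dst_ip:
            return {"nat": nat_hit, "security": r.name, "action": r.action}
    return {"nat": nat_hit, "security": None, "action": "deny (no rule matched)"}


# Inbound DNAT: original destination is in the routed /29, so from untrust to untrust.
NAT_RULES = [NatRule("dnat-web", "untrust", "untrust", "50.206.224.145", "192.0.2.10")]

# Two mistakes that each leave the security rule with zero hits (assumed misconfigurations):
SEC_WRONG = [
    SecurityRule("web-zones-copied-from-nat", "untrust", "untrust", "50.206.224.145"),  # wrong to-zone
    SecurityRule("web-private-ip", "untrust", "trust", "192.0.2.10"),                  # wrong dst (post-NAT IP)
]
# Correct form: post-NAT zone (trust) with the pre-NAT public IP as destination.
SEC_RIGHT = [SecurityRule("allow-web-inbound", "untrust", "trust", "50.206.224.145")]

if __name__ == "__main__":
    client = "203.0.113.10"  # assumed internet client
    print("misconfigured:", evaluate(client, "50.206.224.145", NAT_RULES, SEC_WRONG))
    print("corrected:    ", evaluate(client, "50.206.224.145", NAT_RULES, SEC_RIGHT))
```

In the misconfigured case the NAT rule is hit but no security rule matches, so the session is dropped; if even the NAT counter stays at zero on the real firewall, the NAT rule's own zones or original destination are the first thing to check.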