Configure carrier data feed without dedicated router?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Configure carrier data feed without dedicated router?

L2 Linker

We are opening a new branch office and recieved notice that the carrier will not be providing a router and that it was our responsibility to perform the WAN to LAN routing.

The carrier provided a layer 3 WAN block and a Customer Useable block containing 6 IP addresses.

If I configure ethernet 1/1 with the WAN block IP address I can send/receive traffic using that IP address, I can send traffic (snat) out the interface using one of the Customer IP addresses.  The problem is that I can't receive (dnat) data from any of the customer IP addresses.  The NAT and Security policies are not used (counters are not incrementing).

I believe the problem is that I need to add a route from the WAN ip address for the 6 customer IP addresses.
Can I use a static route or is this a case for 2 virtual routers?  Routing is not my strong suit so any help will be greatly appreciated!

TIA!

Here is the the cutsheet data (randomized)
WAN

Link IP: 40.202.237.172/30

GW: 40.202.237.173 

Layer 3 IP:: 40.202.237.174

Mask: 255.255.255.252

Customer useable address block
Block: 50.206.224.144/29

Range: 50.206.224.145-50.206.224.150
Mask: 255.255.255.248

3 REPLIES 3

Cyber Elite
Cyber Elite

For this to work your ISP has to route subnet 50.206.224.144/29 towards 40.202.237.174

Has this been configured in ISP routing table?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thats's a good question..
I would assume the routes are in their forwarding table since I can use SNAT rules to direct traffic over each of the 6 IP addresses which I visually confirmed with showmyip.net.  The response page wouldn't show if the route was missing.

 

Inbound (DNAT) is being tested using the default IIS page with the system used in the outbound test.  Requests to the default page time out.  The security and NAT rules never increment.  Both rules at the tops of their respective lists.  The page displays when requested from systems on the local LAN.

This is a typical service provider setup expecting a packet based router as the customer device on the site.  The second range would be on the router interface that connects then to the customer firewall (PAN) using that on the WAN firewall port.

 

As noted the second range is routed to the first ip address.

 

So you should be able to use the full routed /29 as dnat or snat addresses on the PAN using the first /30 as you are.  And your snat test does validate this.

 

So there is an error in your security or NAT policy on the PAN.  Verified by the lack of hits with your known traffic.  I would start by confirming the zone to zone assignment for the addresses involved.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 2796 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!