I'm having a bit of a hard time trying to implement a configuration,
and I find it weird that an ISP provides it that way to start with.
Here is the deal.
I have this ADSL service on a Cisco 836. Initially it was a simple
ADSL service with a fixed IP obtained via DHCP
(ip address negotiated). I had this IP address NATed with 'ip nat
inside source static tcp....' - everything ok.
Later we agreed with the ISP on another static IP address, delivered in
the same way; I just had to add a new set of 'ip nat inside source
static tcp ..' for the other external address and everything was still
ok.
Now, we recently asked our ISP for two extra addresses, but the ISP
said that those addresses could no longer be provided in the same
manner as the previous ones and they would offer an IP pool of 4
addresses in a subnetted /30 network.
The trouble is.. those addresses are not obtainable with the 'ip
address negotiated' option, so I believe that they are not in the ISP
DHCP pool.
Contacting ISP support, they told me that I had to manually configure
the interface for the /30 network and route the traffic instead of
NATing it. The routing issue I could circumvent.. if I had the
addresses delivered to my router together with the other two that are
DHCP negotiated.
Can I have both setups in the same dialer? i.e. an ip address
negotiated and a static IP configuration. I know I can't do this
directly, but is there any trick I can use.. such as creating another
interface and bridging it or something alike?
Kind Regards,
HangaS
The trick is - There is nothing to worry about.
The ISP will send all traffic destined for your allocated
addresses to you, all you have to do is deal with it
when it arrives.
So:- the address allocated to the interface does not matter.
AT ALL.
The convention is:-
Use one address for your general outbound originated
internet traffic (PAT) and put that on your outside interface.
Do what you want with the others.
If you are NATting everything then you just need to set up
the NAT statements.
Done.
If you need further assistance please post the
config with ip addresses sanitised and
usernames/passwords removed along with your request.
The best way to sanitise the addresses is to replace the
first two octets say with x.y. This is likely to preserve
useful information while still rendering you anonymous.
By the way, reading between the lines, the ISP
is not using DHCP but, IPCP which
(I suppose) is part of PPP.
Many thanks for your reply. From your words I believe I was not very
far from the solution.
My addresses are:
xxx.yyy.86.106 - "First" address (default) negotiated by the PPP link
xxx.yyy.86.118 - "Second" address - added later to the contract - I
was told that the traffic will 'just arrive at my outside interface',
and it does
xxx.yyy.86.240/30 - "The pool" of 2 usable addresses added now to the
contract - the ones giving me the trouble
Initially I tried that approach. I assumed that the new pool of
addresses was being delivered
to my outside interface, so I just needed to NAT/route them to
somewhere else.
However that didn't work in the same way as it did with the "second"
address.
So I thought that it would require some other kind of configuration
because the addresses were being delivered from the ISP
in some other way.
This is my config assuming that the pool addresses are being delivered
c836#show running-config
Building configuration...
Current configuration : 11578 bytes
!
! Last configuration change at 10:56:15 WEST Wed Aug 20 2008 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname c836
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone WEST 1
clock summer-time WEST date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
!
!
no ip dhcp use vrf connected
!
ip dhcp pool VPNPOOL
network ccc.ddd.0.0 255.255.0.0
domain-name vpn.lan
default-router aaa.bbb.200.2
dns-server aaa.bbb.1.254
lease 30
!
!
ip cef
ip name-server aaa.bbb.1.254
no ip bootp server
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
isdn switch-type basic-net3
!
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
username vpn password 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group devel
key XXXXXXXX
dns xxx.yyy.1.254
pool IPSECPOOL
acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
description --- 10Mbps connection to LAN ---
ip address aaa.bbb.0.1 255.255.0.0
ip access-group 112 in
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface Ethernet2
description --- Connection to Cisco 877 ---
ip address ccc.ddd.200.1 255.255.255.0
ip access-group 112 in
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface BRI0
no ip address
encapsulation hdlc
isdn switch-type basic-net3
isdn point-to-point-setup
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode etsi
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Virtual-Template1
description --- PPTP VPN access interface ---
ip unnumbered Ethernet2
ip nat inside
ip virtual-reassembly
ip route-cache flow
peer default ip address dhcp-pool VPNPOOL
no keepalive
ppp encrypt mppe 128
ppp authentication ms-chap-v2
!
interface Dialer1
description ADSL link to ISP (xxx.yyy.86.106)
ip address negotiated
ip access-group FROMINET in
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer remote-name VDF
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname username@isp
ppp chap password 7 XXXXXXXXXXXXXXXXX
ppp pap sent-username username@isp password 7 XXXXXXXXXXXXXXXXXX
crypto map clientmap
!
ip local pool IPSECPOOL aaa.bbb.20.100 aaa.bbb.20.200
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route ccc.ddd.0.0 255.255.0.0 aaa.bbb.200.2
ip route aaa.bbb.1.0 255.255.255.0 aaa.bbb.200.2
ip route aaa.bbb.2.0 255.255.255.0 aaa.bbb.200.2
ip route aaa.bbb.3.0 255.255.255.0 aaa.bbb.200.2
!
no ip http server
no ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source route-map NAT interface Dialer1 overload
ip nat inside source static tcp aaa.bbb.1.5 80 xxx.yyy.86.106 80 extendable
ip nat inside source static tcp aaa.bbb.3.10 110 xxx.yyy.86.106 110 extendable
ip nat inside source static tcp aaa.bbb.3.10 143 xxx.yyy.86.106 143 extendable
ip nat inside source static tcp aaa.bbb.1.5 443 xxx.yyy.86.106 443 extendable
ip nat inside source static tcp aaa.bbb.3.10 993 xxx.yyy.86.106 993 extendable
ip nat inside source static tcp aaa.bbb.3.10 995 xxx.yyy.86.106 995 extendable
! for the second address
ip nat inside source static aaa.bbb.1.4 xxx.yyy.86.118
! for the new pool of addresses
! the ISP referred to them as xxx.yyy.86.240/30
ip nat inside source static aaa.bbb.1.5 xxx.yyy.86.241
ip nat inside source static aaa.bbb.1.6 xxx.yyy.86.242
!
!
ip access-list extended FROMINET
remark Filter Traffic from INET
! no restrictions here just in case
permit ip any any
permit gre any any
ip access-list extended INTERNAL
permit ip aaa.bbb.0.0 0.0.255.255 any
permit ip ccc.ddd.0.0 0.0.255.255 any
!
access-list 108 permit ip aaa.bbb.200.0 0.0.0.255 any
access-list 108 permit ip aaa.bbb.1.0 0.0.0.255 any
access-list 108 permit ip aaa.bbb.3.0 0.0.0.255 any
access-list 112 permit tcp host aaa.bbb.3.10 any eq smtp
access-list 112 deny tcp any any eq smtp
access-list 112 permit ip any any
no cdp run
!
route-map NAT permit 10
match ip address INTERNAL
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
length 0
line vty 5 15
privilege level 15
transport input telnet
!
scheduler max-task-time 5000
ntp clock-period 17179923
ntp server 194.117.9.136
no rcapi server
!
!
end
One more thing that I just tested and may help is
pinging the several IP addresses from another router on a different
link (from the outside world):
Sending 5, 100-byte ICMP Echos to xxx.yyy.86.106, timeout is 2
seconds:
!!!!!
OK here
-----
Sending 5, 100-byte ICMP Echos to xxx.yyy.86.118, timeout is 2
seconds:
!!!!!
OK here
-----------------
Sending 5, 100-byte ICMP Echos to xxx.yyy.86.241, timeout is 2
seconds:
U.U.U
Success rate is 0 percent (0/5)
A traceroute on this shows..
Tracing the route to xxx.yyy.86.241
1 2.224.54.77.rev.vodafone.pt (77.54.224.2) 32 msec 20 msec 20 msec
2 82.50.174.83.rev.vodafone.pt (83.174.50.82) 16 msec 20 msec 20 msec
3 * * *
4 71.95.yyy.xxx.rev.vodafone.pt (xxx.yyy.95.71) 24 msec 24 msec 56 msec
5 241.86.yyy.xxx.static.rev.vodafone.pt (xxx.yyy.86.241) 32 msec * 44 msec
So I believe that the packets do arrive at my router, right?
I will try to ping it from the outside and do some debugging on this
later when there is less traffic on the link and I can bring it down
if needed.
Meanwhile, any ideas?
Many thanks!
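Since the convention from the reply (one negotiated address for PAT on Dialer1, every other allocated address handled purely by 'ip nat inside source static') puts all the weight on the static NAT lines, here is an added Python checker, not from the thread, that parses those lines out of a running-config and reports inside hosts mapped to more than one outside address, outside addresses that fall outside the blocks the ISP routes to the link, and the unusable network/broadcast addresses of a /30. The sample config and the ALLOCATED list are constructed to mirror the posted config with documentation addresses in place of the aaa.bbb / xxx.yyy placeholders.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of the posted running-config; the poster's
# aaa.bbb / xxx.yyy placeholders are replaced with RFC 5737 documentation
# addresses, and the last two lines are deliberate mistakes for the checks.
SAMPLE_CONFIG = """\
ip nat inside source route-map NAT interface Dialer1 overload
ip nat inside source static tcp 10.1.1.5 80 203.0.113.106 80 extendable
ip nat inside source static tcp 10.1.3.10 110 203.0.113.106 110 extendable
ip nat inside source static tcp 10.1.1.5 443 203.0.113.106 443 extendable
ip nat inside source static 10.1.1.4 203.0.113.118
ip nat inside source static 10.1.1.5 203.0.113.241
ip nat inside source static 10.1.1.6 203.0.113.242
ip nat inside source static 10.1.1.7 203.0.113.243
ip nat inside source static 10.1.1.8 203.0.113.250
"""

# Blocks the ISP routes to this link (constructed): the negotiated address,
# the second single address and the /30 pool.
ALLOCATED = ["203.0.113.106/32", "203.0.113.118/32", "203.0.113.240/30"]

STATIC_RE = re.compile(
    r"^ip nat inside source static(?: (?P<proto>tcp|udp))? "
    r"(?P<inside>\S+)(?: (?P<iport>\d+))? (?P<outside>\S+)(?: (?P<oport>\d+))?"
)

def parse_static_nat(config):
    """Extract every 'ip nat inside source static' statement as a dict."""
    return [m.groupdict() for line in config.splitlines()
            if (m := STATIC_RE.match(line.strip()))]

def multi_mapped_inside(entries):
    """Inside hosts that appear with more than one outside address."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["inside"]].add(e["outside"])
    return {h: sorted(o) for h, o in seen.items() if len(o) > 1}

def check_outside(entries, allocated):
    """Outside addresses not in an allocated block, or the network/broadcast
    address of a block smaller than /31 (not usable as a host address)."""
    nets = [ip_network(a) for a in allocated]
    unallocated, unusable = set(), set()
    for e in entries:
        addr = ip_address(e["outside"])
        net = next((n for n in nets if addr in n), None)
        if net is None:
            unallocated.add(str(addr))
        elif net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
            unusable.add(str(addr))
    return {"unallocated": sorted(unallocated), "unusable": sorted(unusable)}
```

A host reported by multi_mapped_inside is not necessarily wrong (the extendable keyword allows overlapping port and one-to-one mappings), but it is the kind of overlap worth confirming is intended before debugging anything else.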