New Contributor

Need assistance routing Public IP natively w/o NAT

I need to route Public IP directly to an inside server without using NAT.

I am looking for a way to route 1 or 2 public IP addresses from a /29 block to an inside device. We want to code the public IP directly on the device and do not want to use NAT (or 1:1 NAT).

Our IP gateway is on e 0/2; it is a single /30 address and it is not associated with the /29 block.

I listed several IP addresses in the /29 block as secondary addresses on the e 0/1 interface but cannot figure out how to route an address to the server NIC.

The configuration below was set up for 1:1 NAT, but I need to change or modify the config to be able to pass public IPs to the inside.

Can I route addresses in the new /29 block 85.25.202.90 through the existing /30 IP gateway 188.57.122.102?

Do I need to put an address on the unused e 0/1 interface and use that to route a Public IP address? 

Do I need to setup a DMZ?

28 Replies
Honored Contributor

Re: Need assistance routing Public IP natively w/o NAT

On your eth 0/1 interface, configure it to have one of the addresses in the /29 block, such as:

ip address 85.25.202.89 255.255.255.248

Leave your eth 0/2 as-is if it's properly connected to your ISP now.

On the hosts connected to eth 0/1, assign each a different address from 85.25.202.90 to 85.25.202.94, each with a subnet mask of 255.255.255.248 and a gateway of 85.25.202.89 which is your eth 0/1.

These hosts will send traffic to the Adtran box which will route it out to the Internet.

You can set up a DMZ by enabling the firewall, configuring different ip access-policies on each interface and assigning policy-class statements as needed. Typically your eth 0/2 connected to your ISP would be class "Public" and your eth 0/1 would be class "DMZ". Your policy-class on the DMZ would be to allow anything out, and the policy-class for Public would be to allow just those IPs, ports, and protocols on which you have public services running on eth 0/1. If you want to rely on host-based firewalls on the public hosts, then you don't need this, but it is best practice to do so for security.

Also, now that you've put your IPs out there, make sure that you have secure passwords on the Adtran device itself and preferably restrict access to the Adtran box to trusted networks.

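The following is an added example of what the reply above describes, written in Adtran AOS-style configuration; it is not from the thread, from the contributor, or from Adtran. The /29 is routed natively (no nat statement anywhere), eth 0/2 is the "Public" class that admits only the listed inbound services, eth 0/1 is the "DMZ" class that may send anything out, and management of the Adtran itself ("self") is reachable only from a trusted network. The command syntax follows NetVanta default configurations as recalled here and should be checked against your firmware's documentation; the ACL names web-in, mgmt-hosts and all-out, the port numbers, the trusted network 203.0.113.0/24 and the ISP next hop 188.57.122.101 (assumed to be the ISP side of the /30) are assumptions, not values from the thread.

```text
! Added example (not from the thread or from Adtran): AOS-style config
! routing 85.25.202.88/29 natively behind the stateful firewall.
! Syntax as recalled from NetVanta default configs; verify on your firmware.
! web-in, mgmt-hosts, all-out, the ports and 203.0.113.0/24 are hypothetical.
!
ip firewall
!
interface eth 0/2
  description ISP uplink (/30)
  ip address 188.57.122.102 255.255.255.252
  access-policy Public
  no shutdown
!
interface eth 0/1
  description public /29 segment, no NAT
  ip address 85.25.202.89 255.255.255.248
  access-policy DMZ
  no shutdown
!
! Default route; 188.57.122.101 is assumed to be the ISP side of the /30.
ip route 0.0.0.0 0.0.0.0 188.57.122.101
!
! Only the published services on the /29 hosts are reachable from outside.
ip access-list extended web-in
  remark inbound to the public server 85.25.202.90
  permit tcp any host 85.25.202.90 eq 80
  permit tcp any host 85.25.202.90 eq 443
!
! Trusted network allowed to manage the Adtran itself.
ip access-list extended mgmt-hosts
  remark management of the router from the trusted network only
  permit ip 203.0.113.0 0.0.0.255 any
!
ip access-list extended all-out
  permit ip any any
!
! Public: implicit deny. Only web-in is forwarded, and only mgmt-hosts may
! reach the router ("self"); everything else from the ISP side is dropped.
ip policy-class Public
  allow list web-in
  allow list mgmt-hosts self
!
! DMZ: hosts may send anything out. There is no "nat source" entry, so the
! /29 addresses leave unchanged. Nothing here grants the hosts access to "self".
ip policy-class DMZ
  allow list all-out
```

Two things outside the box also have to hold for this to work: the ISP must route 85.25.202.88/29 to 188.57.122.102, and no /29 address may remain as a secondary on eth 0/2, otherwise the Adtran believes the block is on the ISP link and will not forward it to eth 0/1. The mgmt-hosts entry is what makes the "restrict access to trusted networks" advice concrete: with the firewall enabled, any traffic to the router's own addresses that no policy-class entry allows to "self" is discarded.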
New Contributor

Re: Need assistance routing Public IP natively w/o NAT

First, thank you for the response! Here are a couple more questions, if you can help out.

Do I drop the /29 addresses listed as secondary on eth 0/2?

Eth 0/2 is our internet connection?

It sounds like I will have to run Cat-5 to the new server because the /29 block won’t play on the existing 192.168.xxx.0 media. That’s not a problem because the server is located in the same cabinets as the Adtran router.

Later on, if we need to send a public address to a server or device in another building, I will need to route it using the 192.168… inside wire.  At that point I may also be able to use NAT 1:1.  

If so, do I then break out addresses from the /29 as secondary addresses on the eth 0/2 internet interface?  

New Contributor

Re: Need assistance routing Public IP natively w/o NAT

Some success - but showing a loop at the gateway:

BTW, these are not my actual numbers, but a representation of them, although I appreciate your input on security.

I set up IPs on eth 0/1 and on 2 servers in their own public segment.

Now, a tracert from outside to the f 0/1 interface (85.25.202.89, the /29 IP) shows a loop at our ISP gateway.

The trace gets through the ISP and to the Adtran; then the Adtran directs the trace back to the ISP, over and over.

Tracert 85.25.202.89    (the /29 Adtran eth 0/1 address)

  …6, 7, 8, 9…
  10    47 ms    61 ms    41 ms  GigabitEthernet from ISP.ISP.NET [188.62.14.208]
  11    45 ms    46 ms    43 ms  188.57.122.102
  12    48 ms    46 ms    52 ms  188.57.122.101
  13    50 ms    47 ms    47 ms  188.57.122.102
  14    52 ms    50 ms    50 ms  188.57.122.101
  15    52 ms    51 ms    55 ms  188.57.122.102
  16    54 ms    50 ms    51 ms  188.57.122.101
  17    58 ms    57 ms    57 ms  188.57.122.102
  18    59 ms    66 ms    55 ms  188.57.122.101
  19    67 ms    57 ms    57 ms  188.57.122.102
  20    …

Honored Contributor

Re: Need assistance routing Public IP natively w/o NAT

busy2 wrote:

Some success - but showing a loop at the gateway:

BTW, these are not my actual numbers, but a representation of them, although I appreciate your input on security.

I setup IP on eth 0/1 and on 2 servers in their own public segment.

Now, a tracert from outside to the f 0/1 interface (85.25.202.89, the /29 IP) shows a loop at our ISP gateway.

Is the eth 0/1 interface on the Adtran connected and up, no shutdown? Can you ping 85.25.202.89 from the connected servers?

Honored Contributor

Re: Need assistance routing Public IP natively w/o NAT

busy2 wrote:

First, thank you for the response! Here are a couple more questions, if you can help out.

Do I drop the /29 addresses listed as secondary on eth 0/2?

Yes.

It sounds like I will have to run Cat-5 to the new server because the /29 block won’t play on the existing 192.168.xxx.0 media. That’s not a problem because the server is located in the same cabinets as the Adtran router.

What 192.168.xxx.0 media? You didn't mention that.

Later on, if we need to send a public address to a server or device in another building, I will need to route it using the 192.168… inside wire. At that point I may also be able to use NAT 1:1.

What ethernet switches are you using? Are they managed and capable of VLANs? It sounds like you may want to trunk the public 85.25.202.88/29 and 192.168.xxx.0 subnets on two VLANs. This will allow you to have three logical interfaces: ISP in on eth 0/2, as well as public /29, and NAT 192.168 on two VLANs on eth 0/1.

New Contributor

Re: Need assistance routing Public IP natively w/o NAT

I can ping eth 0/1 from the Adtran, but can't ping the server at xxx.xxx.xxx.90 from the Adtran.

I am offsite and can't access the server from here, so cannot try pinging the Adtran from the server.

eth 0/1 is up, line protocol is up
  IP address is xxx.xxx.xxx.89
  net mask 255.255.255.248
  MTU is 1500
  BW is 100000 Kbps
  Fastcaching is Enabled
  IPv4 access policy is DMZ

New Contributor

Re: Need assistance routing Public IP natively w/o NAT

There is a combination of managed and unmanaged switches across the 192.XXX.XXX.0 network. VLANs are likely the best answer in the future, but at this time they are outside the scope of my project.

Honored Contributor

Re: Need assistance routing Public IP natively w/o NAT

Can you post the configuration with passwords redacted?
