Re: Routing for Verizon FIOS -- Reward for answer

On May 3, 12:24 pm, "Fletcher James" <fja...@xxxxxxxxxxxxxx> wrote:
This is your opportunity to be a Cisco hero (and to earn a tin of incredible
cookies, with the first correct answer.)  I suspect that the right person
can solve this problem in a snap, but the solution has been eluding us for
over a month.

We have been assigned a block of 64 static IP addresses (actually, 61) by
Verizon, for our Business FIOS network.  Let's call our addresses

We wish to place a Cisco 1841 directly on the FIOS connection, and then have
a handful of devices inside (perimeter network), connected by a simple
Ethernet switch.  Most of the addresses will be handled by an ISA server
(firewall/NAT, which protects our LAN and a separate Web Server zone), but a
few other devices will be independent (e.g. a videoteleconference unit which
doesn't play well inside the firewall, a wireless router for untrusted
devices, etc.)

For many reasons, it would be best if we were simply routing our traffic to
the inside of the Cisco, so that our 70.x.x.64/26 subnet is on the INSIDE of
the 1841.

The problem we have is this:  Verizon's gateway is 70.x.x.1.  Unlike our
other ISPs, they have NOT assigned us a separate 30-bit subnet with an
address for our router (in this case, that would be 70.x.x.2).  I think
Verizon just expected us to NAT everything immediately after their
interface, the way that residential customers do with their Actiontec
router/firewall units.

So the problem is:  What do we use as an address for the outside interface
of our router, which will allow it to route traffic to the gateway, OR, how
do we otherwise deal with this problem?

To demonstrate:  If we assign our router's outside to .66 (they've told us
not to use .65) then we need a netmask of so that we can
route outbound through the gateway.  Unfortunately, that then defines ALL of
our public addresses as being on the outside of the router.  We've looked at
a long list of solutions, and none of them are very good:

OPTION A: Currently, we have declared our outside interface as
70.x.x.126/24.  We then force all of our inbound traffic to the inside with
a long list of entries such as:

ip route 70.x.x.69 FastEthernet0/0

This works, but poorly -- I suspect there's a lot of unnecessary ARPing
going on.

OPTION B: We could keep the public addresses on the outside, and then NAT
them to private addresses between the Cisco and the perimeter network (e.g..
70.x.x.69 --> and then NAT them a second time in the ISA server..

OPTION C: We could "steal" the address 70.x.x.2/30 for our outside
interface,and hope that it never causes a problem (We've tried this, but
have had inconsistent results -- it works, and then when we re-boot our
router it mysteriously fails.)

OPTION D:  We could assign a PRIVATE address to the outside of our router --  
say,  But then, how would we direct traffic to our gateway?  If we
provide a default route just by interface

ip route FastEthernet0/1)

then it's got to ARP for every single outbound address.  QUESTION: would the
following solve that problem:

ip route 70.x.x.1

ip route 70.x.x.1 FastEthernet0/1

You're the genius.  Tell us Option E.

I would very much appreciate it if you could cc me directly on any reply.


Fletcher James
Levit & James, Inc.

Can you get verizon to sell you another separate /31 (yes a /31 works,
we use them all the time for point to point routing adjacencies) and
then setup routing on both sides? Else I don't see why you can't
carve out the /30 as you have said, and ensure that Verizon and you
are advertising properly on both sides. Or install a switch between
them and you for external hosts and NAT for anything going internal.
Not sure you can do that with FIOS, never had to deal with it.