Re: Routing for Verizon FIOS -- Reward for answer
- From: Darren Green <darrenfgreen@xxxxxxxxxxxxx>
- Date: Sun, 4 May 2008 04:16:46 -0700 (PDT)
On 4 May, 08:14, "Thrill5" <nos...@xxxxxxxxxxxxx> wrote:
It is never "best" to simply route traffic to your inside network. The
only reason you need a public IP is if you are accepting connections from an
internet source, which should only be a few devices (your mail server, web
server and VPN concentrator, etc.) All of your inside traffic for web
browsing can be NATed to a single outside address. Your video conference
station should be able to have two addresses, the inside address on your
LAN, and the outside address that it is NATed to.
You can also request a separate address from Verizon so that the connection
between your router and their connection is on a different subnet than the
block they assigned you. If you can't do that, your only option is to
bridge the traffic which, in my opinion, is the worst case option.
"Fletcher James" <fja...@xxxxxxxxxxxxxx> wrote in message
news:Ek0Tj.523$Ve.520@xxxxxxxxxxx
This is your opportunity to be a Cisco hero (and to earn a tin of
incredible cookies, with the first correct answer.) I suspect that the
right person can solve this problem in a snap, but the solution has been
eluding us for over a month.
We have been assigned a block of 64 static IP addresses (actually, 61) by
Verizon, for our Business FIOS network. Let's call our addresses
70.x.x.64/26.
We wish to place a Cisco 1841 directly on the FIOS connection, and then
have a handful of devices inside (perimeter network), connected by a
simple Ethernet switch. Most of the addresses will be handled by an ISA
server (firewall/NAT, which protects our LAN and a separate Web Server
zone), but a few other devices will be independent (e.g. a
videoteleconference unit which doesn't play well inside the firewall, a
wireless router for untrusted devices, etc.)
For many reasons, it would be best if we were simply routing our traffic
to the inside of the Cisco, so that our 70.x.x.64/26 subnet is on the
INSIDE of the 1841.
The problem we have is this: Verizon's gateway is 70.x.x.1. Unlike our
other ISPs, they have NOT assigned us a separate 30-bit subnet with an
address for our router (in this case, that would be 70.x.x.2). I think
Verizon just expected us to NAT everything immediately after their
interface, the way that residential customers do with their Actiontec
router/firewall units.
So the problem is: What do we use as an address for the outside interface
of our router, which will allow it to route traffic to the gateway, OR,
how do we otherwise deal with this problem?
To demonstrate: If we assign our router's outside to .66 (they've told us
not to use .65) then we need a netmask of 255.255.255.128 so that we can
route outbound through the gateway. Unfortunately, that then defines ALL
of our public addresses as being on the outside of the router. We've
looked at a long list of solutions, and none of them are very good:
OPTION A: Currently, we have declared our outside interface as
70.x.x.126/24. We then force all of our inbound traffic to the inside
with a long list of entries such as:
ip route 70.x.x.69 255.255.255.255 FastEthernet0/0
This works, but poorly -- I suspect there's a lot of unnecessary ARPing
going on.
OPTION B: We could keep the public addresses on the outside, and then NAT
them to private addresses between the Cisco and the perimeter network
(e.g. 70.x.x.69 --> 10.0.0.69) and then NAT them a second time in the ISA
server. Yuch.
OPTION C: We could "steal" the address 70.x.x.2/30 for our outside
interface, and hope that it never causes a problem (We've tried this, but
have had inconsistent results -- it works, and then when we re-boot our
router it mysteriously fails.)
OPTION D: We could assign a PRIVATE address to the outside of our
router -- say, 10.1.1.1. But then, how would we direct traffic to our
gateway? If we provide a default route just by interface
(ip route 0.0.0.0 0.0.0.0 FastEthernet0/1)
then it's got to ARP for every single outbound address. QUESTION: would
the following solve that problem:
ip route 0.0.0.0 0.0.0.0 70.x.x.1
ip route 70.x.x.1 255.255.255.255 FastEthernet0/1
OPTION E:
You're the genius. Tell us Option E.
I would very much appreciate it if you could cc me directly on any reply.
Thanks!
Fletcher James
President
Levit & James, Inc.
703-771-1549
http://www.levitjames.com
Out of interest, could you not assign the ip address to the LAN side
of the router and on the WAN port use ip unnumbered to the LAN
interface.
! LAN side holds the public /26
int Fa0/X
 ip address 70.x.x.X 255.255.255.192
! WAN side borrows the LAN interface's address
int Serial X/X
 ip unnumbered Fa0/X
I seem to recall I have done this in the past mainly on ADSL
boxes where the client wanted to present a public IP address
internally.
Regards
Darren
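
The netmask reasoning in the quoted question (outside interface on .66, gateway on .1, assigned block .64/26), worked through as an added example that is not part of any poster's message. The thread elides the real prefix as 70.x.x, so the documentation range 203.0.113.0/24 stands in for it; the function names are illustrative.

```python
import ipaddress

# Constructed stand-ins for the elided 70.x.x addresses in the thread.
GATEWAY = ipaddress.ip_address("203.0.113.1")
ASSIGNED = ipaddress.ip_network("203.0.113.64/26")


def smallest_common_subnet(addr_a, addr_b):
    """Longest-prefix IPv4 network that contains both addresses."""
    a = int(ipaddress.IPv4Address(addr_a))
    b = int(ipaddress.IPv4Address(addr_b))
    # The highest differing bit decides how short the prefix must be.
    prefix = 32 - (a ^ b).bit_length()
    return ipaddress.IPv4Network((a, prefix), strict=False)


def check_outside(interface):
    """Evaluate one candidate address/mask for the router's outside interface."""
    net = ipaddress.ip_interface(interface).network
    return {
        "connected": str(net),
        # Can the router reach the ISP gateway as a directly connected host?
        "gateway_on_link": GATEWAY in net,
        # Does the outside subnet swallow addresses meant for the inside?
        "block_on_outside": net.overlaps(ASSIGNED),
    }


if __name__ == "__main__":
    need = smallest_common_subnet("203.0.113.66", str(GATEWAY))
    print("mask needed for .66 to reach .1 on-link:", need.netmask)
    candidates = {
        "mask that reaches the gateway": "203.0.113.66/25",
        "mask matching the assigned block": "203.0.113.66/26",
        "Option A": "203.0.113.126/24",
        "Option C": "203.0.113.2/30",
    }
    for label, iface in candidates.items():
        print(f"{label:34} {iface:18} {check_outside(iface)}")
```

Any outside address taken from the assigned block needs a mask wide enough to include the gateway, and that mask also covers the block itself; only an outside address outside the block (as in Option C) avoids the overlap.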