On Tue, 24 Apr 2001, Ben Nagy wrote:

> That's really....weird. Have you tested this, Paul?

Not personally.  I don't recall what circumstances even made it come up in
conversation previously, but it's probably something like the original
questioner's situation where ISP router control wasn't negotiable
(obviously not a link I'd specified.)  I'm pretty sure the target got it
working though, but it was a while back...

> Theoretically, I _think_ that should work. You'd need to:
> (imaginary customer LAN IP is 128.1.1.0/24, ISP's router is 128.1.1.1)
> 1. Internal ethernet on customer router 128.1.1.2
> 2. Default gateway on clients 128.1.1.2

This is the part that I'm not certain about- there's probably a better way
to do it.  Certainly adding an additional layer 3 device makes just using
the same address on the internal and ISP internal interfaces a heck of a
lot easier.  (This assumes never being able to directly reach that ISP
router interface from the LAN- no loss in this case.)

> 3. External interface on customer router unnumbered off inside interface
> 4. Static route 'ip route 128.1.1.1 255.255.255.255 eth0' (eth0 is outside)
> 5. Default gateway 128.1.1.1
> 6. Hope proxy arp works

Without proxy ARP, it's a sure thing- of course, adding the internal
default routes to 128.1.1.2 is simple since they're in control of the
internal network, and that makes the entire scheme much simpler.


> 7. Probably go to hell.
> 
> An alternative would be to use a spurious 1918 address on the outside, have
> a default route pointing to an adjacent 1918 address and use a static arp
> entry to relate the non-existent default router IP address with the real
> router MAC address. But that's even uglier.

I think if you can change the internal hosts' default gateway the ugliness
can be completely avoided.  You could *even* do a /32 route to the outside
router's inside interface if you wanted to be able to ping it.

> I don't have a 2621 spare in the lab at the moment, or I'd run this up. "JR
> Ponce de Leon" - if you try to test this and have problems, feel free to
> email me offlist - this looks like an ugly hack, and I like those ;).

Ben, we all know you'll be trying this as soon as you get a spare
router.  Please do us a favor and report back the results?

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
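Editor's note, added to this archived message and not part of what Paul or Ben wrote: the two schemes sketched in the thread, written out as IOS-style configuration for the customer router. Addresses follow the thread's imaginary plan (LAN 128.1.1.0/24, ISP router 128.1.1.1, customer router inside 128.1.1.2); the interface names, the 10.255.255.0/30 range and the MAC address are assumptions for illustration. Two caveats a practitioner would want: IOS of this era accepted `ip unnumbered` only on point-to-point interfaces, so step 3 as written may be rejected on an Ethernet port (later releases added Ethernet support with extra restrictions); and, as Ben says himself, the proxy-ARP behaviour is exactly the part to test on a real box before relying on it.

```cisco
! === Scheme 1: Ben's steps 1-6 (unnumbered outside, static /32, proxy ARP) ===
!
interface FastEthernet0/1
 description Inside: customer LAN; hosts use 128.1.1.2 as default gateway (steps 1-2)
 ip address 128.1.1.2 255.255.255.0
 ip proxy-arp
!
interface FastEthernet0/0
 description Outside: same Ethernet segment as the ISP router 128.1.1.1 (step 3)
 ip unnumbered FastEthernet0/1
 ip proxy-arp
!
! Step 4: host route to the ISP router out the unnumbered outside interface.
ip route 128.1.1.1 255.255.255.255 FastEthernet0/0
! Step 5: everything else goes to the ISP router.
ip route 0.0.0.0 0.0.0.0 128.1.1.1
!
! Step 6: the ISP router still thinks 128.1.1.0/24 is directly connected, so it
! ARPs for every inside host on the outside segment. Proxy ARP on FastEthernet0/0
! makes the customer router answer those requests with its own MAC for any
! 128.1.1.x it reaches via FastEthernet0/1. Proxy ARP on FastEthernet0/1 does the
! same in the other direction if a LAN host ARPs for 128.1.1.1 (Paul's "/32 route
! if you want to ping it" case). Watch it with: debug arp
!
! === Scheme 2: Ben's alternative (spurious RFC 1918 outside address + static ARP) ===
! Replaces the FastEthernet0/0 block and the two static routes above.
!
interface FastEthernet0/0
 description Outside: RFC 1918 address that the ISP router never sees as a peer
 ip address 10.255.255.2 255.255.255.252
 ip proxy-arp
!
! Default route to an "adjacent" 10.x address that exists on no real device...
ip route 0.0.0.0 0.0.0.0 10.255.255.1
! ...so ARP for it would never be answered. The static ARP entry binds that
! fictitious next hop to the ISP router's real MAC (the MAC below is made up),
! and the ISP router routes any frame sent to its MAC regardless of the
! 128.1.1.x source addresses inside. Return traffic still depends on proxy ARP
! on FastEthernet0/0 answering the ISP router's ARPs for 128.1.1.x hosts.
arp 10.255.255.1 0000.0c11.2233 ARPA
```

In both schemes the ISP router's inside interface (128.1.1.1) is not reachable from the LAN by ordinary routing, which the thread accepts as no loss; if that is needed, the inside hosts need a host route for 128.1.1.1 via 128.1.1.2, or proxy ARP on the inside interface has to answer for it.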
