Solved

Cisco 2500 Series Question (adding sub interface)

Posted on 2001-07-11
12
792 Views
Last Modified: 2012-06-27
Greetings.  I have a Cisco 2500 Series Router with One Ethernet (E0) interface on it.  The address to it is private (10.0.0.12).  This is how my Local Network can "talk" with it.  This interface is the GATEWAY to the internet.  However, there is no Public IP assigned to this interface at all.  I cannot manage it from remote locations because of this.  I read somewhere that you could add a sub-interface to the Ethernet port with a public address as SECONDARY so that I could get to it.  Please advise.
Question by:jguy07
12 Comments
 
LVL 4

Expert Comment

by:svindler
ID: 6274075
You would be better off to add the public ip address to a loopback interface. Remember to have the isp route the traffic for this address to the router.
#conf t
(config)#int lo0
(config-if)#ip address x.x.x.x y.y.y.y

If you insist on adding it as a secondary address:
#conf t
(config)#int e0
(config-if)#ip address x.x.x.x y.y.y.y secondary

A sub-interface on an ethernet interface is when you use isl trunking between a switch and a router. Then you can do something like:
#conf t
(config)# int e0.1
(config-if)#encap isl 10
(config-if)#ip add x.x.x.x y.y.y.y (address for vlan10)
(config)# int e0.2
(config-if)#encap isl 20
(config-if)#ip add x.x.x.x y.y.y.y (address for vlan20)


Author Comment

by:jguy07
ID: 6274529
Let me show you my config file for the router that I'll be working on.  It has many interfaces (all of the Connected To <sitenames> are other routers in our infrastructure).  What concerns me is that the E0 interface has a private IP of 10.0.0.12, this is what someone set up before me.  All PCs on the network use 10.0.0.12 as the GATEWAY.  I have no public IP address that is "advertising" for us.  In other words, here's my plan:  Give the router a public ip address (so it can be config'd manually).  Set up a proxy server with 2 NIC cards, one with a private IP and the other with a public IP on the same SubNet as the Router.  Then have all IP traffic (stuff to and from the internet) come to the public IP of the Proxy Server and then on to the private network.  I also plan on setting up FTP and other things on the Proxy Server's Public IP address.  Anyway, here's the config file (requesting set up/config advice):

Tuscaloosa#show config

Using 2691 out of 32762 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Tuscaloosa
!
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
ip name-server 207.230.75.34
ip name-server 207.230.75.50
!
!
!
!
interface Ethernet0
 ip address 10.0.0.12 255.255.255.0
 ip directed-broadcast
 ip nat inside
 bridge-group 1
!
interface Serial0
 bandwidth 512
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 fair-queue 64 256 0
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 description connected to Decatur
 ip address 192.168.100.1 255.255.255.252
 no ip directed-broadcast
 ip nat inside
 frame-relay interface-dlci 200
 bridge-group 1
!
interface Serial0.2 point-to-point
 description connected to MtVernon
 ip address 192.168.100.5 255.255.255.252
 no ip directed-broadcast
 ip nat inside
 frame-relay interface-dlci 300
 bridge-group 1
!
interface Serial0.3 point-to-point
 description connected to Mobile
 ip address 192.168.100.9 255.255.255.252
 no ip directed-broadcast
 ip nat inside
 frame-relay interface-dlci 400
 bridge-group 1
!
interface Serial0.4 point-to-point
 description connected to Montgomery
 ip address 192.168.100.13 255.255.255.252
 no ip directed-broadcast
 ip nat inside
 frame-relay interface-dlci 601
 bridge-group 1
!
interface Serial1
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial1.1 point-to-point
 description Connected to Internet
 ip address 10.22.4.130 255.255.255.252
 no ip directed-broadcast
 ip nat outside
 frame-relay interface-dlci 100
!
router rip
 version 2
 passive-interface Serial1.1
 network 10.0.0.0
 network 192.168.100.0
 no auto-summary
!
ip nat pool Tuscaloosa-natpool-41600 209.16.241.33 209.16.241.46 netmask 255.255.255.240
ip nat inside source list 1 pool Tuscaloosa-natpool-41600 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1.1
ip route 10.0.0.0 255.255.255.0 Ethernet0
no ip http server
!
access-list 1 permit 192.168.100.0 0.0.0.3
access-list 1 permit 192.168.100.4 0.0.0.3
access-list 1 permit 192.168.100.8 0.0.0.3
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.100.12 0.0.0.3
access-list 1 permit 192.168.6.0 0.0.0.255
snmp-server engineID local 00000009020000D058AD278D
snmp-server community public RO
bridge 1 protocol ieee
!
line con 0
 transport input none
line aux 0
line vty 0 4

 login
!
end
 
Tuscaloosa#exit

what to do????????????
LVL 4

Expert Comment

by:svindler
ID: 6274626
Take one of the addresses from the nat pool, i.e. 209.16.241.46 and write:
"ip nat inside source static 10.0.0.12 209.16.241.46"
Remember to adjust the pool first, so the last address is 209.16.241.45.

Also remember that now your router is accessible from the internet, meaning ANYONE can try to login, do port scan or whatever, unless you set up some filtering.

Author Comment

by:jguy07
ID: 6274751
What do you suggest that I do then when looking at the above set up?  

Internet   <--how do we exist?  (Public DNS needs to point to Public IP of Proxy, right??)  
__________
   |
   |
<router>Public IP?
   |
   |
<Proxy>Public IP/Private IP
   |
   |
<email server>Private IP

Couldn't I just put a public IP address on the Proxy Server and leave the Cisco Router Alone since NAT is on?  In other words, choose a Public IP from the NAT pool and place it on the proxy and forget the Public on the router??  Thanks!!  
LVL 4

Expert Comment

by:svindler
ID: 6274916
So I guess, you are not interested in having the router itself accessible from the internet after all? This is a very wise decision!

In your drawing above, you would need to take a /30 part (four addresses) out of your /28 (16 addresses). For instance using 209.16.241.32/30 you would have to change your pool to 209.16.241.36 - 209.16.241.36 (eliminate the netmask, it has no use here), and on "int e0" do "ip addr 209.16.241.33 255.255.255.252 secondary". The server would have to have an ip address of 209.16.241.34 using the same netmask and have the router as gateway on that interface.
This way your router will be accessible from the internet as well, without any protection.

To save addresses, you could nat the proxy/ftp/http/whatever server on the router, as in "ip nat inside source static 10.0.0.27 209.16.241.45" or whatever private ip address your proxy has.

Author Comment

by:jguy07
ID: 6277022
O.k., I see what you are saying.  I think that I'll go with the decision to use IP nat inside (to protect my router!).  In other words, take a private IP address (I'll use actual info here so that I can get a "feel" of how to do this) of 10.0.0.13 for the private address and then use nat with the public IP of 209.16.214.33(this will be the address of the proxy server's interface).

This is what I want to do:
Quote:  
"To save addresses, you could nat the proxy/ftp/http/whatever server on the router, as in "ip nat inside
source static 10.0.0.27 209.16.241.45" or whatever private ip address your proxy has."

O.k., with this in mind, I set up the nat on E0, right?  Could you give me a brief walk-thru?  (I'm no IOS expert!).  Thanks!!!!  (Your kindness is greatly appreciated!)

Joe
LVL 4

Accepted Solution

by:
svindler earned 300 total points
ID: 6277458
You need to add a single line in global config mode and change the pool:
#conf t
(config)#ip nat inside source static 10.0.0.13 209.16.241.45
(config)#ip nat pool Tuscaloosa-natpool-41600 209.16.241.34 209.16.241.46 netmask 255.255.255.240

The IOS already knows that "inside" is on the e0 (and the serial lines) from the "ip nat inside" on each interface. Then it uses the routing information to see where to send the packets after translating the address.
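As an added example (not from the thread or from svindler), a small Python checker for the two pitfalls raised above: a static translation whose outside address still sits inside the dynamic NAT pool (svindler's "adjust the pool first"), and a static mapping that publishes one of the router's own interface addresses, which is what makes the router reachable from the internet without any filtering. The config text is a constructed excerpt using the thread's addresses with the original pool range; the second static line is hypothetical.

```python
import ipaddress
import re

# Constructed excerpt using the thread's addresses: the pool still ends at .46,
# so the static mapping from the accepted solution overlaps it, and a second
# static line (hypothetical) exposes the router's own E0 address.
SAMPLE_CONFIG = """
interface Ethernet0
 ip address 10.0.0.12 255.255.255.0
 ip nat inside
ip nat pool Tuscaloosa-natpool-41600 209.16.241.33 209.16.241.46 netmask 255.255.255.240
ip nat inside source static 10.0.0.13 209.16.241.45
ip nat inside source static 10.0.0.12 209.16.241.46
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)")
IFADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)(?: secondary)?$")


def parse_nat(config):
    """Collect NAT pools, static translations and interface addresses."""
    pools, statics, if_addrs = {}, [], set()
    for line in config.splitlines():
        if m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        elif m := STATIC_RE.match(line):
            statics.append((ipaddress.ip_address(m.group(1)),
                            ipaddress.ip_address(m.group(2))))
        elif m := IFADDR_RE.match(line):
            # Addresses the router itself answers on (primary or secondary).
            if_addrs.add(ipaddress.ip_address(m.group(1)))
    return pools, statics, if_addrs


def audit_nat(config):
    """Return human-readable findings; an empty list means both checks pass."""
    pools, statics, if_addrs = parse_nat(config)
    findings = []
    for inside, outside in statics:
        for name, (low, high) in pools.items():
            if low <= outside <= high:
                findings.append(f"static {inside}->{outside} overlaps pool {name} ({low}-{high})")
        if inside in if_addrs:
            findings.append(f"static {inside}->{outside} exposes a router interface address")
    return findings


if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_CONFIG):
        print(finding)
```

Shrinking the pool so it ends below the static addresses clears the overlap findings; the exposure finding only goes away by not mapping a router interface address at all.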

Author Comment

by:jguy07
ID: 6277482
Cool, dude.  I shall try this and let you know!!  
Thanks!!!  (I'm going to go ahead and award you the points because you are the man!!)

Joe

Author Comment

by:jguy07
ID: 6277490
He stuck in there with me and helped all of the way!!

Expert Comment

by:nelsonjm
ID: 7614229
Just curious:

a previous answer to this was to subnet to /30 from /28. Might this be difficult with only RIP enabled? Or, should a routing protocol that forwards 'classless' subnets be used, such as OSPF?

This might lead to other network reconfiguration, but if you are using p to p frame links, if I am reading that correctly, then you could summarize from area to area thus reducing bw usage.

using a link state protocol would also reduce topology updates and bw requirements.

Or, you could RIP on Lan, use OSPF on Wan, and redistribute in the border router.

make sense?

also, you said ethernet is connected to internet, but I am reading serial 1.1 connected to internet which would make more sense if you are using frame.

I am no expert on routers, so help me out with this.

thanks,