jguy07
Cisco 2500 Series Question (adding sub interface)
Greetings. I have a Cisco 2500 Series Router with one Ethernet (E0) interface on it. The address on it is private (10.0.0.12). This is how my local network can "talk" with it. This interface is the GATEWAY to the internet. However, there is no public IP assigned to this interface at all. I cannot manage it from remote locations because of this. I read somewhere that you could add a sub-interface to the Ethernet port with a public address as SECONDARY so that I could get to it. Please advise.
ASKER
Let me show you my config file for the router that I'll be working on. It has many interfaces (all of the "connected to <sitename>" links are other routers in our infrastructure). What concerns me is that the E0 interface has a private IP of 10.0.0.12; this is what someone set up before me. All PCs on the network use 10.0.0.12 as the GATEWAY. I have no public IP address that is "advertising" for us. In other words, here's my plan: give the router a public IP address (so it can be config'd manually). Set up a proxy server with 2 NIC cards, one with a private IP and the other with a public IP on the same subnet as the router. Then have all IP traffic (stuff to and from the internet) come to the public IP of the proxy server and then on to the private network. I also plan on setting up FTP and other things on the proxy server's public IP address. Anyway, here's the config file (requesting set up/config advice):
Tuscaloosa#show config
Using 2691 out of 32762 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Tuscaloosa
!
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
ip name-server 207.230.75.34
ip name-server 207.230.75.50
!
!
!
!
interface Ethernet0
ip address 10.0.0.12 255.255.255.0
ip directed-broadcast
ip nat inside
bridge-group 1
!
interface Serial0
bandwidth 512
no ip address
no ip directed-broadcast
encapsulation frame-relay
fair-queue 64 256 0
frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
description connected to Decatur
ip address 192.168.100.1 255.255.255.252
no ip directed-broadcast
ip nat inside
frame-relay interface-dlci 200
bridge-group 1
!
interface Serial0.2 point-to-point
description connected to MtVernon
ip address 192.168.100.5 255.255.255.252
no ip directed-broadcast
ip nat inside
frame-relay interface-dlci 300
bridge-group 1
!
interface Serial0.3 point-to-point
description connected to Mobile
ip address 192.168.100.9 255.255.255.252
no ip directed-broadcast
ip nat inside
frame-relay interface-dlci 400
bridge-group 1
!
interface Serial0.4 point-to-point
description connected to Montgomery
ip address 192.168.100.13 255.255.255.252
no ip directed-broadcast
ip nat inside
frame-relay interface-dlci 601
bridge-group 1
!
interface Serial1
no ip address
no ip directed-broadcast
encapsulation frame-relay IETF
frame-relay lmi-type ansi
!
interface Serial1.1 point-to-point
description Connected to Internet
ip address 10.22.4.130 255.255.255.252
no ip directed-broadcast
ip nat outside
frame-relay interface-dlci 100
!
router rip
version 2
passive-interface Serial1.1
network 10.0.0.0
network 192.168.100.0
no auto-summary
!
ip nat pool Tuscaloosa-natpool-41600 209.16.241.33 209.16.241.46 netmask 255.255.255.240
ip nat inside source list 1 pool Tuscaloosa-natpool-41600 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1.1
ip route 10.0.0.0 255.255.255.0 Ethernet0
no ip http server
!
access-list 1 permit 192.168.100.0 0.0.0.3
access-list 1 permit 192.168.100.4 0.0.0.3
access-list 1 permit 192.168.100.8 0.0.0.3
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.100.12 0.0.0.3
access-list 1 permit 192.168.6.0 0.0.0.255
snmp-server engineID local 00000009020000D058AD278D
snmp-server community public RO
bridge 1 protocol ieee
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
Tuscaloosa#exit
what to do????????????
Take one of the addresses from the NAT pool, i.e. 209.16.241.46, and write:
"ip nat inside source static 10.0.0.12 209.16.241.46"
Remember to adjust the pool first, so the last address is 209.16.241.45.
Also remember that now your router is accessible from the internet, meaning ANYONE can try to login, do port scan or whatever, unless you set up some filtering.
ASKER
What do you suggest that I do then when looking at the above set up?
Internet <--how do we exist? (Public DNS needs to point to the public IP of the proxy, right??)
__________
|
|
<router>Public IP?
|
|
<Proxy>Public IP/Private IP
|
|
<email server>Private IP
Couldn't I just put a public IP address on the proxy server and leave the Cisco router alone since NAT is on? In other words, choose a public IP from the NAT pool and place it on the proxy and forget the public IP on the router?? Thanks!!
So I guess, you are not interested in having the router itself accessible from internet after all? This is a very wise decision!
In your drawing above, you would need to take a /30 part (four addresses) out of your /28 (16 addresses). For instance, using 209.16.241.32/30 you would have to change your pool to 209.16.241.36 - 209.16.241.36 (eliminate the netmask, it has no use here), and on "int e0" do "ip addr 209.16.241.33 255.255.255.252 secondary". The server would have to have an IP address of 209.16.241.34 using the same netmask and have the router as gateway on that interface.
This way your router will be accessible from the internet as well, without any protection.
To save addresses, you could NAT the proxy/ftp/http/whatever server on the router, as in "ip nat inside source static 10.0.0.27 209.16.241.45" or whatever private IP address your proxy has.
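The two answers above rest on a bit of address arithmetic: carve a /30 out of the /28 for the router-to-proxy link, shrink the overload pool so it no longer contains the address you hand to a static mapping, and only then write the NAT lines. The script below is an added example, not code from the thread; it uses Python's standard `ipaddress` module to do that arithmetic on the 209.16.241.32/28 block from the posted config, checks for the overlap that the "adjust the pool first" warning is about, and prints the resulting IOS lines. The private proxy address 10.0.0.27 is the one the answer used; the vty access-class restricting management to the 10.0.0.0/24 LAN is an assumed addition in the spirit of the "unless you set up some filtering" remark, not something the thread specified.

```python
import ipaddress

PUBLIC_BLOCK = "209.16.241.32/28"   # /28 behind the posted NAT pool (.33-.46)
PROXY_PRIVATE = "10.0.0.27"         # private proxy address used in the answer
LAN = "10.0.0.0/24"                 # inside LAN from the posted config


def carve_link(block, new_prefix=30):
    """Take the first /new_prefix out of the block for the router<->server link.
    Returns (link_network, router_address, server_address)."""
    net = ipaddress.ip_network(block, strict=True)
    link = next(net.subnets(new_prefix=new_prefix))   # 209.16.241.32/30
    hosts = list(link.hosts())                         # .33 and .34
    return link, hosts[0], hosts[1]


def remaining_pool(block, link, reserve_static=0):
    """Usable addresses of block minus the carved link (network and broadcast
    already excluded by hosts()). The top reserve_static addresses are set
    aside for static NAT; the rest become the overload pool range."""
    net = ipaddress.ip_network(block, strict=True)
    usable = [a for a in net.hosts() if a not in link]
    statics = usable[len(usable) - reserve_static:] if reserve_static else []
    pool = usable[:len(usable) - reserve_static] if reserve_static else usable
    return pool[0], pool[-1], statics


def nat_conflicts(pool_start, pool_end, static_globals):
    """Static inside-global addresses that still fall inside the overload pool.
    Any entry here means the pool was not adjusted before the static mapping."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    return [str(g) for g in map(ipaddress.ip_address, static_globals)
            if start <= g <= end]


def render_ios(pool_start, pool_end, link, router_ip, static_global,
               proxy_private=PROXY_PRIVATE, mgmt_net=LAN):
    """IOS lines implementing the plan; the vty access-class is an assumed
    hardening step, not part of the original answer."""
    mgmt = ipaddress.ip_network(mgmt_net)
    return [
        f"ip nat pool Tuscaloosa-natpool-41600 {pool_start} {pool_end} "
        f"netmask {ipaddress.ip_network(PUBLIC_BLOCK).netmask}",
        "ip nat inside source list 1 pool Tuscaloosa-natpool-41600 overload",
        f"ip nat inside source static {proxy_private} {static_global}",
        "interface Ethernet0",
        f" ip address {router_ip} {link.netmask} secondary",
        f"access-list 10 permit {mgmt.network_address} {mgmt.hostmask}",
        "line vty 0 4",
        " access-class 10 in",
    ]


def plan(block=PUBLIC_BLOCK):
    link, router_ip, server_ip = carve_link(block)
    pool_start, pool_end, statics = remaining_pool(block, link, reserve_static=1)
    conflicts = nat_conflicts(pool_start, pool_end, statics)
    return {
        "link": str(link), "router": str(router_ip), "server": str(server_ip),
        "pool": (str(pool_start), str(pool_end)),
        "static": [str(s) for s in statics], "conflicts": conflicts,
        "ios": render_ios(pool_start, pool_end, link, router_ip, statics[0]),
    }


if __name__ == "__main__":
    # The posted pool .33-.46 plus a static on .46 is exactly the overlap to avoid.
    print("overlap in posted layout:",
          nat_conflicts("209.16.241.33", "209.16.241.46", ["209.16.241.46"]))
    p = plan()
    print("carved link:", p["link"], "router", p["router"], "server", p["server"])
    print("pool:", p["pool"], "static:", p["static"], "conflicts:", p["conflicts"])
    print("\n".join(p["ios"]))
```

Run it and compare the printed pool range and static address against what you type into the router; the `nat_conflicts` check is the one to keep handy, because IOS will not stop you from handing out the same global address both in a pool and in a static mapping.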
ASKER
O.k., I see what you are saying. I think that I'll go with the decision to use IP nat inside (to protect my router!). In other words, take a private IP address (I'll use actual info here so that I can get a "feel" of how to do this) of 10.0.0.13 for the private address and then use nat with the public IP of 209.16.214.33(this will be the address of the proxy server's interface).
This is what I want to do:
Quote:
"To save addresses, you could nat the proxy/ftp/http/whatever server on the router, as in "ip nat inside
source static 10.0.0.27 209.16.241.45" or whatever private ip address your proxy has."
O.k., with this in mind, I set up the NAT on E0, right? Could you give me a brief walk-thru? (I'm no IOS expert!) Thanks!!!! (Your kindness is greatly appreciated!)
Joe
ASKER CERTIFIED SOLUTION
ASKER
Cool, dude. I shall try this and let you know!!
Thanks!!! (I'm going to go ahead and award you the points because you are the man!!)
Joe
ASKER
He stuck in there with me and helped all of the way!!
Just curious:
A previous answer to this was to subnet to /30 from /28. Might this be difficult with only RIP enabled? Or should a routing protocol that forwards 'classless' subnets be used, such as OSPF?
This might lead to other network reconfiguration, but if you are using point-to-point frame links, if I am reading that correctly, then you could summarize from area to area, thus reducing bandwidth usage.
Using a link-state protocol would also reduce topology updates and bandwidth requirements.
Or you could run RIP on the LAN, use OSPF on the WAN, and redistribute in the border router.
Make sense?
Also, you said Ethernet is connected to the internet, but I am reading Serial1.1 as connected to the internet, which would make more sense if you are using frame.
I am no expert on routers, so help me out with this.
Thanks,
#conf t
(config)#int lo0
(config-if)#ip address x.x.x.x y.y.y.y

If you insist on adding it as a secondary address:

#conf t
(config)#int e0
(config-if)#ip address x.x.x.x y.y.y.y secondary

A sub-interface on an Ethernet interface is used when you run ISL trunking between a switch and a router. Then you can do something like:

#conf t
(config)#int e0.1
(config-if)#encap isl 10
(config-if)#ip add x.x.x.x y.y.y.y (address for VLAN 10)
(config-if)#int e0.2
(config-if)#encap isl 20
(config-if)#ip add x.x.x.x y.y.y.y (address for VLAN 20)