Improve company productivity with a Business Account.Sign Up


Creating Sub Int's or Secondaries, Hmmmmmm?????

Posted on 2004-09-01
Medium Priority
Last Modified: 2011-04-14
Im using a 2621 Cisco router for my personal home router.  My DSL service has 5 static IP's that are deliverd to me via  a bridge (vaguely, a DSL modem router combo that I have passing ALL the trafic to the cisco) and currently I have one of the five ip's as the outside (FA0/0) address and I have the other four rotting in cyber space so to say.  
My object is this:
I would like to Have two of the other public (wan) ip's  be an out side in to an ftp server, and second to be an outside in to a HTTP server. (one IP address for each service) At t he same time I would like to apply ACL's to each IP address.
SO...  My question is this....
Would it be better to use seconday interface ip adress scheme, or create sub interfaces, and if I create sub interfaces or secondaries, can I aplly independant acl's to each of them?
thanks in advance for your wisdom!
Question by:CCNPwanabe
  • 2
LVL 43

Expert Comment

ID: 11962415
I'm assuming you are running NAT on the router?

If so, you don't want to assign the public IP addresses to the router.  You want to create static NAT entries pointing to the inside server's IP address:

ip nat inside source static 68.x.x.10 (FTP Server)
ip nat inside source static 68.x.x.11 (WEB Server)

Where, 68.x.x.10 is one of the public IP addresses and is your FTP server...

If you want to apply ACL's to the IP addresses, you should create an inbound access-list on the interface connected to your ISP.  You can restrict what ports are allowed to be forwarded to the inside server.  For example, to restrict the web server to only HTTP traffic, define the following list:

access-list 101 permit tcp any 68.x.x.10 eq 80

This is not the complete list and will break your connection to your ISP if you apply it as is to your outside interface.  You need to specify other permits and let the "deny any" at the end of the list take care of the rest.
LVL 11

Expert Comment

ID: 11968236
It would be better to use static NAT to map these public IPs to private IPs inside your network.

Sub-interfaces are for services that encapsulate several separate subnets over a single physical link, such as frame relay DLCIs, ATM PVCs, or 802.1q VLANs.  None of these apply to your situation.

Secondary addresses are for multiple IP address ranges on the same segment.  This is never a very good idea, but is sometimes these easiest way to resolve some legacy issues that you don't have.


Author Comment

ID: 11973717
Alright, thats good.  An kinda waht I suspectde.  I was however looking for an easy way to secure (so to say) each ip address in its own special way.  Is it posible to apply multiple access-groups  in to one intercace.  I dont want to have to re-write one access list, i would rather just set up mulitle and apply each to the outside interface... can this be done or do I have to use just one?
thanks for your replies (both of you)
LVL 43

Accepted Solution

JFrederick29 earned 375 total points
ID: 11973987
You can only apply one access-list to an interface but you can have multiple access-list statements.  Using notepad to copy/modify and paste the access-list really speeds up ACL modifications.

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question