Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Creating Sub Int's or Secondaries, Hmmmmmm?????

Posted on 2004-09-01
4
Medium Priority
?
279 Views
Last Modified: 2011-04-14
Im using a 2621 Cisco router for my personal home router.  My DSL service has 5 static IP's that are deliverd to me via  a bridge (vaguely, a DSL modem router combo that I have passing ALL the trafic to the cisco) and currently I have one of the five ip's as the outside (FA0/0) address and I have the other four rotting in cyber space so to say.  
My object is this:
I would like to Have two of the other public (wan) ip's  be an out side in to an ftp server, and second to be an outside in to a HTTP server. (one IP address for each service) At t he same time I would like to apply ACL's to each IP address.
SO...  My question is this....
Would it be better to use seconday interface ip adress scheme, or create sub interfaces, and if I create sub interfaces or secondaries, can I aplly independant acl's to each of them?
thanks in advance for your wisdom!
0
Comment
Question by:CCNPwanabe
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11962415
I'm assuming you are running NAT on the router?

If so, you don't want to assign the public IP addresses to the router.  You want to create static NAT entries pointing to the inside server's IP address:

ip nat inside source static 192.168.0.10 68.x.x.10 (FTP Server)
ip nat inside source static 192.168.0.11 68.x.x.11 (WEB Server)

Where, 68.x.x.10 is one of the public IP addresses and 192.168.0.10 is your FTP server...

If you want to apply ACL's to the IP addresses, you should create an inbound access-list on the interface connected to your ISP.  You can restrict what ports are allowed to be forwarded to the inside server.  For example, to restrict the web server to only HTTP traffic, define the following list:

access-list 101 permit tcp any 68.x.x.10 eq 80

This is not the complete list and will break your connection to your ISP if you apply it as is to your outside interface.  You need to specify other permits and let the "deny any" at the end of the list take care of the rest.
0
 
LVL 11

Expert Comment

by:PennGwyn
ID: 11968236
It would be better to use static NAT to map these public IPs to private IPs inside your network.

Sub-interfaces are for services that encapsulate several separate subnets over a single physical link, such as frame relay DLCIs, ATM PVCs, or 802.1q VLANs.  None of these apply to your situation.

Secondary addresses are for multiple IP address ranges on the same segment.  This is never a very good idea, but is sometimes these easiest way to resolve some legacy issues that you don't have.

0
 

Author Comment

by:CCNPwanabe
ID: 11973717
Alright, thats good.  An kinda waht I suspectde.  I was however looking for an easy way to secure (so to say) each ip address in its own special way.  Is it posible to apply multiple access-groups  in to one intercace.  I dont want to have to re-write one access list, i would rather just set up mulitle and apply each to the outside interface... can this be done or do I have to use just one?
thanks for your replies (both of you)
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 375 total points
ID: 11973987
You can only apply one access-list to an interface but you can have multiple access-list statements.  Using notepad to copy/modify and paste the access-list really speeds up ACL modifications.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question