CCNPwanabe

asked on

Creating Sub Int's or Secondaries, Hmmmmmm?????

I'm using a 2621 Cisco router for my personal home router.  My DSL service has 5 static IPs that are delivered to me via a bridge (vaguely, a DSL modem/router combo that I have passing ALL the traffic to the Cisco) and currently I have one of the five IPs as the outside (FA0/0) address and I have the other four rotting in cyber space so to say.
My object is this:
I would like to have two of the other public (WAN) IPs be an outside-in to an FTP server, and the second to be an outside-in to an HTTP server (one IP address for each service). At the same time I would like to apply ACLs to each IP address.
SO...  My question is this....
Would it be better to use a secondary interface IP address scheme, or create sub-interfaces, and if I create sub-interfaces or secondaries, can I apply independent ACLs to each of them?
Thanks in advance for your wisdom!
JFrederick29

I'm assuming you are running NAT on the router?

If so, you don't want to assign the public IP addresses to the router.  You want to create static NAT entries pointing to the inside server's IP address:

! FTP server
ip nat inside source static 192.168.0.10 68.x.x.10
! Web server
ip nat inside source static 192.168.0.11 68.x.x.11

Where 68.x.x.10 is one of the public IP addresses and 192.168.0.10 is your FTP server...

If you want to apply ACLs to the IP addresses, you should create an inbound access-list on the interface connected to your ISP.  You can restrict what ports are allowed to be forwarded to the inside server.  For example, to restrict the web server to only HTTP traffic, define the following list:

access-list 101 permit tcp any host 68.x.x.11 eq 80

This is not the complete list and will break your connection to your ISP if you apply it as is to your outside interface.  You need to specify other permits and let the "deny any" at the end of the list take care of the rest.
PennGwyn

It would be better to use static NAT to map these public IPs to private IPs inside your network.

Sub-interfaces are for services that encapsulate several separate subnets over a single physical link, such as frame relay DLCIs, ATM PVCs, or 802.1q VLANs.  None of these apply to your situation.

Secondary addresses are for multiple IP address ranges on the same segment.  This is never a very good idea, but is sometimes the easiest way to resolve some legacy issues that you don't have.

CCNPwanabe (ASKER)

Alright, that's good.  And kinda what I suspected.  I was however looking for an easy way to secure (so to say) each IP address in its own special way.  Is it possible to apply multiple access-groups in to one interface?  I don't want to have to re-write one access list, I would rather just set up multiple and apply each to the outside interface... can this be done or do I have to use just one?
Thanks for your replies (both of you)
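Pulling JFrederick29's answer and the follow-up question together into one working configuration, as an added example that is not from the thread: the interface names, the router's own public address 68.x.x.9 with a /29 mask, the 192.168.0.0/24 LAN and the FTP, DNS and ICMP return-traffic lines are assumptions for illustration.

```cisco
! Added example (not from the thread). Assumed: FastEthernet0/0 faces the DSL
! bridge and carries the router's own public address 68.x.x.9/29,
! FastEthernet0/1 is the 192.168.0.0/24 LAN, the FTP server is 192.168.0.10
! and the web server is 192.168.0.11. 68.x.x.* are placeholders as in the
! thread; substitute the real public block.
!
! One-to-one static NAT: each spare public IP maps to one inside host. The
! router answers ARP for these global addresses on the outside interface.
ip nat inside source static 192.168.0.10 68.x.x.10
ip nat inside source static 192.168.0.11 68.x.x.11
! Other LAN hosts share the interface address for outbound traffic.
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! A single inbound ACL on the outside interface filters per public IP. The
! inbound ACL is evaluated before NAT, so it matches the public addresses,
! not the 192.168.0.x ones.
access-list 101 remark web server: HTTP only
access-list 101 permit tcp any host 68.x.x.11 eq 80
access-list 101 remark FTP server: control channel only. Active-mode data
access-list 101 remark connections originate from the server and are covered
access-list 101 remark by "established"; passive mode needs its port range.
access-list 101 permit tcp any host 68.x.x.10 eq 21
access-list 101 remark replies to sessions opened from the LAN (stateless:
access-list 101 remark any TCP packet with ACK or RST set matches)
access-list 101 permit tcp any any established
access-list 101 permit udp any eq 53 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 remark everything else is dropped by the implicit deny
!
interface FastEthernet0/0
 ip address 68.x.x.9 255.255.255.248
 ip nat outside
 ip access-group 101 in
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
```

IOS accepts only one access-group per direction on an interface, so the per-address restrictions are separate entries in this one inbound list rather than separate lists applied to the same interface.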
ASKER CERTIFIED SOLUTION
JFrederick29