Need some help with multi IP on single LAN

Posted on 2005-04-30
Last Modified: 2010-04-10
I have a DSL line with 5 static IPs going into a modem/router. The network has 12 workstations and 3 servers (2xNT4 and 1x2000srv). I can't figure out how I can run Exchange on each of the servers (ES55 on the NT4 boxes and ES2000 on 2000srv, each hosting a separate MX) but still have the router running DHCP so each workstation will obtain an IP automatically and be able to access the servers.

How can I map 3 of the static IPs to the 3 servers and then the fourth one for the router's DHCP to spread to the workstations?

If this is not the way to do it, what would be the solution ?

Thanks for any help
Question by:robertdims
    LVL 1

    Expert Comment

    There are two possible solutions; your ability to do what you need will depend on your hardware (most Cisco routers will allow you to do this).

    - give each server a real IP without any NAT, use one IP for NAT and have users share one IP
    - all servers and workstations get private IPs, the external IPs are then assigned a one-to-one NAT mapping while the workstations share.

    Let us know what hardware you have and we can take it from there.
    LVL 5

    Expert Comment

    I am a little confused by exactly what you mean here. I think what you are saying is you want to NAT (breaks one IP into multiple IPs) behind the router, but your servers are also behind the router and you want them to use real IPs. I am pretty sure you can't do this, but I need a little more information about what hardware you're using, mainly the router model. The alternative solution would be to run NAT and DHCP on one of the servers instead of the router.
    LVL 1

    Expert Comment

    Let's define the terms NAT and PAT (the terms get confused and abused)

    NAT = One Outside IP Mapped to One Inside IP - translation is just IP to IP, no port flipping takes place
    PAT = One Outside IP Mapped to Many Inside IPs - translation is done on port and internal IP

    Here is how I would set things up (this is a somewhat inexpensive solution)

    Plug a small switch directly into the modem, give each server a public IP (easier than NAT), plug a small DSL/Cable router into the same switch and give its outside interface a public IP. All internal workstations can be given private IPs by the DSL router.

    Should you need enhanced security, and if you want your workstations to talk to the mail servers on a private network, either get two network cards for each server or go the NAT route. Going NAT will raise costs significantly, as having a router with multiple routed interfaces is expensive.

    LVL 16

    Expert Comment

    Sadly, ender78, your definition only works for Cisco kit; everyone else refers to these differently.
    LVL 16

    Expert Comment

    Whatever your router/firewall device is will have to cope - you chose not to tell us what that is so we can only give you generic hints. :-)

    But you need to set up your NAT mapping something like this. Assuming your "public" IP range is through 8 - your router - one-to-one - First server (say - - one-to-one - Second server (say - - one-to-one - Third server (say - - one-to-many - DHCP scope (say -

    LVL 4

    Author Comment

    Many thanks for the replies. I think ccomley's theory/method is just what I have in mind on how to make the setup work. The router I have for this setup is a Safecom SWAMRU-54108 type model ADSL Modem Router with PS and Wireless; I got 4 of these as they were very cheap at the time when I needed ones with VPN tunnels for testing.

    I also have an Edimax ADSL router.

    The IPs coming in are (some digits changed for ID privacy)

     Number of IP addresses: 8
     IP addresses: -
     Subnet mask:
     Subnet in slash notation: /29
     Network address:
     Broadcast address:
     Router address:
     Number of IP addresses usable by your hosts: 5

    Thanks again for all your help.

    LVL 10

    Expert Comment

    Have you tried the Safecom support forum? This thread covers using multiple routable IPs

    Maybe asking a question on that forum will get you specific help with this.
    LVL 6

    Expert Comment

    The one-to-one NAT is the way to go.

    However, if you don't want all the servers to be public to the internet (DC shouldn't be publicised), Exchange should be 1to1NAT, the Web/whatever server should be 1to1NAT. However, after reading your original post (which I should have to begin with), you just need to set up the one-to-one NAT for the three IPs and you really don't need to set up a public IP for the workstations, just let them get DHCP from behind the router/firewall.

    LVL 27

    Accepted Solution

    I've read this whole thread looking for someone to mention firewall.  Finally, Biljax did.

    Yes, a firewall is what you need.

    Your public IPs should sit in a DMZ network and your inside machines in another. So, a 3 port Ethernet firewall at a minimum.

    I would put the machines you want accessible in a DMZ and do a STATIC NAT to them so that your public IP 82.x.x.10 = (for instance). In your firewall rules, you allow the Internet to access this network with whichever port/service you want to advertise, but ONLY those ports you want to allow. The machines in your DMZ need to be "locked down" so that ONLY the services you need are running, they don't contain ANY other sensitive data, and they're well maintained with OS and App service packs and patches.

    In your private space, you can use NAT/PAT One to Many translation so that only one of your IPs becomes the rest of your private network. So, 82.x.x.14 = for instance.

    Then your firewall is configured to drop all incoming spoofed IPs which are private coming from the Internet, so you would DROP ALL INBOUND 10.x.x.x or 192.168.x.x or 172.16.x.x traffic. Your firewall would have a rule which would allow inside network to communicate with DMZ network with full communication, and limited comm from your DMZ back into your internal network.

    You can take your pick of firewalls to do this, ranging from free (Linux IP tables machine) up to a Sonicwall, PIX, or Checkpoint.

    Hope this helps.
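
The layout described in the accepted answer, sketched for the free Linux iptables option it mentions. This is an added example, not part of the original post: the interface names, the 203.0.113.x public addresses, the 192.168.x private subnets and the choice of SMTP (tcp/25) as the only published service are constructed placeholders and assumptions.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for a WAN/DMZ/LAN firewall.
# Interface names and every address below are constructed placeholders.
WAN_IF=eth0 DMZ_IF=eth1 LAN_IF=eth2
LAN_NET=192.168.20.0/24
PAT_IP=203.0.113.6   # one public IP shared by all workstations (one-to-many)
# public:private pairs for the static one-to-one NAT to the DMZ mail servers
SERVERS="203.0.113.2:192.168.10.2 203.0.113.3:192.168.10.3 203.0.113.4:192.168.10.4"

gen_rules() {
  echo "*nat"
  echo ":PREROUTING ACCEPT [0:0]"
  echo ":POSTROUTING ACCEPT [0:0]"
  for pair in $SERVERS; do
    pub=${pair%%:*} priv=${pair##*:}
    echo "-A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv"
    echo "-A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
  done
  echo "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $PAT_IP"
  echo "COMMIT"
  echo "*filter"
  echo ":INPUT DROP [0:0]"
  echo ":FORWARD DROP [0:0]"
  echo ":OUTPUT ACCEPT [0:0]"
  echo "-A INPUT -i lo -j ACCEPT"
  echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Anti-spoofing first: private source addresses must never arrive from the WAN
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    echo "-A FORWARD -i $WAN_IF -s $net -j DROP"
  done
  echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Internet -> DMZ: only the published service (SMTP assumed here)
  for pair in $SERVERS; do
    echo "-A FORWARD -i $WAN_IF -o $DMZ_IF -d ${pair##*:} -p tcp --dport 25 -j ACCEPT"
  done
  echo "-A FORWARD -i $LAN_IF -o $DMZ_IF -j ACCEPT"   # inside -> DMZ: full access
  echo "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"   # inside -> Internet via PAT
  echo "-A FORWARD -i $DMZ_IF -o $WAN_IF -p tcp --dport 25 -j ACCEPT"  # outbound mail
  echo "-A FORWARD -i $DMZ_IF -o $WAN_IF -p udp --dport 53 -j ACCEPT"  # DNS lookups
  # No DMZ -> LAN rule: new connections from the DMZ inward hit the DROP policy
  echo "COMMIT"
}

# Validate without loading: sh this-script | iptables-restore --test
gen_rules
```

Because DNAT happens in PREROUTING, the FORWARD rules match on the servers' private DMZ addresses, not the public ones.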
    LVL 10

    Expert Comment

    I believe the OP got his answer from the site I posted a link for see
