itsimp
asked on
Cisco 1811 Additional WAN IP Addresses
I need to add the range of IP's provided by ISP to the FE0 interface, but really have no idea where to start..
Have now realised that loopbacks are only internal, and can't quite work out what ip unnumbered does, or how you would bind them to the fe0 interface, and then the additional IPs that I wish to add to that interface
I have used "ip unnumbered" in the past but on a Dialer interface and it points to the loopback interface, e.g.
Interface loopback 10
IP address 81.22.22.10 255.255.255.255
Interface dialer 1
IP unnumbered loopback 10
The loopback address is used to simulate the customer LAN and plays a very important role in the management of the router, e.g. as TACACS source, TFTP source, SNMP source etc.
If you have public IP addresses to add to your WAN FastEthernet interface, why not add them directly, e.g.
Interface FastEthernet 0
Description WAN link to ISP
IP address 201.32.5.1 255.255.255.252
no shut
So you should expect the other end to fall within the same subnet, e.g. 201.32.5.2/30
However, if the FastEthernet was a customer LAN interface, then you could do:
Interface FastEthernet 0
Description Customer LAN interface
IP address 10.1.1.1 255.255.255.240
no shut
Interface dialer 1
IP unnumbered FastEthernet 0
[see also http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00800940b9.shtml ]
Good luck
Koudry
I would imagine that if you are attempting to add multiple IPs to the outside interface it would be to provide access from the outside to a host on the inside, i.e. you want to have a web server on your network accessible from the outside using one of the IPs provided by your ISP. In this case you would use an ip nat statement. For instance, if your web server's internal address was 10.10.10.10 and your outside IP was 192.168.10.2 255.255.255.240 and you wanted your web server to be accessed using the IP 192.168.10.3, the command would be:
ip nat inside source static 10.10.10.10 192.168.10.3
I would assume that you have an access-list applied to your outside interface so don't forget to allow the necessary lines to allow access to the appropriate ports...
If you are actually just trying to make your router addressable by multiple IPs you can use the following on the "outside interface":
ip address <ipaddress> <mask> secondary
I don't know what the limit is on secondary addresses but I know you can do a few at least.
How are you going to use the new IPs? If you are bringing up a new network for servers or whatever, then all you need is an interface on the router with an IP in the range of the new block, then address your other resources on that segment with the remaining IPs.
The last part is to ensure your provider is routing that block to you; once traffic gets to the router, because it has a directly connected interface in the new network, it will route appropriately to the correct destination.
ASKER
They are not new IPs, they are for various other services (have a number of web apps, a number of services that use the same port etc., and need to come in via different IPs)
I will try adding the secondary this evening (has to be done out of hours)
harbor235, I am really confused by your reply, "an interface on the router with an IP in the range of the new block, then address your other resources on that segment with the remaining IPs." How would the interface ever know that it should answer to the other IPs???
It will not route to any destination, unless the interface is aware that it needs to respond to the traffic sent at it...??
I am used to configuring Linux boxes that simply require an "alias" IP to be added to the interface.
Are the IPs in the same network as the IP(s) currently being used? If so the secondary will not work.
If you are adding a different IP range to the same VLAN then you use secondaries.
More information is needed on how the IPs are used and your current IP assignment.
good luck
harbor235 ;}
ASKER
fe0 is on a /30 subnet, and I have a further 8 usable IP addresses that are subsequent to the primary that I want to use.
As a really dirty fix last night I killed the failover interface fe1 (that was connected to a different ISP) and added one of the other allocated IPs to fe1, that way I have at least 2 usable IPs!!
ok we are getting somewhere now ;}
The 8 addresses are in a different block than the /30 !!! Good
Next question is do you wish to use the 8 other addresses for internal services (servers, etc.)?
If they are being used for internal services like web apps from above then you need a separate interface for a new network. One of the IPs is used for the new router interface.
Now if you were going to use the new range for the internal networks and use ip unnumbered on the WAN then that is doable. That way you only need the one range internally and the WAN interface borrows the internal IP for external communication.
Is this what you mean?
Here is a good ip unnumbered doc
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094e8d.shtml
harbor235 ;}
I have a proposed config for the WAN but this config is not 100% correct. I just wanted to know if it looks like what you wanted to do:
!--- Configure primary WAN interface
!
Interface FastEthernet 0
Description Primary WAN Interface
IP address 86.32.5.1 255.255.255.252
no shut
!
!
!--- Configure secondary WAN interface
!
Interface FastEthernet 1
Description Secondary WAN Interface
IP address 81.100.5.1 255.255.255.252
no shut
!
!--- Configure RIP routing
!
router rip
version 2
passive-interface Loopback10
network 81.0.0.0
network 86.0.0.0
redistribute connected
Redistribute static
no auto-summary
!
!
!-----Configure floating static route for backup / secondary WAN
ip route 0.0.0.0 0.0.0.0 81.100.5.1 200
I have added a floating static route pointing to the failover interface (interface 1 IP address).The admin distance is set to 200 because it needs to be higher than the admin distance of RIP which is 120.
Please note that I have not used dialer interfaces here. I will find out if this is required.
As already mentioned, you may need NAT / PAT to allow the internal private addresses to be translated into public IP addresses.
Good luck
Koudry
Please post your current config. Feel free to scrub your IPs... (10.1.1.1 becomes x.x.1.1, etc., passwords are blanked, etc.), but I think it will help us to understand what your primary goal is. Basically you mentioned that the IPs are to be used for other services. I am assuming that the servers for these services are on the inside of your network. If this is the case, then NAT is what you are looking for. I believe that this is what the alias command you mentioned would be doing. As long as your ISP is routing the block of IPs to your outside interface the router will handle traffic appropriately once the NAT statements have been configured.
The NAT commands will also allow you to redirect traffic to alternate ports. For instance, you have inside host 10.10.10.10 that is running three websites on ports 80, 1080 and 2080. You could provide external access to these websites on port 80 by using the following commands:
ip nat inside source static tcp 10.10.10.10 80 <externalIP1> 80
ip nat inside source static tcp 10.10.10.10 1080 <externalIP2> 80
ip nat inside source static tcp 10.10.10.10 2080 <externalIP3> 80
Below is a Cisco doc that might help. But again if you post a scrubbed config it may help us determine the best way for you to accomplish your end goal....
ASKER
Hi
To make this simpler:
My primary IP from ISP is 99.99.180.170. FE0 - outside
I have a further 7 IPs that I need to add, and perform NAT to the internal network.
These addresses are:
- 99.99.180.172
- 99.99.180.175
- 99.99.180.177
- 99.99.180.180
- 99.99.180.181
- 99.99.180.183
- 99.99.180.186
Adding the IPs as secondary does not allow any form of NAT to be performed on the additional IP addresses
I have added the config that I think is relevant, if it helps / clarifies:
interface FastEthernet0
description WAN1 Connection$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
ip address 99.99.180.170 255.255.255.252
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet1
description $ETH-WAN$
ip address dhcp client-id FastEthernet1
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 172.16.10.5 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 99.99.180.169
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 172.16.10.31 443 interface FastEthernet0 443
ip nat inside source static tcp 10.10.100.27 8080 interface FastEthernet0 80
ip nat inside source static tcp 172.16.10.31 25 interface FastEthernet0 25
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static tcp 172.16.10.25 41121 interface FastEthernet0 41121
ip nat inside source static tcp 172.16.10.150 4228 interface FastEthernet0 53
ip nat inside source static tcp 172.16.10.32 3389 interface FastEthernet0 3389
ip nat inside source static tcp 172.16.10.14 3389 interface FastEthernet0 1971
ip nat inside source static tcp 172.16.10.27 3389 interface FastEthernet0 1972
ip nat inside source static tcp 172.16.10.48 3389 interface FastEthernet0 1974
ip nat inside source static tcp 172.16.10.30 3389 interface FastEthernet0 1975
ip nat inside source static tcp 172.16.10.31 3389 interface FastEthernet0 1970
!
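The following is an added example and not code from the thread or from Cisco. It takes the static NAT lines of the kind posted above, resolves the "interface FastEthernet0" form to that interface's primary address, reports which public addresses lie outside the connected WAN /30 (those only reach the router if the ISP routes them to 99.99.180.170), flags exposures a reviewer would question, and generates the extended ACL for the outside interface that the thread notes is missing. CONFIG is constructed from the posted (already scrubbed) config; the two entries using 99.99.180.172 and 99.99.180.175, the inside hosts 172.16.10.40 and 172.16.10.41, and the ACL name OUTSIDE_IN are assumptions.

```python
"""Audit static NAT entries in a Cisco IOS config and build the matching outside ACL.

Added example, not code from the original thread. CONFIG is constructed from
the config the asker posted; the last two NAT lines and the ACL name are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface
from typing import Optional

CONFIG = """\
interface FastEthernet0
 description WAN1 Connection
 ip address 99.99.180.170 255.255.255.252
 ip nat outside
!
interface Vlan1
 ip address 172.16.10.5 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 172.16.10.31 443 interface FastEthernet0 443
ip nat inside source static tcp 10.10.100.27 8080 interface FastEthernet0 80
ip nat inside source static tcp 172.16.10.31 25 interface FastEthernet0 25
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static tcp 172.16.10.150 4228 interface FastEthernet0 53
ip nat inside source static tcp 172.16.10.32 3389 interface FastEthernet0 3389
ip nat inside source static tcp 172.16.10.14 3389 interface FastEthernet0 1971
ip nat inside source static 172.16.10.40 99.99.180.172
ip nat inside source static tcp 172.16.10.41 3389 99.99.180.175 3389
"""


@dataclass(frozen=True)
class Exposure:
    proto: str                  # "tcp", "udp", or "ip" for a whole-address static NAT
    public: str                 # global address as seen from the Internet
    public_port: Optional[int]
    inside: str                 # local host behind the router
    inside_port: Optional[int]


def interfaces(config):
    """Return {name: (IPv4Interface, nat_role)} for every interface with a static address."""
    result, name, iface, role = {}, None, None, None
    for raw in config.splitlines() + ["!"]:
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            if name and iface:
                result[name] = (iface, role)
            name = line.split()[1] if line != "!" else None
            iface, role = None, None
        elif name and line.startswith("ip address ") and "dhcp" not in line and "secondary" not in line:
            _, _, ip, mask = line.split()[:4]
            iface = ip_interface(f"{ip}/{mask}")        # accepts a dotted netmask
        elif name and line in ("ip nat inside", "ip nat outside"):
            role = line.split()[-1]
    return result


def static_nat(config, ifaces):
    """Parse every 'ip nat inside source static' line into an Exposure."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if t[:5] != ["ip", "nat", "inside", "source", "static"]:
            continue                                     # overload / route-map lines are not exposures
        rest = t[5:]
        if rest[0] in ("tcp", "udp"):
            proto, inside, inside_port, rest = rest[0], rest[1], int(rest[2]), rest[3:]
        else:
            proto, inside, inside_port, rest = "ip", rest[0], None, rest[1:]
        if rest[0] == "interface":                       # global address is the interface's primary IP
            public, rest = str(ifaces[rest[1]][0].ip), rest[2:]
        else:
            public, rest = rest[0], rest[1:]
        public_port = int(rest[0]) if rest and rest[0].isdigit() else None
        entries.append(Exposure(proto, public, public_port, inside, inside_port))
    return entries


def needs_isp_route(entries, ifaces):
    """Global addresses outside every 'ip nat outside' subnet. IOS answers ARP for a
    static-NAT address inside the connected subnet; anything else must be routed
    to the WAN address by the ISP or the packets never arrive."""
    outside = [i.network for i, role in ifaces.values() if role == "outside"]
    return sorted({e.public for e in entries
                   if not any(ip_address(e.public) in n for n in outside)}, key=ip_address)


def findings(entries):
    """Exposures a reviewer would question before the box faces the Internet."""
    out = []
    for e in entries:
        if e.inside_port == 3389:
            out.append(f"RDP on {e.inside} reachable via {e.public}:{e.public_port}")
        if e.proto == "ip":
            out.append(f"all ports of {e.inside} reachable via {e.public}")
        if e.public_port == 53 and e.inside_port != 53:
            out.append(f"{e.public}:53 is not DNS, it maps to {e.inside}:{e.inside_port}")
    return out


def outside_acl(entries, name="OUTSIDE_IN"):
    """Inbound ACL for the WAN interface. It is evaluated before NAT rewrites the
    destination, so it must match the public addresses, not the inside hosts."""
    lines, seen = [f"ip access-list extended {name}"], set()
    for e in entries:
        rule = (f" permit ip any host {e.public}" if e.proto == "ip"
                else f" permit {e.proto} any host {e.public} eq {e.public_port}")
        if rule not in seen:
            seen.add(rule)
            lines.append(rule)
    lines.append(" deny ip any any log")
    return lines


if __name__ == "__main__":
    ifs = interfaces(CONFIG)
    nat = static_nat(CONFIG, ifs)
    print("must be routed to us by the ISP:", needs_isp_route(nat, ifs))
    print("\n".join(findings(nat)))
    print("\n".join(outside_acl(nat)))
```

The "interface FastEthernet0" form of a static NAT always translates to that interface's primary address, which is why adding secondaries changed nothing; spreading services across the extra addresses needs the explicit global-address form used in the last two entries. Applying the generated list with ip access-group OUTSIDE_IN in on FastEthernet0 also needs a CBAC ip inspect rule, as the thread warns, or return traffic for outbound sessions is dropped, and the crypto map SDM_CMAP_1 on the same interface means ISAKMP and ESP from the IPsec peer need their own permit lines.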
Your primary assigned IP range: 99.99.180.168 255.255.255.252
-----The usable addresses are 99.99.180.169 and 99.99.180.170
-----The gateway address is 99.99.180.169
-----The interface address is 99.99.180.170
So to verify, above is what you were assigned by your ISP, correct?
You have also been given additional IPs. The IP's you listed are not all in order (gaps). Were you assigned the individual addresses or did they give you a larger subnet and those are the ones you would like to use?
Assuming that the range you have assigned to your outside interface is correct AND that the IP's you listed are individually being routed to your 99.99.180.170 address by your ISP, then all you need is the NAT statements and to modify your outside access-list (of course at this point you don't have one which is probably not a good idea).
For example you can NAT the entire IP to an inside address
ip nat inside source static 172.16.10.X 99.99.180.172
Or just a port
ip nat inside source static tcp 172.16.10.X 3389 99.99.180.172 3389
It is unusual however for an ISP to assign IP's that are not in blocks... and I cannot find any block of IP's that makes sense for the IP's that you listed. Might want to verify what addresses/blocks were assigned by your ISP.
The missing access list is a big deal, especially since you posted the full addresses instead of masking them. Keep in mind that if you apply an ACL you will also need to configure the firewall via ip inspect statements so that outbound return traffic is allowed appropriately.......
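The block arithmetic behind this answer, as an added example that is not part of the original thread: given the (scrubbed) WAN /30 and the seven extra addresses listed above, it checks whether each extra address is inside the connected subnet (where a secondary address would overlap and a static NAT alias already serves it) or must be routed to the router by the ISP, computes the smallest CIDR block that holds the link and all seven (the /27 the asker resubnetted to), and counts the addresses in that block that were never assigned. The WAN, GATEWAY and EXTRA values are taken from the posted config and list.

```python
"""Where do the extra ISP addresses sit relative to the WAN /30?

Added example, not code from the original thread. Inputs come from the
posted config and the asker's list of extra addresses.
"""
from ipaddress import ip_address, ip_interface, ip_network

WAN = "99.99.180.170/255.255.255.252"      # FastEthernet0 primary, from the posted config
GATEWAY = "99.99.180.169"                   # next hop of the posted default route
EXTRA = ["99.99.180.172", "99.99.180.175", "99.99.180.177", "99.99.180.180",
         "99.99.180.181", "99.99.180.183", "99.99.180.186"]   # the seven extra addresses listed


def connected_network(wan=WAN):
    """The subnet the router actually shares with the ISP gateway."""
    return ip_interface(wan).network


def classify(extra=EXTRA, wan=WAN):
    """'connected' if an address lies inside the WAN subnet (IOS answers ARP for it once a
    static NAT uses it; a secondary address would just overlap), 'routed' otherwise
    (it only reaches the router if the ISP routes it to the WAN address)."""
    net = connected_network(wan)
    return {a: ("connected" if ip_address(a) in net else "routed") for a in extra}


def smallest_covering_block(addresses):
    """Shortest prefix that contains every address, i.e. the mask you would need on
    the interface to make all of them look directly connected."""
    first = ip_address(addresses[0])
    for prefix in range(32, -1, -1):
        net = ip_network(f"{first}/{prefix}", strict=False)
        if all(ip_address(a) in net for a in addresses):
            return net
    raise ValueError("unreachable: /0 contains everything")


def unaccounted(block, wan=WAN, extra=EXTRA):
    """Host addresses in block that are neither part of the WAN subnet nor in the extra
    list. A non-empty result means widening the interface mask to this block claims
    addresses that were never assigned; confirm the allocation with the ISP first."""
    known = set(connected_network(wan)) | {ip_address(a) for a in extra}
    return [str(h) for h in block.hosts() if h not in known]


if __name__ == "__main__":
    print("connected subnet:", connected_network(), "gateway:", GATEWAY)
    for addr, kind in classify().items():
        print(f"  {addr}: {kind}")
    block = smallest_covering_block([str(ip_interface(WAN).ip), *EXTRA])
    print("smallest block covering link + extras:", block)
    print("addresses in that block not assigned to you:", len(unaccounted(block)))
```

For the posted values every extra address is "routed", the covering block is a /27, and 19 of its host addresses belong to nobody on this side of the link, which is the reason the answer above asks the asker to confirm with the ISP exactly what was allocated before widening the FastEthernet0 mask.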
ASKER
These are not my actual IP addresses, I have changed the first 2 octets for security, likewise I have changed my private IPs
They are the correct IP addresses and that is how this particular ISP assigns addresses (yes I know it is completely bizarre)
I have re-subnetted the FE0 interface before to a /27 in order to cover all the IPs but simply adding the NAT statement as you suggest does not work, as I can only assume that the 1811 is in no way aware that it is to respond/allow/deal with the traffic, as the IP that it's destined for is not assigned to any interface.
I can assure you that the details are correct, and that this has been working in a production environment for a long time on a Linux based firewall (and it's so easy to add an fe0:1, fe0:2 etc.!). I have had to change to the 1811 so that I can replicate a client problem.
I am aware that there is no ACL, the configuration has been cut down to ensure that other parts are not confusing the issue.
Thanks
Can you post your scrubbed config after adding the NAT statements for the additional IP's?