Solved

Multiple static IPs on Cisco 877

Posted on 2009-03-29
Last Modified: 2012-08-10
Hi, I have just configured my first Cisco 877. The question I have is that my ATM0.1 interface has 1 IP attached to it, and this uses NAT for my other PCs' internet access.

However, I have 8 static IPs from my ISP. How do I add them to my ATM0.1 interface? (Also, these are not in a range, i.e. 70.60.50.1, 70.60.50.5, 70.60.90.2, 70.60.90.5.)
Question by:nxmcdermott
8 Comments

Expert Comment by Quori (LVL 13)
You could add them as secondary IPs to the Dialer interface.

int Dialer1
ip add 70.60.50.1 255.255.255.x secondary

Expert Comment by cstosgale (LVL 10)
This will only add this address to the router.

All you need to do is set up static NAT statements to map your public addresses to the private ones. It doesn't matter if they are not in the same range as the IP on atm0.1, as the ISP will effectively route these IP addresses to your atm0.1 address.

Author Comment by nxmcdermott
Here is my config. I did what you suggested and the internet stopped working. Where should I put my other public static IP address?

Building configuration...

Current configuration : 8403 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
enable secret 5 *****
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2609899583
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2609899583
 revocation-check none
 rsakeypair TP-self-signed-2609899583
!
!
crypto pki certificate chain TP-self-signed-2609899583
 certificate self-signed 01
        quit
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.201 192.168.0.254
ip dhcp excluded-address 192.168.0.1 192.168.0.99
!
ip dhcp pool DHCP
   import all
   network 192.168.0.0 255.255.255.0
   dns-server 192.168.0.2 10.0.1.2
   domain-name *****
   default-router 192.168.0.1
   netbios-name-server 192.168.0.2 10.0.1.2
   lease 8
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip domain name *****
ip name-server 192.168.0.2
ip name-server 10.0.1.2
!
!
!
!
username ***** privilege 15 view root secret 5 *****
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ***** address ***.***.***.***
crypto isakmp key ***** address ***.***.***.***
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to*****
 set peer *****
 set transform-set ESP-3DES-SHA
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to***.***.***.***
 set peer ***.***.***.***
 set transform-set ESP-3DES-SHA
 match address 106
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$
 ip address ***.***.***.*** 255.255.248.0
 ip access-group 103 in
 ip verify unicast reverse-path
 ip flow ingress
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 atm route-bridged ip
 pvc 0/101
  oam-pvc manage
  encapsulation aal5snap
 !
 snmp trap ip verify drop-rate
 crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ***.***.***.***
ip http server
ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 192.168.0.2 eq domain any
access-list 102 deny   ip ***.***.***.*** 0.0.7.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit udp host ***.***.***.*** host ***.***.***.*** eq non500-isakmp
access-list 103 permit udp host ***.***.***.*** host ***.***.***.*** eq isakmp
access-list 103 permit esp host ***.***.***.*** host ***.***.***.***
access-list 103 permit ahp host ***.***.***.*** host ***.***.***.***
access-list 103 permit udp host 10.0.1.2 eq domain any
access-list 103 permit ahp host ***.***.***.*** host ***.***.***.***
access-list 103 permit esp host ***.***.***.*** host ***.***.***.***
access-list 103 permit udp host ***.***.***.*** host ***.***.***.*** eq isakmp
access-list 103 permit udp host ***.***.***.*** host ***.***.***.*** eq non500-isakmp
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.0.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 deny   ip 192.168.0.0 0.0.0.255 any
access-list 103 permit icmp any host ***.***.***.*** echo-reply
access-list 103 permit icmp any host ***.***.***.*** time-exceeded
access-list 103 permit icmp any host ***.***.***.*** unreachable
access-list 103 permit tcp host ***.***.***.*** host ***.***.***.*** eq 443
access-list 103 permit tcp host ***.***.***.*** host ***.***.***.*** eq 22
access-list 103 permit tcp host ***.***.***.*** host ***.***.***.*** eq cmd
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input telnet ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end


Accepted Solution by cstosgale (LVL 10), earned 50 total points
Something that occurs to me is: what are you actually wanting to achieve with these additional IPs? The only reason you would use them would be to make a specific inside host available on the internet.

OK, so to map your other IPs to internal hosts, use:

ip nat inside source static internalip 70.60.50.1

access-list 103 permit tcp any host 70.60.50.1 eq www
etc.

You only need to do this if you want this host to be available on the internet for a specific service such as a mail server or web server.

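An added example (not from the thread) of the static NAT approach in the accepted solution, applied to the configuration the asker posted; the inside hosts 192.168.0.10 and 192.168.0.20 and the ACL sequence numbers are assumptions. It also covers a point the answer skips: ACL 103 ends in "deny ip any any log", so the new permits must be inserted before that line rather than appended after it.

```text
! Added example, not from the thread: static NAT for two of the asker's
! public addresses on the config above. Inside hosts 192.168.0.10 (web)
! and 192.168.0.20 (mail) are assumptions; 70.60.50.1/.5 come from the question.
!
! One-to-one translations. The ISP must already route these addresses to
! the ATM0.1 address, as cstosgale notes; nothing else is needed on ATM0.1.
ip nat inside source static 192.168.0.10 70.60.50.1
ip nat inside source static 192.168.0.20 70.60.50.5
!
! Do not add the permits with "access-list 103 permit ...": a numbered ACL
! appends new entries at the end, after "deny ip any any log", where they
! are never reached. Edit ACL 103 in named mode instead and pick sequence
! numbers lower than the final deny's ("show access-list 103" lists them;
! 301-303 here are placeholders that assume the final deny sits at 310).
ip access-list extended 103
 301 permit tcp any host 70.60.50.1 eq www
 302 permit tcp any host 70.60.50.1 eq 443
 303 permit tcp any host 70.60.50.5 eq smtp
 exit
!
! Check the result: the translations, and the hit counters on the new lines
! once a connection has been attempted from outside.
! show ip nat translations
! show access-list 103
```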

Author Comment by nxmcdermott
I need a web server (HTTP and HTTPS), a mail server (SMTP) and possibly VoIP. On my old router I used to have it in pass-through mode and have the public IPs on the server NICs. I guess it's a bad idea to do this because I will lose the benefits of the Cisco router?

I have seen a way of doing what I want with the "ip address negotiated" command, so I will give that a go and try what you have suggested again.

Many thanks, Nick.

Expert Comment by cstosgale (LVL 10)
The config I posted above will achieve this then.

ip address negotiated will simply allow you to pick up an address dynamically from your ISP, it won't affect this issue.

If it doesn't work with the config above, you will need to confirm your ISP is routing those IPs to your router's IP.

Author Comment by nxmcdermott
Many thanks, cstosgale. I had tried that, but I must have had a typo.

Expert Comment by jeff_hall82
Hey Mate,
You need to plug two Ethernet cables into your router and both into the same switch, or, if you want to be smart, segment the real internet traffic onto a separate switch.

1) Create a VLAN 2 (or whatever).
2) Add your PIP to this interface with the correct subnet.
3) Switchport access that VLAN to the corresponding Ethernet port.
4) If you have a default route out of your dialer with NAT outside on your dialer, you need to create a NO NAT list and add your PIP range to that list (let me know if you need help with that).
5) Set your machine up with the PIP and the DGW as the VLAN 2 IP.

Hey presto, multiple subnets on the same dialer interface with no NAT.

The NAT works as long as you don't want to do IPsec or SFTP or other protocols that have issues with NAT in the packet.

If you're going to host, I highly recommend doing it correctly so there is no NAT between your device and the internet.

Thanks
Jeff
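An added example (not jeff_hall82's own configuration) of the five routed-VLAN steps above applied to the asker's 877. The 70.60.50.0/29 block, the choice of FastEthernet3 and the server address 70.60.50.2 are constructed assumptions; it keeps NAT off the public VLAN and adds the inbound service permits to ACL 103 ahead of its final deny.

```text
! Added example, not jeff_hall82's own config: the five steps above applied
! to the asker's 877. The 70.60.50.0/29 block (which contains the asker's
! 70.60.50.1 and .5), FastEthernet3 and the server address 70.60.50.2 are
! constructed assumptions; the ISP must route the block to the ATM0.1 address.
!
! 1) create the VLAN (on this IOS train the 877 switch VLANs are created in
!    vlan database exec mode; assumption)
vlan database
 vlan 2 name PUBLIC
 exit
!
! 2) the SVI carries the public subnet and is the servers' default gateway.
!    No "ip nat inside" here: this VLAN is routed, not translated.
interface Vlan2
 description public servers, no NAT
 ip address 70.60.50.1 255.255.255.248
 ip virtual-reassembly
!
! 3) one switch port into the VLAN
interface FastEthernet3
 switchport access vlan 2
!
! 4) the NO NAT list. The existing route-map SDM_RMAP_1 only translates
!    sources matched by ACL 101, which permits 192.168.0.0/24 alone, so the
!    public block is already excluded; the explicit deny records that intent.
!    It appends after the permit, which is fine here because the two source
!    ranges do not overlap.
access-list 101 deny ip 70.60.50.0 0.0.0.7 any
!
! Inbound on ATM0.1: ACL 103 ends with "deny ip any any log", so the
! service permits go in through named mode with sequence numbers below the
! final deny's (301-303 are placeholders; check "show access-list 103").
ip access-list extended 103
 301 permit tcp any host 70.60.50.2 eq www
 302 permit tcp any host 70.60.50.2 eq 443
 303 permit tcp any host 70.60.50.2 eq smtp
 exit
!
! 5) on the server: 70.60.50.2/29 with default gateway 70.60.50.1.
```

Because the asker's eight addresses are scattered across two ranges, this layout only covers whichever contiguous block the ISP actually routes to the router; the remaining addresses would still need the static NAT approach from the accepted solution.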