Solved

CISCO 877 and multiple public IP addresses

Posted on 2009-04-08
680 Views
Last Modified: 2012-05-06
Hi guys, I hope somebody can help me with my current issue. I received an 877 from my ISP vendor and everything is working as it should be. The boss now wants another IIS server made public. The IP address of the router is already NAT'd to an internal IIS server using port 80 and we need to use port 80 again for the new IIS server.
Below is provided to us by our ISP.
 IP: xxx.xxx.xxx.24
 Net bits: /29
 Subnet mask: 255.255.255.248
 Total addresses: 8 ( 6 usable)

I tried adding the above using the below:
interface dialer0
 ip add xxx.xxx.xxx.24 255.255.255.248
 ip nat outside

but get this mask error:
Bad mask /29 for address xxx.xxx.xxx.24
I take it I'm going about this completely wrong.

I've pasted parts of my current config below.
Massive thanks in advance for any information.
Wayne

---------------------------------------------
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret x xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!

!
aaa session-id common
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00

class-map type inspect match-all sdm-nat-smtp-2
 match access-group 103
 match protocol smtp
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
class-map type inspect match-any SSH
 match protocol ssh
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
 match class-map SSH
 match access-group name SSH
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 101
 match protocol smtp
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-smtp-2
  inspect
 class class-default
  drop log
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class class-default
  drop log
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 snmp trap link-status
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Dialer0
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.xxx.xxx 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname eircom
 ppp chap password x xxxxxxxxxxxxxxxxxxx
!
ip local pool SDM_POOL_1 192.168.xxx.xxx 192.168.xxx.xxx
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip flow-cache timeout active 1
ip flow-export source FastEthernet0
ip flow-export version 5
ip flow-export destination 192.168.xxx.xxx 2048
ip flow-top-talkers
 top 30
 sort-by bytes
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.xxx.xxx 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.6 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.6 22 interface Dialer0 22
ip nat inside source static tcp 192.168.1.7 8081 interface Dialer0 8081
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended SSH
 remark SDM_ACL Category=128
 permit ip any host 192.168.1.6
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.1.7
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 22
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.1.6
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.1.7
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 deny   ip any any
dialer-list 1 protocol ip permit
snmp-server community xxxxxxx RW
snmp-server location 192.168.xxx.xxx
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps tty
snmp-server enable traps pw vc
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps flash insertion removal
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ipsla
no cdp run
!
!
!
control-plane
!
!
line con 0
 login authentication
 no modem enable
 transport output
line aux 0
 login authentication
 transport output
line vty 0 4
 access-class 104 in
 privilege level 15
 authorization exec
 login authentication
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500


Question by:Blondzer
9 Comments

Assisted Solution

by:EmpKent
EmpKent earned 250 total points
ID: 24100415
Blondzer,

.24 is not a valid IP with a /29 mask. You have to use from .25 to .30 and then .31 is your broadcast.

Thanks,

Kent

Accepted Solution

by:
Blondzer earned 0 total points
ID: 24102205
Thanks EmpKent
That has helped, after adding
interface dialer0
 ip add xxx.xxx.xxx.24 255.255.255.248
 ip nat outside
without an error..
I can now see the below in my config,
ip nat inside source static tcp 192.168.1.19 80 xxx.xxx.xxx.26 80 extendable
ip nat inside source static 192.168.1.19 xxx.xxx.xxx.26

I've tried testing using telnet xxx.xxx.xxx.26 80
but it's failing, I assume I need to permit...??
access-list 101 permit ip any host 192.168.1.19
access-list 101 permit tcp any any eq www
or similar? Sorry, I've not a lot of Cisco experience.

Author Comment

by:Blondzer
ID: 24102426
meant to say .25 not .24

interface dialer0
 ip add xxx.xxx.xxx.25 255.255.255.248
 ip nat outside
without an error..
Now I think I need to permit access to 192.168.1.19/xxx.xxx.xxx.26?

Thanks again
Wayne

Expert Comment

by:EmpKent
ID: 24106673
Wayne,
 
Certainly you will have to allow that traffic in the appropriate ACL..

I am a bit confused, though. You are adding .25 but then forwarding .26 through to 1.19...

I thought you were adding a new IP so that you could host a new web server on it. Maybe this is just a typo.

Thanks,

Kent

Author Comment

by:Blondzer
ID: 24106827
Sorry for the confusion, I'm also confused. ;-)
Currently the router is using .25. I would like to make the next public IP .26 available and NAT incoming port 80 traffic to internal 1.19.
The router IP .25 has port 80 NAT'd to internal 1.6.

Have I made things more confusing ;-)?

Expert Comment

by:EmpKent
ID: 24106866
Not at all. So you need to add .26 to the Dialer0 interface and forward anything on port 80 to 1.19. Then allow it in the ACL just as you described.

Kent

Author Comment

by:Blondzer
ID: 24106976
That's it exactly. Hopefully this is possible and not too complicated?


Author Comment

by:Blondzer
ID: 24107792
I had used SDM to configure the router but after my laptop died I had to reinstall everything. Now SDM doesn't connect so I'll need to use CLI (my preference of course!!).

Author Comment

by:Blondzer
ID: 24112106
Have this working now!!!
ip nat inside source static tcp 192.168.1.19 80 xxx.xxx.xxx.26 80 extendable
access-list 102 permit ip any host 192.168.1.19

Thanks for your help EmpKent

Wayne
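The two things this thread turned on can be checked in software before touching the router: EmpKent's point that .24 is the network address of a /29 (so the usable hosts are .25 to .30 and .31 is broadcast), and Wayne's final fix of putting the second server on its own global address in the static NAT and adding its inside host to the ACL that the `sdm-nat-http-1` class-map references. The script below is an added example and is not code from the thread or from Cisco. It uses the constructed documentation prefix 203.0.113.24/29 in place of the masked ISP block, two constructed config snippets that mirror the thread's "before" and "after" states, and hypothetical function names of my own; it generalises the thread's case by linting any number of `ip nat inside source static tcp` lines for three defects: a global address that is not a usable host of the allocation, two forwards claiming the same global ip:port (the original port 80 clash), and an inside host that no ACL referenced from an inspect class-map permits, which the zone-based firewall would drop.

```python
"""Sanity-check a /29 allocation and the static TCP forwards that use it.

Added example, not code from the thread or from Cisco. 203.0.113.24/29 is a
constructed stand-in for the masked ISP block; BEFORE and AFTER are
constructed config snippets. Standard library only.
"""
import ipaddress
import re


def usable_hosts(cidr):
    """Network address, broadcast address and usable hosts of a prefix."""
    net = ipaddress.ip_network(cidr, strict=True)
    return (str(net.network_address), str(net.broadcast_address),
            [str(h) for h in net.hosts()])


def check_interface_address(addr, cidr):
    """The rule behind the router's 'Bad mask' rejection: an interface address
    must be a usable host of its subnet, never the network or broadcast address."""
    net = ipaddress.ip_network(cidr, strict=True)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return "outside subnet"
    if ip == net.network_address:
        return "network address"
    if ip == net.broadcast_address:
        return "broadcast address"
    return "ok"


# Global side of a static forward is a fixed address or 'interface <name>'.
_STATIC_TCP = re.compile(
    r"^ip nat inside source static tcp (\S+) (\d+) (?:interface (\S+)|(\S+)) (\d+)")
_ACL_HOST = re.compile(r"^access-list (\d+) permit ip any host (\S+)")
_IFACE_ADDR = re.compile(r"^ ip address (\S+) (\S+)")


def lint_static_nat(config, cidr, outside_if="Dialer0"):
    """Return findings (strings) for the static TCP forwards in an IOS config."""
    _, _, hosts = usable_hosts(cidr)
    findings, forwards = [], []
    outside_ip = None       # fixed address on the outside interface, if any
    acl_hosts = {}          # ACL number -> inside hosts it permits
    class_acls = set()      # ACLs referenced by 'match access-group'
    section = None
    for line in config.splitlines():
        if line.startswith("interface "):
            section = line.split()[1]
        elif line.startswith("class-map "):
            section = "class-map"
        elif line and not line.startswith(" "):
            section = None          # back at global config level
        m = _IFACE_ADDR.match(line)
        if section == outside_if and m:
            outside_ip = m.group(1)
        elif section == "class-map" and line.strip().startswith("match access-group "):
            class_acls.add(line.split()[-1])
        m = _STATIC_TCP.match(line)
        if m:
            forwards.append(m.groups())
        else:
            m = _ACL_HOST.match(line)
            if m:
                acl_hosts.setdefault(m.group(1), set()).add(m.group(2))

    claimed = {}            # (global ip, port) -> first inside host:port
    for inside_ip, inside_port, ifname, global_ip, global_port in forwards:
        who = f"{inside_ip}:{inside_port}"
        if ifname:
            # 'ip address negotiated' leaves the address unknown until PPP is up
            target = outside_ip or f"interface {ifname}"
        else:
            target = global_ip
        if not target.startswith("interface") and target not in hosts:
            findings.append(f"{who}: global {target} is not a usable host of {cidr}")
        key = (target, global_port)
        if key in claimed:
            findings.append(f"{target}:{global_port} already forwards to "
                            f"{claimed[key]}; it cannot also reach {who}")
        else:
            claimed[key] = who
        if not any(inside_ip in acl_hosts.get(acl, ()) for acl in class_acls):
            findings.append(f"{inside_ip} is not permitted by any ACL that an "
                            f"inspect class-map references")
    return findings


# Constructed: both web servers squeezed onto the router's own address, and
# the second server not yet in ACL 102.
BEFORE = """\
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
interface Dialer0
 ip address 203.0.113.25 255.255.255.248
 ip nat outside
ip nat inside source static tcp 192.168.1.6 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.19 80 interface Dialer0 80
access-list 102 permit ip any host 192.168.1.6
"""

# Constructed: the second server on its own public address, as in the thread's
# working result.
AFTER = """\
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
interface Dialer0
 ip address 203.0.113.25 255.255.255.248
 ip nat outside
ip nat inside source static tcp 192.168.1.6 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.19 80 203.0.113.26 80 extendable
access-list 102 permit ip any host 192.168.1.6
access-list 102 permit ip any host 192.168.1.19
"""

if __name__ == "__main__":
    print(check_interface_address("203.0.113.24", "203.0.113.24/29"))
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_static_nat(cfg, "203.0.113.24/29") or "clean")
```

The ACL check deliberately looks only at `permit ip any host` lines reached through `match access-group`, which is how the SDM-generated `sdm-nat-http-1` class-map admits traffic to the forwarded host; a config that permits the host some other way would show up as a false positive, so treat the findings as a review list rather than a verdict.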