Solved

Can I bridge a cisco router off to a linux server?

Posted on 2010-09-15
20 comments, 436 views
Last Modified: 2012-05-10
Hi,

We have a scenario where we must "bridge" a Cisco router to the Linux server on the LAN, as we want the Linux server to get the public IP. The thing is, we like the debugging tools on the Cisco router when it comes to PPPoE/PPPoA connections with the ISP (yes, our ISP still uses usernames and passwords).

The problem is, of course, that using the PPPoE command on the router means that the dialer interface gets the CPE address from the ISP, which means that I can't use those public addresses on the connecting port of the Linux server.

Is there a way of connecting to the ISP on the Cisco router with PPPoE and still bridge the router so that the Linux server uses the CPE address?

Or must I essentially turn the linux into a DMZ zone on a different public subnet and use the CPE as a firewall?
Question by: Network_Padawan

20 Comments
LVL 12

Expert Comment

by:Fidelius
ID: 33679952
Hi,

I don't think it is possible.
If you have a static IP (usually it is DHCP negotiated, but some ISPs allow reserving a static IP) and more than one public address, you can make a static NAT on the router for the Linux server.
Other option is to use dynamic NAT and port forward for services on Linux machine you want to be visible outside.

Hope this helps!

Regards!

Author Comment

by:Network_Padawan
ID: 33688186
If I use the static IP option, will that Linux server be able to get out to the internet, as there is no NAT overload doing translation on its outside interface?
LVL 5

Expert Comment

by:piwowarc
ID: 33690044
Static NAT maps a public IP to a LAN IP so every packet is routed to that NIC. You give your server a private address and map it to your public dialer address. As Fidelius said, with static NAT you need more than one public IP as your Linux server will consume the first one. It will have internet access and it will be seen from the internet. The catch is that no one else will be able to access the internet as there are no addresses left to do PAT.

HTH

Chris
LVL 2

Expert Comment

by:PSLmike
ID: 33690167
Can you get your isp to allocate you more than one IP when you login?
Many ISPs will do that for you, and you can then easily create a no-NAT config by using an unnumbered link to the ISP.

For example, you configure your 1st ip on the inside ethernet of the router.
Then configure the dialer interface to be unnumbered (eg ip address unnumbered eth0)
The linux server then takes one of the other addresses that you've been allocated from the same subnet.

I think the only other alternative is to do a 1:1 nat on the cisco, which for most applications will give you the same result that you're looking for. Also easy to set up:

ip nat inside source static <inside ip> <outside ip>

Author Comment

by:Network_Padawan
ID: 33697653
Hey guys, sorry, I'm a little confused:

piwowarc: you said the following: "You give your server private address nad map it to you public dialer address. As Fidelius said with static NAT you need more than one public IP as your Linux server will consume the first one". If I map the private address to the public address and enable NAT on the Linux server via iptables (remember my clients will sit BEHIND the Linux server), won't that be able to NAT all the LAN IP addresses behind the Linux server to the "mapped" public IP? Or am I totally confused?

eg, my router IP is 203.111.1.1 on the dialer interface----> 10.10.10.1/24 is by vlan1 interface IP -----> connects directly to eth0 dev on linux server 10.10.10.3/24 -------> eth1 is 172.16.0.0/25 and all devices sit behind the eth1 and have the 172.16.0.0/25 subnet

what I did was the following......

Router ----: ip nat inside source static 10.10.10.3 interface Dialer1
On linux server --------: enabled NAT overload via iptables

Doesn't this mean that all PRIVATE IPs of 172.16.0.0/25 will NAT overload onto the 10.10.10.3 IP, and since that is mapped to the DIALER interface on the router (which happens to be PUBLIC), can't that route out to the internet?

FYI, I have tested this and it doesn't work, so my logic is obviously flawed. Sorry, having a hard time understanding.

Author Comment

by:Network_Padawan
ID: 33698818
Hey guys, please scratch what I wrote above, I just got more 'details' on what is needed.

Okay, because of the need to provide "conferencing" capabilities, which vendors like HP, Dell etc. do at this site, they "require" an unconditional amount of public IP addresses that can be reached from outside and inside users to connect to electronic hosting demos, like IP phones, or electronic whiteboards, whatever, so I had ordered additional IP addresses from the ISP.

Is the consensus here that all I need to do is a 1:1 static NAT from each internal device to a unique public address? Is that all that is required? And in doing so, will internal LAN IPs be routable to this address also?

Thanks and sorry for the confusion.

Author Comment

by:Network_Padawan
ID: 33698825
Also, finally, since the router also has NAT or PAT for the internal users who are not part of the conference, will PAT cause any issues with the static 1:1 NAT or vice versa?

Thanks
LVL 2

Expert Comment

by:PSLmike
ID: 33698935
If you have plenty of public ip addresses then you don't really need nat at all.
If they're all in the same subnet, then the unnumbered solution I gave you will work well.
If they're a routed subnet provided by the ISP, just use one of them for the router's inside address, and use the PPP-provided one for the outside.

Author Comment

by:Network_Padawan
ID: 33698956
Hi, sorry what is ppp?

Also, I can't just map every internal private IP to a public IP, only clients that request it. We are working on a system that gives out a public IP depending on approved MAC addresses, so it can only be for specific devices, not every device in the private network.

Regards
LVL 2

Expert Comment

by:PSLmike
ID: 33698957
If you need NAT, you can combine NAT and PAT on different public IP addresses easily.
That was the second half of my earlier solution. Just substitute different inside and outside addresses in the NAT statement. You can still overload the dialer (or any other of your addresses) for PAT.
LVL 2

Accepted Solution

by:
PSLmike earned 250 total points
ID: 33698997
Ppp is the "ppp" part of pppoa or pppoe that you mentioned in your first statement.
Perhaps you're making the solution more complicated than you need to.
Does the Linux server also do NAT? I.e., are you using it as another router/firewall?

I don't know of a way that you could allocate a public IP based on MAC address in the Cisco world, so presumably you're doing this on the Linux gateway.

In which case, your best option is no NAT at all on the Cisco. If the pool of public IP addresses you have been given is in the subnet of the router address allocated when you log in, use the unnumbered solution. You would then do all the PAT and NAT on the Linux server.

I think maybe we need a very simple overview/diagram to understand the connectivity between the internal clients, the Linux server, the cisco router, and the Internet.
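Putting PSLmike's two options side by side, as an added example: this is not configuration from the thread or from any of the posters. The addresses are constructed from the RFC 5737 documentation ranges (203.0.113.8/29 standing in for the block the ISP allocates, 10.10.10.0/24 for the private LAN as in the question), the interface names assume a router with a FastEthernet WAN port and a Vlan1 LAN interface, and the PPP username and password are placeholders.

```cisco
! Added example (not from the thread). Addresses are constructed
! (RFC 5737 documentation ranges); ISP credentials are placeholders.
!
! ===== Option A: no NAT on the Cisco (PSLmike's accepted answer) =====
! Applies when the ISP routes a block of public addresses and the PPP
! session's address is inside that same block. The block lives on the
! LAN, the dialer borrows the LAN address, and the Linux server takes a
! public address directly. All NAT/PAT for private clients is then done
! on the Linux box, where the MAC-based allocation also lives.
!
interface FastEthernet0/0
 description WAN port to the DSL modem (modem in bridge mode)
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 description LAN towards the Linux gateway
 ip address 203.0.113.9 255.255.255.248
 ip tcp adjust-mss 1452
!
interface Dialer1
 description PPPoE session to the ISP
 ip unnumbered Vlan1
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname USERNAME@isp.example
 ppp chap password 0 PLACEHOLDER_PASSWORD
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! The Linux server's eth0 then takes 203.0.113.10/29 with 203.0.113.9
! as its gateway and is reachable from the Internet with no translation
! on the router; there is deliberately no "ip nat" anywhere above.
!
! ===== Option B: 1:1 NAT plus PAT on the Cisco (PSLmike's fallback) =====
! Use instead of Option A when the extra public addresses are routed to
! the negotiated dialer address rather than sharing its subnet. The LAN
! stays private; one static entry maps the Linux server to a dedicated
! public address and everyone else is overloaded onto the dialer address.
! (FastEthernet0/0 is configured exactly as in Option A.)
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname USERNAME@isp.example
 ppp chap password 0 PLACEHOLDER_PASSWORD
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! 1:1 entry for the Linux server. Static entries take precedence over
! the overload pool, so the server never lands on the dialer address.
ip nat inside source static 10.10.10.3 203.0.113.10
!
! PAT for everything else on the LAN; the server is excluded from the
! list to keep the intent explicit rather than relying on precedence.
access-list 10 deny   host 10.10.10.3
access-list 10 permit 10.10.10.0 0.0.0.255
ip nat inside source list 10 interface Dialer1 overload
```

Two caveats that follow from the thread. In Option B the public address in the static entry (203.0.113.10 here) must be one the ISP actually routes to the PPP session and must not be the address the dialer negotiates, otherwise the 1:1 entry and the PAT overload fight over it. In either option, a laptop that is to be reachable from outside still needs its own 1:1 mapping on the Linux server (a DNAT/SNAT pair between the address the router delivers and the laptop's fixed private address), which is why Fidelius insists on the laptop having a static address rather than a DHCP lease. `show pppoe session` and `show ip nat translations` on the router are the quickest checks that the session is up and that a static entry is installed.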

Author Comment

by:Network_Padawan
ID: 33699042
Hi Mike, thank you for your patience, I will upload a diagram of the infrastructure tomorrow and what we need, if you could take a quick glance and offer your opinion, that would be enough and I will just test it next week when I return to the office.

Again thanks.
LVL 12

Expert Comment

by:Fidelius
ID: 33699162
Hi,

A network diagram will definitely help to clarify the situation.
As PSLmike said earlier, if you have more than one public IP address it is very easy to solve the problem with one static NAT statement for the Linux server and a PAT statement for all other IPs.

Regards!

Author Comment

by:Network_Padawan
ID: 33721934
Hi Guys,

OK, sorry for the crudeness, but I've had to rush it as I have little time. The attachment is a (very rough) diagram.

We have a Cisco router; 10.100.23.0/24 is the management subnet.
This connects to a managed switch that connects to the Linux server, which acts as a Wi-Fi hotspot service. This currently has NAT enabled, which means clients (laptops) that connect to the Wi-Fi from their SSID network get NATted twice.

What I need to do is have a way I can place a laptop or some other device behind the Linux server which can be given a public IP address, be routable from the outside world, and be able to route outside.

I hope this makes sense. If not, I'll outline more.

Again thanks for your help.
Public-IP-Network-Layout.xlsx
LVL 12

Expert Comment

by:Fidelius
ID: 33722933
Hi,

If you need only one laptop to be routable, and you have more than one public IP address, it is not a problem. You need only two static NAT statements, one on the Cisco and one on the Linux server, and the laptop IP should be static, not DHCP.

If you want more than one, you need multiple statements as above, and a public IP for every host. In other words, all have to be static.
No inside host can be routable from outside if you use PAT or DHCP (without reservation).

Regards!

Author Comment

by:Network_Padawan
ID: 33723078
Hi Fidelius,

Thus my dilemma! Without doing some sort of DMZ (which I cannot do, as clients will sit behind a device and port that is NATted), how can I give the laptops a public IP and expect the outside world to be able to route to it?
LVL 12

Assisted Solution

by:Fidelius
Fidelius earned 250 total points
ID: 33723662
Hi Network_Padawan,

If your hosts are behind a NATted interface, unfortunately there is no way to give the laptops a public IP.
It is only possible to do static NAT for every host.
Sorry!

Regards!

Author Comment

by:Network_Padawan
ID: 33730546
Hi,

I have not requested this to be closed! I wanted to submit points to the two users who have responded.

Can the mod please cancel this?

Author Comment

by:Network_Padawan
ID: 33730557
Object

Author Closing Comment

by:Network_Padawan
ID: 33766671
Thanks guys. Won't be implementing this for another few weeks now, so I'm closing this and will apply your suggestions later. Will update with results when complete.