rtlemke

asked on

Use vlan to isolate a computer

First off, let me apologize for my inexperience in the networking world.  I am part of a small company and I AM the IT guy, and I am learning as I go.

Here is my situation:
I have 5 static IP addresses assigned to me by my internet provider.  Let's say they are 67.67.140.201 - 205.
I currently have one ethernet cable entering the building that supplies my internet connection.  That cable is connected to port 1 of my router, which is set up as its very own vlan (vlan 2).  The rest of the ports on my router are set up on a separate vlan (vlan 1).  I use NAT to direct traffic from the incoming (vlan 2) feed to the rest of the network connected on vlan2.

I have a need to allow someone to access a computer on my network using one of the static IPs (67.67.140.203) that have been assigned to me by my internet provider.  It seems to me that setting up a new vlan for that computer to connect to and then forward the incoming traffic from the 67.67.140.203 IP address to the new vlan would be a reasonable answer to this issue.

Does this seem like a good way to do this?  And if so, how exactly do I go about it.

My initial thought is to assign the incoming IP (67.67.140.203) to the vlan, assign a port on the router to that vlan and then connect the computer to that port.  My only question is: what do I set the computer's IP, gateway, etc. to?  Does this sound right?

If there is a cleaner, better way to do this, please let me know.

Thanks for any help.
Rick
Steve

Why not just use NAT to one of your spare LIVE IP addresses?

You've neglected to tell us what brand / model your router is, and we'd also need a copy of the config (remove your passwords) so we can advise better.

I will be interested in participating once you answer PsychoFelix's question. Usually, configs, a little sketch or so can help in the quick understanding of your situation.
rtlemke

ASKER

I thought about using NAT to direct traffic from the spare IP address (67.67.140.203) to an internal IP and then assigning that IP to the computer in question, but my concern was with security.  If someone is accessing the computer through the NAT, can they access other computers on the network?  I don't want the users that will have access to this computer to be able to get to anything else on the network.  If using NAT will accomplish this then I am all for it.  Thanks again for any help.

The router is a NetVanta 1335 and the current config file is:
!
!
! ADTRAN, Inc. OS version 17.02.01.00.E
! Boot ROM version 15.01.B1
! Platform: NetVanta 1335 PoE, part number 1700525E2
! Serial number LBADTN
!
!
hostname "Router"
no enable password
!
clock timezone -6-Central-Time
!
ip subnet-zero
ip classless
ip default-gateway 67.63.148.201
ip routing
!!ip host "mxmail.company.com" 192.168.88.2
ip host "tc.company.com" 192.168.88.6
ip host "xfer.company.com" 192.168.88.3
ip domain-name "company.com"
ip domain-proxy
ip name-server 64.89.100.2 8.8.8.8
!
!
no ip route-cache express
!
auto-config
!
event-history on
no logging forwarding
no logging email
logging email priority-level info
!
service password-encryption
!
username "administrator" password encrypted "" 
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg h323
!
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
!
!
!
!
!
!
!
vlan 1
  name "Default"
!
vlan 2
  name "Public"
!
vlan 3
  name "Phones"
!
!
interface switchport 0/1
  description Internet
  speed 10
  no shutdown
  switchport access vlan 2
!
interface switchport 0/2
  no shutdown
!
interface switchport 0/3
  no shutdown
!
interface switchport 0/4
  no shutdown
!
interface switchport 0/5
  no shutdown
!
interface switchport 0/6
  no shutdown
!
interface switchport 0/7
  no shutdown
!
interface switchport 0/8
  no shutdown
!
interface switchport 0/9
  no shutdown
!
interface switchport 0/10
  no shutdown
!
interface switchport 0/11
  no shutdown
!
interface switchport 0/12
  no shutdown
!
interface switchport 0/13
  no shutdown
!
interface switchport 0/14
  no shutdown
!
interface switchport 0/15
  no shutdown
!
interface switchport 0/16
  no shutdown
!
interface switchport 0/17
  no shutdown
!
interface switchport 0/18
  no shutdown
!
interface switchport 0/19
  no shutdown
!
interface switchport 0/20
  no shutdown
!
interface switchport 0/21
  no shutdown
!
interface switchport 0/22
  no shutdown
!
interface switchport 0/23
  no shutdown
!
interface switchport 0/24
  no shutdown
!
!
interface gigabit-switchport 0/1
  no shutdown
!
interface gigabit-switchport 0/2
  no shutdown
!
!
!
interface vlan 1
  description IntrAnet
  ip address  192.168.88.1  255.255.255.0
  access-policy Private
  ip route-cache express
  no shutdown
!
interface vlan 2
  description Public IntErnet
  ip address  67.67.140.202  255.255.255.248
  ip address  67.67.140.203  255.255.255.248 secondary
  ip address  67.67.140.204  255.255.255.248 secondary
  ip address  67.67.140.205  255.255.255.248 secondary
  access-policy Public
  no rtp quality-monitoring
  no ip route-cache express
  no shutdown
!
interface vlan 3
  description Phones
  ip address  0.0.0.0  255.255.255.255
  ip route-cache express
  shutdown
!
!
!
!
!
!
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
!
ip access-list extended Serv-u
  permit tcp host 192.168.88.3  any    log
!
ip access-list extended web-acl-10
  remark Admin Access
  permit tcp any  any eq www   log
  permit tcp any  any eq telnet   log
  permit tcp any  any eq ssh   log
!
ip access-list extended web-acl-11
  remark Deltek
  permit tcp any  host 67.67.140.205 eq 7009   log
!
ip access-list extended web-acl-12
  remark Phones
  permit ip any  host 67.67.140.203     log
!
ip access-list extended web-acl-9
  remark Email Server
  permit ip host 192.168.88.2  any    
!
ip access-list extended wizard-pfwd-1
  remark SMTP Mail
  permit tcp any  host 67.67.140.202 eq smtp   log
!
ip access-list extended wizard-pfwd-2
  remark HTTP
  permit tcp any  host 67.67.140.202 eq www   log
!
ip access-list extended wizard-pfwd-3
  remark HTTPS
  permit tcp any  host 67.67.140.202 eq https   log
!
ip access-list extended wizard-pfwd-4
  remark Serv-U
  permit tcp any  host 67.67.140.204 eq https   log
!
ip policy-class Email
  ! Implicit discard!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface vlan 2 overload
  nat source list web-acl-9 address 67.67.140.202 overload
!
ip policy-class Public
  nat destination list wizard-pfwd-4 address 192.168.88.3
  nat destination list wizard-pfwd-1 address 192.168.88.2
  nat destination list wizard-pfwd-2 address 192.168.88.2
  nat destination list wizard-pfwd-3 address 192.168.88.2
  allow list web-acl-10 self
  nat destination list web-acl-11 address 192.168.88.6
  nat destination list web-acl-12 address 192.168.88.7
!
!
!
ip route 0.0.0.0 0.0.0.0 67.67.140.201
!
no ip tftp server
no ip tftp server overwrite
no ip http server
ip http session-limit 5
ip http secure-server 8443
ip http language English
no ip snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
!!!!!
!
line con 0
  login
!
line telnet 0 4
  login
  shutdown
line ssh 0 4
  login local-userlist
  no shutdown
!
!
!
!
!
!
!
!
end


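The two approaches raised in this thread, a separate VLAN for the exposed host and a NAT rule on a spare public address, are not alternatives on a NetVanta: the VLAN gives the host its own Layer 3 interface, and the access-policy attached to that interface is what decides whether the host can reach 192.168.88.0/24. A NAT rule by itself does not isolate anything, because a forwarded host that sits in VLAN 1 shares the subnet with every other intranet machine and never crosses the router's firewall to reach them. What follows is an added example, not code from the thread or from ADTRAN: it models the policy-class evaluation order that the posted config relies on (entries checked top-down, first match wins, implicit discard at the end, as the config's own "! Implicit discard!" comment notes) and applies it to a constructed config that adds a DMZ VLAN with a policy that discards traffic towards the private LAN. Everything about the DMZ (VLAN 4, switchport 0/24, 192.168.89.0/24, host 192.168.89.2, TCP 3389 as the forwarded service) is an assumption for the example. Two things a practitioner would check before applying anything like it: the posted Public policy already forwards all IP traffic for 67.67.140.203 to 192.168.88.7 (web-acl-12, "Phones"), so a new entry for that address must be placed before it or a different spare address chosen; and the model ignores the stateful return-traffic handling of `ip firewall` and the `self` entries, so it is an ordering sanity check, not a substitute for testing from the DMZ port.

```python
"""Added example (not from the original post): a simplified model of the NetVanta
firewall's policy-class evaluation (top-down, first match wins, implicit discard),
used to check offline that a host on a new DMZ VLAN reaches the Internet but not
192.168.88.0/24.  VLAN 4, 192.168.89.0/24, port 0/24, host 192.168.89.2 and TCP
3389 are assumptions for the example, not details from the poster's config."""
import ipaddress

# Constructed config: the proposed DMZ addition plus the existing entries it must
# coexist with (wizard-ics, written here as an extended ACL, and web-acl-12).
CONFIG = """
vlan 4
  name "DMZ"
interface switchport 0/24
  switchport access vlan 4
  no shutdown
interface vlan 4
  ip address  192.168.89.1  255.255.255.0
  access-policy DMZ
  no shutdown
!
ip access-list extended wizard-ics
  permit ip any  any
ip access-list extended dmz-to-intranet
  permit ip any  192.168.88.0 0.0.0.255
ip access-list extended dmz-any
  permit ip any  any
ip access-list extended pfwd-dmz
  permit tcp any  host 67.67.140.203 eq 3389   log
ip access-list extended web-acl-12
  permit ip any  host 67.67.140.203     log
!
ip policy-class Private
  nat source list wizard-ics interface vlan 2 overload
ip policy-class DMZ
  discard list dmz-to-intranet
  nat source list dmz-any address 67.67.140.203 overload
ip policy-class Public
  nat destination list pfwd-dmz address 192.168.89.2
  nat destination list web-acl-12 address 192.168.88.7
"""


def _addr(tokens, i):
    """Parse one ACL address spec (any | host A | A wildcard); return (net, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    ones = int(ipaddress.IPv4Address(tokens[i + 1])).bit_length()  # contiguous wildcard assumed
    return ipaddress.ip_network(f"{tokens[i]}/{32 - ones}", strict=False), i + 2


def parse_config(text):
    """Collect extended ACLs and policy-classes; unrelated config lines are skipped."""
    acls, policies, current = {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!") or t[0] == "remark":
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(t[3], [])
        elif t[:2] == ["ip", "policy-class"]:
            current = policies.setdefault(t[2], [])
        elif t[0] == "permit":                      # permit <proto> <src> <dst> [eq <port>] [log]
            src, i = _addr(t, 2)
            dst, i = _addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            current.append((t[1], src, dst, port))
        elif t[0] in ("allow", "discard"):           # allow|discard list <acl> [self]
            current.append((t[0], t[2], t[2]))
        elif t[:2] == ["nat", "source"]:             # nat source list <acl> <target> overload
            current.append(("nat-source", t[3], " ".join(t[4:-1])))
        elif t[:2] == ["nat", "destination"]:        # nat destination list <acl> address <ip>
            current.append(("nat-destination", t[3], t[5]))
    return acls, policies


def acl_matches(entries, proto, src, dst, dport):
    """True if any ACL entry permits the flow ('ip' matches every protocol)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(p in ("ip", proto) and s in sn and d in dn and port in (None, dport)
               for p, sn, dn, port in entries)


def evaluate(cfg, policy, proto, src, dst, dport=None):
    """(action, target) of the first policy-class entry whose ACL matches the flow."""
    acls, policies = cfg
    for action, acl, target in policies[policy]:
        if acl_matches(acls[acl], proto, src, dst, dport):
            return action, target
    return "discard", "implicit"


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print("DMZ -> LAN:           ", evaluate(cfg, "DMZ", "tcp", "192.168.89.2", "192.168.88.2", 25))
    print("DMZ -> Internet:      ", evaluate(cfg, "DMZ", "tcp", "192.168.89.2", "8.8.8.8", 443))
    print("Internet -> .203:3389 ", evaluate(cfg, "Public", "tcp", "203.0.113.5", "67.67.140.203", 3389))
    print("Internet -> .203 other", evaluate(cfg, "Public", "udp", "203.0.113.5", "67.67.140.203", 5060))
```

Under the example's assumptions the exposed computer is configured with 192.168.89.2/24 and gateway 192.168.89.1 (the `interface vlan 4` address); it never holds the public address itself, since the `nat source ... address 67.67.140.203 overload` and `nat destination` entries translate on the router. Swapping the two entries in policy-class Public makes the model return 192.168.88.7 for the 3389 flow, which is the ordering trap with the existing "Phones" rule. The same first-match logic applies to `allow list web-acl-10 self` in the posted Public policy, which currently permits SSH to the router from any Internet source; narrowing that ACL's source is a separate change from the isolation question, but worth making.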
rtlemke

ASKER

No more input after I supplied the requested information?
ASKER CERTIFIED SOLUTION
Soulja
This solution is only available to members.