rtlemke
asked on
Use vlan to isolate a computer
First off, let me apologize for my inexperience in the networking world. I am part of a small company and I am our IT guy and I am learning as I go.
Here is my situation:
I have 5 static IP addresses assigned to me by my internet provider. Let's say they are 67.67.140.201 - 205.
I currently have one ethernet cable entering into the building that supplies my internet connection. That cable is connected into port 1 of my router which is set up as its very own vlan (vlan 2). The rest of the ports on my router are set up on a separate vlan (vlan 1). I use NAT to direct traffic from the incoming (vlan 2) feed to the rest of the network connected on vlan2.
I have a need to allow someone to access a computer on my network using one of the static IPs (67.67.140.203) that have been assigned to me by my internet provider. It seems to me that setting up a new vlan for that computer to connect to and then forward the incoming traffic from the 67.67.140.203 IP address to the new vlan would be a reasonable answer to this issue.
Does this seem like a good way to do this? And if so, how exactly do I go about it?
My initial thought is to assign the incoming IP (67.67.140.203) to the vlan, assign a port on the router to that vlan and then connect the computer to that port. My only question is: what do I set the computer's IP, gateway, etc. to? Does this sound right?
If there is a cleaner, better way to do this, please let me know.
Thanks for any help.
Rick
I will be interested in participating once you answer PsychoFelix's question. Usually, configs, a little sketch or so can help in the quick understanding of your situation.
ASKER
I thought about using NAT to direct traffic from the spare IP address (67.67.140.203) to an internal IP and then assigning that IP to the computer in question, but my concern was with security. If someone is accessing the computer through the NAT, can they access other computers on the network? I don't want the users that will have access to this computer to be able to get to anything else on the network. If using NAT will accomplish this then I am all for it. Thanks again for any help.
The router is a NetVanta 1335 and the current config file is:
!
!
! ADTRAN, Inc. OS version 17.02.01.00.E
! Boot ROM version 15.01.B1
! Platform: NetVanta 1335 PoE, part number 1700525E2
! Serial number LBADTN
!
!
hostname "Router"
no enable password
!
clock timezone -6-Central-Time
!
ip subnet-zero
ip classless
ip default-gateway 67.63.148.201
ip routing
!!ip host "mxmail.company.com" 192.168.88.2
ip host "tc.company.com" 192.168.88.6
ip host "xfer.company.com" 192.168.88.3
ip domain-name "company.com"
ip domain-proxy
ip name-server 64.89.100.2 8.8.8.8
!
!
no ip route-cache express
!
auto-config
!
event-history on
no logging forwarding
no logging email
logging email priority-level info
!
service password-encryption
!
username "administrator" password encrypted ""
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg h323
!
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
!
!
!
!
!
!
!
vlan 1
name "Default"
!
vlan 2
name "Public"
!
vlan 3
name "Phones"
!
!
interface switchport 0/1
description Internet
speed 10
no shutdown
switchport access vlan 2
!
interface switchport 0/2
no shutdown
!
interface switchport 0/3
no shutdown
!
interface switchport 0/4
no shutdown
!
interface switchport 0/5
no shutdown
!
interface switchport 0/6
no shutdown
!
interface switchport 0/7
no shutdown
!
interface switchport 0/8
no shutdown
!
interface switchport 0/9
no shutdown
!
interface switchport 0/10
no shutdown
!
interface switchport 0/11
no shutdown
!
interface switchport 0/12
no shutdown
!
interface switchport 0/13
no shutdown
!
interface switchport 0/14
no shutdown
!
interface switchport 0/15
no shutdown
!
interface switchport 0/16
no shutdown
!
interface switchport 0/17
no shutdown
!
interface switchport 0/18
no shutdown
!
interface switchport 0/19
no shutdown
!
interface switchport 0/20
no shutdown
!
interface switchport 0/21
no shutdown
!
interface switchport 0/22
no shutdown
!
interface switchport 0/23
no shutdown
!
interface switchport 0/24
no shutdown
!
!
interface gigabit-switchport 0/1
no shutdown
!
interface gigabit-switchport 0/2
no shutdown
!
!
!
interface vlan 1
description IntrAnet
ip address 192.168.88.1 255.255.255.0
access-policy Private
ip route-cache express
no shutdown
!
interface vlan 2
description Public IntErnet
ip address 67.67.140.202 255.255.255.248
ip address 67.67.140.203 255.255.255.248 secondary
ip address 67.67.140.204 255.255.255.248 secondary
ip address 67.67.140.205 255.255.255.248 secondary
access-policy Public
no rtp quality-monitoring
no ip route-cache express
no shutdown
!
interface vlan 3
description Phones
ip address 0.0.0.0 255.255.255.255
ip route-cache express
shutdown
!
!
!
!
!
!
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended Serv-u
permit tcp host 192.168.88.3 any log
!
ip access-list extended web-acl-10
remark Admin Access
permit tcp any any eq www log
permit tcp any any eq telnet log
permit tcp any any eq ssh log
!
ip access-list extended web-acl-11
remark Deltek
permit tcp any host 67.67.140.205 eq 7009 log
!
ip access-list extended web-acl-12
remark Phones
permit ip any host 67.67.140.203 log
!
ip access-list extended web-acl-9
remark Email Server
permit ip host 192.168.88.2 any
!
ip access-list extended wizard-pfwd-1
remark SMTP Mail
permit tcp any host 67.67.140.202 eq smtp log
!
ip access-list extended wizard-pfwd-2
remark HTTP
permit tcp any host 67.67.140.202 eq www log
!
ip access-list extended wizard-pfwd-3
remark HTTPS
permit tcp any host 67.67.140.202 eq https log
!
ip access-list extended wizard-pfwd-4
remark Serv-U
permit tcp any host 67.67.140.204 eq https log
!
ip policy-class Email
! Implicit discard!
ip policy-class Private
allow list self self
nat source list wizard-ics interface vlan 2 overload
nat source list web-acl-9 address 67.67.140.202 overload
!
ip policy-class Public
nat destination list wizard-pfwd-4 address 192.168.88.3
nat destination list wizard-pfwd-1 address 192.168.88.2
nat destination list wizard-pfwd-2 address 192.168.88.2
nat destination list wizard-pfwd-3 address 192.168.88.2
allow list web-acl-10 self
nat destination list web-acl-11 address 192.168.88.6
nat destination list web-acl-12 address 192.168.88.7
!
!
!
ip route 0.0.0.0 0.0.0.0 67.67.140.201
!
no ip tftp server
no ip tftp server overwrite
no ip http server
ip http session-limit 5
ip http secure-server 8443
ip http language English
no ip snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
!!!!!
!
line con 0
login
!
line telnet 0 4
login
shutdown
line ssh 0 4
login local-userlist
no shutdown
!
!
!
!
!
!
!
!
end
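One way to build the separate-VLAN design the question describes, as an added example in NetVanta AOS syntax that is not part of this thread or the posted config; the vlan number, subnet, host address, switchport, service port and the ACL/policy names are assumptions:

```text
! Added example (not from the thread): a dedicated VLAN so that the NAT'd host
! cannot reach the existing 192.168.88.0/24 LAN. Assumed values: vlan 4,
! subnet 192.168.89.0/24, host 192.168.89.10, switchport 0/24, TCP port 443,
! and the names DMZ, dmz-in, dmz-to-lan, dmz-any.
vlan 4
  name "DMZ"
!
interface switchport 0/24
  description Isolated host
  switchport access vlan 4
  no shutdown
!
! The computer itself is configured with 192.168.89.10/24 and gateway 192.168.89.1.
interface vlan 4
  description Isolated host
  ip address 192.168.89.1 255.255.255.0
  access-policy DMZ
  no shutdown
!
! Inbound from the internet: only the one service on the spare public address.
ip access-list extended dmz-in
  remark Spare public address to isolated host (443 is a placeholder; use the real service port)
  permit tcp any host 67.67.140.203 eq 443 log
!
! Traffic from the isolated VLAN toward the private LAN, to be dropped.
ip access-list extended dmz-to-lan
  permit ip 192.168.89.0 0.0.0.255 192.168.88.0 0.0.0.255 log
!
ip access-list extended dmz-any
  permit ip 192.168.89.0 0.0.0.255 any
!
! Policy-class entries are evaluated in order: the discard must precede the NAT rule.
ip policy-class DMZ
  discard list dmz-to-lan
  nat source list dmz-any interface vlan 2 overload
!
! Appended to the existing policy-class applied on interface vlan 2.
ip policy-class Public
  nat destination list dmz-in address 192.168.89.10
```

In the posted config, web-acl-12 already forwards all traffic for 67.67.140.203 to 192.168.88.7 and would match first in policy-class Public, so that entry has to be removed or a different spare address chosen. Traffic from vlan 1 into the new VLAN is still governed by policy-class Private, which this fragment leaves unchanged.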
ASKER
No more input after I supplied the requested information?
ASKER CERTIFIED SOLUTION
You've neglected to tell us what brand / model your router is, and we'd also need a copy of the config (remove your passwords) so we can advise better..