Use vlan to isolate a computer

Posted on 2011-10-04
Last Modified: 2012-08-13
First off, let me apologize for my inexperience in the networking world.  I am part of a small company and I am the IT guy, and I am learning as I go.

Here is my situation:
I have 5 static IP addresses assigned to me by my internet provider.  Let's say they are 67.67.140.201 - 205.
I currently have one ethernet cable entering the building that supplies my internet connection.  That cable is connected to port 1 of my router, which is set up as its very own vlan (vlan 2).  The rest of the ports on my router are set up on a separate vlan (vlan 1).  I use NAT to direct traffic from the incoming (vlan 2) feed to the rest of the network connected on vlan2.

I have a need to allow someone to access a computer on my network using one of the static IPs (67.67.140.203) that have been assigned to me by my internet provider.  It seems to me that setting up a new vlan for that computer to connect to and then forward the incoming traffic from the 67.67.140.203 IP address to the new vlan would be a reasonable answer to this issue.

Does this seem like a good way to do this?  And if so, how exactly do I go about it?

My initial thought is to assign the incoming IP (67.67.140.203) to the vlan, assign a port on the router to that vlan and then connect the computer to that port.  My only question is: what do I set the computer's IP, gateway, etc. to?  Does this sound right?

If there is a cleaner, better way to do this, please let me know.

Thanks for any help.
Rick
Question by:rtlemke
Expert Comment

by:Steve
ID: 36913489
Why not just use NAT to one of your spare LIVE IP addresses?

You've neglected to tell us what brand / model your router is, and we'd also need a copy of the config (remove your passwords) so we can advise better.

Expert Comment

by:Bokis
ID: 36916957
I will be interested in participating once you answer PsychoFelix's question. Usually, configs, a little sketch or so can help in the quick understanding of your situation.
Author Comment

by:rtlemke
ID: 36919913
I thought about using NAT to direct traffic from the spare IP address (67.67.140.203) to an internal IP and then assigning that IP to the computer in question, but my concern was with security.  If someone is accessing the computer through the NAT, can they access other computers on the network?  I don't want the users that will have access to this computer to be able to get to anything else on the network.  If using NAT will accomplish this then I am all for it.  Thanks again for any help.

The router is a Netvanta 1335 and the current config file is:
!
!
! ADTRAN, Inc. OS version 17.02.01.00.E
! Boot ROM version 15.01.B1
! Platform: NetVanta 1335 PoE, part number 1700525E2
! Serial number LBADTN
!
!
hostname "Router"
no enable password
!
clock timezone -6-Central-Time
!
ip subnet-zero
ip classless
ip default-gateway 67.63.148.201
ip routing
!!ip host "mxmail.company.com" 192.168.88.2
ip host "tc.company.com" 192.168.88.6
ip host "xfer.company.com" 192.168.88.3
ip domain-name "company.com"
ip domain-proxy
ip name-server 64.89.100.2 8.8.8.8
!
!
no ip route-cache express
!
auto-config
!
event-history on
no logging forwarding
no logging email
logging email priority-level info
!
service password-encryption
!
username "administrator" password encrypted "" 
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg h323
!
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
!
!
!
!
!
!
!
vlan 1
  name "Default"
!
vlan 2
  name "Public"
!
vlan 3
  name "Phones"
!
!
interface switchport 0/1
  description Internet
  speed 10
  no shutdown
  switchport access vlan 2
!
interface switchport 0/2
  no shutdown
!
interface switchport 0/3
  no shutdown
!
interface switchport 0/4
  no shutdown
!
interface switchport 0/5
  no shutdown
!
interface switchport 0/6
  no shutdown
!
interface switchport 0/7
  no shutdown
!
interface switchport 0/8
  no shutdown
!
interface switchport 0/9
  no shutdown
!
interface switchport 0/10
  no shutdown
!
interface switchport 0/11
  no shutdown
!
interface switchport 0/12
  no shutdown
!
interface switchport 0/13
  no shutdown
!
interface switchport 0/14
  no shutdown
!
interface switchport 0/15
  no shutdown
!
interface switchport 0/16
  no shutdown
!
interface switchport 0/17
  no shutdown
!
interface switchport 0/18
  no shutdown
!
interface switchport 0/19
  no shutdown
!
interface switchport 0/20
  no shutdown
!
interface switchport 0/21
  no shutdown
!
interface switchport 0/22
  no shutdown
!
interface switchport 0/23
  no shutdown
!
interface switchport 0/24
  no shutdown
!
!
interface gigabit-switchport 0/1
  no shutdown
!
interface gigabit-switchport 0/2
  no shutdown
!
!
!
interface vlan 1
  description IntrAnet
  ip address  192.168.88.1  255.255.255.0
  access-policy Private
  ip route-cache express
  no shutdown
!
interface vlan 2
  description Public IntErnet
  ip address  67.67.140.202  255.255.255.248
  ip address  67.67.140.203  255.255.255.248 secondary
  ip address  67.67.140.204  255.255.255.248 secondary
  ip address  67.67.140.205  255.255.255.248 secondary
  access-policy Public
  no rtp quality-monitoring
  no ip route-cache express
  no shutdown
!
interface vlan 3
  description Phones
  ip address  0.0.0.0  255.255.255.255
  ip route-cache express
  shutdown
!
!
!
!
!
!
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
!
ip access-list extended Serv-u
  permit tcp host 192.168.88.3  any    log
!
ip access-list extended web-acl-10
  remark Admin Access
  permit tcp any  any eq www   log
  permit tcp any  any eq telnet   log
  permit tcp any  any eq ssh   log
!
ip access-list extended web-acl-11
  remark Deltek
  permit tcp any  host 67.67.140.205 eq 7009   log
!
ip access-list extended web-acl-12
  remark Phones
  permit ip any  host 67.67.140.203     log
!
ip access-list extended web-acl-9
  remark Email Server
  permit ip host 192.168.88.2  any    
!
ip access-list extended wizard-pfwd-1
  remark SMTP Mail
  permit tcp any  host 67.67.140.202 eq smtp   log
!
ip access-list extended wizard-pfwd-2
  remark HTTP
  permit tcp any  host 67.67.140.202 eq www   log
!
ip access-list extended wizard-pfwd-3
  remark HTTPS
  permit tcp any  host 67.67.140.202 eq https   log
!
ip access-list extended wizard-pfwd-4
  remark Serv-U
  permit tcp any  host 67.67.140.204 eq https   log
!
ip policy-class Email
  ! Implicit discard!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface vlan 2 overload
  nat source list web-acl-9 address 67.67.140.202 overload
!
ip policy-class Public
  nat destination list wizard-pfwd-4 address 192.168.88.3
  nat destination list wizard-pfwd-1 address 192.168.88.2
  nat destination list wizard-pfwd-2 address 192.168.88.2
  nat destination list wizard-pfwd-3 address 192.168.88.2
  allow list web-acl-10 self
  nat destination list web-acl-11 address 192.168.88.6
  nat destination list web-acl-12 address 192.168.88.7
!
!
!
ip route 0.0.0.0 0.0.0.0 67.67.140.201
!
no ip tftp server
no ip tftp server overwrite
no ip http server
ip http session-limit 5
ip http secure-server 8443
ip http language English
no ip snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
!!!!!
!
line con 0
  login
!
line telnet 0 4
  login
  shutdown
line ssh 0 4
  login local-userlist
  no shutdown
!
!
!
!
!
!
!
!
end


Author Comment

by:rtlemke
ID: 36969180
No more input after I supplied the requested information?
Accepted Solution

by:
Soulja earned 2000 total points
ID: 37138394
The only thing you should have to do is set up a one to one NAT from one of your external IPs to the internal IP of the computer the customer is trying to access. You can keep the computer on your internal network, no need to put it on the public side.

Then just restrict the nat to certain ports that are needed to access the computer.
0
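As an added illustration (not part of the accepted answer or of rtlemke's posted config), the fragment below writes Soulja's port-restricted destination NAT in the same AOS style as the posted config, and adds the isolation VLAN the question asked about so that the mapped host cannot reach the 192.168.88.0/24 IntrAnet even if someone logged into it. The internal address 192.168.89.10, VLAN 4, switchport 0/24 and TCP port 3389 are placeholders; the `discard list` and wildcard-mask syntax is assumed to follow AOS's Cisco-like conventions. Note that the posted config already forwards all of 67.67.140.203 to 192.168.88.7 (web-acl-12, "Phones"), so that entry would have to be removed or a different spare address used.

```text
! Added example, not from the original config. Placeholder values:
! partner host 192.168.89.10 in a new VLAN 4, RDP (TCP 3389) as the
! only service exposed, switchport 0/24 as the host's port.
!
! 1. Match only the ports the outside user needs, on the spare address.
!    Anything else sent to .203 falls through to the implicit discard
!    at the end of the Public policy-class.
ip access-list extended pfwd-partner
  remark Partner access, RDP only
  permit tcp any  host 67.67.140.203 eq 3389   log
!
! 2. One-to-one translation of the matched traffic to the internal host.
ip policy-class Public
  nat destination list pfwd-partner address 192.168.89.10
!
! 3. Put the host in its own VLAN so it is not on the IntrAnet at all.
vlan 4
  name "Partner"
!
interface switchport 0/24
  description Partner host
  no shutdown
  switchport access vlan 4
!
interface vlan 4
  description Isolated partner host (gateway for 192.168.89.10)
  ip address  192.168.89.1  255.255.255.0
  access-policy Partner
  no shutdown
!
! 4. Drop anything the partner host sends toward the IntrAnet before
!    letting its remaining traffic out to the Internet via NAT.
!    (discard list / wildcard mask syntax assumed.)
ip access-list extended to-intranet
  remark Partner host must not reach 192.168.88.0/24
  permit ip any  192.168.88.0 0.0.0.255
!
ip policy-class Partner
  discard list to-intranet
  nat source list wizard-ics interface vlan 2 overload
```

With this in place the outside user can reach only TCP 3389 on the one host, and that host's own traffic toward vlan 1 is dropped at the router rather than relying on the NAT alone for isolation.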