• Status: Solved

Break up public IPs on router?

I have one router with the public IPs used as shown below. My goal is to give one of the servers on FE0/1 its own public IP, then have the router NAT to that device. I have several unused IPs on FE0/0. How could I do that utilizing what I have available?

interface Multilink1
 description TO ISP
 ip address 209.209.209.74 255.255.255.252

interface FastEthernet0/0
 description TO SERVERS FACING OUTSIDE WORLD
 ip address 209.209.209.113 255.255.255.248

interface FastEthernet0/1
 description TO LOCAL INTERNAL NETWORK
 ip address 192.168.208.3 255.255.240.0
2 Solutions
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
All you need to do is set up the NAT, e.g.

ip nat inside source static 192.168.208.123 209.209.209.114 extendable

(don't forget the "ip nat inside" and "ip nat outside" on the LAN/provider facing interfaces)

Also, you could move the server network to some other RFC network and do NAT for them too, maybe cutting it down to just PAT ... also I reckon you'll need an outgoing NAT overload to allow internal boxes access to the internet?
Apart from that, I'd suggest adding a decent firewall, possibly with IDS, to protect the systems accessible from the internet from attacks ...
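Putting Garry's one-liner together with the interface roles it depends on, here is a complete configuration for the mapping described above. This is an added example, not Garry's or the asker's configuration; it reuses the interfaces and addresses from the question (inside host 192.168.208.123, unused global address 209.209.209.114 from the FE0/0 /29). The port-restricted form and the choice of TCP/443 are assumptions, borrowed from the service the asker ends up exposing.

```cisco
! Added example: static NAT for one inside server, built on the
! interfaces and addresses from the question. Only the "ip nat"
! lines are new; the interface addresses are the existing ones.
!
! Provider-facing link: packets arriving here are "outside" for NAT,
! so destination 209.209.209.114 is rewritten before routing.
interface Multilink1
 description TO ISP
 ip address 209.209.209.74 255.255.255.252
 ip nat outside
!
! Public server segment. 209.209.209.114 is a spare address in this
! /29 and is used only as the server's global address; the interface
! itself takes no NAT role.
interface FastEthernet0/0
 description TO SERVERS FACING OUTSIDE WORLD
 ip address 209.209.209.113 255.255.255.248
!
! Internal LAN holding the server (192.168.208.123): NAT "inside".
interface FastEthernet0/1
 description TO LOCAL INTERNAL NETWORK
 ip address 192.168.208.3 255.255.240.0
 ip nat inside
!
! Port-restricted static translation (assumed service: HTTPS/443).
! Only TCP/443 to 209.209.209.114 is forwarded to the server; every
! other port on .114 stays unreachable. The address-only form
! "ip nat inside source static 192.168.208.123 209.209.209.114 extendable"
! would expose all ports of the server instead.
ip nat inside source static tcp 192.168.208.123 443 209.209.209.114 443 extendable
```

Two checks after applying it: `show ip nat translations` should list the static entry for 209.209.209.114:443 permanently, and `show ip nat statistics` should report Multilink1 under "Outside interfaces" and FastEthernet0/1 under "Inside interfaces"; a missing `ip nat inside`/`ip nat outside` is the usual reason the translation never hits. Two caveats follow from IOS order of operations: an inbound access list on Multilink1 is evaluated before the outside-to-inside translation, so it has to permit tcp/443 to host 209.209.209.114 (the global address), not to 192.168.208.123; and the server's replies are only translated when they are routed from the inside interface out through an interface marked `ip nat outside`, so if this router hands internet-bound traffic to another device (as the asker mentions) the return path for the server must still leave via the outside interface, which is what the asker's route-map later arranges.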
 
Fred Marshall (Principal) commented:
Why do you want to NAT to a public range?  Why not just route?  The reason revealed may help with answers.

Seems like a waste of public addresses to me!  That's because the outside public address is all that's seen on the outside.  So why not make those internal addresses private ones since they're invisible anyway?  At least then I'd understand why you'd need NAT there.

This often gets involved with the model of router you have.
In a Cisco RV042, for example, the device can be set up in "Gateway" mode (which means NAT) and "Router" mode (which means "no NAT").  

See Scenario 3 at http://www.dslreports.com/faq/15918

 
First Last (Author) commented:
Garry-G

Your question: also I recon you'll need an outgoing nat overload to allow internal boxes access to the internet?

My Answer: Actually, this router sends everything to another device for internet access. Kind of strange, but I'm working on fixing that later.

Your Suggestion: I'd suggest adding a decent firewall, possibly with IDS,

My Feedback: Yes, we actually have a large ASA and IDS that we use for internet filtering. What I was trying to do is move some items from other office locations to this router. Then I'll migrate over to the firewall later. I don't spend much time doing Cisco so I try to break it into smaller pieces especially when it comes to migrating services. So far I've had no availability problems, but things do take a bit longer.

fmarshall

Your question: Why do you want to NAT to a public range?  Why not just route?

My Answer: I have the available IPs and wanted to visually keep things separate for my own well being. That way I can say this IP is for X and another is for Y. Also, when I migrate everything over later I think it would be easier on me. If I was more experienced then I definitely would do as you suggested. Until that time I break things out very small and try to keep separation.


Here is the configuration I added to make it work:

ip nat inside source static tcp 192.168.208.123 443 209.209.209.114 443 extendable

ip access-list extended ExpertsExchange
 permit tcp host 192.168.208.123 eq 443 any

route-map external permit 90
 match ip address ExpertsExchange
 set ip next-hop 209.209.209.113