First Last asked:
Break up public IPs on router?
I have one router with the public IPs used as shown below. My goal is to give one of the servers on FE0/1 its own public IP, then have the router NAT to that device. I have several unused IPs on FE0/0. How could I do that utilizing what I have available?
interface Multilink1
 description TO ISP
 ip address 209.209.209.74 255.255.255.252
!
interface FastEthernet0/0
 description TO SERVERS FACING OUTSIDE WORLD
 ip address 209.209.209.113 255.255.255.248
!
interface FastEthernet0/1
 description TO LOCAL INTERNAL NETWORK
 ip address 192.168.208.3 255.255.240.0
ASKER
Your question: also I reckon you'll need an outgoing NAT overload to allow internal boxes access to the internet?
My Answer: Actually, this router sends everything to another device for internet access. Kind of strange, but I'm working on fixing that later.
Your Suggestion: I'd suggest adding a decent firewall, possibly with IDS.
My Feedback: Yes, we actually have a large ASA and IDS that we use for internet filtering. What I was trying to do is move some items from other office locations to this router. Then I'll migrate over to the firewall later. I don't spend much time doing Cisco so I try to break it into smaller pieces, especially when it comes to migrating services. So far I've had no availability problems, but things do take a bit longer.
fmarshall
Your question: Why do you want to NAT to a public range? Why not just route?
My Answer: I have the available IPs and wanted to visually keep things separate for my own well-being. That way I can say this IP is for X and another is for Y. Also, when I migrate everything over later I think it would be easier on me. If I was more experienced then I definitely would do as you suggested. Until that time I break things out very small and try to keep separation.
Here is the configuration I added to make it work:
! Static port forward: TCP 443 arriving on public 209.209.209.114 is translated to the
! internal server 192.168.208.123. IOS requires both ports in the form
! <local-ip> <local-port> <global-ip> <global-port>; the local port was missing above.
! Assumed but not shown: "ip nat inside" on FastEthernet0/1, "ip nat outside" on Multilink1,
! and "ip policy route-map external" applied on FastEthernet0/1 so the route-map takes effect.
ip nat inside source static tcp 192.168.208.123 443 209.209.209.114 443 extendable
!
! ACL matching only the server's HTTPS return traffic (source port 443), used by the route-map below
ip access-list extended ExpertsExchange
 permit tcp host 192.168.208.123 eq 443 any
!
! Policy-route the matched return traffic to the given next hop instead of the default path
route-map external permit 90
 match ip address ExpertsExchange
 set ip next-hop 209.209.209.113
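A small audit of a configuration like the one above, added here as an example and not part of the thread: it parses the connected subnets and every static NAT entry, reports what each entry exposes, and flags a global address that no connected subnet covers (the ISP's route would never deliver it to this router), a network or broadcast address, and a full 1:1 mapping that opens every port of the inside host rather than one service. The sample configuration is constructed from the addressing in the question plus two hypothetical extra NAT lines to exercise the checks.

```python
import ipaddress
import re

# Constructed sample: the interface addressing from the question, the asker's
# port-forward in full IOS syntax (local ip, local port, global ip, global port),
# plus two hypothetical entries (.115 full 1:1 and .200 off-subnet) for the checks.
SAMPLE_CONFIG = """
interface Multilink1
 ip address 209.209.209.74 255.255.255.252
interface FastEthernet0/0
 ip address 209.209.209.113 255.255.255.248
interface FastEthernet0/1
 ip address 192.168.208.3 255.255.240.0
ip nat inside source static tcp 192.168.208.123 443 209.209.209.114 443 extendable
ip nat inside source static 192.168.208.50 209.209.209.115
ip nat inside source static tcp 192.168.208.60 25 209.209.209.200 25
"""

ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
PORT_NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
FULL_NAT_RE = re.compile(r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")


def connected_networks(config):
    """Every directly connected subnet, taken from the 'ip address <addr> <mask>' lines."""
    return [ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            for m in map(ADDR_RE.match, config.splitlines()) if m]


def audit_static_nat(config):
    """One record per static NAT entry: what it exposes and any problems found."""
    nets = connected_networks(config)
    records = []
    for line in config.splitlines():
        if m := PORT_NAT_RE.match(line):
            proto, local, _lport, glob, gport = m.groups()
            exposure = f"{proto}/{gport}"          # single service forwarded
        elif m := FULL_NAT_RE.match(line):
            local, glob = m.groups()
            exposure = "all ports"                 # full 1:1 mapping
        else:
            continue
        g = ipaddress.ip_address(glob)
        issues = []
        owner = next((n for n in nets if g in n), None)
        if owner is None:
            issues.append("global address is not in any connected subnet; the ISP route for it will not terminate here")
        elif g in (owner.network_address, owner.broadcast_address):
            issues.append("global address is the subnet's network or broadcast address")
        if exposure == "all ports":
            issues.append(f"1:1 mapping exposes every port of {local}")
        records.append({"global": glob, "local": local, "exposure": exposure, "issues": issues})
    return records


if __name__ == "__main__":
    for record in audit_static_nat(SAMPLE_CONFIG):
        print(record)
```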