Break up public IPs on router?

I have one router with the public IPs used as shown below. My goal is to give one of the servers on FE0/1 its own public IP, then have the router NAT to that device. I have several unused IPs on FE0/0. How could I do that utilizing what I have available?

interface Multilink1
 description TO ISP
 ip address 209.209.209.74 255.255.255.252

interface FastEthernet0/0
 description TO SERVERS FACING OUTSIDE WORLD
 ip address 209.209.209.113 255.255.255.248

interface FastEthernet0/1
 description TO LOCAL INTERNAL NETWORK
 ip address 192.168.208.3 255.255.240.0

ASKER CERTIFIED SOLUTION
Garry Glendown
This solution is only available to members.
SOLUTION

ASKER

Garry-G

Your question: also I reckon you'll need an outgoing NAT overload to allow internal boxes access to the internet?

My Answer: Actually, this router sends everything to another device for internet access. Kind of strange, but I'm working on fixing that later.

Your Suggestion: I'd suggest adding a decent firewall, possibly with IDS,

My Feedback: Yes, we actually have a large ASA and IDS that we use for internet filtering. What I was trying to do is move some items from other office locations to this router. Then I'll migrate over to the firewall later. I don't spend much time doing Cisco, so I try to break it into smaller pieces, especially when it comes to migrating services. So far I've had no availability problems, but things do take a bit longer.

fmarshall

Your question: Why do you want to NAT to a public range?  Why not just route?

My Answer: I have the available IPs and wanted to visually keep things separate for my own well-being. That way I can say this IP is for X and another is for Y. Also, when I migrate everything over later I think it would be easier on me. If I was more experienced then I definitely would do as you suggested. Until that time I break things out very small and try to keep separation.


Here is the configuration I added to make it work:

! Static PAT: expose TCP/443 of the internal server on the spare public
! address 209.209.209.114 taken from the FastEthernet0/0 block
ip nat inside source static tcp 192.168.208.123 209.209.209.114 443 extendable

! Match the server's HTTPS replies so they can be policy-routed
ip access-list extended ExpertsExchange
 permit tcp host 192.168.208.123 eq 443 any

! Policy-route that traffic via the FastEthernet0/0 address
! (the interface "ip nat inside"/"ip nat outside" and "ip policy route-map"
! assignments are not shown in this snippet)
route-map external permit 90
 match ip address ExpertsExchange
 set ip next-hop 209.209.209.113
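As an added sanity check (not part of the post or of any answer on the page), the following Python script parses the interface addresses and the static NAT line quoted above, verifies that the chosen public address is a usable spare host in the FastEthernet0/0 block rather than the router's own or a network/broadcast address, and lists the remaining unused public addresses. The config text is reconstructed from the post; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the interface addresses and static NAT line from the post.
ROUTER_CONFIG = """\
interface Multilink1
 description TO ISP
 ip address 209.209.209.74 255.255.255.252
interface FastEthernet0/0
 description TO SERVERS FACING OUTSIDE WORLD
 ip address 209.209.209.113 255.255.255.248
interface FastEthernet0/1
 description TO LOCAL INTERNAL NETWORK
 ip address 192.168.208.3 255.255.240.0
ip nat inside source static tcp 192.168.208.123 209.209.209.114 443 extendable
"""

IFACE_RE = re.compile(r"^interface (\S+)\n(?: description[^\n]*\n)? ip address (\S+) (\S+)", re.M)
NAT_RE = re.compile(r"^ip nat inside source static (?:tcp|udp) (\S+) (\S+) (\d+)", re.M)

def parse_interfaces(cfg):
    """Map interface name -> IPv4Interface (address plus mask)."""
    return {name: ipaddress.IPv4Interface(f"{addr}/{mask}")
            for name, addr, mask in IFACE_RE.findall(cfg)}

def check_static_nat(cfg, outside_if="FastEthernet0/0", inside_if="FastEthernet0/1"):
    """Return a list of problems with the static NAT lines (empty list means OK).

    The public address must be a usable host in the outside subnet and not the
    router's own address; the inside address must lie in the inside subnet.
    """
    ifaces = parse_interfaces(cfg)
    outside, inside = ifaces[outside_if], ifaces[inside_if]
    problems = []
    for local, public, _port in NAT_RE.findall(cfg):
        local_ip, public_ip = ipaddress.IPv4Address(local), ipaddress.IPv4Address(public)
        if public_ip not in outside.network:
            problems.append(f"{public}: not in {outside.network}")
        elif public_ip in (outside.network.network_address, outside.network.broadcast_address):
            problems.append(f"{public}: network/broadcast address")
        elif public_ip == outside.ip:
            problems.append(f"{public}: is the router's own {outside_if} address")
        if local_ip not in inside.network:
            problems.append(f"{local}: not in {inside.network}")
    return problems

def spare_public_addresses(cfg, outside_if="FastEthernet0/0"):
    """Usable outside-subnet addresses not used by the router or any NAT line."""
    outside = parse_interfaces(cfg)[outside_if]
    used = {outside.ip} | {ipaddress.IPv4Address(p) for _, p, _ in NAT_RE.findall(cfg)}
    return [str(h) for h in outside.network.hosts() if h not in used]

if __name__ == "__main__":
    print("problems:", check_static_nat(ROUTER_CONFIG) or "none")
    print("spare public addresses:", spare_public_addresses(ROUTER_CONFIG))
```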