Solved

Break up public IP's on router?

Posted on 2011-10-20
Last Modified: 2012-08-13
I have one router with the public IPs used as shown below. My goal is to give one of the servers on FE0/1 its own public IP, then have the router NAT to that device. I have several unused IPs on FE0/0. How could I do that utilizing what I have available?

interface Multilink1
 description TO ISP
 ip address 209.209.209.74 255.255.255.252

interface FastEthernet0/0
 description TO SERVERS FACING OUTSIDE WORLD
 ip address 209.209.209.113 255.255.255.248

interface FastEthernet0/1
 description TO LOCAL INTERNAL NETWORK
 ip address 192.168.208.3 255.255.240.0
Question by:First Last
3 Comments
LVL 18

Accepted Solution

by:
Garry Glendown earned 1000 total points
ID: 37002331
All you need to do is set up the NAT, e.g.

ip nat inside source static 192.168.208.123 209.209.209.114 ext

(don't forget the "ip nat inside" and "ip nat outside" on the LAN/provider facing interfaces)

Also, you could move the server network to some other RFC network and do NAT for them too, maybe cutting it down to just PAT ... also I reckon you'll need an outgoing nat overload to allow internal boxes access to the internet?
Apart from that, I'd suggest adding a decent firewall, possibly with IDS, to protect the systems accessible from the internet from attacks ...
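The accepted answer gives the static NAT line and reminds you to mark the inside and outside interfaces; the following is an added example (not the answerer's or the asker's configuration) that puts those pieces together using the addresses from the question. It assumes 209.209.209.114 is one of the free addresses on the FE0/0 /29 and that Multilink1 is the interface Internet traffic arrives on; the question does not say which interface carries the default route, so adjust the "ip nat outside" placement to match.

```cisco
! Added example, not the poster's config: static NAT for one internal
! server using a spare public address from the FE0/0 /29.
!
! Which side is "inside" and which is "outside" decides what gets translated.
interface Multilink1
 description TO ISP
 ip address 209.209.209.74 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description TO LOCAL INTERNAL NETWORK
 ip address 192.168.208.3 255.255.240.0
 ip nat inside
!
! One-to-one mapping: 192.168.208.123 is reachable from outside as
! 209.209.209.114 (assumed free; .113 is the router, .119 is broadcast).
! Every port on the server becomes reachable through this mapping.
ip nat inside source static 192.168.208.123 209.209.209.114 extendable
!
! Narrower alternative that exposes only TCP/443
! (syntax: local-ip local-port global-ip global-port):
! ip nat inside source static tcp 192.168.208.123 443 209.209.209.114 443 extendable
!
! Verify from enable mode:
! show ip nat translations
! show ip nat statistics
```

The port-specific form is the one to prefer for a server that only needs to serve HTTPS: the one-to-one mapping makes every listening service on the host reachable from the Internet, whereas the TCP/443 mapping limits exposure to the one port that is actually needed.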
LVL 26

Assisted Solution

by:Fred Marshall
Fred Marshall earned 1000 total points
ID: 37003560
Why do you want to NAT to a public range?  Why not just route?  The reason revealed may help with answers.

Seems like a waste of public addresses to me!  That's because the outside public address is all that's seen on the outside.  So why not make those internal addresses private ones since they're invisible anyway?  At least then I'd understand why you'd need NAT there.

This often gets involved with the model of router you have.
In a Cisco RV042, for example, the device can be set up in "Gateway" mode (which means NAT) and "Router" mode (which means "no NAT").  

See Scenario 3 at http://www.dslreports.com/faq/15918

LVL 1

Author Closing Comment

by:First Last
ID: 37006891
Garry-G

Your question: also I recon you'll need an outgoing nat overload to allow internal boxes access to the internet?

My Answer: Actually, this router sends everything to another device for internet access. Kind of strange, but I'm working on fixing that later.

Your Suggestion: I'd suggest adding a decent firewall, possibly with IDS,

My Feedback: Yes, we actually have a large ASA and IDS that we use for internet filtering. What I was trying to do is move some items from other office locations to this router. Then I'll migrate over to the firewall later. I don't spend much time doing Cisco so I try to break it into smaller pieces especially when it comes to migrating services. So far I've had no availability problems, but things do take a bit longer.

fmarshall

Your question: Why do you want to NAT to a public range?  Why not just route?

My Answer: I have the available IPs and wanted to visually keep things separate for my own well being. That way I can say this IP is for X and another is for Y. Also, when I migrate everything over later I think it would be easier on me. If I was more experienced then I definitely would do as you suggested. Until that time I break things out very small and try to keep separation.


Here is the configuration I added to make it work:

ip nat inside source static tcp 192.168.208.123 443 209.209.209.114 443 extendable

ip access-list extended ExpertsExchange
 permit tcp host 192.168.208.123 eq 443 any

route-map external permit 90
 match ip address ExpertsExchange
 set ip next-hop 209.209.209.113