ssardella

Cisco Router SB-107 and Multiple IP addresses

I am setting up an ADSL connection with a Cisco SB-107 router. The ADSL line is configured as RFC 1483 (routed with LLC) - see config below. This router is in front of a Watchguard firewall. My ISP gave me 2 IP addresses (1 for the router and 1 for the firewall), however I'm having huge issues with NAT and can never get through to my email server. What I want to achieve (very simple) is to be able to access my email and web server from outside my network using the secondary IP address (128.**.**.96). I've tried several different configs on my router, without success. Can anyone correct my config below? Any help would be greatly appreciated.

ROUTER IP: 77.**.**.130/255.255.255.252
FIREWALL IP: 128.**.**.96/255.255.255.252


!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 ***********
enable password ***********
!
no aaa new-model
!
!
ip name-server 8.8.8.8
!
!
!
!
!
!
!
interface Ethernet0
 description $ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address 77.**.**.130 255.255.255.252
 ip nat outside
 no snmp trap link-status
 pvc 8/35
  encapsulation aal5snap
 !
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface ATM0.1 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
snmp-server community public RO
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password *****
 login
!
scheduler max-task-time 5000
end
surbabu140977

You said the firewall is behind the router. Where is it? I do not see any interface in the router with an IP address of 128.**.**.97 or 128.**.**.98, which should be connected to the firewall.

There is also no route to reach 128.**.**.96 from the router.

Please note that if you do NATting, it is not possible to connect to your host from outside unless there is a static NAT defined. Since you do not have any spare public IP address, you have to define something as below.

If the firewall IP is 128.**.**.97 and the mail server is 10.10.10.100, you have to define static NAT as 10.10.10.100:25 mapped to 128.**.**.97:25.

I do not understand why 10.10.10.1 is defined in the router for the LAN. The router is supposed to be connected to the firewall, and the default gateway of the hosts should be the firewall.

Best,
skullnobrains

set up NAT to the email server on the firewall, which should allow the email server to receive packets.

then since you probably do not want asymmetric routing, you'd also need the server's return packets to be sent back to the firewall. doing source NAT on the firewall would work but i assume your mail server needs the remote IP in order to operate properly

if you have the router in between, this would require either having the firewall be the router's gateway, or configuring policy routing on the router so packets coming from the mail server are routed through the firewall

---

note that it would probably be MUCH simpler to connect the firewall to the mailserver directly. as i gather, the firewall is more or less dedicated to this traffic in your setup. you could easily configure the server to use the firewall as its default gateway without breaking the traffic from the LAN, probably without doing any changes, and at worst by adding a route on the mail server if it's in some kind of DMZ.
ssardella

ASKER

That's because I haven't been able to set up the secondary IP.

10.10.10.1 is the router's LAN interface between router and firewall. Firewall is 10.10.10.2 (WAN).

INTERNET > ROUTER (1 ip) > FIREWALL (1 ip)
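
The static NAT suggested in surbabu140977's reply, written out for the topology the asker describes (firewall WAN at 10.10.10.2 behind the router), as an added example that is not from any poster in this thread. It assumes the ISP routes the second public address to the router's WAN interface; 198.51.100.10 is a constructed placeholder for the masked address, and the ACL name INTERNET-IN is hypothetical.

```cisco
! Added example, not part of the posted running config.
! 198.51.100.10 = constructed placeholder for the second public address
!                 (masked on this page); substitute the real one.
! 10.10.10.2    = firewall WAN address, as stated by the asker.
! Assumption: the ISP routes the second address to this router's ATM0.1.
!
! Publish only SMTP and HTTP on the second address. Port-level static
! entries keep every other port on that address untranslated.
ip nat inside source static tcp 10.10.10.2 25 198.51.100.10 25 extendable
ip nat inside source static tcp 10.10.10.2 80 198.51.100.10 80 extendable
!
! Inbound filter on the DSL subinterface. On IOS the inbound ACL is
! evaluated before outside-to-inside translation, so it matches the
! public (global) address, not 10.10.10.2.
ip access-list extended INTERNET-IN
 remark services published on the second public address
 permit tcp any host 198.51.100.10 eq smtp
 permit tcp any host 198.51.100.10 eq www
 remark nothing else may reach the second address; log the attempts
 deny   ip any host 198.51.100.10 log
 remark leave traffic for the router address and PAT sessions unchanged
 permit ip any any
!
interface ATM0.1 point-to-point
 ip access-group INTERNET-IN in
!
! The existing interface roles already fit this design:
!   Ethernet0 -> ip nat inside
!   ATM0.1    -> ip nat outside
!
! The firewall must then forward TCP 25 and 80 arriving on 10.10.10.2
! to the mail/web server behind it.
!
! Checks from exec mode after applying:
!   show ip nat translations      (the two static entries are listed)
!   show ip access-lists INTERNET-IN   (hit counters per line)
```

Because the translation preserves the source address, the firewall and mail server still see the real remote IP, and replies return through the router along the same path.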
ASKER CERTIFIED SOLUTION
skullnobrains
