Can I configure a /30 transport network and a /29 usable on the same router?

Can I configure a /30 transport network and a /29 usable on the same router? It would be a Cisco 891.  Comcast used to just give us a /29 usable which we configured on our 891 and everything was great.  Now they give us a /30 for transport and a /29 usable.  The only way I know how to do it is to have one router with one interface facing the internet with the /30 and one IP address from the /29 on the other interface.  Then use a second router with one interface with an IP address from the /29 and point the default route to the first router.  My client is not crazy about buying 2 routers for every location.  I was able to get Comcast to provision only the /29 but it was a big hassle and their internal ACLs were causing all kinds of problems.
ktylman Asked:

Jody Lemoine, Network Architect, Commented:
Absolutely. There are multiple ways to do it, depending on your needs.

If you want to just use the /29 as a NAT pool, you can configure the /30 on the WAN interface and start adding NAT entries using the /29 addresses, keeping the LAN interface private.

If you need a different configuration, post an outline of what you'd like and I'll advise as best I can. You won't likely need two routers regardless.

Jody
ktylman (Author) Commented:
I would like to have an IP address from the /29 on an interface, maybe a VLAN interface, and be able to control access to it with an ACL and be able to telnet into it.  However, your idea is interesting.  Would the default route to the Comcast side of the /30 apply to both subnets?  Could I do static NATs with this configuration?  I assume I would control access to both subnets with the ACL on the WAN interface.  Trying to get my head around this...
Jody Lemoine, Network Architect, Commented:
The default route would only be on the WAN interface with the /30 and inbound ACLs would also be applied on this interface.

If you want to actually put the /29 on a VLAN so that machines can be physically assigned IP addresses from this range, that's certainly possible. On the other hand, if you're just using the /29 as a NAT pool, that gives you two more addresses to work with – NAT pools not being subject to the normal restrictions on actual IP subnets.

You could do something like this:

interface GigabitEthernet0
 description WAN
 ip address 206.0.113.2 255.255.255.252
 ip nat outside
!
interface Vlan1
 description LAN
 ip address 172.24.0.1 255.255.252.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 206.0.113.1
!
ip access-list extended ACL_NAT
 permit ip 172.24.0.0 0.0.3.255 any
!
ip nat pool NAT_Pool_WAN 192.0.2.0 192.0.2.0 prefix-length 29
ip nat inside source list ACL_NAT pool NAT_Pool_WAN overload
ip nat inside source static 172.24.0.2 192.0.2.1
ip nat inside source static 172.24.0.3 192.0.2.2
ip nat inside source static 172.24.0.4 192.0.2.3
ip nat inside source static 172.24.0.5 192.0.2.4
ip nat inside source static 172.24.0.6 192.0.2.5
ip nat inside source static 172.24.0.7 192.0.2.6
ip nat inside source static 172.24.0.8 192.0.2.7

This applies the /30 to the WAN, sets your NAT overload to use the first address in your /29 pool and statically assigns 1:1 NAT entries to the remaining seven addresses.
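Added example, not part of the original thread or written by its participants: a small Python audit of the NAT lines in the configuration above. It checks that every NAT global address sits inside the routed /29, that the overload address is not reused by a static entry, and lists the 1:1 mappings that the inbound ACL on the WAN interface has to account for. The helper name `audit_nat` and its report keys are hypothetical; the addresses are the ones used in the answer.

```python
import ipaddress
import re

# Constructed input: the NAT lines of the configuration posted above.
CONFIG = "\n".join(
    ["ip nat pool NAT_Pool_WAN 192.0.2.0 192.0.2.0 prefix-length 29",
     "ip nat inside source list ACL_NAT pool NAT_Pool_WAN overload"]
    + [f"ip nat inside source static 172.24.0.{n + 1} 192.0.2.{n}" for n in range(1, 8)]
)

POOL_RE = re.compile(r"^ip nat pool \S+ (\S+) (\S+) prefix-length \d+$", re.M)
STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)$", re.M)


def audit_nat(config, routed_block, transport):
    """Check NAT global addresses against the routed block (hypothetical helper)."""
    block = ipaddress.ip_network(routed_block)
    findings = []
    if block.overlaps(ipaddress.ip_network(transport)):
        findings.append(f"{block} overlaps the transport network")
    pool = set()
    for start, end in POOL_RE.findall(config):
        lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        pool.update(ipaddress.ip_address(i) for i in range(lo, hi + 1))
    statics = {}
    for local, glob in STATIC_RE.findall(config):
        addr = ipaddress.ip_address(glob)
        if addr in statics:
            findings.append(f"{addr} has more than one static mapping")
        statics[addr] = local
    for addr in sorted(pool | set(statics)):
        if addr not in block:
            findings.append(f"{addr} is outside {block}")
    for addr in sorted(pool & set(statics)):
        findings.append(f"{addr} is used by both the overload pool and a static entry")
    return {
        "findings": findings,
        # 1:1 entries are reachable inbound unless the WAN ACL filters them
        "inbound_reachable": {str(a): statics[a] for a in sorted(statics)},
        "unused": [str(a) for a in sorted(set(block) - pool - set(statics))],
        "interface_hosts": block.num_addresses - 2,  # if the /29 sat on a VLAN
        "nat_addresses": block.num_addresses,        # if used purely for NAT
    }


if __name__ == "__main__":
    for key, value in audit_nat(CONFIG, "192.0.2.0/29", "206.0.113.0/30").items():
        print(key, value)
```

A static 1:1 entry translates every port in both directions, so each address under `inbound_reachable` is exposed to the internet unless the inbound ACL on the WAN interface restricts it.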

ktylman (Author) Commented:
I am liking this.  Wouldn't the IP NAT inside command go on the LAN interface?  Also if I need a VPN tunnel I assume the crypto map command would go on GigabitEthernet0.  And if I don't need to assign machines IP addresses on the 172.24.0.0 I don't need a VLAN interface in this network.
Jody Lemoine, Network Architect, Commented:
The "ip nat inside" would go on the LAN interface, per the above configuration.

If you're using a crypto map for VPN, you'll definitely put that on the WAN interface and source from the /30. (I advise using Tunnel interfaces rather than crypto maps for modern configurations, but that's another topic.)

I only used 172.24.0.0 as an example of a private IPv4 address range. You would substitute that and the Vlan1 interface with whatever private IPv4 range and interface you're using for your LAN.
ktylman (Author) Commented:
I was confusing the /29 with the private network.  My bad.  Thanks for your quick and very helpful response!