I've set up a Cisco 1601 router (yes, I know it's outdated, but no use purchasing a new one if this one is doing the job), the WAN interface is serial link to a Network Terminating Unit which establishes the company internet connection.
The setup is like this:
x.x.4.181 netmask 255.255.255.252
gateway x.x.4.182 (ESR on the other side of the NTU - belongs to the ISP)
x.x.17.185 netmask 255.255.255.248
x.x.186.49 netmask 255.255.255.240 secondary
x.x.14.49 netmask 255.255.255.240 secondary
Very straightforward at the moment: one port of a bridge is connected to the LAN port, the other port is connected to a Catalyst 2950 switch (x.x.186.61).
The Catalyst 2950 connects all the company servers (in networks x.x.17.184, x.x.186.48 and x.x.14.4) together with the LAN firewall; the LAN firewall is performing NAT for the company network. The LAN firewall has IP x.x.186.62 on the WAN side.
Now, where I need your input and help if you could please spare the time...
The main problem is, we are trying to minimize the use of public IPs. At the moment, besides the servers, we are using 3 public IPs on the router and another on the LAN firewall, as well as the one on the switch, and the switch IP should not be public anyway.
So far, I have considered the following:
1) The switch IP can be removed (or set to a private IP and a notebook connected to the switch when it should be configured) or just using the console port for configuration.
2) If I can somehow do away with the LAN firewall using a public IP, maybe by using a private IP on the WAN side and another private IP on the router's LAN side (as another secondary). However, I've tried this configuration and couldn't get it working. I'm assuming I need to implement some form of NAT on the router as well; I know more or less how to do that, but I don't want to affect the existing setup by my changes (I don't want the servers to use NAT on the router side at all, only the LAN firewall, so I just need to NAT 1 IP on that side). Or does someone have a better idea than NAT?
3) Is there some remote possibility that we don't have to use so many IPs on the router? I know in a previous setup we used 3 static routes to forward to a firewall, but this has been replaced by a very intelligent bridge which does most of the work previously accomplished by the firewall. The bridge has no IP address associated with it. The router on the ESR side (x.x.4.182) has 3 static routes set up as follows:
route x.x.17.184 netmask 255.255.255.248 x.x.4.181
route x.x.186.48 netmask 255.255.255.240 x.x.4.181
route x.x.14.48 netmask 255.255.255.240 x.x.4.181
So they are not using any IP addresses in these ranges. Would it somehow be possible for us to do something similar? I have considered some kind of bridging but have no clue how to implement it.
4) And another question: would it be possible to configure the Catalyst to use VLANs or something to connect both sides of the LAN firewall to the Catalyst (meaning splitting the x.x.17.184, x.x.186.48 & x.x.14.48 IPs from the private IPs, yet connecting them on the same physical switch)? Is this a very bad idea? Would it be safe? And how should it be accomplished? This would also help in moving the Catalyst's management to a private IP.
Any suggestions or ideas on any of these would be highly appreciated. We need to conserve as many IPs as possible, since we are running many servers on our network and we're adding about 1 extra server a month. This also means that the 'IP waste' will become a lot more as we add more public IP blocks (1 IP wasted for every block set up).
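The following is an added illustration of points 2 and 4, not the poster's running configuration: a single static NAT entry on the 1601 for the firewall's WAN address only, and a two-VLAN layout on the 2950 that keeps the public server segment and the private side of the firewall apart while moving switch management onto the private side. Everything not in the post is an assumption: the interface names (Serial0, Ethernet0, FastEthernet0/1 to 0/3), the private transit subnet 192.168.250.0/30 between router and firewall, the management subnet 192.168.1.0/24, the placeholder <PUBLIC-NAT-IP> (one address out of an existing public block), and that the 1601's IOS image includes NAT support (an IP Plus feature set on the 1600 series) and the 2950 runs an IOS release that accepts `vlan` configuration mode.

```cisco
! Added example, not the poster's config. Placeholders and constructed values:
!   <PUBLIC-NAT-IP>      one free address from an existing public block
!   192.168.250.0/30     constructed private transit net router <-> firewall
!   192.168.1.0/24       constructed private management/LAN net
!
! ===== Cisco 1601 router =====
interface Serial0
 description Link to ISP NTU; x.x.4.182 is the ISP gateway
 ip address x.x.4.181 255.255.255.252
 ip nat outside
!
interface Ethernet0
 description Public server blocks plus private transit to the LAN firewall
 ip address x.x.17.185 255.255.255.248
 ip address x.x.186.49 255.255.255.240 secondary
 ip address x.x.14.49 255.255.255.240 secondary
 ip address 192.168.250.1 255.255.255.252 secondary
 ip nat inside
!
! One-to-one static mapping for the firewall's WAN address only.
! With no dynamic or overload rule, hosts in the public blocks match
! nothing and are routed untranslated, as the post requires.
ip nat inside source static 192.168.250.2 <PUBLIC-NAT-IP>
!
ip route 0.0.0.0 0.0.0.0 x.x.4.182
!
! ===== Catalyst 2950 switch =====
vlan 10
 name PUBLIC-SERVERS
vlan 20
 name PRIVATE-LAN
!
! Router uplink, public servers and the firewall's WAN port: VLAN 10
interface FastEthernet0/1
 description Uplink towards the 1601 (via the bridge)
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 description LAN firewall, WAN side (192.168.250.2)
 switchport mode access
 switchport access vlan 10
!
! Firewall's LAN port and internal hosts: VLAN 20
interface FastEthernet0/3
 description LAN firewall, LAN side
 switchport mode access
 switchport access vlan 20
!
! Management only from the private side: shut the VLAN 1 SVI, use VLAN 20
interface Vlan1
 no ip address
 shutdown
!
interface Vlan20
 ip address 192.168.1.2 255.255.255.0
 no shutdown
!
ip default-gateway 192.168.1.1
```

With this layout the firewall's default route points at 192.168.250.1 and its WAN address never appears on the Internet; outside hosts see <PUBLIC-NAT-IP>, and nothing on the ISP side changes because the ISP's three static routes already deliver the public blocks to x.x.4.181. The switch is then reachable for management only from VLAN 20, which answers the "switch IP should not be public" point. Two caveats worth checking before relying on it: the 2950 keeps only one management SVI active at a time, so VLAN 1 must be shut before VLAN 20 is used; and the separation is only as good as the port assignments, so unused ports belong in a spare VLAN or shut down rather than left in VLAN 1. On point 3, the router needs one address in each public block because it is the default gateway for the servers in that block, so the one-address-per-block cost is inherent to routing those blocks rather than bridging them.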