Need to convert all public ip addr network to mostly private ip

May 2nd, 2008

This may be a newbie Q, but I only have experience with a totally public IP address network. I need to be able to start using private IP addresses and have my CAT 5000 (SUP II & RSM), 2524 Router, and 2924 switches be able to handle private IP addresses. Plus I have a Microsoft ISA 2006 server (firewall) between the 2524 and the CAT 5000. This may or may not be complicated. I am willing to get down and dirty, but I have no idea where to begin.

Rick Morris Fri, 05/02/2008 - 08:00

Couple of fact finding questions:

All these resources that use public IPs, will they need to be accessed from a public network at any point in time?

Are you running DNS for all these resources?

One thing that may be a little bit of a pain is to add the private blocks in your network, provide DHCP for workstations, and statically assign the servers. Build a VLAN topology and assign each host to the specific VLAN it needs to be in; this will in turn pull the DHCP info. You will also have to make sure you provide the routing function in your network for this setting as well. You can use secondary IPs on your Ethernet interfaces to provide access to both networks.

It will help with pointing you in the right direction if you can provide a topology.

What I see is this so far.

2524 --- firewall --- 5000


2524 Ethernet interface:

interface Ethernet0
 ip address 10.0.0.1 255.0.0.0 secondary

*if needed for intervlan routing (each subinterface also needs an encapsulation statement, ISL or 802.1Q, matching the switch trunk, and the router/IOS must support trunking on that port):

interface Ethernet0.1
 description VLAN 1 Management
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet0.10
 description VLAN 10 Host Connections
 ip address 10.0.10.1 255.255.255.0
!
interface Ethernet0.20
 description VLAN 20 Server Connections
 ip address 10.0.20.1 255.255.255.0

This will be the default gateway for your firewall.


5000: I am not sure if the 5000 does layer 3 or not; you may need to use the router for intervlan routing.

VLAN database:

VLAN 1 - Management
VLAN 10 - Host Connections
VLAN 20 - Server Connections

The default gateways for the devices will be the IP address of the VLAN they are connected to.

When a workstation boots, it sends out a broadcast for the DHCP server. The DHCP will have to be set up to send out the new IP address, default gateway, DNS, and WINS info as well to make this work.

It is a little headache but something that can be worked through.

You will then need to set up NAT to send your private IP to a public IP for internet access. The best way to do this is to do NAT overload to one IP address.
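
Rick's NAT overload step, as an added example config that is not from this thread: it assumes Serial0 is the new ISP uplink inside a documentation block (203.0.113.0/29), Ethernet0 faces the ISA, and 10.0.0.0/16 is the private block being introduced; only private sources are translated, so the servers that keep public addresses are untouched.

```cisco
! Added example, not from the thread. Assumptions: Serial0 = ISP uplink
! (203.0.113.0/29 is a documentation block standing in for the new ISP
! assignment), Ethernet0 = toward the ISA, 10.0.0.0/16 = new private block.
interface Serial0
 description ISP uplink (assumed)
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
interface Ethernet0
 description toward ISA firewall and the inside segments
 ip address 199.171.140.1 255.255.255.0
 ip nat inside
!
! Translate only RFC 1918 sources. Hosts that keep public addresses match
! nothing here and are routed untouched, which is what you want during the
! transition (no accidental double-NAT of the public servers).
access-list 1 permit 10.0.0.0 0.0.255.255
!
! "Overload to one IP address": a one-address pool from the ISP block, and
! every private inside source is PAT'd onto it.
ip nat pool ISP-ONE 203.0.113.3 203.0.113.3 netmask 255.255.255.248
ip nat inside source list 1 pool ISP-ONE overload
!
! Default to the ISP. If the firewall routes (rather than NATs) the private
! block, the router also needs a way back to it via the ISA outside address.
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 10.0.0.0 255.255.0.0 199.171.140.20
!
! Check with: show ip nat translations  (one entry per private flow)
```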

OptimusBob Fri, 05/02/2008 - 08:39

Well, where to begin?


Topology:
========

2524 router (199.171.140.1)
        |
2924 switch (199.171.140.2)
        |
(199.171.140.20) {In front of FW}
MS ISA 2006 Firewall (Windows 2003 R2 SP2)
(199.171.141.1) {Behind FW}
        |
CAT 5000 (Supervisor II & RSM routing modules)
        |                      |                      |
2924 switch            2924 switch            2924 switch
(199.171.141.0         (204.253.154.0         (204.253.155.0
 segment)               segment)               segment)
        |                      |                      |
       ...                    ...                    ...


I have two Windows 2003 domain controllers (204.253.155.25 & 204.253.155.28), which are also the DNS servers.


I have a DHCP, RAS, WINS server (INT #1 - 204.253.154.109, INT #2 - 204.253.155.109)


The CAT 5000 has VLANs setup for each segment.


None of the 2924 switches have more than one VLAN. I use the whole switch for a given segment.


FYI, almost all devices have static ip addresses.


Reasoning: we downsized years ago and I had more network hardware than we needed. I basically kept the same setup we had; I just moved it to our new location. We have 8 full class C address blocks. I had no need for 4 of them, but I kept using the other 4 because everything was set up and worked.

Now, I need to cut costs and change ISP, so I will only get a few class C addresses.


So, what I am trying to do (for now) is have a PC on any current segment use a private static IP address and be able to communicate with all internal and external network devices. Like I said, I'm no expert, so am I way off base? Is there a way to mix private and public IPs on the same segment?


BTW, my 2524 and CAT 5000 do not have recent software, both are on IOS 11.2. The 2924 switches have the latest available for them.

OptimusBob Fri, 05/02/2008 - 11:00

OK, I got it working!


1. I had to "route add" to my firewall

2. I had to specify the private address range as "internal" on my firewall

3. I had to configure the routing module (RSM) on my CAT 5000 so that each VLAN had a private address as a secondary "ip address"


My firewall was already performing NAT functions, so nothing to do there. Eventually almost all my class C addresses will become private IP addresses, except a few servers that need to be reached publicly.
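
The three steps above, as an added example that is not OptimusBob's actual configuration: an RSM config where each VLAN keeps its public primary address and gains a private secondary, plus the matching firewall-side route. It assumes the RSM holds .2 on every segment, one private /24 per VLAN carved from 10.1.0.0/16, and the ISA inside interface staying at 199.171.141.1; the DHCP server address is the one given in the thread.

```cisco
! Added example for the RSM, not OptimusBob's config. Assumptions: the RSM
! holds .2 on every segment; private /24s come from 10.1.0.0/16, numbered
! after each public segment; the ISA inside interface stays 199.171.141.1.
interface Vlan1
 description 199.171.141.0 segment (toward the ISA)
 ip address 199.171.141.2 255.255.255.0
 ip address 10.1.141.2 255.255.255.0 secondary
 ! no DHCP server on this segment: relay client broadcasts to it
 ip helper-address 204.253.154.109
!
interface Vlan10
 description 204.253.154.0 segment (DHCP/RAS/WINS server lives here)
 ip address 204.253.154.2 255.255.255.0
 ip address 10.1.154.2 255.255.255.0 secondary
!
interface Vlan20
 description 204.253.155.0 segment (domain controllers / DNS)
 ip address 204.253.155.2 255.255.255.0
 ip address 10.1.155.2 255.255.255.0 secondary
!
! Everything not local goes to the ISA, which already does the NAT.
ip route 0.0.0.0 0.0.0.0 199.171.141.1
!
! Step 1 from the post, on the ISA host itself (Windows 2003 cmd.exe, -p
! makes the route persistent across reboots; RSM address is the assumption):
!   route -p add 10.1.0.0 mask 255.255.0.0 199.171.141.2
! Step 2: add 10.1.0.0-10.1.255.255 to the ISA "Internal" network so the
! firewall treats those sources as inside and NATs them instead of
! rejecting them as unknown.
!
! Caveat: the relay stamps the VLAN's primary (public) address into giaddr,
! so the Windows DHCP server needs a scope arrangement (a superscope) that
! also covers the 10.1.x.0/24 secondary before clients get private leases.
```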

Rick Morris Sun, 05/04/2008 - 15:53

Awesome!


Sorry I was out and not available to log on. When I did, I saw you had everything working.


Great job.

hobbe Mon, 05/05/2008 - 01:19

I hope you do not use the ISA server directly towards the internet without a firewall between the internet and it.


AFAIK not even MS recommends that.

