Public IPS

Feb 4th, 2009


I have a leased line connected to a Cisco router through int serial0/0/0, IP address 194.x.x.x, along with free public IP addresses.

What I want is to configure a mail server and an FTP server,

and the confusion is: do I need to assign an ACL in the router to port-forward my public IP address to the local mail and FTP server,

or do I need to assign one of the FastEthernet interfaces in the router a public IP and their subnet mask and use these public IPs for the servers,

or what should I do? Please, I need someone to imagine the case.

Any advice will be appreciated.

Giuseppe Larosa Wed, 02/04/2009 - 04:53

Hello Ala,

If the provider has given you a public address block in addition to the public address you use on the serial interface, you can build your DMZ and assign the subnet to one FE interface.

In this way you don't need to do any NAT, but I recommend protecting the servers with ACLs that allow only traffic to the intended ports (SMTP and FTP).

Hope to help


alaeldien Wed, 02/04/2009 - 23:50

Hello Giuseppe,

thank you for always being on time. The only thing that is missing is useful links, or documentation of detailed configs.



alaeldien Mon, 03/02/2009 - 05:10

Hello Giuseppe,

I still cannot finish up this one,

and the noticeable thing here is

ip access-group xx out

Do I need to apply an access group like this:

ip access-list xx permit ip any host

Is it going to work this way?

Please advise.

thank you


Giuseppe Larosa Mon, 03/02/2009 - 05:22

Hello Alaa,

I would think of an extended ACL here, not a standard one.

The target of the ACL should be that of permitting access to the DMZ from the internet.

Probably a better formulation is an inbound ACL

where you deny access to your intranet (= private IP subnet):

access-list 101 deny ip dmz dmz-wildcard private-addr priv-addr-wild

access-list 101 permit ip dmz dmz-wildcard any

This is to avoid that someone taking control of a DMZ server can then access the intranet.

But this is not mandatory.

If your scenario is small, or you want to allow some controlled communication between internal and DMZ when started from the internal side, you can use

access-list 102 permit tcp dmz dmz-wildcard private-addr priv-addr-wild established

access-list 102 deny ip dmz dmz-wildcard private-addr priv-addr-wild

access-list 102 permit ip dmz dmz-wildcard any

Hope to help
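A fuller version of the DMZ design discussed in this reply (the port-restricted ACL from the first answer plus the DMZ-to-intranet filter above), added here as an illustration and not posted by either participant. Interface names, the LAN subnet, the server addresses and the ACL names are assumed; the thread's 83.x.y placeholders stand in for the real /28 block.

```cisco
! Assumed layout (constructed for this example):
!   Internet  Serial0/0/0
!   DMZ       83.x.y.0/28 on FastEthernet0/1, mail 83.x.y.2, FTP 83.x.y.3
!   LAN       192.168.1.0/24 on FastEthernet0/0
!
! Inbound on the WAN side: only SMTP and FTP control to the two servers,
! plus replies for sessions the DMZ hosts started themselves.
ip access-list extended FROM-INTERNET
 permit tcp any host 83.x.y.2 eq smtp
 permit tcp any host 83.x.y.3 eq ftp
 permit tcp any 83.x.y.0 0.0.0.15 established
 ! passive-mode FTP data connections need extra permits or stateful inspection
 deny   ip any any log
!
! Inbound on the DMZ side: a compromised DMZ server can answer the intranet
! but cannot open new connections into it (the access-list 102 idea above).
ip access-list extended FROM-DMZ
 permit tcp 83.x.y.0 0.0.0.15 192.168.1.0 0.0.0.255 established
 deny   ip 83.x.y.0 0.0.0.15 192.168.1.0 0.0.0.255 log
 permit ip 83.x.y.0 0.0.0.15 any
!
interface Serial0/0/0
 ip access-group FROM-INTERNET in
!
interface FastEthernet0/1
 description DMZ - public /28 block
 ip address 83.x.y.1 255.255.255.240
 ip access-group FROM-DMZ in
```

The closing deny in FROM-INTERNET also drops ICMP, DNS replies and return traffic for any LAN hosts NATed behind Serial0/0/0, so those need explicit permits (or stateful inspection) placed before it.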


alaeldien Mon, 03/02/2009 - 23:24


It's clear and has become obvious now.

But I want to use the server with 2 interfaces: one with a public IP address to be shown to the public (as FTP server, DNS and web server),

the other interface to be configured with a private IP for the local intranet.

Now I just want to assign one public IP address to the router so the server can communicate with the router.

So I hit the keyboard with this command

ip nat inside source static tcp 53 53

but I cannot ping the server by public IP address.

What could be wrong?

Could you possibly please advise.


Giuseppe Larosa Tue, 03/03/2009 - 00:26

Hello Alaa,

The command you have given is protocol- and port-specific.

TCP port 53 is DNS when used for zone transfers between DNS servers.

ICMP is a different thing: it is not based on TCP and has its own header.

Try to map TCP port 80 and try to access it from the public side (if it is a web server too) with a web server.

Hope to help


alaeldien Tue, 03/03/2009 - 22:37

Hello Giuseppe,

thanks for being patient and cooperative with me.

My scenario is like this:

I have around 16 public IP addresses 83.x.x.x

and I want to assign one of those public IPs to my server so that it is reachable from outside. Do I need to map port 53 like this

ip nat inside source static tcp 53 83.x.x.x 53

or what should I do? I have tried to map port 80 also, but it's not accessible from outside.

Please advise.



Again the confusion is taking place.

alaeldien Tue, 03/03/2009 - 23:18


This is the config file; hopefully you can find time to check it out.

I blocked my server into a PPPoE-running router and I added

ip nat inside source static tcp 53 interface dialer1 53

and after noting down the dialer interface IP address I can successfully access it from outside.

Thank you.


Giuseppe Larosa Tue, 03/03/2009 - 23:55

Hello Alaa,

I think the simpler solution can be that of using

fas0/1 on the leased-line router:

provide it with an IP address from that /28 public address block.

In a previous post you said you want to have two NICs on your server.

You can assign a second IP address from the public block to the second NIC.

Connect router:fas0/1 --- Server:NIC2 directly or using two ports on a LAN switch (the two ports must be in the same VLAN).

Another option:

after having assigned the IP address to fas0/1,

you can dedicate a whole IP address to the server, like

ip nat static source 83.x.y.z reversible

To allow reachability from outside before the entry is created from inside, add the option reversible.

One possible problem is that the IP address block needs an anchor in the router to be used.

Hope to help


alaeldien Wed, 03/04/2009 - 00:13

Hello Giuseppe,

your words sound very cool.

But what do you mean by anchor? Could you possibly explain? With thanks.


alaeldien Wed, 03/04/2009 - 21:19

Hello Giuseppe,

I am still waiting for your explanation of the concept ANCHOR and the way we do it.

Thank you.


Giuseppe Larosa Wed, 03/04/2009 - 22:33

Hello Alaa,

Sorry, I might have used a wrong term:

the difference between using interface overload and a NAT pool is that in the first case the single public IP address is clearly associated with the WAN interface.

In the second case you define an ip nat pool.

Then comes your specific need:

a static NAT with an IP address taken from the pool.

So ignore my "anchor"; nothing technically relevant.

Instead, note that when you define the NAT pool you need to exclude the router interface IP address (int fas0/1, that is unused) and the IP address that is dedicated to the server: this is important.

So if the public addresses are


83.x.y.1/28 router

83.x.y.2 IP dedicated to the server

83.x.y.3-14 usable in a pool to NAT all other devices

Hope to help
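The pool layout in the reply above, written out as an added example of the NAT side of the design (not from the thread): .1 on fas0/1, .2 reserved for the server by a whole-address static NAT, .3-.14 in the dynamic pool. The LAN subnet, the server's inside address and the interface roles are assumed.

```cisco
! Assumed (constructed for this example): LAN 192.168.1.0/24 on Fa0/0,
! server inside address 192.168.1.10, Internet on Serial0/0/0, and the ISP
! routing 83.x.y.0/28 toward the serial address. The connected /28 on Fa0/1
! is what makes the block appear on the router; .0 and .15 are unusable.
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 83.x.y.1 255.255.255.240
!
interface Serial0/0/0
 ip nat outside
!
! Whole-address static NAT for the server: a static entry is bidirectional,
! so 83.x.y.2 is reachable from outside before any inside host sends traffic.
ip nat inside source static 192.168.1.10 83.x.y.2
!
! Dynamic pool for everyone else, skipping .1 (router) and .2 (server).
ip nat pool PUBLIC-POOL 83.x.y.3 83.x.y.14 netmask 255.255.255.240
access-list 10 remark hosts allowed to use the pool
access-list 10 deny   host 192.168.1.10
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 pool PUBLIC-POOL overload
```

Excluding the server's inside address from access-list 10 is not strictly required (the static entry takes precedence) but keeps the two mappings from ever competing for 83.x.y.2.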


