Using Public IP addresses from ISP

Answered Question

Hi All

Another question.

I have a /29 range of IP addresses issued by my ISP. Is it possible using a Cisco 877 router to configure 1 or more of the 4 Ethernet ports in some way so that I could assign some of the public IP addresses to nodes, connect them to the relevant ports on the 877 and have the nodes publicly accessible over the Internet?

Best Regards & TIA,

Michael

Giuseppe Larosa Mon, 05/18/2009 - 02:26

Hello Michael,

If you have the /29 address range in addition to the IP addresses used on the WAN links, you can set up a DMZ on an FE port.

You can also use subinterfaces, one of them for this public DMZ subnet.

Note: actually on an 877 the FE ports are like switch ports, so you need to use two VLANs, one for the internal side and one for the DMZ.

Create the second VLAN:

    conf t
    vlan 2

Individual ports can be associated with the new VLAN with:

    int f0/x
    switchport access vlan 2

Create the logical interface for VLAN 2:

    conf t
    int vlan2
    ip address x.x.x.z 255.255.255.248
    no shut

You can also use part of these addresses for NAT.

Note 2: the possibility to create a second VLAN is IOS version dependent, so if it doesn't allow you to create vlan2 you need an IOS upgrade.

Hope to help

Giuseppe

Hi Giuslar

Thanks for taking the time to reply.

My /29 range is not in addition to the IP address(es) used on the WAN link.

I was given a /29 range for the WAN connection to the ISP and one of these IP addresses is assigned to the Dialer1 interface. There is also a VLAN1 interface which acts as the default gateway for the internal private (192.168.0.0/16) IP range.

At present, all four Ethernet ports are associated with the internal VLAN and I was wondering if there is some way that I can use some of the remaining 5 public IP addresses, assign them to nodes and then assign some of the 4 Ethernet ports on the 877 as part of the external network.

For instance, could I create a VLAN, assign the Dialer1 interface and 2 of the Ethernet ports to this VLAN, then connect two nodes with public IP addresses to these ports and have them reachable from the Internet?

I have attached a sanitised version of the current configuration of the 877 to this post, in case it is of any use.

Best Regards & Thanks again,

Michael

Richard Burts Mon, 05/18/2009 - 03:45

Michael

If you have only the single address block from the ISP and if one of the addresses in that block is assigned to the dialer interface then I do not know of a good way to put some of those addresses into your VLAN (splitting the ISP block into two parts could let you put some addresses into another interface, but that would not give you many addresses to work with if you start with /29).

But I believe that there is a way that you can use the addresses to make your devices accessible with public addresses. If you set up the nodes with fixed addresses (rather than DHCP) and you configure static address translations for the nodes using addresses in the ISP address block in the translation, then each of the nodes would appear to the Internet as reachable through the ISP address.

HTH

Rick

Hi Rick

Thanks for your input, much appreciated.

If I understand your post correctly you suggest giving the nodes static private (192.168.0.0/16) IP addresses and then using static NAT to statically map the private IP addresses to the public IP addresses.

However a requirement would be that I could, say for instance, sit in an Internet cafe and access these nodes via their public IP addresses. Would this be possible using the static NAT solution without involving DDNS, or would DDNS also be required?

I suppose that the easiest way would be if I could get another /29 subnet from the ISP and create a second publicly addressed VLAN, like a DMZ.

Best Regards & again thanks for your input,

Michael

Correct Answer
Richard Burts Mon, 05/18/2009 - 04:40

Michael

It would be easy if you got a second address block from the ISP and you could put it directly onto a second VLAN. But it is not necessary.

The main point of doing the static NAT (providing a one to one translation of the private address on the node to a public address) would be that you could sit in an Internet cafe and access these nodes directly by the translated public address. This would not have any requirement for DDNS.

Note that the static NAT makes them accessible by IP address. A DNS entry (but not necessarily dynamic DNS) would be needed if you want to access them by name. Note that this same requirement applies if you get a second block of addresses from the ISP.

[edit] The config that you posted shows dynamic NAT. And the problem with that is that while inside nodes can get public addresses, it is variable what public address they would get, and this prevents them from being accessible from the Internet. With the static NAT that I suggest you could map specific inside addresses to specific outside addresses. For example you could translate 192.168.0.5 to 159.xxx.xxx.58, and you could translate 192.168.0.22 to 159.xxx.xxx.59. This allows you to be in the Internet cafe and to directly access 192.168.0.22 by using 159.xxx.xxx.59.

HTH

Rick
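
The static NAT mapping described in the answer above, written out as IOS configuration. This is an added example, not part of the original thread or of the poster's attached config. The addresses 203.0.113.58 and 203.0.113.59 are documentation-range stand-ins for the elided 159.xxx.xxx.58 and 159.xxx.xxx.59, and TCP port 443 is an assumed service.

```cisco
! Added example. 203.0.113.58/.59 are constructed placeholders for the
! public addresses from the ISP /29; port 443 is an assumed service.
!
! Inside interface: default gateway for the private 192.168.0.0/16 range.
interface Vlan1
 ip nat inside
!
! Outside interface: holds one address from the ISP /29.
interface Dialer1
 ip nat outside
!
! One-to-one static NAT as described in the thread. Unless an ACL or
! firewall filters it, traffic to ANY port on 203.0.113.58 is translated
! and delivered to 192.168.0.5, so the node is fully exposed.
ip nat inside source static 192.168.0.5 203.0.113.58
!
! Narrower form for the second node: only TCP 443 on the public address
! is translated to 192.168.0.22. Other ports on 203.0.113.59 have no
! static entry and are not forwarded to the node.
ip nat inside source static tcp 192.168.0.22 443 203.0.113.59 443
!
! Check the resulting entries from exec mode with:
!   show ip nat translations
```

The inside nodes need fixed addresses for either form, as the earlier reply notes, because the mapping is tied to the private address.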
