Multiple public IPs usefulness - UC520 WAN design

Answered Question

Hi,

I'm messing around with our new UC520 and was wondering a thing.

We happen to have a few public IPs at work, but since we want to have the UC520 as our gateway, I was wondering if all those IPs would be useful. I've read the Design Guide, but it only mentions that SBS networks rarely have more than one public IP, so that topic isn't covered in the document.


The thing is, I want to make sure we'll be able to do all we need with only one public IP:

- 4 or 5 tunnels between us and a few clients' networks (ASA/PIX on their side), including 2 with clients owning a UC520 so we'll be able to route calls directly

- Host different services on an SBS server (mail, PPTP, DNS, HTTP, FTP) -> static NAT to the internal server

- Connect remotely to other clients' networks with the Cisco VPN Client and PPTP (up to 5-6 users connecting remotely at the same time)


I'm pretty sure all this can be done with a single IP; I've got the static NAT and the remote connections with the VPN Client and PPTP working.


But I was wondering if there would be an advantage to using another public IP for this setup, maybe for the NAT?

Say everyone connects to remote networks and to the Internet using 2.2.2.2 (a fictitious public IP address), and all hosted services would be on 2.2.2.1.


Now, if this would be a better setup, could someone point me to documentation on how to do this?

If not, well thanks for taking the time to respond!


Mathieu

Correct Answer
Steven Smith Wed, 08/12/2009 - 09:38

You can do all of this with a single IP.  I think the only thing another IP would get you is if you wanted to have 2 static NAT configs with the same port, i.e. two web servers.


If you wanted a second IP address, you simply put it under the FastEthernet 0/0 config.


config t
 int fa 0/0
  ip address 10.0.0.1 255.255.255.0
  ip address 10.0.0.2 255.255.255.0 secondary


That would get you a second IP address.
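As an added example (not part of Steven's answer), here is that secondary-address snippet carried through to the case he mentions: two inside hosts that both listen on TCP 80 and 443, each published on its own public address with static port NAT. The WAN subnet (203.0.113.0/29, the documentation range), the inside data VLAN (Vlan1, 192.168.10.0/24) and the two server addresses are assumptions for illustration, not taken from the thread.

```cisco
! Added example: two web servers on the same ports, published on two public IPs.
! Addresses and the inside VLAN interface are assumptions for illustration.
configure terminal
!
interface FastEthernet0/0
 description WAN
 ip address 203.0.113.2 255.255.255.248
 ip address 203.0.113.3 255.255.255.248 secondary
 ip nat outside
!
interface Vlan1
 description Data VLAN (assumed 192.168.10.0/24)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Port-level static NAT: only the listed ports are forwarded to the servers.
! Traffic to any other port on 203.0.113.2 or .3 terminates on the router itself,
! so the WAN firewall still has to cover the router's own services (SSH, HTTP, etc.).
! "extendable" lets one public address carry more than one static mapping.
ip nat inside source static tcp 192.168.10.20 80  203.0.113.2 80  extendable
ip nat inside source static tcp 192.168.10.20 443 203.0.113.2 443 extendable
ip nat inside source static tcp 192.168.10.21 80  203.0.113.3 80  extendable
ip nat inside source static tcp 192.168.10.21 443 203.0.113.3 443 extendable
end
!
! Verification: the four static entries are listed before any traffic flows,
! and hit counters grow as outside clients connect.
show ip nat translations
show ip nat statistics
```

Two caveats a practitioner would check: inside hosts that resolve the public name get 203.0.113.x and will not be hairpinned back through these entries, so serve the private addresses to them (split DNS); and, as Steven DiStefano notes further down, CLI changes like these are outside what CCA manages.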

JOHN NIKOLATOS Wed, 08/12/2009 - 20:11

Remember the UC500 can handle only 10 IPsec connections at once.


If you have multiple IP addresses I would use different ones for different internal devices.  So if you have VPN to the UC500 (that is one IP address), if you have a web server (different IP address), etc.  It will make the configuration cleaner and easier to manage.


Also some applications can not support PAT translations and only work over NAT.


Also it is useful for troubleshooting outside connections because the packets would be originating from different IP addresses.


Also when your PCs get spyware, the IP address to the Internet will be on blacklists...  then if you have a mail server sharing the same IP address it will get blocked.  If it is on its own IP address, then you do not have that issue.


Also some machines are going to share service port numbers...  like FTP servers, web servers, etc.  Maybe nothing now, but most likely something in the future.

Steven DiStefano Fri, 06/11/2010 - 07:53

The ability to configure 1:1 NAT is on the roadmap for CCA and is ranking pretty high on the survey currently open in this community (see Announcements and take it; just 5 minutes).


So today, not supported with CCA.   OOB CLI will not be supported within CCA either for this.


Are you using CCA or CLI?


You may get some advice on the community or open a case.

Brook Powers Fri, 06/11/2010 - 08:13

Steve,


Thanks for your reply.


I, like Cisco, would prefer to do this in the CCA. I've taken the CCA survey and voted for that as the #1 desired feature.


Since we made the UC540 our gateway we can't access our Microsoft Webmail (TCP 80/443), our web-based line of business application (TCP 80/443), our web-based security cameras (TCP 80/443) and all the other things we need to via one public IP.


The bottom line is this is now a business imperative and it has to be completed.


I don't care if it makes the firewall/NAT module of the CCA inoperative. In fact, it's becoming so urgent I might not care if it breaks the whole CCA, which I hope and doubt it will.


I didn't think I could open a case on this with the STAC, since I thought they only work in the CCA. I'll try that now and if I make progress, I'll post the resulting commands for the benefit of others who are also requesting it.
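Added example, covering both John's suggestion (users leave on one address, the mail server gets its own, so a blacklisted user address does not take the mail server down with it) and the 1:1 NAT Brook is asking for. This is neither the posters' configuration nor anything CCA generates; the WAN subnet (203.0.113.0/29), inside VLAN (Vlan1, 192.168.10.0/24), host roles, pool and ACL names are all assumptions for illustration.

```cisco
! Added example: separate public addresses per role on one UC520 WAN interface.
!   203.0.113.2  user PAT (everyone on the data VLAN)
!   203.0.113.3  1:1 NAT for the camera host (every port)
!   203.0.113.4  mail server: inbound 25/443 only, outbound sourced from .4
! Addresses, interface and object names are assumptions, not from the thread.
configure terminal
!
interface FastEthernet0/0
 description WAN
 ip address 203.0.113.2 255.255.255.248
 ip address 203.0.113.3 255.255.255.248 secondary
 ip address 203.0.113.4 255.255.255.248 secondary
 ip nat outside
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Dynamic PAT. A one-address pool instead of "interface FastEthernet0/0 overload"
! chooses which of the interface's addresses a group leaves on.
ip nat pool USERS-OUT 203.0.113.2 203.0.113.2 netmask 255.255.255.248
ip nat pool MAIL-OUT  203.0.113.4 203.0.113.4 netmask 255.255.255.248
!
ip access-list extended NAT-MAIL
 permit ip host 192.168.10.30 any
ip access-list extended NAT-USERS
 deny   ip host 192.168.10.30 any
 permit ip 192.168.10.0 0.0.0.255 any
!
! The mail server's own sessions (outbound SMTP) source from 203.0.113.4, so
! reverse DNS, SPF and blacklist entries for that address cover only this host.
ip nat inside source list NAT-MAIL  pool MAIL-OUT  overload
ip nat inside source list NAT-USERS pool USERS-OUT overload
!
! Inbound to the mail server: only the published ports. Any other port on
! 203.0.113.4 lands on the router itself, not on the server.
ip nat inside source static tcp 192.168.10.30 25  203.0.113.4 25  extendable
ip nat inside source static tcp 192.168.10.30 443 203.0.113.4 443 extendable
!
! True 1:1 NAT for the camera host. Static entries take precedence over the
! dynamic rules, so no NAT-USERS deny is needed for this host. Every listening
! port on 192.168.10.40 is now reachable from the Internet: the WAN firewall,
! not NAT, is what limits that to 80/443.
ip nat inside source static 192.168.10.40 203.0.113.3
end
!
! Verification: outbound sessions from .30 show an inside global of 203.0.113.4,
! from other hosts 203.0.113.2; the static entries appear without traffic.
show ip nat translations
```

The design choice worth noting is that port-level static NAT plus a per-host outbound pool gives the mail server a dedicated address without the all-ports exposure of a 1:1 mapping; the 1:1 form is kept for the host whose application will not tolerate PAT, which is the case John describes. Since the firewall on a CCA-managed UC520 is generated by CCA and, per Steven DiStefano's reply, CLI changes like these are not supported within it, the inbound filtering for the 1:1 host has to be accounted for on whichever side ends up managing the firewall.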
