2811 with 4ESW - public IP on port e0/0/3

Answered Question
Sep 21st, 2009

Does anyone have any information/advice on how to perform the following setup:

I have 2 networks running on the router:

fa0/0 has a 29 bit subnet with 6 usable public IP addresses - one being used by the router, and another being used by an internal device.

fa0/1 has a public IP that is subnetted with a 27 bit subnet.

I want to have a public IP address (in the same network as fa0/0) on fa0/0/3 - switch port.

I am running Version 12.4(3a).

Since this is one network, is it possible to setup the router to send all traffic to an ip address in that range?

Thanks for any advice or help.

I have this problem too.
0 votes
Correct Answer by Paolo Bevilacqua about 7 years 2 months ago

I would not use ACL for this, also considering that it's a FW you're connecting, should be able to look after himself.

Please remember to rate useful posts with the scrollbox below.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Paolo Bevilacqua Mon, 09/21/2009 - 08:01

Ys, the most common setup is that you give your device a private address, the set static NAT for an IP of your to got to it.

This gives to it "firewall protection.

If you want to have it public address and no NAT protection, either put a small switch, or move fa0/0 configiuration to vlan 1 then connect another port of the esw4 to isp router.

stoneystone Mon, 09/21/2009 - 12:01

Paolo,

Thanks for you thoughts and input. Because of my current config, I didn't want to go with the vlan; I may eventually have to.

The router, fa0/0 and fa0/1, uses public IP addresses, and I don't want to disturb them.

Since the 4ESW is a layer 2 card, it doesn't let me give it an ip address, but I can put it on a vlan.

The static NAT may be a good solution, but I'm not exactly sure of the static config on the router. I'm more familar with e PIX/ASA, and It's not the same command(s).

I looked on Cisco's website but the static configs were a little unclear. Are routers basically the same? I have a block of public IP addresses and I can do a static NAT to an inside address? From the router?

Placing a switch in front of the router would give another point of failure, but may be the most simple and fast solution.

Once I get an interface passing traffic, I want to install a PIX firewall on it.

BTW, my software version: (C2800NM-ADVSECURITYK9-M), Version 12.4(3a).

Thanks a lot for your help.

Paolo Bevilacqua Mon, 09/21/2009 - 14:27

Apologies for the truly poor spelling of my first message - please ask for any clarification you may need.

stoneystone Mon, 09/21/2009 - 17:47

No problem with the spelling; I didn't even notice. I really appreciate your help with this.

So, the static is close to the same as the firewall. After the static, are there access-lists that need to be added?

Correct Answer
Paolo Bevilacqua Tue, 09/22/2009 - 00:24

I would not use ACL for this, also considering that it's a FW you're connecting, should be able to look after himself.

Please remember to rate useful posts with the scrollbox below.

stoneystone Tue, 09/22/2009 - 04:41

Well, I must be missing something. Here's the command I used:

ip nat inside source static

My IOS wouldn't let me use that exact command. I still can not pass traffic.

Paolo Bevilacqua Tue, 09/22/2009 - 05:34

Can you check "show ip nat trnslation verbose" ?

Assuming you can ping the private address, the public is correctly routed by ISP, etc.

stoneystone Tue, 09/22/2009 - 06:12

The 'ip nat translations verbose' comes up with nothing.

Because of the 4ESW card, does the fa0/0/2 interface need to be assigned to vlan1 - the default vlan?

stoneystone Tue, 09/22/2009 - 06:42

I take that back. I think I have to get back to basics. I have a laptop connected to the switch port. I replaced the straight cable with a cross-over, and I get this, for the 'ip nat trans verb':

---

RT01#sh ip nat trans verb

Pro Inside global Inside local Outside local Outside global

--- xxx.xxx.xxx.190 192.168.123.1 --- ---

create 00:04:02, use 00:04:02 timeout:0,

flags:

static, use_count: 0, entry-id: 5, lc_entries: 0

I take it the 4ESW isn't auto-sensing.

Paolo Bevilacqua Tue, 09/22/2009 - 08:17

Strange, for connecting a laptop to ESW ports, a straight cable should work, but not a crossed one.

Actions

This Discussion