UC500 Multiple WAN Addresses

May 26th, 2010

Hi,

My ISP supplies me with two (static) IP addresses.

I understand the UC520 can have multiple WAN addresses, but how do I configure the NAT for this?

I am trying to have 2 x SSL web servers: one hosts Exchange and the other a SQL database.

I have 2 registered domain names, so I want to use 1 WAN IP for each domain.

Your help is appreciated.


Peter

Overall Rating: 5 (1 ratings)
Brandon Buffin Thu, 05/27/2010 - 06:04

You will configure something similar to:


ip nat inside source static 10.10.10.1 1.1.1.1
ip nat inside source static 10.10.10.2 1.1.1.2
!
! Extended ACL (numbers 100-199), needed to match on protocol and port
access-list 110 permit tcp any host 1.1.1.1 eq 443
access-list 110 permit tcp any host 1.1.1.2 eq 443
!
interface FastEthernet 0/0
 ip access-group 110 in



Hope this helps.


Brandon

David Hornstein Thu, 05/27/2010 - 06:23

That's a good posting. Maybe I'm being a bit simple, but I thought I would suggest it would be better to add the access list entries to the existing access list attached to FastEthernet 0/0.

Brandon Buffin Thu, 05/27/2010 - 06:27

You're exactly right. This was just an example to give the poster the concept of how this would work.


Brandon

Steven DiStefano Thu, 05/27/2010 - 06:46

Hi Everyone,

The original post was DUAL WAN, but I am not sure if you meant two WAN interfaces on UC500 or Multiple Static IPs on the same interface?


Just want to be clear that Cisco Configuration Assistant (CCA 2.2.4) doesn't today support dual WAN or provisioning or 1:1 NAT of multiple static IPs to different internal addresses.


Is this something you will be maintaining with CLI outside of CCA?


Steve

peter.mcgarry Thu, 05/27/2010 - 15:57

Steve,


CLI is fine.


Multiple Static IPs on the same interface is what I had thought would be the way to go, BUT I am open to suggestions.


Peter

Steven DiStefano Fri, 05/28/2010 - 09:56

No problem then. Just use Brandon's example (work it into your Firewall ACLs).

Just wanted you to be aware the CCA probably won't recognize the firewall after that, but since it doesn't yet support it (roadmap for CCA 2.3 I believe), then you have to use CLI, if you're comfortable with that.


Steve

Brook Powers Sat, 06/05/2010 - 21:53

I, like many others, have similar needs. Based on your suggestions, here is what I think I need to add;


! Dell DRAC - TCP ports 80, 443, 5900, 5901
ip nat inside source static 192.168.10.9 173.13.231.34
! SBS 2008 - TCP ports 25, 80, 443, 987, 1723, 3389
ip nat inside source static 192.168.10.10 173.13.231.35
! WWW server - TCP ports 80, 443, 3389
ip nat inside source static 192.168.10.11 173.13.231.36
!
access-list 106 permit tcp any host 173.13.231.34 eq 80
access-list 106 permit tcp any host 173.13.231.34 eq 443
access-list 106 permit tcp any host 173.13.231.34 eq 5900
access-list 106 permit tcp any host 173.13.231.34 eq 5901
access-list 106 permit tcp any host 173.13.231.35 eq 25
access-list 106 permit tcp any host 173.13.231.35 eq 80
access-list 106 permit tcp any host 173.13.231.35 eq 443
access-list 106 permit tcp any host 173.13.231.35 eq 987
access-list 106 permit tcp any host 173.13.231.35 eq 1723
access-list 106 permit tcp any host 173.13.231.35 eq 3389
! WWW server entries use its own public address, 173.13.231.36
access-list 106 permit tcp any host 173.13.231.36 eq 80
access-list 106 permit tcp any host 173.13.231.36 eq 443
access-list 106 permit tcp any host 173.13.231.36 eq 3389
!
interface FastEthernet 0/0
 ip access-group 106 in

Here is my existing show access-list;

UC_540#show access-list
Standard IP access list 2
    10 permit 192.168.10.1
    20 permit 216.170.98.242
    30 permit 192.168.10.0, wildcard bits 0.0.0.255
    40 permit 10.1.1.0, wildcard bits 0.0.0.255
    50 permit 10.1.10.0, wildcard bits 0.0.0.3
    60 deny   any
Extended IP access list 100
    10 deny ip 192.168.10.0 0.0.0.255 any
    20 deny ip host 255.255.255.255 any
    30 deny ip 127.0.0.0 0.255.255.255 any
    40 permit ip any any
Extended IP access list 101
    10 permit udp any host 10.1.10.2 eq non500-isakmp
    20 permit udp any host 10.1.10.2 eq isakmp
    30 permit esp any host 10.1.10.2
    40 permit ahp any host 10.1.10.2
    50 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
    60 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
    70 deny ip 10.1.1.0 0.0.0.255 any
    80 deny ip 192.168.10.0 0.0.0.255 any
    90 deny ip 273.13.231.0 0.0.0.255 any
    100 deny ip host 255.255.255.255 any
    110 deny ip 127.0.0.0 0.255.255.255 any
    120 permit ip any any (18230 matches)
Extended IP access list 102
    10 permit udp any host 192.168.10.1 eq non500-isakmp
    20 permit udp any host 192.168.10.1 eq isakmp
    30 permit esp any host 192.168.10.1
    40 permit ahp any host 192.168.10.1
    50 deny ip 10.1.10.0 0.0.0.3 any
    60 deny ip 10.1.1.0 0.0.0.255 any (574 matches)
    70 deny ip 273.13.231.0 0.0.0.255 any
    80 deny ip host 255.255.255.255 any
    90 deny ip 127.0.0.0 0.255.255.255 any
    100 permit ip any any (8227267 matches)
Extended IP access list 103
    10 permit udp any host 10.1.1.1 eq non500-isakmp
    20 permit udp any host 10.1.1.1 eq isakmp
    30 permit esp any host 10.1.1.1
    40 permit ahp any host 10.1.1.1
    50 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
    60 permit udp 10.1.10.0 0.0.0.3 any eq 2000
    70 deny ip 10.1.10.0 0.0.0.3 any
    80 deny ip 192.168.10.0 0.0.0.255 any
    90 deny ip 273.13.231.0 0.0.0.255 any
    100 deny ip host 255.255.255.255 any
    110 deny ip 127.0.0.0 0.255.255.255 any
    120 permit ip any any (4771441 matches)
Extended IP access list 104
    10 permit tcp any host 273.13.231.33 eq 443 (203 matches)
    20 permit udp any host 273.13.231.33 eq non500-isakmp
    30 permit udp any host 273.13.231.33 eq isakmp (34077 matches)
    40 permit esp any host 273.13.231.33
    50 permit ahp any host 273.13.231.33
    60 permit udp host 192.168.10.1 eq 5060 any
    70 permit udp host 192.168.10.1 any eq 5060
    80 permit udp host 216.170.98.242 eq 5060 any (11800 matches)
    90 permit udp host 216.170.98.242 any eq 5060
    100 permit udp any any range 16384 32767 (15434 matches)
    110 deny ip 10.1.10.0 0.0.0.3 any
    120 deny ip 10.1.1.0 0.0.0.255 any
    130 deny ip 192.168.10.0 0.0.0.255 any
    140 permit udp host 68.87.73.242 eq domain any (11445 matches)
    150 permit udp host 68.87.71.226 eq domain any (29 matches)
    160 permit icmp any host 273.13.231.33 echo-reply
    170 permit icmp any host 273.13.231.33 time-exceeded (9 matches)
    180 permit icmp any host 273.13.231.33 unreachable (201 matches)
    190 deny ip 10.0.0.0 0.255.255.255 any
    200 deny ip 172.16.0.0 0.15.255.255 any
    210 deny ip 192.168.0.0 0.0.255.255 any
    220 deny ip 127.0.0.0 0.255.255.255 any
    230 deny ip host 255.255.255.255 any
    240 deny ip host 0.0.0.0 any (4 matches)
    250 deny ip any any log (4513 matches)
Extended IP access list 105
    10 deny ip any host 192.168.10.240
    20 deny ip any host 192.168.10.241
    30 deny ip any host 192.168.10.242
    40 deny ip any host 192.168.10.243
    50 deny ip any host 192.168.10.244
    60 deny ip any host 192.168.10.245
    70 deny ip any host 192.168.10.246
    80 deny ip any host 192.168.10.247
    90 deny ip any host 192.168.10.248
    100 deny ip any host 192.168.10.249
    110 permit ip 10.1.10.0 0.0.0.3 any (6588 matches)
    120 permit ip 10.1.1.0 0.0.0.255 any
    130 permit ip 192.168.10.0 0.0.0.255 any (3128812 matches)
UC_540#


Is what I have (top) the best way to do this?

Will any of my server IPs 192.168.10.9-11 conflict with UC-540 default configuration IPs?

Should I use an existing access-list instead of 106, if so, which one?
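
An added example, not from any poster in this thread, of the merge David and Steve suggest: an interface holds only one inbound ACL, so binding a new list 106 would displace the existing filter and its anti-spoofing denies. This Python helper reads `show access-list` output and emits sequence-numbered permits that land just before the existing final deny, skipping duplicates and renumbering when the gap is too small. It assumes ACL 104 is the list bound inbound on the WAN interface, which the thread does not state; the sample output and the 203.0.113.x addresses are constructed.

```python
import re

# Constructed sample in "show access-list" format, modelled on the tail of
# ACL 104 above; addresses are from the 203.0.113.0/24 documentation range.
SHOW_ACL = """\
Extended IP access list 104
    10 permit tcp any host 203.0.113.33 eq 443 (203 matches)
    240 deny ip host 0.0.0.0 any (4 matches)
    250 deny ip any any log (4513 matches)
"""
# Constructed proposal (public address -> TCP ports), one port repeated.
PROPOSED = {"203.0.113.34": [80, 443, 5900, 5901],
            "203.0.113.36": [80, 443, 3389, 443]}

def parse_acl(text, number):
    """Return [(seq, rule)] for one ACL, with hit counters stripped."""
    entries, active = [], False
    for line in text.splitlines():
        head = re.match(r"(?:Standard|Extended) IP access list (\S+)", line)
        if head:
            active = head.group(1) == str(number)
            continue
        m = re.match(r"\s+(\d+)\s+(.*?)(?:\s+\(\d+ match(?:es)?\))?$", line)
        if active and m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries

def merge_commands(text, number, proposed):
    """IOS commands that insert the permits just before the final deny."""
    entries = parse_acl(text, number)
    if not entries or not entries[-1][1].startswith("deny ip any any"):
        raise ValueError("no explicit final deny found; review by hand")
    existing, new = {rule for _, rule in entries}, []
    for host, ports in proposed.items():
        for port in ports:
            rule = f"permit tcp any host {host} eq {port}"
            if rule not in existing and rule not in new:  # skip duplicates
                new.append(rule)
    prev_seq = entries[-2][0] if len(entries) > 1 else 0
    cmds = []
    if entries[-1][0] - prev_seq - 1 < len(new):  # gap too small: renumber
        step = len(new) + 1
        cmds.append(f"ip access-list resequence {number} {step} {step}")
        prev_seq = step * (len(entries) - 1)
    cmds.append(f"ip access-list extended {number}")
    cmds += [f" {prev_seq + i} {rule}" for i, rule in enumerate(new, 1)]
    return cmds

if __name__ == "__main__":
    print("\n".join(merge_commands(SHOW_ACL, 104, PROPOSED)))
```

The existing `ip access-group` binding stays as it is; only the emitted lines are pasted in configuration mode, after checking them against the live `show access-list` output.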
