How to assign IP addresses?


Hello everyone,

I am very new to the networking field. I want some help from you expert people.

I have a network in which I have a router, a firewall and a switch.

The ISP leased line is connected to the router (on FA0/0), FA0/1 is connected to the firewall outside interface (E0/0), and the firewall inside interface is connected to the switch for the LAN.

I want to configure a site-to-site VPN on the firewall.

Now I have assigned IPs such as:

For example:

Router (FA 0/0 connected to ISP) : 1.1.1.1 /29
Router (FA 0/1 connected to firewall) : 175.172.10.1 (private IP)
Firewall (E 0/0 connected to router) : 175.172.10.2 (private IP)
Firewall (E 0/1 connected to switch) : 10.0.0.1 (private IP)

Is this configuration right? If so, then which IP should I give to my peer end to establish the site-to-site VPN?

Is it possible to use IPs as:

For example:

Router (FA 0/0 connected to ISP) : 1.1.1.1 /29 (Public IP)
Router (FA 0/1 connected to firewall) : 1.1.1.2 (Public IP)
Firewall (E 0/0 connected to router) : 1.1.1.3 (Public IP)
Firewall (E 0/1 connected to switch) : 10.0.0.1

Then I will give the public IP 1.1.1.3 to the peer site to establish the site-to-site VPN...

Nagaraja Thanthry (Cisco Employee), Wed, 09/08/2010 - 20:30

Hello,

You can go for your initial configuration, i.e. the router's outside having a public IP and the interface connecting to the firewall having a private IP. You can use NAT on the router to map the private IP of the firewall to a public IP and then give that public IP to the VPN peers.

Sample configuration:

interface fastethernet 0/0
 ip address 1.1.1.1 255.255.255.248
 ip nat outside
exit

interface fastethernet 0/1
 ip address 175.172.10.1 255.255.255.0
 ip nat inside
exit

ip nat inside source static 175.172.10.2 1.1.1.2 extendable

If you want to block certain traffic on the outside interface of the router, you can use an access-list over there. If not, you can let the firewall handle all the filtering.

Also, on another thought, if you have such a straight topology, you can bypass the router and connect the ISP handoff (Ethernet) directly to the firewall. That will avoid the need for additional NAT configurations.

Hope this helps.

Regards,

NT
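A fuller version of the router side, as an added example that is not from the reply above or from Cisco. It keeps the thread's addresses, uses the IOS syntax ip nat inside source static for the one-to-one mapping, and adds the kind of access-list the reply mentions: an inbound list on FA0/0 that drops packets with RFC 1918 source addresses, allows IKE (UDP 500), NAT-T (UDP 4500) and ESP to the translated address only from the known VPN peer, and otherwise passes everything through so the firewall does the real filtering. The remote peer address 2.2.2.2 is an assumption. Two things worth knowing: a one-to-one static NAT passes ESP and both IKE ports without rewriting ports, and if NAT-T is enabled on both sides the firewall will detect during IKE that its address is being translated and move to UDP 4500, so the peer must be given 1.1.1.2 and the list must allow all three. Also note that 175.172.10.0/24 is not RFC 1918 space; a 10.x or 192.168.x /30 on the transit link would avoid overlapping a prefix that belongs to someone else on the Internet.

```cisco
! Edge router: static one-to-one NAT for the firewall's outside address,
! plus an inbound list on the ISP side. Remote VPN peer 2.2.2.2 is assumed.
interface FastEthernet0/0
 description ISP handoff (1.1.1.0/29)
 ip address 1.1.1.1 255.255.255.248
 ip access-group OUTSIDE-IN in
 ip nat outside
!
interface FastEthernet0/1
 description transit link to firewall E0/0
 ip address 175.172.10.1 255.255.255.0
 ip nat inside
!
! Everything addressed to 1.1.1.2 is delivered to the firewall's outside
! interface with ports untouched; 1.1.1.2 is the address the VPN peer is given.
ip nat inside source static 175.172.10.2 1.1.1.2
!
! Inbound on FA0/0 this list is evaluated before NAT, so it matches the
! public address 1.1.1.2, not 175.172.10.2.
ip access-list extended OUTSIDE-IN
 remark RFC 1918 sources have no business arriving from the ISP
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark site-to-site IPsec (IKE, NAT-T, ESP) only from the known peer
 permit udp host 2.2.2.2 host 1.1.1.2 eq isakmp
 permit udp host 2.2.2.2 host 1.1.1.2 eq non500-isakmp
 permit esp host 2.2.2.2 host 1.1.1.2
 deny   udp any host 1.1.1.2 eq isakmp
 deny   udp any host 1.1.1.2 eq non500-isakmp
 deny   esp any host 1.1.1.2
 remark leave all other filtering to the firewall
 permit ip any any
```

The explicit denies after the peer permits are what make the list useful: they keep the firewall's IKE listener reachable from one address instead of the whole Internet, while the final permit keeps return traffic for the LAN flowing through the firewall's own PAT on 175.172.10.2.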

Dear Nagaraja,

I tried it. It works.

But when I give the command "sh ip nat translations" it is still showing the firewall's outside IP (i.e. 175.172.10.2).

Does it have to show 1.1.1.2?

Is there anything I need to change in the firewall, because in the firewall I have given

global (outside) 1 interface (i.e. outside interface 175.172.10.2)

Nagaraja Thanthry (Cisco Employee), Wed, 09/08/2010 - 20:51

Hello,

You should see both the firewall outside IP and the translated address. Can you post the output of the "show ip nat translation" command here?

Regards,

NT

Hello,

In "sh ip nat translation" I am still getting the same IP as the firewall's outside IP:

#sh ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
udp 114.143.201.*:1134  175.172.10.2:1134     24.212.98.214:2520    24.212.98.214:2520
udp 114.143.201.*:1134  175.172.10.2:1134     46.118.193.138:44782  46.118.193.138:44782
udp 114.143.201.*:1134  175.172.10.2:1134     67.81.201.181:17279   67.81.201.181:17279
udp 114.143.201.*:1134  175.172.10.2:1134     67.169.62.194:12580   67.169.62.194:12580

Nagaraja Thanthry (Cisco Employee), Wed, 09/08/2010 - 21:02

Hello,

If you notice, the inside global corresponds to the global address you are mapping to and the inside local corresponds to the actual IP of the firewall.

Inside global         Inside local
114.143.201.*:1134    175.172.10.2:1134

So, NAT translation is working.

Regards,

NT

Nagaraja Thanthry (Cisco Employee), Wed, 09/08/2010 - 21:15

Hello,

As per your output, 175.172.10.2 is being advertised as 114.143.201.*. The "inside global" means the global address (public address) corresponding to the inside local address.

If 114.143.201.* is not the correct address the firewall should use, can you post the output of "show run | include ip nat" here?

Regards,

NT
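A small check for the point made in the last two replies, as an added example in Python that is not from the thread. It parses show ip nat translations output (a constructed sample in the format the original poster pasted, using the 1.1.1.2 mapping from the first reply and a hypothetical peer 2.2.2.2), confirms that the static entry itself is listed, that every live translation for the firewall's inside local address carries the expected inside global address with ports unchanged, and reports which outside addresses the firewall is actually exchanging IKE or NAT-T with. A second constructed sample shows what the check reports in the failure mode to look for when the expected public address does not appear: the static entry is missing and the router is overloading (PAT) on its own FA0/0 address, which rewrites the IKE port and leaves ESP with no translation at all.

```python
"""Verify that 'show ip nat translations' on the edge router shows the
firewall's outside address being translated to the intended public IP.
Added example, not from the thread; both samples below are constructed."""
import re

# Constructed: what the router should show with
# 'ip nat inside source static 175.172.10.2 1.1.1.2' in place and the
# firewall talking IKE/NAT-T to a hypothetical peer 2.2.2.2.
GOOD_OUTPUT = """\
#sh ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
--- 1.1.1.2               175.172.10.2          ---                   ---
udp 1.1.1.2:500           175.172.10.2:500      2.2.2.2:500           2.2.2.2:500
udp 1.1.1.2:4500          175.172.10.2:4500     2.2.2.2:4500          2.2.2.2:4500
udp 1.1.1.2:1134          175.172.10.2:1134     24.212.98.214:2520    24.212.98.214:2520
tcp 1.1.1.2:3456          175.172.10.2:3456     93.184.216.34:443     93.184.216.34:443
"""

# Constructed: the failure mode where the static entry is missing and the
# router is overloading (PAT) on its own FA0/0 address instead.
BAD_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
udp 1.1.1.1:1024          175.172.10.2:500      2.2.2.2:500           2.2.2.2:500
tcp 1.1.1.1:3456          175.172.10.2:3456     93.184.216.34:443     93.184.216.34:443
"""

ROW_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$')


def split_addr(field):
    """'1.1.1.2:500' -> ('1.1.1.2', 500); '1.1.1.2' -> ('1.1.1.2', None); '---' -> (None, None)."""
    if field == '---':
        return None, None
    if ':' in field:
        ip, port = field.rsplit(':', 1)
        return ip, int(port)
    return field, None


def parse_nat_translations(text):
    """Turn the table into a list of dicts. A row with '---' in the Pro and
    Outside columns is the static mapping itself; the rest are live sessions."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or line.startswith('Pro '):
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        pro, ig, il, ol, og = m.groups()
        ig_ip, ig_port = split_addr(ig)
        il_ip, il_port = split_addr(il)
        ol_ip, _ = split_addr(ol)
        og_ip, _ = split_addr(og)
        entries.append({
            'proto': None if pro == '---' else pro,
            'inside_global': ig_ip, 'inside_global_port': ig_port,
            'inside_local': il_ip, 'inside_local_port': il_port,
            'outside_local': ol_ip, 'outside_global': og_ip,
            'static': pro == '---' and ol_ip is None,
        })
    return entries


def check_static_mapping(entries, inside_local, expected_global):
    """Return (ok, problems) for the firewall's outside address."""
    problems = []
    mine = [e for e in entries if e['inside_local'] == inside_local]
    if not mine:
        return False, [f'no translations at all for {inside_local}']
    if not any(e['static'] and e['inside_global'] == expected_global for e in mine):
        problems.append(f'no static entry mapping {inside_local} -> {expected_global}')
    for e in mine:
        if e['inside_global'] != expected_global:
            problems.append(f"{inside_local} is translated to {e['inside_global']}, "
                            f"not {expected_global}")
        # One-to-one static NAT keeps the port; a rewritten port means PAT
        # (overload) is handling this flow, which is not what a VPN endpoint wants.
        if e['inside_global_port'] is not None and e['inside_global_port'] != e['inside_local_port']:
            problems.append(f"port {e['inside_local_port']} rewritten to "
                            f"{e['inside_global_port']} for proto {e['proto']}")
    return not problems, problems


def ike_peers(entries, inside_local):
    """Outside addresses the firewall is exchanging IKE (udp/500) or NAT-T (udp/4500) with."""
    return sorted({e['outside_global'] for e in entries
                   if e['inside_local'] == inside_local and e['proto'] == 'udp'
                   and e['inside_local_port'] in (500, 4500)})


if __name__ == '__main__':
    for name, text in (('good', GOOD_OUTPUT), ('bad', BAD_OUTPUT)):
        rows = parse_nat_translations(text)
        ok, problems = check_static_mapping(rows, '175.172.10.2', '1.1.1.2')
        print(name, 'OK' if ok else 'PROBLEMS', problems,
              'ike peers:', ike_peers(rows, '175.172.10.2'))
```

To use it against a real router, paste the command output into the place of GOOD_OUTPUT, or feed the file through parse_nat_translations; the masked 114.143.201.* in the original poster's paste would simply be reported as the inside global that is in effect.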
