How to assign IP addresses ?

vinayak
Level 1

Hello everyone,

I am very new to the networking field. I want some help from you expert people.

I have a network in which I have a router, a firewall and a switch.

The ISP leased line is connected to the router (on FA0/0), FA0/1 is connected to the firewall outside interface (E0/0), and the firewall inside interface is connected to the switch for the LAN.

I want to configure a site-to-site VPN on the firewall.

Now I have assigned IPs such as:

For example:

Router (FA0/0 connected to ISP): 1.1.1.1/29

Router (FA0/1 connected to firewall): 175.172.10.1 (private IP)

Firewall (E0/0 connected to router): 175.172.10.2 (private IP)

Firewall (E0/1 connected to switch): 10.0.0.1 (private IP)

Is this configuration right? If so, then which IP should I give to my peer end to establish the site-to-site VPN?

Is it possible to use IPs such as:

For example:

Router (FA0/0 connected to ISP): 1.1.1.1/29 (public IP)

Router (FA0/1 connected to firewall): 1.1.1.2 (public IP)

Firewall (E0/0 connected to router): 1.1.1.3 (public IP)

Firewall (E0/1 connected to switch): 10.0.0.1

Then I will give the public IP 1.1.1.3 to the peer site to establish the site-to-site VPN...

10 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

You can go for your initial configuration, i.e. the router's outside interface having a public IP and the interface connecting to the firewall having a private IP.

You can use NAT on the router to map the private IP of the firewall to a public IP and then give that public IP to the VPN peers.

Sample configuration:

interface fastethernet 0/0
 ip address 1.1.1.1 255.255.255.248
 ip nat outside
 exit
interface fastethernet 0/1
 ip address 175.172.10.1 255.255.255.0
 ip nat inside
 exit
! With "ip nat inside"/"ip nat outside" on the interfaces, the static
! mapping is an inside-source translation (firewall 175.172.10.2 <-> 1.1.1.2)
ip nat inside source static 175.172.10.2 1.1.1.2 extendable

If you want to block certain traffic on the outside interface of the router, you can use an access-list over there. If not, you can let the firewall handle all the filtering.

Also, on another thought, if you have such a straight topology, you can bypass the router and connect the ISP handoff (Ethernet) directly to the firewall. That will avoid the need for additional NAT configurations.

Hope this helps.

Regards,

NT

Dear Nagaraja,

I tried it. It works.

But when I give the command "sh ip nat translations" it still shows the firewall's outside IP (i.e. 175.172.10.2).

It has to show 1.1.1.2???

Is there anything I need to change in the firewall? Because in the firewall I have given:

global (outside) 1 interface (i.e. outside interface 175.172.10.2)

Hello,

You should see both the firewall outside IP and the translated address. Can you post the output of the "show ip nat translation" command here?

Regards,

NT

Hello,

In "sh ip nat translation" I am still getting the same IP as the firewall's outside IP..

#sh ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
udp 114.143.201.*:1134  175.172.10.2:1134     24.212.98.214:2520    24.212.98.214:2520
udp 114.143.201.*:1134  175.172.10.2:1134     46.118.193.138:44782  46.118.193.138:44782
udp 114.143.201.*:1134  175.172.10.2:1134     67.81.201.181:17279   67.81.201.181:17279
udp 114.143.201.*:1134  175.172.10.2:1134     67.169.62.194:12580   67.169.62.194:12580

Hello,

If you notice, the inside global corresponds to the global address you are mapping to and the inside local corresponds to the actual IP of the firewall.

Inside global        Inside local
114.143.201.*:1134   175.172.10.2:1134

So, NAT translation is working.

Regards,

NT

Hello,

175.172.10.2 is the actual IP of my firewall. If we have done static NAT (ip nat source static 175.172.10.2 1.1.1.2 extendable) then in the NAT translation it has to show 1.1.1.2 instead of the firewall's actual IP (175.172.10.2).

This IP is being advertised globally, right???

Hello,

As per your output, 175.172.10.2 is being advertised as 114.143.201.*. The "inside global" means the global address (public address) corresponding to the inside local address.

If 114.143.201.* is not the correct address the firewall should use, can you post the output of "show run | include ip nat" here?

Regards,

NT
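As an added example (not from the thread or from Cisco), here is a small Python check that parses a captured "show ip nat translations" table like the one posted above and confirms that the firewall's outside address (the "inside local") is only ever presented to the Internet as the expected "inside global", which is the address a VPN peer must be given; the sample output is constructed from the thread's lines, and the trailing "---" static entry is added by assumption.

```python
"""Added example: verify a static NAT mapping from IOS translation output."""
from typing import NamedTuple


class NatEntry(NamedTuple):
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str


# Constructed sample modelled on the output posted in the thread (public octet
# masked as "*"). The last line is an assumed static entry: IOS lists the
# configured static mapping itself with "---" in the outside columns.
SAMPLE_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
udp 114.143.201.*:1134  175.172.10.2:1134     24.212.98.214:2520    24.212.98.214:2520
udp 114.143.201.*:1134  175.172.10.2:1134     46.118.193.138:44782  46.118.193.138:44782
udp 114.143.201.*:1134  175.172.10.2:1134     67.81.201.181:17279   67.81.201.181:17279
--- 114.143.201.*       175.172.10.2          ---                   ---
"""


def strip_port(field: str) -> str:
    """Return the address part of 'addr:port'; '---' and bare addresses pass through."""
    return field.rsplit(":", 1)[0] if ":" in field else field


def parse_nat_translations(text: str) -> list[NatEntry]:
    """Parse the five whitespace-separated columns; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:  # header has 9 words, blank line has 0
            continue
        entries.append(NatEntry(*fields))
    return entries


def check_static_mapping(entries, inside_local: str, expected_global: str) -> dict:
    """Collect every inside-global address the router presents for inside_local.

    The mapping is healthy only if that set is exactly {expected_global}; any
    other address there means traffic is leaving under an IP the peer will reject.
    """
    rows = [e for e in entries if strip_port(e.inside_local) == inside_local]
    seen = {strip_port(e.inside_global) for e in rows}
    return {"ok": seen == {expected_global}, "seen": sorted(seen), "entries": len(rows)}


if __name__ == "__main__":
    table = parse_nat_translations(SAMPLE_OUTPUT)
    print(check_static_mapping(table, "175.172.10.2", "114.143.201.*"))
```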

Hello,

OK, I got it. It means the inside global address (i.e. my ISP public IP 1.1.1.2) is being advertised to the external world, not my firewall's IP (i.e. my private IP 175.172.10.2)???

Now can I use 1.1.1.2 for the site-to-site VPN??

1.1.1.2 is now the peer IP for the remote site, right??

Hello NAGARAJA,

Can you tell me the command for remote telnet to the firewall by using the PuTTY software???

My firewall's IP is 175.172.10.2, which we NATted on the router to 1.1.1.2.

Hello NAGARAJA,

Thanks a lot. It works..

Now I am able to ping 1.1.1.2 from my router and also from outside..

Thanks a lot.. God bless you.
