Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1323
Views
0
Helpful
0
Replies

How to NAT and Bridge on the same interface

Eric Fox
Level 1
Level 1

‎07-19-2013 10:18 AM - edited ‎03-07-2019 02:29 PM

Preamble: I'm studying for CCNA, but I'm jumping ahead a little to get my home internet coming in through a Cisco router. I understand the basic ideas but obviously not enough...

My current setup

I have a /29 subnet through ADSL, with a noname modem/router in a sort-of half bridge mode, followed by an OpenBSD box doing firewall and routing duties. Let's say my public network is 84.0.0.0/29.

The BSD box has a public IP, 84.0.0.2, on interface FE0 and uses the modem as default gateway (84.0.0.1).

The BSD box performs NAT overload with 84.0.0.2 for the internal network 192.168.0.0/24 on interface FE1 (192.168.0.1)

It also transparently bridges FE0 with FE2, allowing servers on that seperate network to have public IP addresses.

The benefit of that is it allows full firewalling of all traffic from FE0 to FE2 (and vice versa of course), so the servers with the public addresses are protected.

Finally, I have a seperate software router on a VMware ESXi host, connected to the public network (84.0.0.3, gateway 84.0.0.1) behind the BSD box. This runs pfSense and connects to one of those 'internet privacy' VPN services. It also performs NAT overload going out through that VPN, with the inside interface connected to the same 192.168.0.0 network as the BSD box. pfSense's address there is 192.168.0.2.

This allows me to configure a PC to go out through the VPN, instead of directly through the BSD box, by simply changing the PCs default gateway from 192.168.0.1 to 192.168.0.2.

That was all trivial to set up and works perfectly.

What I'm trying to do, and so far not succeeding

I want to replicate the above with my Cisco kit. I have an 1801, but am trying it all out on a 2811 first, with the outside connected into the 84.0.0.0 network behind the BSD box instead of an actual ADSL WAN interface. That way, I can play about without breeching my security, and don't keep losing my internet connection when I get it wrong. I am trying to put the inside interfaces (192.168.0.0 and 84.0.0.0) on VLANs on the remaining physical interface.

Is it possible to do the above with a 2811?

Could anyone point me in the right direction? At least for the main NAT and bridging parts. I guess the VPN would need to be done on a seperate VLAN if done on the same router rather than having another IP address in the same network..

I've tried a few things. Getting NAT to work alone is easy, but I can't get the bridging to work. I've tried setting IRB and a BVI interface but simply lost connection to the outside interface. I'm not sure that is exactly relevent to what I want to acheive.

Any ideas folks? Am I heading in the right direction?

In the meantime, I'll keep playing...

Rick.

Edit - Update:

This is getting to be a habit - I keep finding answers myself (after trying for ages) as soon as I ask for help.

I was doing it roughly correctly, the only thing I did  differently this time was that I created the BVI (and tested it) before  doing the NAT configuration. That, and I entered 'bridge 1 route ip'  which I thought was done automatically by enabling irb. Anyway, this  time it all worked. Nat and bridging, from one interface, out of another  interface now in VLANs.

Now to work on the VPN...

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card