New Member

Routing the internet through a EHWIC port

This is a basic question but I am new to configuring Cisco routers.

I currently have a Cisco 2921 router taking in the Internet from interface GigabitEthernet0/0 and it is spitting out the Internet for the office LAN on interface GigabitEthernet0/1.

I have an EHWIC card installed and I would like one of the ports on that card to be connected to a machine that will have a different external IP than GigabitEthernet0/0. I want the device that will plug into the EHWIC port to be available straight to the Internet without any firewalling and its IP should be 1.2.3.4 (an externally reachable IP).

Is below the correct configuration?

interface FastEthernet0/0
 ip address 1.2.3.4 <subnet mask>
 duplex auto
 speed auto
 no mop enabled

Thanks!

  • LAN Switching and Routing
6 REPLIES
Cisco Employee

Hi Nick,

I am afraid it will be more complicated than that.

First, the EHWIC card is most probably a Layer2 switch only, meaning none of its interfaces can have an IP address configured and act like a routed interface. Instead, what you need to do is to assign the switched interface to a specific VLAN, and assign the IP address to a virtual interface we call Switched Virtual Interface that represents the router port for all members of the particular VLAN, so for example:

vlan 11
 name Internet
!
interface FastEthernet 0/1/0
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
!
interface Vlan11
 ip address <address> <netmask>

The other issue is more complex, though. You have indicated that you want the attached station to directly have an externally visible and reachable address.

This is, generally, a routing problem. Your ISP currently assigns some IP address to the Gi0/0 interface of your router. How should your ISP know that the IP address 1.2.3.4 can be reached over the IP address it has assigned to your Gi0/0? If you do not tell it, or if the ISP is not configured for it, it will simply not recognize that exactly your router, out of thousands of routers it knows about, is the gateway to 1.2.3.4.

One of the ways of accomplishing this is doing a static NAT that would map an internal private IP address to some external public IP address you have agreed upon with your ISP. Another way of doing this is having the internet connection drop itself connect to the switching module, with the interface Vlan11 retaking the role of Gi0/0, and having another port, say, Fa0/1/1 also assigned to VLAN 11 where your station requiring the direct connection would be connected. In both these cases, it would be required to ask your ISP for a standalone IP address for the station, and another IP address to hide your remaining network behind (the one that is currently assigned to your Gi0/0).

Does all of this make sense? Please feel welcome to ask further!

Best regards,
Peter

New Member

Thank you.

I will try that out and let you know how it goes.

New Member

So if I understand this correctly...

vlan 11
 name Internet
!
interface FastEthernet 0/1/0
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
!
interface Vlan11
 ip address 1.2.3.4 255.255.255.248 ! outside IP
!
ip nat inside source static 192.168.100.3 1.2.3.4 ! inside IP of the machine -> outside IP

---

And I will not have to make any changes to interface GigabitEthernet0/0 or make a vlan for it?

Thanks!

Cisco Employee

Hi Nick,

I apologize for my late response.

More correctly, it should be something like this:

vlan 11
 name DMZ
 exit
!
interface FastEthernet 0/1/0
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
!
interface Vlan11
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 ip address 1.2.3.4 255.255.255.248 ! outside address
 ip nat outside
!
ip nat inside source static 192.168.100.3 1.2.3.4

The interface Vlan11 must be in the same IP subnet as your internal PC, and its address must be used by the PC as its default gateway - in other words, the PC will be using the IP address 192.168.100.3/24 as its own address and will be using 192.168.100.1 as its default gateway. If you are already using the 192.168.100.1 for some other stations, just assign the interface Vlan11 any other unused address in the 192.168.100.0/24 network and make sure the PC uses that as its default gateway.

I have a question, though: do you want to make the entire PC exposed to the outside internet (which is what the config shown above will do), or just some selected services?

The only change to the Gi0/0 is to declare it as NAT outside interface (already shown in my config above). You do not create any extra VLAN for that as that interface is a Layer3 interface already.

Best regards,
Peter

New Member

I would like the whole machine exposed.

I do have an additional consideration though. I am not sure how our office network will work with the above config. 

This is the current setup:

interface GigabitEthernet0/0
 description WAN
 ip address 1.2.3.4 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/2
 description WAN Secondary - DSL
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!

-----

Wouldn't 0/1 have to be part of the VLAN also?

I essentially want it to do this:

Internet come in through Gb0/0

Have our office network on Gb0/1 192.168.100.*

Have the machine I have been wanting to be exposed to the Internet be connected to Fa0/1/0 192.168.11.* and be fully exposed to the internet via 1.2.3.4 (external IP)

 

Cisco Employee

Nick,

You are asking whether the Gi0/1 should be made part of VLAN 11. The answer is clearly no and you have answered the question yourself by specifying the requirements: your Gi0/1 is 192.168.100.0/24 while the exposed machine is supposed to be 192.168.11.x, obviously in a different IP subnet. A single VLAN is a single IP subnet so if the Gi0/1 was also a part of VLAN 11, it would have to use the same IP address space. In addition, Gi0/1 is a routed interface, separate and independent of the added switch module and its switched interfaces, and it does not support the switchport access vlan command. Making it a part of VLAN 11 would be more complicated - it would need to be done using software-based bridging... let's just say we do not want to go into it.

So based on your current configuration you have posted, this is the resulting configuration I suggest:

interface GigabitEthernet0/0
 description WAN
 ip address 1.2.3.4 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip nat enable ! This command MUST be removed
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip nat enable ! This command MUST be removed
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/2
 description WAN Secondary - DSL
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip nat enable ! This command MUST be removed
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet 0/1/0
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
!
interface Vlan11
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
!
ip access-list standard NAT
 deny host 192.168.11.11
 permit 192.168.0.0 0.0.255.255
!
route-map NAT_G0/0 permit 10
 match ip address NAT
 match interface Gi0/0
!
route-map NAT_G0/2 permit 10
 match ip address NAT
 match interface Gi0/2
!
ip nat inside source static 192.168.11.11 1.2.3.4 extendable
ip nat inside source route-map NAT_G0/0 interface Gi0/0 overload
ip nat inside source route-map NAT_G0/2 interface Gi0/2 overload

This configuration should entirely expose the machine 192.168.11.11 connected to Fa0/1/0 and using the default gateway of 192.168.11.1 under the public IP address 1.2.3.4. All other traffic coming from inside and from the 192.168.x.x private range will be translated either to 1.2.3.4 or to 1.1.1.1 depending on what interface it is routed out to the internet.

Best regards,
Peter
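The thread turns on three things that are easy to get wrong on this box: `ip nat enable` (NVI NAT) mixed with legacy `ip nat inside`/`ip nat outside`, the statically translated host also being matched by the overload ACL behind the route-map, and an IP address placed on a switched EHWIC port instead of the VLAN's SVI (the original question). The script below is an added example, not code from the thread or from Cisco: it parses a trimmed, constructed copy of Peter's final configuration (Gi0/2, the descriptions and the `match interface` lines are left out, and the `ip nat enable` lines are left in so there is something to flag) and reports each of those conditions. The IOS subset it understands is only what appears in this thread; any other command is silently skipped.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the final configuration from the thread, with
# "ip nat enable" still present on the routed WAN interface so the audit has something to flag.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 1.2.3.4 255.255.255.248
 ip nat outside
 ip nat enable
!
interface Vlan11
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
!
ip access-list standard NAT
 deny host 192.168.11.11
 permit 192.168.0.0 0.0.255.255
!
route-map NAT_G0/0 permit 10
 match ip address NAT
!
ip nat inside source static 192.168.11.11 1.2.3.4 extendable
ip nat inside source route-map NAT_G0/0 interface Gi0/0 overload
"""

def parse_config(text):
    # Read the subset of IOS syntax used in the thread into plain dicts.
    cfg = {"interfaces": {}, "acls": {}, "route_maps": {}, "static": [], "overload": []}
    current = None  # (section, name) of the stanza whose indented lines follow
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        cmd = line.strip()
        if not line.startswith(" "):  # top-level line: a new stanza or a global command
            current = None
            if m := re.match(r"interface (\S+)", cmd):
                current = ("interfaces", m[1])
                cfg["interfaces"][m[1]] = {"ip": None, "nat": set(), "switchport": False}
            elif m := re.match(r"ip access-list standard (\S+)", cmd):
                current = ("acls", m[1])
                cfg["acls"][m[1]] = []
            elif m := re.match(r"route-map (\S+) (?:permit|deny) \d+", cmd):
                current = ("route_maps", m[1])
                cfg["route_maps"].setdefault(m[1], [])
            elif m := re.match(r"ip nat inside source static (\S+) (\S+)", cmd):
                cfg["static"].append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
            elif m := re.match(r"ip nat inside source route-map (\S+) interface (\S+) overload", cmd):
                cfg["overload"].append((m[1], m[2]))
            continue
        if current is None:
            continue
        section, name = current
        if section == "interfaces":
            iface = cfg["interfaces"][name]
            if m := re.match(r"ip address (\S+) (\S+)", cmd):
                iface["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            elif cmd in ("ip nat inside", "ip nat outside", "ip nat enable"):
                iface["nat"].add(cmd.split()[-1])
            elif cmd.startswith("switchport"):
                iface["switchport"] = True
        elif section == "acls":
            if m := re.match(r"(permit|deny) host (\S+)", cmd):
                cfg["acls"][name].append((m[1], ipaddress.ip_network(f"{m[2]}/32")))
            elif m := re.match(r"(permit|deny) (\S+) (\S+)", cmd):  # address plus wildcard mask
                cfg["acls"][name].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)))
        elif section == "route_maps":
            if m := re.match(r"match ip address (\S+)", cmd):
                cfg["route_maps"][name].append(m[1])
    return cfg

def acl_action(entries, addr):
    # First-match evaluation of a standard ACL; IOS denies anything left unmatched.
    for action, net in entries:
        if addr in net:
            return action
    return "deny"

def audit(cfg):
    # Findings for the three NAT mistakes discussed in the thread.
    findings = []
    for name, iface in cfg["interfaces"].items():
        if "enable" in iface["nat"] and iface["nat"] & {"inside", "outside"}:
            findings.append(f"{name}: 'ip nat enable' (NVI NAT) mixed with legacy 'ip nat inside/outside'")
        if iface["switchport"] and iface["ip"] is not None:
            findings.append(f"{name}: IP address on a switched port; put it on the SVI of its VLAN instead")
    inside = [i["ip"].network for i in cfg["interfaces"].values() if "inside" in i["nat"] and i["ip"] is not None]
    for local, public in cfg["static"]:
        if not any(local in net for net in inside):
            findings.append(f"static NAT {local}->{public}: inside-local address is on no 'ip nat inside' subnet")
        # Peter's config excludes the static host from the overload ACL so the two rules never compete.
        for rmap, _ in cfg["overload"]:
            for acl in cfg["route_maps"].get(rmap, []):
                if acl_action(cfg["acls"].get(acl, []), local) == "permit":
                    findings.append(f"static NAT {local}: also permitted by overload ACL {acl} (route-map {rmap})")
    return findings
```

To use it on a real box, replace `SAMPLE_CONFIG` with the text of a saved `show running-config` and print what `audit(parse_config(...))` returns; on the sample it reports only the `ip nat enable` line on Gi0/0, and once that line is removed the list is empty, which is the state Peter's final configuration is meant to reach.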
