I have a customer that has been allocated an IP range by the ISP.
126.96.36.199/29 for example.
The Cisco router gets its IP of 110.x.x.x which is fine, and I can add a sub-interface with an IP in that 188.8.131.52 range and am able to ping that.
However the problem is that I need the router to be connecting to the internet but my firewall using the IP's in that public ip range as well as doing all the port forwarding. We have this same configuration working with other customers, only in those scenarios the router is a Cisco 877 and is managed by the ISP.
Is what I am describing possible with the SRP 527?
Any suggestions would be great!
The SRP520 only supports a single WAN IP address - it is not possible to forward traffic sent to any other address.
Thanks for your reply.
Can you please elaborate though?
To explain my confusion - I have set the SRP527 up with a PPPoE connection, it gets the IP of 110.x.x.x - I can ping this external once it is setup. I can then add a sub-interface with an IP of 203.x.x.x. and can ping that externally.
Sorry if this all sounds really dumb, this is not usually something I concern my self with
I'm not sure if I follow you completely. You have an SRP527 - I assume that you are connecting using PPPoE over an ADSL PVC interface?
Can you explain how you are creating a subinterface? (You can have another PVC, but a PVC cannot have a sub-interface)
Sure, hopefully this helps.
If I go to Interface Setup - WAN.
I have "WAN1" interface.
Under this there is PVC0 which is setup with PPPoE username+password, this interface gets a 110.x.x.x address from the ISP.
I can then create a sub-interface (PVC1) on that same screen and select IPoA and enter in the IP, Subnet Mask + Gateway (203.x.x.x) that has been allocated as an additional IP Range. From what I understand the ISP has added a route so that I can get to the 203.x.x.x. IP through the 110.x.x.x IP.
Maybe Sub-Interface is not the right word, but thats what the button says
They both work, but what I need to do is to some how pass on that PVC1 so that those additional IP's are setup on the firewall. It simply may not be possible with this particular router but I suppose I have to try.
I may not have all the terminology right but I know what I am describing is possible with a Cisco 877 which I suppose is a different kettle of fish anyway
That's interesting - I need to take a closer look at what you are seeing. The device is not intended to work that way though - so currently, there is no supported way of passing traffic to multiple WAN IP addresses through the firewall.
I am a little confused by your reply, the whole Sub-Interface thing is documented in the manual?
I dont need anything to go through the firewall, no port forwarding etc. Essentially I just need the device to connect to the internet and get its static IP of 110.x.x.x while our separate firewall device plugged into the Cisco 527W is configured with the public IP range allocated by the ISP.
As mentioned I have seen this exact configuration (just not with an SRP527w) many times
The different PVC interfaces are intended to terminate different services - where they are offered by a service provider. Typically for broadband access only one PVC is ever used.
What you are asking for is 1:1 Network Address Translation (sometimes also called software or hosted DMZ) of a public IP address assigned to your account - but different to the one used for the DSL interface. Basically, the Service Provider routes traffic to these addresses via your 110... address.
It is this feature that the SRP520 does not support (for others reading this thread, the SRP540 does support this).
It would be possible to disable NAT on the SRP520 and route traffic directly to clients addressed with these other public addresses - but NAT is a global configuration on the SRP520, implying that all of your clients would have to be publically addressed to gain access to the internet - which I appreciate may not be practical.
The part I was going to look in to was about being able to access the IP address on second PVC via the main one. I don't have access to a system to try this right now, but with that configuration, try adding a port forwarding rule for the client and ports you require - but ensure that you select PVC1 for the WAN interface in that configuration. It's not really intended to work this way, but could be a workaround for you if it works.
Sorry to bring an old thread back to life.. but i wondered if the NAT features you discuss above are now available on the SRP527W-U? I think they are, but I couldnt find any detailed reference to them online.
Quote "What you are asking for is 1:1 Network Address Translation (sometimes also called software or hosted DMZ) of a public IP address assigned to your account - but different to the one used for the DSL interface. Basically, the Service Provider routes traffic to these addresses via your 110... address"
Basically I need an affordable Cisco router (To compete with a Draytek Vigor 2830N) which will support multiple BT public IP addresses and LAN-LAN VPN concurerently. I have had issues with this in the past so I wondered if it was now possible? (The SRP would only terminate VPN on the WAN IP@ which is dynamic with BT multiple IP's)
We also need the Ethernet WAN option with PPPoE for FTTC. I know the SRP527 can do this so if the VPN/NAT features are available it will be perfect for us!
Thanks in advance..
If you have an SRP527W-U, then you should be able to use the "Software DMZ" feature to forward traffic for multiple WAN IP addresses to internal clients.