877 adsl and multiple public IPs- NAT and no-NAT mixture

Hi,

I'm very new to Cisco kit and have just purchased an 877 ADSL router for my home network. I'm currently using SDM and have it working fine in a NAT-only scenario, using one of my public IPs and using NAT to provide my private LAN machines with internet access.

However, what I would ideally like to do is the following:

I have a wireless access point connected to FastEthernet0, which has IP address 192.168.0.2 and is providing DHCP for machines on my LAN which use wireless. For these clients I want to continue to use NAT and the first assigned public IP (Dialer0), which is what it is currently doing.

However, on FastEthernet1 I have an unmanaged switch attached which my servers are connected to.

For these machines, I want to assign public IPs from the range my ISP has assigned me. I do not want to give them private IPs and use NAT at all; I want them to use the fully routable public IPs my ISP has provided me with.

So to summarise, I'm trying to set up a mixture of a NAT and a no-NAT environment.

If anyone could tell me how I'd go about setting this up, I would be extremely grateful.

Here is the relevant section of my current config:

interface ATM0
 no ip address
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl enable-training-log
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxx@adsl.xx.co.uk
 ppp chap password 0 passwordd
 ppp pap sent-username xxxx@adsl.xxx.co.uk password 0 passwordhere
!
ip route 0.0.0.0 0.0.0.0 212.87.77.54
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 2 interface Dialer0 overload
!

8 REPLIES
New Member

Re: 877 adsl and multiple public IPs- NAT and no-NAT mixture

Hi,

I am in a similar situation to you, except that I have 1 FastEthernet connected to an external ADSL router.

After some reading, and experimentation with the "Advanced NAT setup wizard" in the SDM, I believe that using static NAT for the public servers is the only way possible.

New Member

Re: 877 adsl and multiple public IPs- NAT and no-NAT mixture

That's right, as far as I know it isn't possible using an 877 router.

It's always advisable to go for a higher series when you are hosting servers (public IPs assigned), which would also support your requirement. (You could have 2 FastEthernet interfaces, one with a public IP and the other with private and NAT configured for it.)

Hope it helps.

Please do rate it if it does.

Thanks,

Pallavi

Re: 877 adsl and multiple public IPs- NAT and no-NAT mixture

Hi Jamie,

Think what the purpose of NAT is...

To allow private (non-routable) IP addresses access to the public 'internet'.

To allow the conservation of IP addressing on the public internet.

The best way forward is to set up a static one-to-one NAT translation for each server you have, i.e.

1.1.1.1 -> 192.168.0.1 (all ports)

1.1.1.2 -> 192.168.0.2 (all ports)

Probably not the best move, as now every service running on your servers is exposed to potential attacks from the internet because all open ports are exposed by the public IP address statically NATed internally.

I think the best solution for you is to assign your servers a static private IP and statically map individual ports.

ip nat inside source static tcp 192.168.0.1 80 interface Dialer0 80

Then open the associated ports on the IOS Firewall ACL.

Now saying all that - to directly answer your question: you could actually configure the type of network you are proposing.

If your ISP gave you, for example, 5 public IPs, you could configure a LAN inside your router with public IP addresses. This means configuring your router (877) as a bridge with the ISP. You could assign your servers the public IPs assigned to you from your ISP. You can then use a firewall device of some sort or a cheap (or expensive) Ethernet router that provides a NAT facility to handle traffic from your private IP address LAN. This device would have one public IP address also.

Unfortunately you would not be able to provide bridging and NAT on the same 877.

See Attached Drawing.

HTH, Please rate if it does.

Thanks

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful
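
The contrast drawn in the post above, between a one-to-one static NAT (every port exposed) and per-port static mappings, can be checked against a saved config. This is an added example, not part of the original thread: a Python script that reads `ip nat inside source static` lines and reports which inside hosts are exposed on all ports and which only on named ports. The sample config and its 203.0.113.x addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample; 203.0.113.x stands in for an ISP-assigned public range.
SAMPLE_CONFIG = """\
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static 192.168.0.10 203.0.113.2
ip nat inside source static tcp 192.168.0.11 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.11 443 203.0.113.3 443 extendable
ip nat inside source static udp 192.168.0.12 53 203.0.113.3 53
"""

STATIC_RE = re.compile(r"^\s*ip nat inside source static\s+(\S.*)$")

def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def parse_static_nat(config):
    """Yield (inside_ip, outside, proto, outside_port) per static NAT rule."""
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue  # dynamic/overload rules and unrelated lines are skipped
        tok = m.group(1).split()
        if tok[0] in ("tcp", "udp"):
            # tcp|udp <inside-ip> <inside-port> <global-ip | interface X> <port>
            rest = tok[3:]
            if rest[:1] == ["interface"]:
                rest = rest[1:]  # outside address is taken from this interface
            if len(rest) >= 2 and _is_ipv4(tok[1]) and rest[1].isdigit():
                yield tok[1], rest[0], tok[0], int(rest[1])
        elif len(tok) >= 2 and _is_ipv4(tok[0]) and _is_ipv4(tok[1]):
            # One-to-one mapping: every port of the public address is forwarded.
            yield tok[0], tok[1], "any", None

def exposure_report(config):
    """Map each inside host to its exposed services; flag whole-host rules."""
    report = {}
    for inside, outside, proto, port in parse_static_nat(config):
        entry = report.setdefault(inside, {"whole_host": False, "services": []})
        if proto == "any":
            entry["whole_host"] = True
        else:
            entry["services"].append((proto, port, outside))
    return report
```

Hosts reported with `whole_host` set are the ones that depend entirely on the inbound ACL for protection; the rest are reachable only on the listed ports.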
New Member

Re: 877 adsl and multiple public IPs- NAT and no-NAT mixture

Hi Stephen,

Could you explain what you mean by bridging on a router?

Would the 877 in this case also have an IP address, which would be the default gateway for the internet, for all internal servers / NAT devices?

Thanks

Re: 877 adsl and multiple public IPs- NAT and no-NAT mixture

Hi,

Well, what I mean is to allow the outside DSL interface to act as just that: an interface to connect to the DSL network, without IP parameters. Then have Vlan1 on the 877 and all other hosts on this LAN use a public pool of addresses. See config below...

!
interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0/0
 ip address X.X.X.X 255.255.255.248
 ip tcp adjust-mss 1452
 speed 100
 hold-queue 100 out
!
interface Dialer0
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname USER
 ppp chap password PASS
!

The 877 must have one of the public IP addresses. Dialer 0 would be unnumbered and Vlan1 gets one of the public IPs. A default route is set on the router through interface Dialer0, and any host using a public IP address, i.e. a webserver, can use the Vlan1 interface of the router as its gateway.

I hope this helps. I have carried out this type of scenario before, and it works a treat. If I can answer any more questions, please fire them.

Please rate posts

Thanks

Stephen

New Member

Re: 877 adsl and multiple public IPs- NAT and no-NAT mixture

What Stephen says is correct, and that's very similar to my setup, which I eventually figured out. It is possible on the 877 to allow some machines to use public IP addresses in the manner Stephen has described, and also use NAT for machines using private IP addresses - thus creating the NAT and no-NAT mixed environment I spoke of. Apologies if it was unclear what I meant.

Thank you for your replies.

Edit: oh yes, this cannot be done using SDM alone; you must do it via the CLI or by editing the config. It is impossible as far as I can see to do this via SDM.

New Member

Re: 877 adsl and multiple public IPs- NAT and no-NAT mixture

Hi Stephen,

I think you have answered 95% of my questions!!

Just a few quick clarifications.

I plan on using a 2811 with a similar setup and have 2 Fa ports on that.

Am I right in understanding:

1. In the scenario above, I could plug fa0/0 into a switch and connect servers with public IPs and set the gateway to be the IP address of fa0/0? (VLAN 1 being fa0/0)

2. Could I also enable NAT on fa0/0 to selectively NAT networks attached to fa0/1 (another fa on my router 2811)?

3. Why do you need ATM0/0.1? Is that config related to the 877 only? Can't I just use ATM0?

Regards

Shahed.

Re: 877 adsl and multiple public IPs- NAT and no-NAT mixture

Jamie,

You are right about SDM. A great, fantastic tool. But always, more advanced configurations need to be carried out via CLI. Glad to help.

shahedvoicerite,

I will try to answer your questions inline (I will assume that you will also have an ADSL WIC in the router for internet connectivity).

->1. In the scenario above, I could plug fa0/0 into a switch and connect servers with public IPs and set the gateway to be the IP address of fa0/0? (VLAN 1 being fa0/0)

Ans: Short answer - yes. Longer answer - see diagram above. You would configure your router the same as Jamie's, with an ip unnumbered command under Dialer0. You can then configure your servers with public IPs. Read the above posts for more info.

->2. Could I also enable NAT on fa0/0 to selectively NAT networks attached to fa0/1 (another fa on my router 2811)?

Ans: Short answer - No. Long answer - When configuring the above design, your router cannot perform NAT at the same time. It will either be a bridge device or a NAT device.

->3. Why do you need ATM0/0.1? Is that config related to the 877 only? Can't I just use ATM0?

Ans: Short answer - 'just because' :) Long answer - it is the way I have always done it. I have a whole bunch of configurations that I use for various Cisco kit. When configuring ADSL interfaces I pull the commands from a previous config and paste them into a new router. The first ADSL config I came across had the ATM0/1 subinterface and I have not bothered to change it since. But you can configure all commands under ATM0 on any Cisco ADSL interface.

HTH

Cheers

Stephen
