06-08-2013 01:13 PM - edited 03-04-2019 08:08 PM
I am almost done with my new internet setup and need help with the last bit. (see attached)
Everything works so far. I can reach the internet with this current configuration, but I need to add another device with a public IP (55.55.x.x) and want to use one of the 2901's GE switchports to achieve this. What would be the config for one of the ports?
**edit** On the attachment I said to B) access the internet via GB0/1. What I meant to say is server#1 needs access to the internet via GB0/1.
06-08-2013 01:50 PM
Hi Chris,
Can you post the config of the 2901? Make sure you remove any passwords and sensitive information.
Thanks,
Paul
****Please rate useful posts****
06-08-2013 08:30 PM
Here is the running-config
Building configuration...
Current configuration : 1981 bytes
!
! Last configuration change at 03:23:22 UTC Sun Jun 9 2013 by XXXXXX
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CLT-ROUTER
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
no logging console
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
ip name-server 216.136.95.2
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2901/K9 sn FTX17138507
!
!
username ccpuser privilege 15 secret 4 XXX
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
!
interface GigabitEthernet0/0
 description $ETH-LAN$
 ip address 50.55.X.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $ETH-WAN$
 ip address 66.X.X.X 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
!
interface GigabitEthernet0/0/0
 no ip address
!
interface GigabitEthernet0/0/1
 no ip address
!
interface GigabitEthernet0/0/2
 no ip address
!
interface GigabitEthernet0/0/3
 no ip address
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 66.X.X.X
!
!
!
!
control-plane
!
!
!
line con 0
 transport preferred none
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login local
 transport preferred none
 transport input telnet
line vty 5 15
 login local
 transport preferred none
 transport input telnet
!
scheduler allocate 20000 1000
!
end
06-08-2013 06:40 PM
Hi Chris,
Why are you natting a public subnet with another? From the diagram you are natting 55.55.xx.xx with 66.66.xx.xx. .......
About the answer... You can do a simple thing. Just install a switch off the 2901 and change the g0/0 as follows:
int g0/0
 no ip address
 no sh
!
int g0/0.55
 description ****To Server1***
 encapsulation dot1q 55
 ip address 55.55.xx.xy 255.255.255.zzz
 no sh
!
int g0/0.192
 description ****To Firewall ****
 encapsulation dot1q 192
 ip address 192.168.xx.zz
 ip nat inside
!
int g0/1
 description **** To Internet*****
 ip address 66.16.zz.zz 255.255.255.252
 ip nat outside
 no sh
!
ip route 0.0.0.0 0.0.0.0 g0/1
Or you can add an interface to the 2901 (providing none is available and to set a point to point communication with your server). In both cases I would not nat your server if it owns a public IP address and if it does not need nat protection. If you want to nat the server too, remove the public subnet and set a private one. Configuration wise would be:
int g0/0.55
 description ****To Server1***
 encapsulation dot1q 55
 ip address 192.168.55.55 255.255.255.0
 ip nat inside
 no sh
Don't forget to change the server ip accordingly.
Reading your diagram again, I see a useless double nat. If you nat on your sonic FW you do not need to nat on your router again and vice versa... If you nat on your router there is no need for natting on the FW. If I were you I would nat on the FW and I would just perform routing on the 2901 with a universal IOS with security license.
Hope to help
Alessio
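Added example (not part of any poster's message): a short Python check of the point raised above about NATing a public subnet. It reads normally indented `show running-config` text, flags interfaces marked `ip nat inside` whose address is outside RFC 1918 space, and reports when no `ip nat inside source` rule exists. The sample config is constructed, with documentation-range addresses standing in for the masked ones, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample modelled on the posted layout; documentation-range
# addresses stand in for the masked 50.55.X.1 / 66.X.X.X values.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.248
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface Vlan1
 no ip address
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_interfaces(config):
    """Return {interface: {"ip": str or None, "nat": "inside"/"outside"/None}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], {"ip": None, "nat": None})
        elif current is not None and line.startswith(" "):
            m = re.match(r"\s+ip address (\S+) \S+", line)  # skips "no ip address"
            if m: current["ip"] = m.group(1)
            m = re.match(r"\s+ip nat (inside|outside)\s*$", line)
            if m: current["nat"] = m.group(1)
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def nat_findings(config):
    """List NAT oddities: public inside subnets and missing translation rules."""
    findings = []
    has_rule = re.search(r"^ip nat inside source ", config, re.M) is not None
    for name, i in parse_interfaces(config).items():
        if i["nat"] == "inside" and i["ip"]:
            addr = ipaddress.ip_address(i["ip"])
            if not any(addr in n for n in RFC1918):
                findings.append(f"{name}: non-RFC1918 subnet marked 'ip nat inside'")
    if not has_rule:
        findings.append("no 'ip nat inside source' rule: traffic is routed untranslated")
    return findings
```

Run `nat_findings()` on a saved copy of the router's own running-config to see which inside interfaces carry public addresses before deciding where NAT should live.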
06-08-2013 08:20 PM
To answer your first question: I was given an email from my ISP. It stated "this is your external IP address "66.x.x.x." this address is for the device connected directly to our device" (in this case the cisco 3650 switch they provided).
I had asked for 5 public IP addresses (55.55.x.x1-5) to be used for publicly accessible devices.
I could only make the 2901 work by assigning GE0/1 as 66.x.x.x., nat outside, and making GE0/0 (nat inside) to be one of the public IP addresses (in this case 55.55.x.1).
I made the "wan" IP address for my firewall to be 55.55.x.2 which connected to GE0/0.
What I need is to connect an external server (it's actually a remote support device) to have an IP address of 55.55.x.3. I need that device to be able to reach the internet. I'm assuming it will have to use the same GE0/1 gateway as it needs to access the outside world.
None of the switchports 1-4 have been configured.
I guess what I'm trying to do is replicate the old DSL modem w/4 port switch we had. All I had to do then was to plug in my firewall to one port, and my support device to another and they both had "public IP" addresses (55.55.x.x.).
06-09-2013 07:00 AM
Hi Chris,
You can do the following:
For example:
!
interface Gi0/0
 no ip address
 no ip nat inside
!
!
interface vlan 10
 ip address 50.55.X.1 255.255.255.248
 ip nat inside
 no shut
!
!
interface Gi0/0/0
 switchport mode access
 switchport access vlan 10
 no shut
!
!
interface Gi0/0/1
 switchport mode access
 switchport access vlan 10
 no shut
!
This will put both devices on the same network where they can reach 50.55.x.1 to be able to get out to the Internet.
HTH
Paul
****Please rate useful posts****