Multiple WAN IPs

MikeCaditz (Level 1)

I am learning the 2911 router. Is there a way to set a single physical RJ45 port to handle multiple WAN IPs? Or do I need to buy a port expansion module?

Thanks.



Richard Burts (Hall of Fame)

Michael

I am not clear quite what it is that you are trying to accomplish but in general there are several approaches that could allow the 2911 to handle multiple WAN IP addresses.

If for some reason you have several different subnets assigned to the WAN coming on a single connection then you could use secondary addressing. If for example you had these 3 subnets assigned to your connection 10.0.1.0/24, 10.0.2.0/24, and 10.0.3.0/24 then your config might look something like this:

interface Gig0/0
 ! a host address from each subnet; IOS rejects the network address (.0) as an interface address
 ip address 10.0.3.1 255.255.255.0 secondary
 ip address 10.0.2.1 255.255.255.0 secondary
 ip address 10.0.1.1 255.255.255.0

If you have a single subnet assigned to the connection and it has multiple IP addresses that you need to use then you could use one IP for the interface address and then do Network Address Translation to use the other addresses for devices that are on the inside of the network.

If you have a single Ethernet connection and the provider has set it up with multiple VLANs running on it then you could configure the interface of the 2911 as a trunk and have the various VLANs and their associated subnets assigned to various subinterfaces of the 2911.

So if you can explain more clearly what you are trying to achieve then we might be able to give better advice.

HTH

Rick

Thank you. I will be more clear.

Simply, my T1 provider has assigned me a block of real-world IPs and I want to claim all of them on my 2911.

For example, HTTP traffic arriving from one of the WAN IPs will get routed to one internal server, whereas HTTP traffic arriving from another WAN IP will get routed to a different internal server.

Thank you again. I know how to do this on Microsoft ISA but am new to Cisco.

Michael

This is a much better explanation of what you want to accomplish. You would use Network Address Translation and configure a set of static address translation rules so that traffic to one public address was forwarded to a particular server inside your network and that traffic to another public address was forwarded to a different server inside your network.

You certainly can do this on the 2911 and would not need any extra equipment.

HTH

Rick

That makes sense. However, I am not clear which particular public IP address in my block I would assign to my interface ("Gigabit EtherNet0/0").  If I use the lowest IP address in the subnet and the correct subnet mask, would the interface then handle all public IP addresses in my subnet?

Hi,

You assign any IP the ISP provided as the interface IP and then you can use static PAT either to the interface or to another IP that was assigned to you by the ISP.

The interface IP will be used for your internal clients that only initiate connections from inside, using NAT overload.

Regards.

Alain.

Don't forget to rate helpful posts.

While NAT overload would provide connectivity for users who need access to the Internet I believe that the functionality that Michael wants to achieve is to accept connections from the Internet and forward them to various servers within his network. To achieve this he will need to configure a set of static NAT to map an individual ISP assigned IP address to an individual server inside his network.

Michael

It does not make much difference which IP address you assign to the router. As long as the router interface has one IP address within that subnet it can do address translation for all the other addresses within the subnet. If it were me I would choose either the lowest address in the subnet or the highest address in the subnet so that the translated addresses would be contiguous. But it really does not matter which one. It only matters that the address assigned to the router interface is in the subnet.

HTH

Rick

Thanks, Alain and Rick. I understand now.

Two more questions, though.

1. I have a site-to-site VPN configured using the particular public IP address I assigned to the router interface. (The VPN is up.) But is this incorrect, i.e. should I be using one of the other public IPs in my range, rather than the one assigned to the interface?

2. I am transitioning from an older Sonicwall router, which is still assigned the same public IP address range as the new Cisco (although I assigned a different IP address to each router's interface). Will this create conflicts? If both routers had a static PAT directing traffic from the same public IP to an internal server, which router would the packet go to?

Michael

1) While you could make it work if the VPN used one of the other addresses, I would say that it makes more sense to me to use the address assigned to the router interface for the VPN. After all, the VPN session connects to the router. So I think it is better to use the router interface address.

2) This is a valid concern. You need to manage both routers so that they do not both attempt to translate the same public address.

HTH

Rick

I am very impressed with how much assistance each of you has been willing to give a newbie. The great community support makes me glad I chose to upgrade our company's three locations to Cisco equipment.

Thanks again.

MikeCaditz (Level 1)

When I added a static NAT rule routing traffic from the outside to an internal server which is also part of a VPN, traffic is now blocked across the VPN to/from that internal server. How do I re-enable VPN traffic?

Building configuration...

Current configuration : 11174 bytes
!
! Last configuration change at 13:29:20 NewYork Wed Nov 9 2011 by ccpuser
! NVRAM config last updated at 12:46:41 NewYork Wed Nov 9 2011 by ccpuser
! NVRAM config last updated at 12:46:41 NewYork Wed Nov 9 2011 by ccpuser
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NYFirewall
!
boot-start-marker
boot-end-marker
!
!
logging buffered 52000
enable secret 5 xxxxxx
enable password xxxxxxx
!
no aaa new-model
!
clock timezone NewYork -5 0
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name gpgallery.com
ip name-server 10.10.10.177
ip name-server 10.10.10.176
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com
parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FTX1542AKH3
license boot module c2900 technology-package securityk9
!
!
username xxxxx privilege 15 secret 5 xxxxxx
username xxxxx privilege 15 secret 5 xxxxxxx/
!
redundancy
!
!
!
!
!
class-map type inspect match-any SDM_TELNET
 match access-group name SDM_TELNET
class-map type inspect match-any SDM_HTTP
 match access-group name SDM_HTTP
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
 match class-map SDM_TELNET
 match class-map SDM_HTTP
 match class-map SDM_SHELL
 match class-map SDM_SSH
 match class-map SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-1
 match class-map SDM_TELNET
 match class-map SDM_HTTP
 match class-map SDM_SHELL
 match class-map SDM_SSH
 match class-map SDM_HTTPS
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect edonkey match-any ccp-app-edonkey
 match file-transfer
 match text-chat
 match search-file-name
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address 65.19.62.60
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to65.19.62.60
 set peer 65.19.62.60
 set transform-set ESP-3DES-SHA2
 match address 106
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip route-cache
 shutdown
!
interface GigabitEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 209.101.19.226 255.255.255.240
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 104 in
 no ip route-cache
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/2
 description $FW_INSIDE$$ETH-LAN$
 ip address 10.10.10.161 255.255.255.224
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 3
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 6000
!
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/0 overload
ip nat outside source static tcp 209.101.19.230 90 10.10.10.181 80 extendable
ip nat outside source static tcp 209.101.19.230 443 10.10.10.181 443 extendable
ip route 0.0.0.0 0.0.0.0 209.101.19.225 permanent
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_HTTP
 remark CCP_ACL Category=0
 permit tcp any any eq www
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=0
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=0
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark CCP_ACL Category=0
 permit tcp any any eq 22
ip access-list extended SDM_TELNET
 remark CCP_ACL Category=0
 permit tcp any any eq telnet
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.160 0.0.0.15
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.160 0.0.0.31
access-list 3 permit 192.168.1.2
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 65.19.62.48 0.0.0.15
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 permit 10.10.10.160 0.0.0.31
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 209.101.19.224 0.0.0.15 10.10.10.0 0.0.0.127
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 101 permit tcp 65.19.62.48 0.0.0.15 host 209.101.19.226 eq telnet
access-list 101 permit tcp 65.19.62.48 0.0.0.15 host 209.101.19.226 eq 22
access-list 101 permit tcp 65.19.62.48 0.0.0.15 host 209.101.19.226 eq www
access-list 101 permit tcp 65.19.62.48 0.0.0.15 host 209.101.19.226 eq 443
access-list 101 permit tcp 65.19.62.48 0.0.0.15 host 209.101.19.226 eq cmd
access-list 101 deny tcp any host 209.101.19.226 eq telnet
access-list 101 deny tcp any host 209.101.19.226 eq 22
access-list 101 deny tcp any host 209.101.19.226 eq www
access-list 101 deny tcp any host 209.101.19.226 eq 443
access-list 101 deny tcp any host 209.101.19.226 eq cmd
access-list 101 deny udp any host 209.101.19.226 eq snmp
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.127 209.101.19.224 0.0.0.15
access-list 101 permit udp host 65.19.62.60 host 209.101.19.226 eq non500-isakmp
access-list 101 permit udp host 65.19.62.60 host 209.101.19.226 eq isakmp
access-list 101 permit esp host 65.19.62.60 host 209.101.19.226
access-list 101 permit ahp host 65.19.62.60 host 209.101.19.226
access-list 101 remark IPSec Rule
access-list 101 permit ip 65.19.62.48 0.0.0.15 209.101.19.224 0.0.0.15
access-list 101 permit ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 65.19.62.48 0.0.0.15 any
access-list 102 permit ip 10.10.10.160 0.0.0.31 any
access-list 102 permit ip host 192.168.1.2 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp 10.10.10.160 0.0.0.31 host 10.10.10.161 eq telnet
access-list 103 permit tcp 10.10.10.160 0.0.0.31 host 10.10.10.161 eq 22
access-list 103 permit tcp 10.10.10.160 0.0.0.31 host 10.10.10.161 eq www
access-list 103 permit tcp 10.10.10.160 0.0.0.31 host 10.10.10.161 eq 443
access-list 103 permit tcp 10.10.10.160 0.0.0.31 host 10.10.10.161 eq cmd
access-list 103 deny tcp any host 10.10.10.161 eq telnet
access-list 103 deny tcp any host 10.10.10.161 eq 22
access-list 103 deny tcp any host 10.10.10.161 eq www
access-list 103 deny tcp any host 10.10.10.161 eq 443
access-list 103 deny tcp any host 10.10.10.161 eq cmd
access-list 103 deny udp any host 10.10.10.161 eq snmp
access-list 103 permit ip any any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark CCP_ACL Category=1
access-list 104 permit tcp host 192.168.1.2 host 192.168.1.1 eq telnet
access-list 104 permit tcp host 192.168.1.2 host 192.168.1.1 eq 22
access-list 104 permit tcp host 192.168.1.2 host 192.168.1.1 eq www
access-list 104 permit tcp host 192.168.1.2 host 192.168.1.1 eq 443
access-list 104 permit tcp host 192.168.1.2 host 192.168.1.1 eq cmd
access-list 104 deny tcp any host 192.168.1.1 eq telnet
access-list 104 deny tcp any host 192.168.1.1 eq 22
access-list 104 deny tcp any host 192.168.1.1 eq www
access-list 104 deny tcp any host 192.168.1.1 eq 443
access-list 104 deny tcp any host 192.168.1.1 eq cmd
access-list 104 deny udp any host 192.168.1.1 eq snmp
access-list 104 permit ip any any
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 209.101.19.224 0.0.0.15 65.19.62.48 0.0.0.15
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127
access-list 108 remark CCP_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny ip 10.10.10.160 0.0.0.31 10.10.10.160 0.0.0.31
access-list 108 permit ip 10.10.10.160 0.0.0.31 any
access-list 111 remark CCP_ACL Category=2
access-list 111 remark IPSec Rule
access-list 111 deny ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127
access-list 111 permit ip 10.0.0.0 0.255.255.255 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 108
!
route-map SDM_RMAP_2 permit 1
 match ip address 111
!
!
!
control-plane
!
!
banner login ^CCCGerald Peters Gallery New York.^C
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 102 in
 password #Fire11!##
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Hi,

if you want these servers to be accessible from outside then your static PAT entries are not correctly configured:

ip nat outside source static tcp 209.101.19.230 90 10.10.10.181 80 extendable

ip nat outside source static tcp 209.101.19.230 443 10.10.10.181 443 extendable

Should be changed to:

ip nat inside source static tcp 10.10.10.181 80 209.101.19.230 80 extendable

ip nat inside source static tcp 10.10.10.181 443 209.101.19.230 443 extendable

Regards.

Alain.

Don't forget to rate helpful posts.
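As an added check (example code written for this thread, not anything from the original posts or from Cisco): a small Python script that parses the NAT-role interfaces and the static PAT lines from a constructed excerpt of the config posted above, flags every `ip nat outside source static` entry that in fact publishes an inside LAN host on a WAN address, and returns the equivalent `ip nat inside source static` command. The excerpt, the regexes and the function names are my own; it assumes the one-space sub-command indentation of `show running-config`.

```python
import ipaddress
import re

# Constructed excerpt of the thread's router config (not the full posted dump):
# the NAT-role interfaces and the two static PAT entries under discussion.
CONFIG = """\
interface GigabitEthernet0/0
 ip address 209.101.19.226 255.255.255.240
 ip nat outside
!
interface GigabitEthernet0/2
 ip address 10.10.10.161 255.255.255.224
 ip nat inside
!
ip nat outside source static tcp 209.101.19.230 90 10.10.10.181 80 extendable
ip nat outside source static tcp 209.101.19.230 443 10.10.10.181 443 extendable
"""
STATIC_RE = re.compile(
    r"^ip nat (inside|outside) source static tcp (\S+) (\d+) (\S+) (\d+)( extendable)?$"
)

def nat_interfaces(config):
    """Map each 'ip nat inside'/'ip nat outside' interface to its subnet."""
    roles = {"inside": [], "outside": []}
    network = None
    for line in config.splitlines():
        if line.startswith("interface "):
            network = None  # new interface block; forget the previous subnet
        m = re.match(r"^ ip address (\S+) (\S+)$", line)
        if m:
            network = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        m = re.match(r"^ ip nat (inside|outside)$", line)
        if m and network is not None:
            roles[m.group(1)].append(network)
    return roles

def in_any(addr, networks):
    return any(ipaddress.ip_address(addr) in n for n in networks)

def audit_static_pat(config):
    """Return (wrong_line, corrected_line) for each 'outside source static'
    entry that publishes an inside host on a WAN address; the fix keeps the
    ports and swaps direction and addresses, as the accepted answer does."""
    roles = nat_interfaces(config)
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if not m or m.group(1) != "outside":
            continue
        _, glob, gport, local, lport, ext = m.groups()
        if in_any(local, roles["inside"]) and in_any(glob, roles["outside"]):
            fixed = f"ip nat inside source static tcp {local} {lport} {glob} {gport}{ext or ''}"
            findings.append((line, fixed))
    return findings
```

The checker preserves the port pair on purpose, so the first finding still maps public port 90; Alain's accepted fix additionally moved that mapping to port 80, which is a choice to review by hand.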

Thank you.
