11-08-2011 09:28 AM - edited 03-04-2019 02:12 PM
I am learning the 2911 router. Is there a way to set a physical single RJ45 port to handle multiple WAN IPs? Or do I need to buy a port expansion module.
Thanks.
11-08-2011 09:50 AM
Michael
I am not clear quite what it is that you are trying to accomplish but in general there are several approaches that could allow the 2911 to handle multiple WAN IP addresses.
If for some reason you have several different subnets assigned to the WAN coming on a single connection then you could use secondary addressing. If for example you had these 3 subnets assigned to your connection, 10.0.1.0/24, 10.0.2.0/24, and 10.0.3.0/24, then your config might look something like this:
interface Gig0/0
ip address 10.0.3.0 255.255.255.0 secondary
ip address 10.0.2.0 255.255.255.0 secondary
ip address 10.0.1.0 255.255.255.0
If you have a single subnet assigned to the connection and it has multiple IP addresses that you need to use then you could use one IP for the interface address and then do Network Address Translation to use the other interfaces for devices that are on the inside of the network.
If you have a single Ethernet connection and the provider has set it up with multiple VLANs running on it then you could configure the interface of the 2911 as a trunk and have the various VLANs and their associated subnets assigned to various subinterfaces of the 2911.
So if you can explain more clearly what you are trying to achieve then we might be able to give better advice.
HTH
Rick
11-08-2011 10:00 AM
Thank you. I will be more clear.
Simply, my T1 provider has assigned me a block of real-world IPs and I want to claim all of them on my 2911.
For example, HTTP traffic arriving from one of the WAN IPs will get routed to one internal server, whereas HTTP traffic arriving from another WAN IP will get routed to a different internal server.
Thank you again. I know how to do this on Microsoft ISA but am new to Cisco.
11-08-2011 10:24 AM
Michael
This is a much better explanation of what you want to accomplish. You would use Network Address Translation and configure a set of static address translation rules so that traffic to one public address was forwarded to a particular server inside your network and that traffic to another public address was forwarded to a different server inside your network.
You certainly can do this on the 2911 and would not need any extra equipment.
HTH
Rick
11-08-2011 10:49 AM
That makes sense. However, I am not clear which particular public IP address in my block I would assign to my interface ("Gigabit EtherNet0/0"). If I use the lowest IP address in the subnet and the correct subnet mask, would the interface then handle all public IP addresses in my subnet?
11-08-2011 11:43 AM
Hi,
You assign any interface the ISP provided as the interface IP and then you can use static PAT either to interface or to another IP that was assigned to you by ISP.
The interface IP will be used for your internal clients that only initiate connections from inside using NAT overload.
Regards.
Alain.
11-08-2011 12:35 PM
While NAT overload would provide connectivity for users who need access to the Internet I believe that the functionality that Michael wants to achieve is to accept connections from the Internet and forward them to various servers within his network. To achieve this he will need to configure a set of static NAT to map an individual ISP assigned IP address to an individual server inside his network.
Michael
It does not make much difference which IP address you assign to the router. As long as the router interface has one IP address within that subnet it can do address translation for all the other addresses within the subnet. If it were me I would choose either the lowest address in the subnet or the highest address in the subnet so that the translated addresses would be contiguous. But it really does not matter which one. It only matters that the address assigned to the router interface is in the subnet.
HTH
Rick
11-08-2011 01:19 PM
Thanks, Alain and Rick. I understand now.
Two more questions, though.
1. I have a site to site VPN configured using the particular public IP address I assigned to the router interface. (The vpn is up). But is this incorrect, i.e. should I be using one of the other public IPs in my range, rather than the one assigned to the interface?
2. I am transitioning from an older Sonicwall router, which is still assigned the same public IP address range as the new Cisco (although I assigned a different IP address to each router's interface). Will this create conflicts? If both routers had a static PAT directing traffic from the same public IP to an internal server, which router would the packet go to?
11-08-2011 02:27 PM
Michael
1) While you could make it work if the VPN used one of the other addresses, I would say that it makes more sense to me to use the address assigned to the router interface for the VPN. After all, the VPN session connects to the router. So I think it is better to use the router interface address.
2) This is a valid concern. You need to manage both routers so that they do not both attempt to translate the same public address.
HTH
Rick
11-08-2011 08:47 PM
I am very impressed with how much assistance each of you has been willing to give a newbie. The great community support makes me glad I chose to upgrade our company's three locations to Cisco equipment.
Thanks again.
11-09-2011 09:50 AM
When I added a static NAT rule routing traffic from the outside to an internal server which is also part of a VPN, traffic is now blocked across the VPN to/from that internal server. How do I re-enable VPN traffic?
Building configuration...
Current configuration : 11174 bytes
!
! Last configuration change at 13:29:20 NewYork Wed Nov 9 2011 by ccpuser
! NVRAM config last updated at 12:46:41 NewYork Wed Nov 9 2011 by ccpuser
! NVRAM config last updated at 12:46:41 NewYork Wed Nov 9 2011 by ccpuser
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NYFirewall
!
boot-start-marker
boot-end-marker
!
!
logging buffered 52000
enable secret 5 xxxxxx
enable password xxxxxxx
!
no aaa new-model
!
clock timezone NewYork -5 0
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name gpgallery.com
ip name-server 10.10.10.177
ip name-server 10.10.10.176
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FTX1542AKH3
license boot module c2900 technology-package securityk9
!
!
username xxxxx privilege 15 secret 5 xxxxxx
username xxxxx privilege 15 secret 5 xxxxxxx/
!
redundancy
!
!
!
!
!
class-map type inspect match-any SDM_TELNET
match access-group name SDM_TELNET
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
match class-map SDM_TELNET
match class-map SDM_HTTP
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-1
match class-map SDM_TELNET
match class-map SDM_HTTP
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxx address 65.19.62.60
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to65.19.62.60
set peer 65.19.62.60
set transform-set ESP-3DES-SHA2
match address 106
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
no ip route-cache
shutdown
!
interface GigabitEthernet0/0
description $FW_OUTSIDE$$ETH-WAN$
ip address 209.101.19.226 255.255.255.240
ip access-group 101 in
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 104 in
no ip route-cache
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
description $FW_INSIDE$$ETH-LAN$
ip address 10.10.10.161 255.255.255.224
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 3
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 6000
!
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/0 overload
ip nat outside source static tcp 209.101.19.230 90 10.10.10.181 80 extendable
ip nat outside source static tcp 209.101.19.230 443 10.10.10.181 443 extendable
ip route 0.0.0.0 0.0.0.0 209.101.19.225 permanent
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=0
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark CCP_ACL Category=0
permit tcp any any eq telnet
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.160 0.0.0.15
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.160 0.0.0.31
access-list 3 permit 192.168.1.2
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 65.19.62.48 0.0.0.15
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 permit 10.10.10.160 0.0.0.31
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 209.101.19.224 0.0.0.15 10.10.10.0 0.0.0.127
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 101 permit tcp 65.19.62.48 0.0.0.15 host 209.101.19.226 eq telnet
access-list 101 permit tcp 65.19.62.48 0.0.0.15 host 209.101.19.226 eq 22
access-list 101 permit tcp 65.19.62.48 0.0.0.15 host 209.101.19.226 eq www
access-list 101 permit tcp 65.19.62.48 0.0.0.15 host 209.101.19.226 eq 443
access-list 101 permit tcp 65.19.62.48 0.0.0.15 host 209.101.19.226 eq cmd
access-list 101 deny tcp any host 209.101.19.226 eq telnet
access-list 101 deny tcp any host 209.101.19.226 eq 22
access-list 101 deny tcp any host 209.101.19.226 eq www
access-list 101 deny tcp any host 209.101.19.226 eq 443
access-list 101 deny tcp any host 209.101.19.226 eq cmd
access-list 101 deny udp any host 209.101.19.226 eq snmp
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.127 209.101.19.224 0.0.0.15
access-list 101 permit udp host 65.19.62.60 host 209.101.19.226 eq non500-isakmp
access-list 101 permit udp host 65.19.62.60 host 209.101.19.226 eq isakmp
access-list 101 permit esp host 65.19.62.60 host 209.101.19.226
access-list 101 permit ahp host 65.19.62.60 host 209.101.19.226
access-list 101 remark IPSec Rule
access-list 101 permit ip 65.19.62.48 0.0.0.15 209.101.19.224 0.0.0.15
access-list 101 permit ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 65.19.62.48 0.0.0.15 any
access-list 102 permit ip 10.10.10.160 0.0.0.31 any
access-list 102 permit ip host 192.168.1.2 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp 10.10.10.160 0.0.0.31 host 10.10.10.161 eq telnet
access-list 103 permit tcp 10.10.10.160 0.0.0.31 host 10.10.10.161 eq 22
access-list 103 permit tcp 10.10.10.160 0.0.0.31 host 10.10.10.161 eq www
access-list 103 permit tcp 10.10.10.160 0.0.0.31 host 10.10.10.161 eq 443
access-list 103 permit tcp 10.10.10.160 0.0.0.31 host 10.10.10.161 eq cmd
access-list 103 deny tcp any host 10.10.10.161 eq telnet
access-list 103 deny tcp any host 10.10.10.161 eq 22
access-list 103 deny tcp any host 10.10.10.161 eq www
access-list 103 deny tcp any host 10.10.10.161 eq 443
access-list 103 deny tcp any host 10.10.10.161 eq cmd
access-list 103 deny udp any host 10.10.10.161 eq snmp
access-list 103 permit ip any any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark CCP_ACL Category=1
access-list 104 permit tcp host 192.168.1.2 host 192.168.1.1 eq telnet
access-list 104 permit tcp host 192.168.1.2 host 192.168.1.1 eq 22
access-list 104 permit tcp host 192.168.1.2 host 192.168.1.1 eq www
access-list 104 permit tcp host 192.168.1.2 host 192.168.1.1 eq 443
access-list 104 permit tcp host 192.168.1.2 host 192.168.1.1 eq cmd
access-list 104 deny tcp any host 192.168.1.1 eq telnet
access-list 104 deny tcp any host 192.168.1.1 eq 22
access-list 104 deny tcp any host 192.168.1.1 eq www
access-list 104 deny tcp any host 192.168.1.1 eq 443
access-list 104 deny tcp any host 192.168.1.1 eq cmd
access-list 104 deny udp any host 192.168.1.1 eq snmp
access-list 104 permit ip any any
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 209.101.19.224 0.0.0.15 65.19.62.48 0.0.0.15
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127
access-list 108 remark CCP_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny ip 10.10.10.160 0.0.0.31 10.10.10.160 0.0.0.31
access-list 108 permit ip 10.10.10.160 0.0.0.31 any
access-list 111 remark CCP_ACL Category=2
access-list 111 remark IPSec Rule
access-list 111 deny ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127
access-list 111 permit ip 10.0.0.0 0.255.255.255 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 108
!
route-map SDM_RMAP_2 permit 1
match ip address 111
!
!
!
control-plane
!
!
banner login ^CCCGerald Peters Gallery New York.^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 102 in
password #Fire11!##
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
11-09-2011 10:15 AM
Hi,
If you want these servers to be accessible from outside, then your static PAT entries are not correctly configured:
ip nat outside source static tcp 209.101.19.230 90 10.10.10.181 80 extendable
ip nat outside source static tcp 209.101.19.230 443 10.10.10.181 443 extendable
Should be changed to:
ip nat inside source static tcp 10.10.10.181 80 209.101.19.230 80 extendable
ip nat inside source static tcp 10.10.10.181 443 209.101.19.230 443 extendable
Regards.
Alain.
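To make the direction difference in Alain's answer concrete, here is an added Python model of IOS static PAT semantics; it is an illustration written for this thread, not Cisco code or anything the poster ran. It parses the two entries as posted and as corrected, then pushes a constructed Internet client's HTTPS SYN through the outside-to-inside path: `ip nat inside source static` rewrites the destination of inbound packets (so the server is reached), while `ip nat outside source static` only rewrites the source of packets that arrive *from* the global address, so the inbound SYN is left untouched and never reaches 10.10.10.181. It also models the NAT-exemption check that the posted config applies to the overload rule through route-map SDM_RMAP_2 and access-list 111 (deny 10.10.10.160/27 to 10.10.10.0/25): because inside-to-outside translation runs before the crypto map is evaluated, server traffic toward the VPN subnet that is not exempted leaves with its public source address and no longer matches crypto ACL 106. The client address 198.51.100.7 and the VPN peer host 10.10.10.50 are constructed sample values; whether the same exemption should gate the static entries in the poster's setup is not stated on the page and is left as an assumption here.

```python
"""Model of Cisco IOS static PAT direction semantics (added example, not IOS code)."""
import ipaddress
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticPat:
    scope: str    # "inside" or "outside": which side's SOURCE address the rule names
    local: str    # address as seen on the inside of the router
    lport: int
    glob: str     # address as seen on the outside of the router
    gport: int


# inside form:  ip nat inside  source static tcp <local>  <lport> <global> <gport>
# outside form: ip nat outside source static tcp <global> <gport> <local>  <lport>
_RULE = re.compile(r"^\s*ip nat (inside|outside) source static tcp (\S+) (\d+) (\S+) (\d+)")


def parse_static_pat(config: str) -> list[StaticPat]:
    """Extract static TCP PAT entries from IOS config text, normalising operand order."""
    rules = []
    for line in config.splitlines():
        m = _RULE.match(line)
        if not m:
            continue
        scope, a, ap, b, bp = m.groups()
        if scope == "inside":
            rules.append(StaticPat(scope, a, int(ap), b, int(bp)))
        else:
            rules.append(StaticPat(scope, b, int(bp), a, int(ap)))
    return rules


def translate_outside_to_inside(rules: list[StaticPat], pkt: Packet) -> Packet:
    """Packet arriving on the 'ip nat outside' interface, heading inside."""
    for r in rules:
        # inside-source entry: rewrite the DESTINATION (global -> local); this is port forwarding
        if r.scope == "inside" and (pkt.dst, pkt.dport) == (r.glob, r.gport):
            return replace(pkt, dst=r.local, dport=r.lport)
        # outside-source entry: rewrite the SOURCE, and only for packets sent BY the global host
        if r.scope == "outside" and (pkt.src, pkt.sport) == (r.glob, r.gport):
            return replace(pkt, src=r.local, sport=r.lport)
    return pkt  # no match: destination stays the public address and the server is never reached


def translate_inside_to_outside(rules: list[StaticPat], pkt: Packet, exempt) -> Packet:
    """Packet leaving via the 'ip nat outside' interface; NAT runs before the crypto map."""
    if exempt(pkt):
        return pkt  # NAT exemption: packet keeps its private source so a crypto ACL can match it
    for r in rules:
        if r.scope == "inside" and (pkt.src, pkt.sport) == (r.local, r.lport):
            return replace(pkt, src=r.glob, sport=r.gport)
        if r.scope == "outside" and (pkt.dst, pkt.dport) == (r.local, r.lport):
            return replace(pkt, dst=r.glob, dport=r.gport)
    return pkt


# Exemption modelled on access-list 111 in the posted config (deny local VPN subnet -> remote VPN subnet).
VPN_LOCAL = ipaddress.ip_network("10.10.10.160/27")
VPN_REMOTE = ipaddress.ip_network("10.10.10.0/125".replace("125", "25"))  # 10.10.10.0/25


def vpn_exempt(pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in VPN_LOCAL
            and ipaddress.ip_address(pkt.dst) in VPN_REMOTE)


def no_exempt(pkt: Packet) -> bool:
    return False


# Constructed config excerpts: the entries exactly as posted and as corrected in the answer above.
AS_POSTED = """
ip nat outside source static tcp 209.101.19.230 90 10.10.10.181 80 extendable
ip nat outside source static tcp 209.101.19.230 443 10.10.10.181 443 extendable
"""
CORRECTED = """
ip nat inside source static tcp 10.10.10.181 80 209.101.19.230 80 extendable
ip nat inside source static tcp 10.10.10.181 443 209.101.19.230 443 extendable
"""

CLIENT = Packet("198.51.100.7", 51515, "209.101.19.230", 443)   # constructed Internet client
VPN_PEER_HOST = "10.10.10.50"                                     # constructed host behind the VPN


def inbound_https(config: str) -> Packet:
    """Where does an Internet client's SYN to 209.101.19.230:443 end up?"""
    return translate_outside_to_inside(parse_static_pat(config), CLIENT)


def server_reply(config: str) -> Packet:
    """The server's reply must leave with the public source address the client spoke to."""
    reply = Packet("10.10.10.181", 443, CLIENT.src, CLIENT.sport)
    return translate_inside_to_outside(parse_static_pat(config), reply, no_exempt)


def server_to_vpn(config: str, exempt) -> Packet:
    """Server traffic toward the VPN subnet, with or without a NAT exemption."""
    pkt = Packet("10.10.10.181", 443, VPN_PEER_HOST, 40000)
    return translate_inside_to_outside(parse_static_pat(config), pkt, exempt)


if __name__ == "__main__":
    print("as posted :", inbound_https(AS_POSTED))
    print("corrected :", inbound_https(CORRECTED))
    print("reply     :", server_reply(CORRECTED))
    print("vpn, no exemption:", server_to_vpn(CORRECTED, no_exempt))
    print("vpn, exempted    :", server_to_vpn(CORRECTED, vpn_exempt))
```

Running the module prints the translated packets for each case; the inbound SYN reaches 10.10.10.181:443 only with the corrected `inside source` entries, and the server's packet toward the VPN host keeps its 10.10.10.181 source only when the exemption check fires first.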
11-16-2011 02:57 PM
Thank you.