Hi guys, I have a problem and I really don't know how to resolve this.
I have the following topology:
Switch1 <-> Router1 <-> Router2 <-> Switch2 <-> ISP
So on Switch1 we have our LAN, and Router2 is physically far away. My ISP gave me a pool of public IP addresses and they are on Switch2, so far I use NAT in order to have a public server in the LAN connected to Switch1.
Now I have a software that does not work with NAT, so I have to set the public IP address directly on the server's Ethernet interface.
How can I use one of my public IP addresses, connected directly on Switch2, in the LAN that is connected on Switch1? Is it possible?
I can subnet the public IP addresses if necessary, but my ISP still remains on Switch2.
My routers and switches are Cisco: C3700 for routers and C2950 for switches.
I tried to explain the problem the best I could, so I hope you understand it and can give me ideas to resolve it.
Probably the easiest way would be to set up a one-to-one NAT (firewall pipe / whatever) at the boundary to the ISP, then create a GRE tunnel to the inside, terminating at the server's router port.
The tunnel is the only way to keep the same subnet across the two routers.
You could probably do something really spiffy with MPLS and VRFs & such, but that would likely be much more complex than it needs to be (for a single server / small number of servers).
The above also assumes that you can't physically move the servers closer to the ISP boundary (so you move the boundary closer to the server via the GRE tunnel).
Thanks Scott, yeah, we can't move the servers.
Do you have an example of the configuration for a GRE tunnel and one-to-one NAT?
Thanks a lot for your help.
Before, I tried doing a one-to-one NAT and this didn't work using my ASA5520.
But I have not used a GRE tunnel until now.
I am not clear how your suggestion of using GRE tunnels would work to keep the same subnet on two routers. Are you suggesting bridging over the tunnel? Bridging over GRE is not officially supported. And bridging the subnet to the router would also imply introducing bridging to the LAN interface of the router, which adds another complication to the implementation.
Jose indicates in the original post that it may be possible to split the ISP provided address space. It seems to me that this approach would be better. The provider will still consider it one address space and route all of the addresses to the outside router. And if the address space were subdivided and subnetted then the outside router would just forward addresses to the subnet on the inside router. (note that depending on the type of connection to the ISP, it might be necessary to be sure that proxy arp is enabled on the outside router interface to the provider).
Richard's suggestion is your best one if you can do subnets.
Say for example you were given
You could chop a /30 off the top, i.e. 188.8.131.52/30, and then change your internal routing so that it knew this network hung off Switch1. The ISP does not know you did this, so it will send all the data to Switch2, which does know about this new subnet and will send it on the path to Switch1.
OK guys, I subnetted my pool of public IPs and I use this network behind a Layer 3 switch.
INTERNET<->ASA5520 <-> ROUTER1 <-> ROUTER2 <-> SWITCHL31 <-> PC1
On my Layer 3 switch I connected a PC with one public address from the new subnetting and I can ping the ASA5520, but not the Internet, and not from outside either. So now my question is, do I have to configure anything else on my ASA5520? I tried many things but nothing.
Your original post did not mention that there was an ASA in the path to the ISP and this does present a bit of a complication. I believe that there are at least 2 things that you need to do to be able to use the ISP assigned IP address on the server in the LAN:
- you need to configure a route in the ASA pointing to the subnet of public addresses inside the network (the ASA will default to believing that all public addresses are on its outside interface).
- you need to configure a NAT rule (actually a nonat rule) so that the address from the server comes into the ASA and is forwarded outside without translation.
I am not clear whether you may have done these already, but they would be essential to getting this to work. The details of how to do it may depend on some aspects of your situation which you would know better than we would.
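As an added illustration of the two ASA steps Richard lists (the inside route and the untranslated pass-through) plus the per-hop routes along the path in Jose's second topology, here is a constructed config sketch; it is not from any poster or from Cisco documentation. It reuses the 188.8.131.52/30 carve-out from the thread, assumes pre-8.3 ASA NAT syntax, and the transit addresses (10.0.x.x), interface names, ACL names and the port 443 permit are placeholders to be replaced with your own.

```cisco
! --- ASA5520 (pre-8.3 syntax assumed; next hop 10.0.0.2 = Router1, placeholder) ---
! 1. The ASA otherwise assumes every public address sits on its outside interface,
!    so point the carved-out /30 at the inside next hop.
route inside 188.8.131.52 255.255.255.252 10.0.0.2
! 2. Identity (static one-to-one) NAT for the /30: the server's public address leaves
!    and returns untranslated. Unlike "nat (inside) 0", a static entry also answers
!    ARP on the outside for the /30, which matters if the ISP link is Ethernet
!    (Richard's proxy-ARP note).
static (inside,outside) 188.8.131.52 188.8.131.52 netmask 255.255.255.252
! 3. Inbound sessions still need an explicit permit on the outside interface
!    (port and ACL name are placeholders).
access-list OUTSIDE_IN extended permit tcp any host 188.8.131.54 eq 443
access-group OUTSIDE_IN in interface outside

! --- Router1 (IOS; next hop 10.0.1.2 = Router2, placeholder) ---
ip route 188.8.131.52 255.255.255.252 10.0.1.2

! --- Router2 (IOS; next hop 10.0.2.2 = Layer 3 switch, placeholder) ---
ip route 188.8.131.52 255.255.255.252 10.0.2.2

! --- Layer 3 switch: the SVI takes the first usable address of the /30 ---
ip routing
interface Vlan20
 ip address 188.8.131.53 255.255.255.252
 no shutdown
! Default route back toward Router2 (placeholder next hop)
ip route 0.0.0.0 0.0.0.0 10.0.2.1

! PC1 / server: 188.8.131.54 mask 255.255.255.252, default gateway 188.8.131.53
```

A /30 leaves exactly one usable host address behind the switch; carve a larger block (for example a /29) if more than one server needs a public address there.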