05-08-2006 10:57 AM - edited 03-03-2019 12:37 PM
Hello.
I have a 2620 and new addressing scheme from ISP. They say:
SSIP = 38.x.x.129 /30 (configured on S0/0).
LAN (new) = 38.x.x.8 /29 (not configured - they will route to 38.x.x.129 /30)
I need to host 2 webservers on SSL ports, different public IP addresses from new LAN mapped to static NATs.
Interfaces I have on 2620 are S0/0, E0/0 and E0/1.
Attached is my current config. I want static 38.x.x.9 mapped to 10.1.1.4 (port 443) and static 38.x.x.130 mapped to 10.1.1.17 (ports 443 and 444).
I can't figure this out . . .
05-08-2006 01:06 PM
Hello,
This is not clear enough to me.
What do you mean by:
LAN (new) = 38.112.56.8 /29 (not configured - they will route to 38.99.212.129 /30)
If the ISP routes 38.99.212.129/30, where are you going to use 38.112.56.8 /29?
For this request:
static 38.99.212.130 mapped to 10.1.1.17 (ports 443 and 444).
Try:
ip nat inside source static tcp 10.1.1.4 443 interface serial0/0 443
ip nat inside source static tcp 10.1.1.4 444 interface serial0/0 444
HTH
regards
cisand
05-08-2006 02:06 PM
I have 38.112.56.9 as an A record to get SSL service hosted inside my firewall on 10.1.1.4.
I also have 38.99.212.130 as an A record. The problem is coming in when I need to use the same port (443) for a different URL I'm hosting inside.
Under current config, stuff is getting in, but sometimes you have to refresh a couple of times - so not consistently.
If I try your suggestion:
ip nat inside source static tcp 10.1.1.4 443 interface serial0/0 443
ip nat inside source static tcp 10.1.1.4 444 interface serial0/0 444
This would replace:
ip nat inside source static tcp 10.1.1.4 443 38.112.56.9 443 extendable
ip nat inside source static tcp 10.1.1.4 444 38.112.56.9 444 extendable
Right? Binding the NAT directly to the serial . . .
Could I then use your suggestion to map all static "NAT'D" addresses?
Continuing like this:
ip nat inside source static tcp 10.1.1.17 443 interface serial0/0 443
ip nat inside source static tcp 10.1.1.17 444 interface serial0/0 444
Was I just over-complicating it?
Thanks so much for your time!
05-09-2006 03:42 AM
Hello again,
I got your setup now.
I believe that with a /30 network you will not be able to achieve this.
If you have:
ip nat inside source static tcp 10.1.1.4 443 interface serial0/0 443
ip nat inside source static tcp 10.1.1.4 444 interface serial0/0 444
ip nat inside source static tcp 10.1.1.17 443 interface serial0/0 443
ip nat inside source static tcp 10.1.1.17 444 interface serial0/0 444
This will not work. What happens when traffic comes to the router using the outside global IP address on port 443? Will it use 10.1.1.4 or 10.1.1.17? Cannot say.
What I suggest:
- either have a /29 from the ISP (price can be different)
- or change the outside global TCP port, i.e.
ip nat inside source static tcp 10.1.1.4 443 interface serial0/0 443
ip nat inside source static tcp 10.1.1.4 444 interface serial0/0 444
ip nat inside source static tcp 10.1.1.17 443 interface serial0/0 11443
ip nat inside source static tcp 10.1.1.17 444 interface serial0/0 11444
But in this case the remote end MUST be aware that to connect to 10.1.1.17 443 it has to use serial0/0 11443.
This can be with no added cost if you manage remote servers/ends.
HTH, if yes please rate.
cisand
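The collision described in the reply above (two inside hosts claiming the same outside address and port) can be checked mechanically before a rule set is pasted into the router. The following is an added example, not part of the original thread or any Cisco tool: the function names and the `interface_ips` parameter are hypothetical, and the parser only understands the static TCP/UDP port-forward form used in this thread.

```python
import re
from collections import defaultdict

# Static port-forward form used in this thread:
#   ip nat inside source static {tcp|udp} <local-ip> <local-port>
#       {interface <name> | <global-ip>} <global-port> [extendable]
RULE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"(?:interface (\S+)|(\d+\.\d+\.\d+\.\d+)) (\d+)(?: extendable)?$"
)

def parse_rules(config, interface_ips=None):
    """Yield (proto, global, global_port, local_ip, local_port) per rule."""
    interface_ips = interface_ips or {}
    for line in config.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # not a static port-forward line
        proto, lip, lport, ifname, gip, gport = m.groups()
        if ifname:
            # Resolve the interface to its address when the caller knows it,
            # so interface-based and address-based rules can be compared.
            name = ifname.lower()
            gip = interface_ips.get(name, "interface:" + name)
        yield proto, gip, int(gport), lip, int(lport)

def find_conflicts(config, interface_ips=None):
    """Map each outside (proto, global, port) claimed by more than one
    inside host:port to the sorted list of those inside targets."""
    seen = defaultdict(set)
    for proto, gip, gport, lip, lport in parse_rules(config, interface_ips):
        seen[(proto, gip, gport)].add((lip, lport))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# The two rule sets from the reply above.
AMBIGUOUS = """\
ip nat inside source static tcp 10.1.1.4 443 interface serial0/0 443
ip nat inside source static tcp 10.1.1.4 444 interface serial0/0 444
ip nat inside source static tcp 10.1.1.17 443 interface serial0/0 443
ip nat inside source static tcp 10.1.1.17 444 interface serial0/0 444
"""
REMAPPED = AMBIGUOUS.replace("10.1.1.17 443 interface serial0/0 443",
                             "10.1.1.17 443 interface serial0/0 11443") \
                    .replace("10.1.1.17 444 interface serial0/0 444",
                             "10.1.1.17 444 interface serial0/0 11444")

if __name__ == "__main__":
    for name, cfg in (("ambiguous", AMBIGUOUS), ("remapped", REMAPPED)):
        print(name, find_conflicts(cfg))
```

Passing `interface_ips={"serial0/0": "38.99.212.130"}` also catches a rule written against the interface colliding with one written against that literal address.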
05-09-2006 06:52 AM
You are sooooo close.
I have 38.112.56.8/29 that my ISP has assigned to me as my LAN. They say I must configure serial0/0 as 38.99.212.130/30. They are using 38.99.212.129/30 as their gateway and say they will route all 38.112.56.8/29 traffic to my router's serial0/0 (38.99.212.130/30).
So, what I'm trying to do is have an A record URL = 38.112.56.9 without remapping ports.
Is this a weird configuration from my ISP? I think they are using BGP. Do you think the only way is to remap the ports?
Thank you for your input!