02-04-2009 09:49 PM - edited 03-04-2019 01:06 AM
We connect our Cisco 1812 with PPPoE to our ISP. We have a /29 subnet of public IP addresses. The ISP basically forwards all 6 addresses of the subnet through the PPPoE connection. The dialer interface is currently configured with one of these public IP addresses. Our LAN is a private IP address subnet and the router does NAT between the public IP address and the LAN.
Now we would like to make some use of those other IP addresses and set up an FTP server which is accessible through one of the other public IP addresses. The server should be in some DMZ outside the normal LAN. Only FTP should be accessible from the internet while the LAN should have full access to all services on the server.
However, I am not sure what the best way would be to go about this. I guess it should be possible to set up a separate VLAN and do static NAT between one of the other public IP addresses and a DMZ IP address.
But I was wondering if it was possible to even assign a public IP address directly to the server and use some transparent firewalling to filter the traffic from the internet. The FTP server would be connected to one of the LAN ports of the 1812, and the router bridges the traffic from the internet to the FTP server, filtering everything except FTP if it is accessed from the internet. Is this feasible?
02-05-2009 08:51 AM
Hello Gerald,
you probably could try to combine IRB (integrated routing and bridging) with the dialer.
the vlan SVI and the dialer interface would be configured with
int vlan 10
 ! the DMZ SVI carries no IP address of its own; it only joins the bridge group
 no ip address
 bridge-group 1
int dialer1
 ! the dialer also joins the bridge group instead of holding the public address
 no ip address
 bridge-group 1
! bridge group 1 runs spanning tree and routes IP through the BVI (IRB)
bridge 1 protocol ieee
bridge 1 route ip
int bvi1
 ! here the public ip address before on dialer
 ip address <public-ip> <mask>
int fas0/x
 switchport
 switchport mode access
 switchport access vlan 10
 description switch port for FTP server
you need to update the default route using the BVI as outgoing interface
in this way you don't need NAT.
Hope to help
Giuseppe
02-15-2009 03:21 AM
Thx, Giuseppe.
I have tried what you have suggested but it did not work. Nothing went through.
I eventually managed to get it working with ip unnumbered.
Basic setup:
int Vlan2
 ! the router takes one of the public /29 addresses; the server gets another one in this VLAN
 ip address <public-ip> <mask>
int dialer0
 ! the dialer borrows the Vlan2 address instead of holding a public address itself
 ip unnumbered Vlan2
Then dialer0 "borrows" the IP address of Vlan2 and I can use other public IP addresses on devices in vlan2.
I also had to modify the "ip nat inside" to overload with the IP address of Vlan2 instead of Dialer0. Anything else (default route, crypto maps, gre tunnels, filters/firewall, etc.) could remain on Dialer0 as it used to.
Filtering to the other public IP addresses is possible on the dialer 0 interface as well.
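The "ip unnumbered" design from Gerald's post written out end to end, as an added example rather than configuration taken from the thread. Addresses are constructed from the documentation range 203.0.113.0/29 (router on 203.0.113.2, FTP server on 203.0.113.3); Vlan1 as the LAN with 192.168.1.0/24, Vlan2 as the DMZ VLAN, FastEthernet2 as the server's switch port and a passive-mode data port range of 50000-50100 on the server are all assumptions, not values from the thread.

```cisco
! Added example, not configuration from the thread. Addresses are constructed
! from the documentation range 203.0.113.0/29: router on 203.0.113.2, FTP server
! on 203.0.113.3. Vlan1 (LAN 192.168.1.0/24), Vlan2 (DMZ), FastEthernet2 (server
! port) and the passive data range 50000-50100 are assumptions.
!
interface Vlan1
 description private LAN, translated behind the Vlan2 address on the way out
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Vlan2
 description DMZ carrying the public /29; the server has its own public address here
 ip address 203.0.113.2 255.255.255.248
!
interface FastEthernet2
 description switch port for the FTP server (port number is an assumption)
 switchport access vlan 2
!
interface Dialer0
 ! existing encapsulation ppp, dialer pool and ppp chap settings stay as they are
 ip unnumbered Vlan2
 ip nat outside
 ip access-group FROM-INTERNET in
!
! Everything still leaves through the PPPoE session.
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! NAT overload now uses the Vlan2 address, because Dialer0 has no address of its own.
ip access-list standard LAN-HOSTS
 permit 192.168.1.0 0.0.0.255
ip nat inside source list LAN-HOSTS interface Vlan2 overload
!
! Inbound filter on the dialer: from the internet, the server is reachable on FTP only.
! LAN-to-server traffic is routed between Vlan1 and Vlan2 and never crosses Dialer0,
! so the LAN keeps full access without any entry here.
ip access-list extended FROM-INTERNET
 remark FTP control channel to the server's public address
 permit tcp any host 203.0.113.3 eq ftp
 remark passive-mode data channels (the server must be pinned to this range)
 permit tcp any host 203.0.113.3 range 50000 50100
 remark replies to TCP sessions opened from the LAN (via NAT) or by the server
 permit tcp any 203.0.113.0 0.0.0.7 established
 remark DNS replies for the router and the server (stateless; see note below)
 permit udp any eq domain 203.0.113.0 0.0.0.7
 remark ICMP feedback needed for path MTU discovery and troubleshooting
 permit icmp any 203.0.113.0 0.0.0.7 echo-reply
 permit icmp any 203.0.113.0 0.0.0.7 unreachable
 permit icmp any 203.0.113.0 0.0.0.7 time-exceeded
 deny ip any any log
```

The server's default gateway is the Vlan2 address (203.0.113.2 in this example). Anything else that terminates on Dialer0 in the real setup, such as the crypto maps and GRE tunnels Gerald mentions, needs its own permit lines before the final deny. The `established` and DNS entries are stateless return-traffic rules; if the 1812's IOS image carries the firewall feature set, `ip inspect` with the tcp, udp and ftp protocols on Dialer0 replaces them and also opens the FTP data channels dynamically, so the fixed passive range becomes unnecessary. `show access-lists FROM-INTERNET` shows which entries are matching, and `show ip nat translations` confirms that LAN sessions are being translated to the Vlan2 address rather than to Dialer0.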