
IOS config for public IP pass-through?


Boppa (ISP, US), Apr 27, 2004
Hi all,

I need some help on this one. I have a Cisco 2611 router, IOS 12.3.6a.

I'm uncertain as to whether I can use a public IP for a firewall on the LAN side of my router when I'm already using public IPs from the same subnet for NAT (64.x.x.0). For lack of a term, I'll call it transparent pass-through. Do I need to configure my router to allow traffic to the 64.x.x.1 firewall, and will this conflict with dynamic and static NAT already configured for 64.x.x.0?

Here is a portion of my config:

interface serial0/0.1
ip address 64.z.z.130
ip nat outside
frame-relay interface-dlci 16 IETF
no ip unreachables
.
.
.
! just one of my 5 subinterfaces
interface Ethernet0/0.2
encapsulation dot1Q 2
ip address 192.168.50.99 255.255.255.0
ip nat inside
ip access-group No-Inter-vlan-Routing-2
no ip unreachables
.
.
.
ip nat pool natpool-1 64.x.x.101 64.x.x.254 netmask 255.255.255.0
ip nat inside source list 15 pool natpool-1
ip nat inside source static 192.168.50.201 64.x.x.2
ip nat inside source static 192.168.1.201 64.x.x.3
ip nat inside source static 192.168.99.201 64.x.x.4
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
!
logging trap notifications
access-list 15 permit 192.168.0.0 0.0.255.255
!
! Deny Inter-VLAN routing to vlan1, 3, and 4. Allow traffic out.
ip access-list extended No-Inter-vlan-Routing-2
deny ip 192.168.50.0 0.0.0.255 192.168.99.0 0.0.0.255
deny ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
!
etc.
 
You need to explain in a little further detail what you are trying to do. For lack of understanding what you are trying to do, I would say you need to use the ip unnumbered interface .... command. Try to give us more of the config and a better understanding of what it is you are trying to accomplish.


It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
 
Computerhighguy:

Thanks for the response. The three static NATs that you see in my configuration are for firewalls also. So I know I can statically map a public IP address to a private address. The firewalls have the private address configured on their "WAN" port. And the firewall gateway address is the subinterface IP address.

What I'm trying to figure out is how to avoid static mapping of public IP to private IP, i.e., configure the firewall with the public IP address directly. But the firewall needs a gateway address. What do I use for the gateway address? Doesn't the gateway address have to be in the same subnet as the firewall's IP address? Here's one solution I thought of, where 64.x.x.99 would be the gateway address used in the firewall:

interface Ethernet0/0.5
encapsulation dot1Q 2
ip address 64.x.x.99 255.255.255.0
ip access-group No-Inter-vlan-Routing-5
no ip unreachables

But is my thinking correct, and is it really necessary to use up one of the public IP addresses to create a gateway? I'm a novice at routing and IOS, so mainly I want to make sure I'm not out in left field.

I also had a concern whether it is wise for the firewall IP to be in the same subnet as the dynamic NAT users.
 
Not sure if this will work on a subinterface, but it probably will.

interface Ethernet0/0.5
encapsulation dot1Q 2
ip unnumbered Serial0/0.1
ip access-group No-Inter-vlan-Routing-5
no ip unreachables

This will make a sort of bridging between the Ethernet subinterface and the serial subinterface. Then you would use the address you were NATing to the firewall on the firewall itself.


 
But what gateway address would I use on the firewall?
 
The serial interface on the router. In this case it is 64.z.z.130.



 


Thanks, computerhighguy. I was under the impression the gateway address had to be in the same subnet. So actually I probably don't need to configure anything in the router, correct?
 
That is a difficult statement. It is hard to imagine that your default gateway is on a different subnet, right? Well, it is possible. But I would like to say that I am not setting you up for success here. I did not fully read your config. You will need to add an IP address in the x.x range to the Ethernet interface of the router, and then you can add one of the x.x addresses to the firewall. I apologize, I did not see the z.z in the serial config.


 
computerhighguy:

Thanks for the clarification. Sounds like I do need a subinterface with a 64.x.x address assigned to each subinterface. Can I break up my 64.x.x.0/24 allotment into 64.x.x.0/29 subnets? If so, how would I use several of those subnets for the general NAT pool?
 
Why are you using subinterfaces on the Ethernet side anyway?

Unless you have a good reason, get rid of the subinterfaces and assign the interface a static IP address.

Let's say, 64.x.x.1

Then assign your firewalls 64.x.x.2-7, and then the rest can be divided up amongst the firewalls for NAT/PAT purposes.


I understand why you have subinterfaces on the serial side, but not the Ethernet side (unless you are running VLANs, but why do that?).


 
computerhighguy:

Would 64.x.x.1 be assigned to a serial subinterface? I'm presently dynamically and statically NAT'ing the 64.x.x.0 subnet, and have not had to assign 64.x.x.1 to any interface. I guess what I hear you saying is if I assign firewalls 64.x.x.2-7, each would need the 64.x.x.1 as its gateway.

I am using VLANs because some subscribers need access to an application server. So I just set up VLANs for all subscribers, not knowing who may want application services. However, these are port-based VLANs on a HP ProCurve (Layer 2) switch. I don't want inter-VLAN routing. The application server is connected to one of the switch ports, as are all subscribers. So possibly I don't need dot1Q encapsulation in the router. That's the part I'm not sure of, and I just included router dot1Q support in case. However, I then found myself using ACLs so there would be no inter-VLAN routing.
 
From my understanding of your problem you have a few solutions. The solution I will outline is the one that I find offers the most reliability vs. ease for your config. If you already have established VLANs, I would make each VLAN its own subnet, based on traffic or your organization. Then simply set up your router with an interface on each subnet as the default gateway; since each subnet is directly connected, they will automatically route.
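The open questions in this thread (does the firewall's gateway have to be on its own subnet, can the /24 be cut into /29s, and how to keep a directly addressed firewall segment out of the NAT pool and away from the existing static NAT globals) can be checked mechanically before touching the router. The script below is an added example, not code from any poster; it uses Python's standard ipaddress module, stands in 64.0.0.0/24 for the poster's 64.x.x.0/24 (the x.x octets are not on the page), borrows the pool and static NAT addresses quoted in the config above, and assumes a hypothetical VLAN 5 on Ethernet0/0.5 for the rendered IOS lines.

```python
"""Address-plan check for a directly routed firewall subnet beside an existing NAT pool.

Added example (not from the original thread). 64.0.0.0/24 is a constructed stand-in
for the poster's 64.x.x.0/24; the pool and static NAT globals mirror the posted config.
"""
from ipaddress import IPv4Address, IPv4Network, summarize_address_range

PUBLIC_BLOCK = IPv4Network("64.0.0.0/24")                     # stands in for 64.x.x.0/24
NAT_POOL = (IPv4Address("64.0.0.101"), IPv4Address("64.0.0.254"))  # natpool-1 in the post
STATIC_GLOBALS = ["64.0.0.2", "64.0.0.3", "64.0.0.4"]          # inside-global side of the statics


def same_link(host_ip, gateway_ip, prefixlen):
    """True when the gateway lies inside the host's own subnet.

    A host (or a firewall WAN port) only ARPs for addresses inside its mask, so a
    gateway outside that subnet is unreachable for it; this is the thread's core doubt.
    """
    host_net = IPv4Network(f"{host_ip}/{prefixlen}", strict=False)
    return IPv4Address(gateway_ip) in host_net


def carve(block, prefixlen=29, count=1):
    """Split `block` into /prefixlen pieces; the first `count` become directly addressed
    firewall segments, the rest stay available for NAT pools or other use."""
    subnets = list(block.subnets(new_prefix=prefixlen))
    return subnets[:count], subnets[count:]


def firewall_plan(net):
    """Router takes the first usable address as gateway; firewalls get the remaining hosts."""
    hosts = list(net.hosts())
    return {"gateway": str(hosts[0]), "firewalls": [str(h) for h in hosts[1:]]}


def conflicts(connected, nat_pool, static_globals):
    """Report public addresses claimed twice: inside a directly connected subnet and also
    used as a NAT inside-global address (dynamic pool or static mapping).

    Such an address would be both a connected-route host and a translation target,
    so the router's behaviour for it becomes ambiguous.
    """
    problems = []
    pool_nets = list(summarize_address_range(*nat_pool))
    for net in connected:
        for pn in pool_nets:
            if net.overlaps(pn):
                problems.append(f"NAT pool {pn} overlaps connected subnet {net}")
        for g in static_globals:
            if IPv4Address(g) in net:
                problems.append(f"static NAT global {g} lies inside connected subnet {net}")
    return problems


def render_ios(subif, vlan, net, nat_pool):
    """IOS lines for the firewall-facing subinterface plus the untouched NAT pool.
    The public subinterface deliberately carries no 'ip nat inside'."""
    gw = next(net.hosts())
    return [
        f"interface {subif}",
        f" encapsulation dot1Q {vlan}",
        f" ip address {gw} {net.netmask}",
        f"ip nat pool natpool-1 {nat_pool[0]} {nat_pool[1]} netmask {PUBLIC_BLOCK.netmask}",
    ]


if __name__ == "__main__":
    fw_nets, spare = carve(PUBLIC_BLOCK)
    plan = firewall_plan(fw_nets[0])
    print(f"firewall segment {fw_nets[0]}: gateway {plan['gateway']}, firewalls {plan['firewalls']}")
    print(f"{len(spare)} further /29s remain for pools")
    for p in conflicts(fw_nets, NAT_POOL, STATIC_GLOBALS):
        print("CONFLICT:", p)
    print("\n".join(render_ios("Ethernet0/0.5", 5, fw_nets[0], NAT_POOL)))
```

Run as-is, it reports no overlap between the /29 carved off the front of the block and the .101-.254 pool, but it flags the three static globals .2, .3 and .4 as lying inside the new connected /29: once a firewall carries a public address directly, the static translation that used to hand it that address has to be removed rather than left beside it.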
 