Use of public IP through a Cisco 1601

Guest_imported

Hello everybody;

I'm running a small network for a company; recently we bought a Cobalt RaQ 4 to host some websites. Because we have a T1, we are using a Cisco 1601 with NAT enabled.

To use all the features of the Cobalt (e.g. DNS, APOP, ...), I need to assign it an external IP address, but in the Cisco our public IPs are statically routed to some internal IPs (192.168.0.x).

DNS is not working if I assign an address like 192.168.0.x on the Cobalt, for example...

What should I do to use an IP like 212.67.x.x as the address of the Cobalt?

Thanks a lot for your help!

Gilles.
 
Is the T1 installed on the router an Internet connection?
If so, is that pipe set up for multiple static IPs? You can run NAT and use the static IPs as well. I need a clearer understanding of your circuit (T1).
Jeter@LasVegas.com
J.Fisher CCNA
 
If you're hosting web sites then you really don't want to be doing NAT on a 1600 series internet-connected router. Use your router just for routing traffic to and from the internet. Put a firewall, such as a PIX, behind that to take care of security and NAT. If you're running a web server you'll want to secure it, and a router isn't really up to the job! It can do it (sort of) but I would leave that to the firewall.

So, you need a public routable IP address that the world can see as your web server. Don't actually give the server this address, but set up DNS to point to this address. Then use the fw to map the public routable address to the actual private address that the server is configured with. You can then control the traffic that is allowed to access that address, i.e. allow port 80 to the web server but deny ICMP, if you like!!

You can also set up the fw to do PAT for all internal connections to the internet. You could set up a global NAT address of the fw's external IP or another IP. So your web server could initiate connections to an external DNS server using the global IP of the fw. Or you could set up a proxy behind the firewall and do DNS through that! You have lots of options with this!!

Either way, leave your internal servers with private IPs and only allow external access to them via NAT translations!

Good luck!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Thanks a lot for your help, I'm very new to the exciting world of Cisco routers ;-)

I cannot use the NAT static routing for my Cobalt, because I also need to use the DNS server to manage the domains that I'm going to host, and I've read that the DNS server needs to have a public IP to work on the internet.
I think that it's normal because if I put an A record for my Cobalt I need to use the private IP (192.168.0.3) to map it, so when an internet client uses my DNS to resolve the domain, he will be redirected to 192.168.0.3, which cannot be reached outside my LAN.

The other problem with static routing is that my host is unreachable from inside; when I try to reach it, it doesn't work.

Unfortunately we do not have the funds to buy a PIX ;-) But I think that it's possible to do so with a good linux box.

So, here's the solution that I've thought of...

For the moment, there are some static routes between the public and private addresses through the NAT.
e.g.:
ip nat inside source static 192.168.0.16 212.xx.xx.142

Here's a schema of my idea...

              (Internet)
                  |
                  | s0 : 212.yy.yy.62/30
             +---------+
             |  cisco  |
             +---------+
                  | e1 : 212.xx.xx.129/28
                  |
                  |
              eth0|
        +-------------------+
        | 212.xx.xx.130/28  |          DMZ
        |                   | eth2
        |     Linux Box     |----------------------+
        |   (Fw. + Rout.)   | 212.xx.xx.131/28     |
        |                   |                      |
        |  192.168.0.1/24   |                      |
        +-------------------+                 +--------+
                  | eth1                      | Cobalt |
                  |                           +--------+
                  |                        212.xx.xx.132/28
             Company LAN

I think that I can use LRP (Linux Router Project) to set up the box (
Linux is not a real problem for me, but IOS ... ;-)

So for now I need help to configure my Cisco.
Here's what I've thought of for the configuration of the router:

interface Ethernet 0
 no shutdown
 description connected to Firewall
 ip address 212.xx.xx.129 255.255.255.240
 no ip directed-broadcast
 keepalive 10

interface Serial 0
 no shutdown
 no description
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 frame-relay lmi-type q933a
 no fair-queue

interface Serial 0.1 point-to-point
 no shutdown
 description connected to Internet
 bandwidth 2048
 ip address 212.yy.yy.62 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 39

My idea is to use the Cisco as a 'simple' modem, and do all the routing stuff on my Linux box.

Do you think that this kind of solution could work?

Gilles.
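
An added example, not part of the original thread: a check of the addressing in the diagram above, where the router-to-firewall link and the DMZ both sit in the same /28, followed by one possible fix that splits the block into two /29s and gives the Cisco a static route to the DMZ half. The post masks its addresses, so the documentation prefix 203.0.113.128/28 stands in for 212.xx.xx.128/28; the function names, segment labels and the choice of a /29 split are assumptions (proxy ARP on the Linux box would be another way to keep a single /28).

```python
import ipaddress

# Constructed stand-in for the masked 212.xx.xx.128/28, same host numbers
# as the diagram in the post.
PLAN_AS_POSTED = {
    "cisco":      "203.0.113.129/28",
    "linux eth0": "203.0.113.130/28",
    "linux eth2": "203.0.113.131/28",
    "cobalt":     "203.0.113.132/28",
}
# Layer-2 segment each interface is attached to, read off the diagram.
SEGMENT = {"cisco": "transit", "linux eth0": "transit",
           "linux eth2": "dmz", "cobalt": "dmz"}


def overlapping_segments(plan, segment):
    """Return sorted pairs of distinct segments whose IP networks overlap."""
    nets = {}
    for name, cidr in plan.items():
        net = ipaddress.ip_interface(cidr).network
        nets.setdefault(segment[name], set()).add(net)
    segs = sorted(nets)
    found = []
    for i, a in enumerate(segs):
        for b in segs[i + 1:]:
            if any(x.overlaps(y) for x in nets[a] for y in nets[b]):
                found.append((a, b))
    return found


def split_plan(block):
    """Split the block in two: first half for transit, second for the DMZ."""
    transit, dmz = ipaddress.ip_network(block).subnets(prefixlen_diff=1)
    t, d = list(transit.hosts()), list(dmz.hosts())
    plan = {
        "cisco":      f"{t[0]}/{transit.prefixlen}",
        "linux eth0": f"{t[1]}/{transit.prefixlen}",
        "linux eth2": f"{d[0]}/{dmz.prefixlen}",
        "cobalt":     f"{d[1]}/{dmz.prefixlen}",
    }
    # IOS static route so the router forwards DMZ traffic to the Linux box.
    route = f"ip route {dmz.network_address} {dmz.netmask} {t[1]}"
    return plan, route


if __name__ == "__main__":
    print("overlap as posted:", overlapping_segments(PLAN_AS_POSTED, SEGMENT))
    new_plan, cisco_route = split_plan("203.0.113.128/28")
    print("overlap after split:", overlapping_segments(new_plan, SEGMENT))
    print(new_plan)
    print(cisco_route)
```

With the split, the Linux box routes between two distinct subnets, so its packet filter sees every packet between the Internet and the Cobalt.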
 