
4 + 1 IPs outside to 2 IPs inside w/ 677 router?

davidstodolsky
Level 1

I currently have a Cisco 677 in a default configuration where the server is at 192.168.1.2 and the other machines on the LAN get to the Internet via NAT. We now have been assigned another IP set (4 IPs, 1 allocatable to a machine). The new IP was needed so 2 web servers could operate at port 80 as seen from outside. Originally, I was going to map the second IP port 80 to port 8100 on the same internal IP. Now I am thinking maybe it would be better to config the server with 2 IPs. This would allow other services to run on the new IP without configuration and later we might move that IP to another server. We are using fixed IPs, inside and outside. The instructions from our ISP don't seem to allow NAT and assume a different router IP than the current (191.168.1.1, while this setup would make it 191.168.1.2):

Assuming 10.1.1.x addresses:

enable
set nat disable
set int vip0 ip 10.1.1.1
set int vip0 mask 255.255.255.252
set route add ip (net address) mask (255.255.255.252) gw (10.1.1.2)
write
reboot

So, my question is how to add the new IP and keep the old one and NAT working? Or maybe the new IP configuration offered will not work?

5 Replies

tepatel
Cisco Employee

I am a little confused about the IP address scheme that you have mentioned.

You have one private IP address 192.168.1.1 allocated to the internal web server and want to add another one like 192.168.1.2? The WAN IP address is 10.1.1.1?

With that, you can map port 80 of both internal IP addresses like this:

set nat entry add 192.168.1.1 80 10.1.1.1 80 tcp
set nat entry add 192.168.1.2 80 10.1.1.1 80 tcp

So requests to port 80 on 10.1.1.1 will be load balanced between 192.168.1.1 and .2.

You can visit the following link for PAT on 600 CPEs.

http://www.cisco.com/warp/customer/794/600pat.html

If I am misunderstanding it, please explain what IP addresses you have and where, and which new one you want to add.

Everything after 'Assuming 10.1.1.x addresses: ' in my original post is part of the example from my ISP. Thus, their idea of how to set up a private 10.x.x.x net. My private net is currently 192.168.x.x, however.

Current setup is that the 677 is at 192.168.1.1, the server is at 192.168.1.2, NAT is on. This is the default config for a single outside IP, which is something like 287.65.11.10.

Now, I have been given an additional 4 IP block at something like 287.65.13.8 thru 287.65.13.11 externally speaking. The 'free' IP, the one not preassigned to the network, router, or broadcast should be directed to the same server, ideally at a different private IP. Thus, I want to have two 287.65.x.x IPs on the WAN be routed one-to-one to two 192.168.x.x IPs on the LAN.

My permissions don't allow access to:

http://www.cisco.com/warp/customer/794/600pat.html

Try the following link.

http://www.cisco.com/en/US/products/hw/routers/ps295/products_tech_note09186a0080093e32.shtml

It's the same as the other link.

Now you can have two 287.65.x.x IPs (.1 and .2, for example) on the WAN be routed one-to-one to two 192.168.x.x IPs (.2 and .3, for example) on the LAN by configuring it the following way.

set nat entry add 192.168.1.2 80 287.65.11.1 80 tcp
set nat entry add 192.168.1.3 80 287.65.11.2 80 tcp

You can also use the same without static port mapping.

The link above discusses the same.

You said:

You can also use the same without static port mapping.

I don't see what that means in this situation. I have multiple inside machines, but only one is reachable from the outside normally. Does this count as one machine, as far as the manual is concerned?

As far as I can see from the manual, each port has to be specified as well as the protocol. I'd like to have all incoming on the new external IP go to the new internal IP. This would avoid having to update the router entries with each new service.

If I can't do that, then can I just leave the present configuration and add the following for the new external IP?

set nat entry add 192.168.1.3 80 287.65.11.2 80 tcp

or maybe

set nat entry add 192.168.1.2 8080 287.65.11.2 80 tcp

Thus, doing port forwarding for tcp, since 192.168.1.2 is the current default internal IP. Would this continue to let everything thru on the old IP?

I still haven't been able to get this to work. It appears I need an external interface for the second IP. That is, I need to increase the max number of virtual circuits (from 1 to 2) and then use the Set Interface command to assign the new global IP to wan0-1. Can someone confirm this?

dss

---------------------------------------------------

cbos>show interface
        IP Address       Mask
eth0    192.168.1.1      255.255.255.0
vip0    0.0.0.0          255.255.255.0
vip1    0.0.0.0          255.255.255.0
vip2    0.0.0.0          255.255.255.0
wan0    Physical Port: Trained
        Dest IP Address  Mask
wan0-0  213.237.127.76   255.255.255.255

cbos>show multicast
Multicast Forwarding is currently enabled

cbos>show route
[TARGET] [MASK] [GATEWAY] [M][P] [TYPE] [IF] [AGE]
0.0.0.0 0.0.0.0 0.0.0.0 1 SA WAN0-0 0
192.168.1.0 255.255.255.0 0.0.0.0 1 LA ETH0 0
213.237.127.0 255.255.255.0 0.0.0.0 1 AR WAN0-0 0
192.168.0.0 255.255.0.0 192.168.1.254 1 SA ETH0 0
WAN Interfaces...
213.237.127.76 255.255.255.255 0.0.0.0 1 HA WAN0-0 0

cbos>show nat
NAT is currently enabled
Port    Network  Global
eth0    Inside
wan0-0  Outside  213.237.42.211
vip0    Outside
vip1    Outside
vip2    Outside

Local IP : Port     Global IP : Port   Timer  Flags    Proto  Interface
192.168.1.1:23      *****:23000        0      0x00041  tcp    eth0
192.168.1.2:*****   *****:*****        0      0x03041  ***    eth0
192.168.1.2:8100    213.237.69.65:80   0      0x00041  tcp    eth0
192.168.1.2:8100    213.237.69.65:80   0      0x00041  udp    eth0
192.168.1.2:8100    213.237.69.65:80   0      0x00041  icmp   eth0
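Added example, not part of the thread and not Cisco code: a small Python check that can be run over a batch of `set nat entry add` commands before they are typed into the router. It assumes the argument order seen in the replies above (inside IP, inside port, global IP, global port, protocol) and reports global address/port/protocol combinations that point at more than one inside host, addresses that are not valid IPv4, and private addresses on the global side. The names `parse_entry`, `audit` and `THREAD_COMMANDS` are made up for this example.

```python
import ipaddress
from collections import defaultdict

def parse_entry(line):
    """Parse 'set nat entry add <inside ip> <inside port> <global ip> <global port> <proto>'.
    The field order is an assumption taken from the commands quoted in this thread."""
    parts = line.split()
    if parts[:4] != ["set", "nat", "entry", "add"] or len(parts) != 9:
        return None
    inside_ip, inside_port, global_ip, global_port, proto = parts[4:]
    if not (inside_port.isdigit() and global_port.isdigit()):
        return None
    return inside_ip, int(inside_port), global_ip, int(global_port), proto.lower()

def audit(lines):
    """Return a sorted list of findings for a batch of static NAT commands."""
    findings, targets = set(), defaultdict(set)
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue  # not a static NAT command, ignore it
        inside_ip, inside_port, global_ip, global_port, proto = entry
        for side, addr in (("inside", inside_ip), ("global", global_ip)):
            try:
                ip = ipaddress.IPv4Address(addr)
            except ipaddress.AddressValueError:
                findings.add(f"{addr}: not a valid IPv4 address")
                continue
            if side == "global" and ip.is_private:
                findings.add(f"{addr}: global side is a private address")
            if side == "inside" and not ip.is_private:
                findings.add(f"{addr}: inside side is not a private address")
        targets[(global_ip, global_port, proto)].add((inside_ip, inside_port))
    for (gip, gport, proto), hosts in targets.items():
        if len(hosts) > 1:
            dests = ", ".join(f"{ip}:{port}" for ip, port in sorted(hosts))
            findings.add(f"{gip}:{gport}/{proto} maps to several inside hosts: {dests}")
    return sorted(findings)

# Commands quoted from the replies above; the 287.x address is the thread's
# stand-in for the real public block, so it is expected to be flagged.
THREAD_COMMANDS = [
    "set nat entry add 192.168.1.1 80 10.1.1.1 80 tcp",
    "set nat entry add 192.168.1.2 80 10.1.1.1 80 tcp",
    "set nat entry add 192.168.1.3 80 287.65.11.2 80 tcp",
]

if __name__ == "__main__":
    for finding in audit(THREAD_COMMANDS):
        print(finding)
```

An empty result means each global address, port and protocol is published to exactly one inside host, which is also the list of services reachable from outside.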