Dynamic NAT pool for inside addresses

Kevin Melton
Level 2

I am installing a 1721 router for a customer. The customer is getting a T1 to connect to the internet. The ISP is providing addressing for the router. In the data is the public address that I need to configure on the Serial 0 interface. They have also provided the next hop to their network. All is well.

Herein lies my issue:

For the inside, they have provided the following:

Network address:

Broadcast address:

They have indicated that I should use as my E0 address. Effectively this means I need to use the remaining 5 available addresses for my clients. And this also means that my clients will be exposed to the public.

I would rather use an IANA class C address inside (ex. Why do I have to use the pool they are giving me? Can I not simply configure as my E0 interface, and then use and do dynamic NAT overload to that address? And then set up DHCP on the router to hand out a pool of addresses to my few inside clients?

Also how can I secure this more effectively...
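As an added example (not part of the original post or the thread's replies), the following IOS configuration does what the question describes: a private RFC 1918 LAN on the router's Ethernet interface, dynamic NAT overload (PAT) of that LAN onto the Serial 0 address, and a DHCP pool served by the router itself. All addresses are assumptions using documentation ranges: 198.51.100.2/30 stands in for the ISP-assigned Serial 0 address, 198.51.100.1 for the ISP next hop, and 192.168.1.0/24 for the inside LAN. The interface is written as Ethernet0 to match the post's "E0"; on an actual 1721 the LAN port shows up as FastEthernet0.

```cisco
! Added example, not from the original thread. All addresses are assumed:
!   Serial0  = 198.51.100.2/30 (ISP-assigned), ISP next hop 198.51.100.1
!   Inside   = 192.168.1.0/24 (RFC 1918), router LAN address 192.168.1.1
!
! LAN side: private addressing, marked as the NAT "inside"
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! WAN side: the single public address the ISP gave for the serial link
interface Serial0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Default route toward the ISP next hop
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Only the inside LAN is eligible for translation
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Dynamic NAT overload (PAT): every inside host shares Serial0's address,
! so the public /29 block is not needed for client access at all
ip nat inside source list 1 interface Serial0 overload
!
! DHCP for the few inside clients; keep .1-.10 out of the pool for the
! router and any host that needs a fixed address
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 198.51.100.1
 lease 0 12
!
! Verification after a client has pulled a lease and browsed:
!   show ip dhcp binding
!   show ip nat translations
! Each translation should show an inside local 192.168.1.x mapped to
! inside global 198.51.100.2 with a distinct port.
```

The dns-server line is also an assumption (the ISP's resolver address is not in the post); substitute whatever the ISP supplied. Because the clients are translated to the serial address, nothing on the LAN is reachable from the internet unless a static translation is added for it.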

4 Replies

Level 11

Usually ISPs assign you two public blocks: one for the WAN side (typically with a /30 mask) and another block for your inside LAN. Usually, between your private network and the Internet router, there will be a firewall which protects the network. The firewall would also do NAT (rather than doing it at the router). For this the firewall needs a public IP (say on the outside interface. Also an IP ( would need to be configured on the router's ethernet interface. The firewall's inside interface can be configured as with the hosts having IP addresses from the network.

If you do not plan to use any firewall (but plan to use an IOS-based firewall on the router, which is recommended), then you can request that the ISP remove this IP block from their routing table (this will also save you money, if you are paying an additional amount per month for that pool of public IPs).

If you do intend to use a web server or a vpn concentrator, which needs to be accessed from the Internet, you will need this IP block.

Hope that helps!

PS: It's advisable to mask the IPs assigned to your company while posting in a public forum like Netpro.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
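The reply above recommends running the IOS firewall on the router itself if no separate firewall is planned. As an added example (not from the thread or from the reply's author), this is the classic CBAC (context-based access control) layout on top of the NAT configuration: stateful inspection applied outbound on Serial0, and an inbound access list on Serial0 that denies everything the inspection has not dynamically opened. It assumes the same documentation addresses as before (Serial0 = 198.51.100.2, inside LAN = 192.168.1.0/24), that the image carries the IOS Firewall feature set, and that Serial0 is already marked `ip nat outside`.

```cisco
! Added example, not from the original thread. Assumes:
!   Serial0 = 198.51.100.2 (ISP-assigned), inside LAN = 192.168.1.0/24,
!   an IOS image with the IOS Firewall feature set (otherwise the
!   "ip inspect" commands are simply not recognised by the parser).
!
! Inspection rule: track sessions the LAN opens so return traffic is
! allowed back through the inbound access list below
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
!
! Inbound filter on the WAN interface. It is evaluated before NAT, so
! the public Serial0 address is what inbound packets are addressed to.
! Anti-spoofing: nothing from the internet should carry private sources
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
! Allow the ICMP messages needed for troubleshooting and path MTU
access-list 101 permit icmp any host 198.51.100.2 echo-reply
access-list 101 permit icmp any host 198.51.100.2 unreachable
access-list 101 permit icmp any host 198.51.100.2 time-exceeded
! Everything else is dropped unless CBAC has opened a temporary hole;
! logging the denies gives an audit trail of unsolicited inbound traffic
access-list 101 deny   ip any any log
!
interface Serial0
 ip access-group 101 in
 ip inspect FW out
!
! Verification:
!   show version              (image name / feature set actually loaded)
!   show ip inspect config    (rule FW applied outbound on Serial0)
!   show ip inspect sessions  (one entry per LAN-initiated connection)
!   show access-lists 101     (deny counters climbing = unsolicited hits)
```

This design answers the "how can I secure this more effectively" question without needing the public /29: the inbound list denies all unsolicited traffic, and the inspection engine punches return-path openings only for sessions the inside hosts started. Hosts that must be reachable from the internet would each need a static NAT entry plus an explicit permit in access-list 101, which is the case where the public block becomes necessary.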

Thanks very much and indeed it did help!

I searched the Cisco Web for information regarding "configuring firewall features on the 1700 series" and came up blank. I am not certain how to tell if I have the correct IOS to even run the stateful-inspection-type features; how can I tell?

I went to the Software Center, and was able to pull down a Feature set that had FW in the chain, but I am still not sure if this is correct because it had ADSL in the chain also, and we are getting a T-1...

I also remember using the configuration tool, and I had thought that it was a separate purchase for the IOS containing the Firewall and IDS mechanisms...

Cisco Employee

I agree with you that, for the most part, the inside IP addresses are irrelevant to the overall schema and can be anything you want. There will be 3 challenges to the design

1.) Ensure everyone is onboard with the same schema. No one can be on the /29 while everyone else is on the /24 subnet.

2.) The end customer may not want to change their IP addressing if they already have servers with static IP addresses, especially if they have to do static NAT for those servers.

3.) Watch the memory and CPU resources in the 1700 router.

I think at this point it is simply a few end users needing internet access from a Construction Trailer.

I want to do DHCP at the router for the few clients...