11-22-2011 11:32 PM - edited 03-04-2019 02:22 PM
Hi Everyone,
Can someone please help me with the following situation urgently?
I am working for a company based in Sydney, Australia. The company recently opened an office in London, UK, therefore we are going to get a leased line based on MPLS.
We were advised that the Customer Edge router will be a CISCO1941/K9. We want our UK client to access our web-based applications via the MPLS network instead of the Internet. The UK office is using BT Business ADSL with 5 static IP addresses (please note the modem IP address is actually dynamic). We are going to get a Cisco 857/K9 router which will be used as the entry point for the UK client to access the MPLS network. My question is how do I configure the Cisco 857 router to allow one of the public IPs to access the MPLS network. It appears that there are two options, and I am not sure if this is going to work or which one works better. I have attached two diagrams for clarification of my case.
Option 1
Cisco WAN interface gets a dynamic IP (PPPoA) from BT
LAN interface (4 port) gets the 5 assigned static IP addresses
One of the five IPs (217.xx.xx.169) will be assigned to the FE1 (Cisco 1941); any traffic to 217.xx.xx.169 will be routed to the WAN interface of the Cisco 1941 to access the Sydney services (located in the Sydney LAN, mostly HTTP and HTTPS traffic)
One of the five IPs (217.xx.xx.170) will be assigned to the WAN interface of the SonicWall firewall router, which also serves as the Internet access gateway for LAN users. All traffic destined for the Sydney LAN will be using FE0 (Cisco 1941) as gateway
Option 2
Cisco WAN interface gets a dynamic IP (PPPoA) from BT
LAN interface (4 port) will get 192.168.0.1; the Cisco 857 router will be the default gateway for LAN users, using one-to-many NAT and also one-to-one NAT. One of the five IPs (217.xx.xx.169) will be forwarded to the FE0 (Cisco 1941); any traffic to 217.xx.xx.169 will be routed to the WAN interface of the Cisco 1941 to access the Sydney services (located in the Sydney LAN, mostly HTTP and HTTPS traffic)
Many thanks,
Rupert
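An added example of what the Option 2 port-forward could look like on the Cisco 857 (this is not configuration from the thread or from Cisco). It assumes BT's usual PVC 0/38 for PPPoA, uses 203.0.113.169 as a placeholder for the page's 217.xx.xx.169, and assumes 192.168.0.2 as the 1941's FE0 address; the forward is limited to TCP 80 and 443 so that only the web-application ports reaching that public IP are passed toward the MPLS side.

```cisco
! Added example, not from the original thread. Placeholders:
!   203.0.113.169 = the client-facing public IP (page's 217.xx.xx.169)
!   192.168.0.2   = assumed LAN address of the Cisco 1941 FE0
!   PVC 0/38 and the CHAP login are assumed BT Business ADSL values
interface ATM0
 no ip address
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer0
 description BT Business ADSL (PPPoA, dynamic WAN address)
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ! assumed BT login; replace with the real account details
 ppp chap hostname user@btbroadband.com
 ppp chap password 0 REPLACE-ME
!
interface Vlan1
 description 4-port LAN switch; the 857 is the LAN default gateway
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! One-to-many NAT for the London LAN users (Option 2)
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! One-to-one forward of the public IP to the CE router's LAN address.
! Port-level static NAT is used instead of a full static NAT so that only
! HTTP/HTTPS aimed at 203.0.113.169 is forwarded; anything else sent to
! that address from the Internet is not passed toward the MPLS network.
ip nat inside source static tcp 192.168.0.2 80 203.0.113.169 80
ip nat inside source static tcp 192.168.0.2 443 203.0.113.169 443
```

Whether the 1941 then carries that traffic on to Sydney depends on how the MPLS side is addressed and routed, which the thread does not settle.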
11-22-2011 11:57 PM
Hi,
Why don't you simply interconnect your offices through MPLS using private IP addresses?
All you might need then would be an internal DNS server translating "internal" server names to their private IP addresses.
IMHO, that would be much easier than complicated routing/NATing while using public IP addressing.
HTH,
Milan
11-23-2011 12:05 AM
Hi Milan,
Thank you for your quick response. The inter-office connection will be through MPLS using private IP addresses. Apart from our UK staff using the MPLS, we also want our UK client to use MPLS as soon as the client connects to one particular IP address; that's why I am not sure which is the best way to route it.
Thanks,
Rupert
11-27-2011 09:32 AM
Hi Rupert,
None of your scenarios is 100% clear to me from the NATing and routing-back-to-London points of view.
As you have a FW in London involved, why don't you configure NATing necessary on the FW?
You could configure the FW to accept the packets with 217.xx.xx.169 destination address and forward them to Sydney using private source and destination addresses with no routing changes necessary.
(I've done something similar in the past on a Checkpoint FW.)
BTW, this is not a good idea from a security point of view: traffic coming from the Internet should not be sent to your internal servers directly; it should be terminated in a DMZ only.
But my understanding is you want to permit that anyway?
HTH,
Milan
11-28-2011 03:52 AM
Hi Milan,
Thank you for your suggestion. That is what I meant to do originally. However, because British Telecom uses PPPoA as the authentication type, the FW can only take one public IP address; the only option will be using port forwarding from the FW to the Customer Edge (CE) router's LAN IP address. We are going to try to see if we can configure the Cisco 857 router in pure bridge mode, trying to use the FW's PPPoE as the authentication type. If it succeeds, that means the FW gets the 5 public addresses, and then we will have no problem doing NATing to route the particular IP address to the CE's LAN IP address. This is the best option, as indicated, without compromising security.
Thank you once again for your input.
Rupert