
ISR 4321 Public LAN IPs

Zydain
Level 1

If provided a Public WAN IP and a set of Public LAN IPs, where would I assign the Public LAN IPs?

I have the WAN IP assigned to the Gb0/0/0 Port.

I am unable to assign the LAN Public IPs to the actual NIM card slots, so would I assign the Public LAN IPs to VLANs?


Accepted Solutions

Hello
Your NAT configuration looks like it has statements that are not necessary, pointing to the wrong WAN interface, conflicting access lists or ones that don’t even exist, and multiple overload statements where just a single one would do.

Suggest the following:

no ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload 
no ip nat pool testnet 209.Y.Y.Y 209.Y.Y.Y netmask 255.255.255.192
no ip nat pool HbugPool 209.X.X.X 209.X.X.X netmask 255.255.255.192
no ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
no ip nat inside source list 15 interface GigabitEthernet0/0/1 overload
no ip access-list standard 1
no ip access-list standard 10
no ip access-list standard 15

ip access-list standard 10
deny (specific lan subnet)
deny host 192.168.1.100
deny host 10.10.10.197
deny host 10.10.10.7
deny host 10.10.10.32
deny host 192.168.1.101
deny host 192.168.2.50
permit 10.0.0.0 0.255.255.255
permit 192.168.2.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
permit 172.16.0.0 0.0.255.255
permit etc...

ip access-list standard newpat
permit (specific lan subnet)


ip nat pool new-public-ip y.y.y.y y.y.y.y netmask x.x.x.x

ip nat inside source list newpat pool new-public-ip

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
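
The policy PAT suggested in this answer, written out end to end as an added example (not from the thread or the poster's router). All addresses are constructed documentation values; VLAN 4 as 10.4.0.0/24, the `Vlan4` SVI, the `overload` keyword on the pool rule and the ACL 10 interface rule are assumptions, made so that several hosts can share the one pool address while everyone else keeps the WAN address.

```cisco
! Added example with constructed values, not the poster's configuration.
! Assumed: VLAN 4 hosts are 10.4.0.0/24 and the extra ISP-routed
! address is 203.0.113.10 (documentation range).

ip access-list standard 10
 remark everything except VLAN 4 leaves via the WAN interface address
 deny   10.4.0.0 0.0.0.255
 permit 10.0.0.0 0.255.255.255
 permit 192.168.1.0 0.0.0.255
!
ip access-list standard newpat
 remark only VLAN 4 is translated to the additional public address
 permit 10.4.0.0 0.0.0.255
!
! One-address pool; "overload" lets many inside hosts share it (PAT).
ip nat pool new-public-ip 203.0.113.10 203.0.113.10 netmask 255.255.255.192
ip nat inside source list newpat pool new-public-ip overload
! Assumed existing rule for all other inside hosts.
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload
!
interface GigabitEthernet0/0/0
 ip nat outside
!
interface Vlan4
 ip nat inside
!
! Verify from privileged EXEC after a VLAN 4 host sends traffic:
!   show ip nat translations
!   show ip nat statistics
!   show access-lists newpat
```

Every host that `newpat` permits is seen by the partner as the allowlisted address, so keep that ACL as narrow as the requirement allows.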


20 Replies

Hello,

Indeed, you can assign the public LAN IP addresses to either the SVI (Vlan) interfaces, or one of the other physical layer 3 interfaces you have...

I've tried to assign it as the IP of the vlan, but when I go to ipcow or ipchicken it still shows the main WAN IP instead of my preferred Public IP from the pool of IP addresses I received from my ISP.

Hello,

Post your full running configuration...

Here's what I've got right now. Any help would be appreciated. I want 209.X.X.X to be the public IP for all users on VLAN4 (IP range 10.x.x.x).

Note: I have a test VLAN where I can try to get VLAN5 (172.16.x.x) to look as if it's "209.G.G.G" until after hours when I could make changes for the live connection.

balaji.bandi
Hall of Fame
LAN Public IPs to the actual NIM card slots,

This means they are just Layer 2 modules; best is to configure an SVI.

config t
interface vlan X
! vlan X is whatever VLAN you would like to use
ip address x.x.x.x 255.255.255.0
no shutdown

Configure the interface that belongs to that VLAN:

config t
interface g x/x
switchport mode access
switchport access vlan x
no shutdown

Hope this helps you.

 

BB


Hello
You cannot assign an additional public IP address that's in the same subnet as your existing public IP to another interface on the same router, unless you implement VRF.

You could apply them as secondaries on gig0/0/0 or use them for one-to-one static NAT.



Kind Regards
Paul

Would I apply it to the secondary address of say, G0/0/0 or G0/0/0.4 for example? If I only want the one VLAN4, using subinterface .4 to have that specific Public IP.

Hello

You won’t be able to assign it to a subinterface either, as you will get an error stating the address range is already in use, unless it’s in its own VRF.

I said it can be assigned as a secondary on gig0/0/0.

What is the reason you want to use this additional public address?

 

 



Kind Regards
Paul

The additional public IP address is whitelisted with another entity that allows us to connect to their systems.

I believe that the previous suggestion to use one to one static nat is the better alternative to use those addresses.

HTH

Rick

Problem is I need several computers to look like they have that NAT address, so I believe I'm leaning more into PAT territory.  I'm going to try the secondary IP option tonight (in case I disrupt service accidentally) and see if that works out for me.  If it doesn't, I'll have to see about using the one extra Layer 3 port to use the address.  I was hoping to use a Layer 2 port from the NIM expansion (in conjunction with a VLAN), but either I keep misconfiguring or it's just not possible and I need to use the Layer 3 port. I'm sure I keep misconfiguring something though.

Hello
You don’t need to add a secondary IP address to accomplish this. You can have NAT point to a public IP that you own; all you need is for that new IP address to be reachable to your network, and if your ISP is advertising it already then it should be good.



Kind Regards
Paul

Where am I assigning the second IP address to?

Hello

You don’t. It will only relate to the NAT statement for the users you want to be NATted.

Externally they will be seen via this additional public IP; as I stated previously, it's already being advertised and routed to your WAN router by your ISP anyway.

Can you provide your existing NAT configuration for review, please?



Kind Regards
Paul