Merging two router config

radek.w.1996
Level 1

Hi!

 

I need to merge two separate networks, with separate public addresses, separate address etc. (first network has 192.168.x.x/23 addressing and the second - 172.16.x.x/23 addressing).

I have an idea to use a simple "router" on a stick config. But I have two questions.

1. Is it possible to make router on a stick config using Cisco SG250-26 switch? 

2. Is it possible to set up a different public address to each VLAN using sub interfaces? For example

GigabitEthernet0/0/0.10 - 91.222.69.28/24

GigabitEthernet0/0/0.20 - 91.222.69.58/24

3. Is it possible to make port forwarding on subinterfaces? For example
ip nat inside source static tcp 172.16.0.22 80 GigabitEthernet0/0/0.10 80

I need port forwarding for different public addresses because some websites are set up on one server and some websites on the other server, and I don't want to change any server addresses or DNS config. I want to leave all set up addresses as they are.

The destination router is CISCO ISR 4321. The old from which I want to "copy and paste" the config is an old CISCO 2911.


Hello,

 

the answer to all three questions is yes. On the SG250, the uplink to the router needs to be (obviously) a trunk.

 

The question is if both ISPs accept or even allow you to configure tagged Vlans to connect to their routers, you would need to check with your ISPs. If not, you need two physical interfaces on your 4321 to connect to your ISPs.

Hello


@radek.w.1996 wrote:

Hi!

2. Is it possible to set up a different public address to each VLAN using sub interfaces? For example

GigabitEthernet0/0/0.10 - 91.222.69.28/24

GigabitEthernet0/0/0.20 - 91.222.69.58/24

 


No, it isn't, unless these sub-interfaces are in Virtual Routing Forwarding (VRF) interfaces.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,  

 

Paul is right. I didn't see that both public IP addresses are from the same address space.

 

I was thinking maybe you could use a pool for the second public IP address:

 

ip nat pool ISP_2 91.222.68.58 91.222.68.58 prefix-length 24
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source list 2 pool ISP_2 overload
!
access-list 1 permit 192.168.x.x 0.0.1.255
access-list 2 permit 172.16.x.x 0.0.1.255

radek.w.1996
Level 1

Thanks for the quick reply. I will try this out later. First I want to setup all VLANs on the switch.
I set up the GE4 port in access mode. But now I can't attach any VLAN to this port. Why? Are the names of the VLAN modes different on the SG200-26 switch?


Hello,

 

looks like port GE4 is selected as 'Forbidden' ?

 

According to the admin guide (page 183):

 

--> When a port is forbidden default VLAN membership, that port is not allowed membership in any other
VLAN. An internal VID of 4095 is assigned to the port.

 

https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbss/sf20x_sg20x/administration_guide/Cisco_200Sx_v1_4_AG.pdf

Hello,

 

I already set up VLANs. The problem was with the firmware. When I updated the firmware I was able to attach VLANs to ports. But now I am trying to configure internet access and it doesn't even work using only one public IP address.


EDIT

Never mind, I had forgotten about the DNS address in the config <facepalm>. I have tested your "ip nat pool ISP_2 91.222.68.58 91.222.68.58 prefix-length 24" method and it works. Now each VLAN has a different public IP address. But now there is a problem with port forwarding. I have no idea how I can do it.

 

 

interface GigabitEthernet0/0/0
 description WAN
 ip address 91.222.69.58 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 load-interval 30
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description SC LAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 load-interval 30
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 ip address 172.16.0.1 255.255.254.0
 ip nat inside
!
interface GigabitEthernet0/0/1.20
 encapsulation dot1Q 20
 ip address 192.168.0.1 255.255.254.0
 ip nat inside
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
ip nat settings interface-overload block port tcp 8080
ip nat pool ISP_2 91.222.69.167 91.222.69.167 prefix-length 24
ip nat inside source static tcp 192.168.0.218 80 91.222.69.167 80 extendable
ip nat inside source static tcp 172.16.0.22 80 interface GigabitEthernet0/0/0 80
ip nat inside source static tcp 172.16.0.189 8080 interface GigabitEthernet0/0/0 8080
ip nat inside source static tcp 172.16.0.189 22 interface GigabitEthernet0/0/0 18922
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload
ip nat inside source list 20 pool ISP_2 overload
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 91.222.69.1
!
!
access-list 10 permit 172.16.0.0 0.0.1.255
access-list 20 permit 192.168.0.0 0.0.1.255
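
For anyone reviewing a configuration like the one posted above, the following added example (not part of the original posts and not Cisco tooling) lists which inside hosts and ports the static port-forward lines expose on which public address, resolving `interface ...` references to that interface's address. The sample text is constructed from the lines in the post; the function names and the set of "management" ports are assumptions made for this illustration.

```python
import re

# Constructed sample: WAN interface address and static NAT lines as posted above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 description WAN
 ip address 91.222.69.58 255.255.255.0
 ip nat outside
!
ip nat inside source static tcp 192.168.0.218 80 91.222.69.167 80 extendable
ip nat inside source static tcp 172.16.0.22 80 interface GigabitEthernet0/0/0 80
ip nat inside source static tcp 172.16.0.189 8080 interface GigabitEthernet0/0/0 8080
ip nat inside source static tcp 172.16.0.189 22 interface GigabitEthernet0/0/0 18922
"""

ADMIN_PORTS = {22, 23, 3389}  # assumption: inside ports treated as management services

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"(?:interface (\S+)|(\d+\.\d+\.\d+\.\d+)) (\d+)(?: extendable)?\s*$")

def interface_addresses(config):
    """Map interface name -> primary IPv4 address found under that interface."""
    addrs, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            current = None  # left the interface block
        else:
            m = re.match(r"\s+ip address (\d+\.\d+\.\d+\.\d+) \S+\s*$", line)
            if m and current:
                addrs[current] = m.group(1)
    return addrs

def exposed_services(config):
    """Return one dict per static port forward, with interface references resolved."""
    addrs = interface_addresses(config)
    out = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        proto, in_ip, in_port, ifname, g_ip, g_port = m.groups()
        public_ip = g_ip or addrs.get(ifname, "unresolved:" + ifname)
        out.append({"proto": proto, "public": f"{public_ip}:{g_port}",
                    "inside": f"{in_ip}:{in_port}",
                    "admin": int(in_port) in ADMIN_PORTS})
    return out
```

Entries with `admin` set to true are the ones worth checking against an inbound access list, since moving SSH to a high outside port such as 18922 does not restrict who can reach it.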

 

 

Hello,

 

you need to specify the IP addresses in your static NAT statements. I assume the first entry works :

 

ip nat inside source static tcp 192.168.0.218 80 91.222.69.167 80 extendable

 

?


ip nat inside source static tcp 172.16.0.22 80 ip_address 80
ip nat inside source static tcp 172.16.0.189 8080 ip_address 8080
ip nat inside source static tcp 172.16.0.189 22 ip_address 18922

Hello,

 

No. The first entry doesn't work. I tried to change those entries
ip nat inside source static tcp 172.16.0.22 80 GigabitEthernet0/0/0 80
ip nat inside source static tcp 172.16.0.22 443 GigabitEthernet0/0/0 443

to 

ip nat inside source static tcp 172.16.0.22 80 91.222.69.58 80

ip nat inside source static tcp 172.16.0.22 443 91.222.69.58 443

and with the second line I got an error "Non-static entry allready exists"

 

EDIT

Ok, I had forgotten to add the 172.16.0.22 server to the VLAN, that's why the port forwarding didn't work.

But I still have no idea how I can do port forwarding on the 192.168.0.218 server.

Hello

Multiple static PAT entries with the same inside local IP require the "extendable" keyword.



Kind Regards
Paul

Ok, everything is working like I want. Thank you for the help.

radek.w.1996
Level 1

I have another problem with this config. From outside of the network everything works fine. But when I want to access some server via ssh that is in network 172.16.0.0 from the 192.168.0.0 network, I can't. In the opposite direction it works fine, I can reach every address. The same happens when I want to reach some server using the external IP and port number.

 

Ok, never mind. I just had an error in the NAT configuration. There were two lines which did a similar thing.

 

Can I somehow route traffic from network 192.168.0.0 to 172.168.0.0 via the "internet" (I don't know what to call it)?
