Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2906
Views
0
Helpful
4
Replies

Network design to assign public IP addresses on servers?

kayasaman
Level 1
Level 1

‎01-11-2010 05:56 AM - edited ‎03-04-2019 07:10 AM

Hi,

I'm wondering how one would create a network in order to be able to assign public IP addresses on servers??

Excuse the bad wording and phrasing but I haven't done anything like this before since I've just graduated from the CCNA but have been asked to design a small data center infrastructure.

My idea is that I will use a Cisco 1801 coupled with a 2950T switch to provide NAT based access to servers.

The issue I am having however is that I would like to create 2 public DNS servers and assign public IP's to each of them. Doing this server side is easy my issue however is, how do I configure the 1800??

It will be used as primary gateway so no probs there with a simple stub network design, however is it possible to exclude some of the internal switch ports from the NAT? Of course the 1800 has a L2 managed switch but where there is a managed switch it means there are VLANs and I'm sure that the IOS will complain if the IP address of the routable port is within the same subnet as on of the VLAN's.

Is it possible for anyone to give me any hints or clues as to what and how to manage the design of this?

I mean DMz styled access would still just create a 1:1 NAT relationship with all ports being opened up but the machines still having private IP addresses.

Most likely I would need a L3 switch but haven't got the budget for that.

Many thanks for any responses!

Regards,

Kaya

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎01-11-2010 06:23 AM 

kayasaman wrote:
Hi,
I'm wondering how one would create a network in order to be able to assign public IP addresses on servers??
Excuse the bad wording and phrasing but I haven't done anything like this before since I've just graduated from the CCNA but have been asked to design a small data center infrastructure.
My idea is that I will use a Cisco 1801 coupled with a 2950T switch to provide NAT based access to servers.
The issue I am having however is that I would like to create 2 public DNS servers and assign public IP's to each of them. Doing this server side is easy my issue however is, how do I configure the 1800??
It will be used as primary gateway so no probs there with a simple stub network design, however is it possible to exclude some of the internal switch ports from the NAT? Of course the 1800 has a L2 managed switch but where there is a managed switch it means there are VLANs and I'm sure that the IOS will complain if the IP address of the routable port is within the same subnet as on of the VLAN's.
Is it possible for anyone to give me any hints or clues as to what and how to manage the design of this?
I mean DMz styled access would still just create a 1:1 NAT relationship with all ports being opened up but the machines still having private IP addresses.
Most likely I would need a L3 switch but haven't got the budget for that.
Many thanks for any responses!
Regards,
Kaya

Kaya


1) You would create a vlan for the DNS servers eg vlan 10

2) allocate 2 of the ports into vlan 10

3) create a L3 vlan interface for vlan 10

4) under the L3 vlan interface configure "ip nat inside"

5) under the WAN interface configure "ip nat outside"

6) then for each DNS server

    ip nat inside source static

Jon

0 Helpful

kayasaman
Level 1
Level 1
In response to Jon Marshall

‎01-11-2010 06:38 AM

Hi Jon,

many thanks for the response!

Actually in my current setup I have something like that:

ip nat inside source static tcp 192.168.1.100 53 interface Dialer0 53
ip nat inside source static udp 192.168.1.100 53 interface Dialer0 53

As I'm using an 857W.

What I wanted to achieve though was to configure the servers with pulic IP's: say just to use my personal public IP from home: 81.178.2.118 then give the slave DNS server whatever else the ISP has offered.

But am not sure if I'm getting confused here as if it's not industry practice to open up servers fully to the web unless in a DMz scenario.

I guess the only way as you've described would be to use something like:


ip nat inside source static udp 192.168.1.100 53 interface 81.178.2.118 53 extendable where I have given my personal public IP would be the inside global IP of the NAT???

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to kayasaman

‎01-11-2010 06:48 AM 

kayasaman wrote:
Hi Jon,
many thanks for the response!
Actually in my current setup I have something like that:
ip nat inside source static tcp 192.168.1.100 53 interface Dialer0 53
 ip nat inside source static udp 192.168.1.100 53 interface Dialer0 53
As I'm using an 857W.
What I wanted to achieve though was to configure the servers with pulic IP's: say just to use my personal public IP from home: 81.178.2.118 then give the slave DNS server whatever else the ISP has offered.
But am not sure if I'm getting confused here as if it's not industry practice to open up servers fully to the web unless in a DMz scenario.
I guess the only way as you've described would be to use something like:

 ip nat inside source static udp 192.168.1.100 53 interface 81.178.2.118 53 extendable where I have given my personal public IP would be the inside global IP of the NAT???

If you want to configure the DNS servers with their public IPs then they cannot be out of the same subnet as the outside interface of your 1801 - is this your problem ? If so you can do one of 2 things

1) Can you further subnet down yur public address space so eg. if your subnet space was 195.17.17.0 255.255.255.240 you could create 2 subnets -

195.17.17.0 255.255.255.248 & 195.17.17.8 255.255.255.248

and then use the subnet that does not include the outside interface address for your DNS servers. Problem is you are wasting public IPs this way.

2) As per previous post use private addressing on the DNS servers and NAT to a public IP. This way it doesn't matter if the public IPs for the DNS servers are in the same subnet as the outside interface IP.

Jon

0 Helpful

kayasaman
Level 1
Level 1
In response to Jon Marshall

‎01-11-2010 07:06 AM

Thanks Jon I think you hit it right on what I'm trying to achieve with result no.1:

[quote]

If you want to configure the DNS servers with their public IPs then they cannot be out of the same subnet as the outside interface of your 1801 - is this your problem ? If so you can do one of 2 things

1) Can you further subnet down yur public address space so eg. if your subnet space was 195.17.17.0 255.255.255.240 you could create 2 subnets -

195.17.17.0 255.255.255.248 & 195.17.17.8 255.255.255.248

and then use the subnet that does not include the outside interface address for your DNS servers. Problem is you are wasting public IPs this way.

2) As per previous post use private addressing on the DNS servers and NAT to a public IP. This way it doesn't matter if the public IPs for the DNS servers are in the same subnet as the outside interface IP.

[/quote]

I mean I am only after assigning public IP addresses as I am not sure if the DNS software Bind can do zone tranfers over WAN by using private IP's??

I guess I need to get on to the ISC Bind mainling list about it but that's really my only concern as I will run master/slave configuration.

Kaya

P.s. Times like this I wish I worked in a live data center with high speed L3 fiber switches as I would at least begin to understand how things are configured!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card