public ip subnet routing

Liviu Craciun
Level 1

Hello!

On a Cisco 2911 I have 2 public ip addresses allocated by the ISP on port Ge0/0:

aaa.bbb.ccc.85/24 and aaa.bbb.ccc.87/24 (both use the same gateway)

Private lan is vlan based (I also have voip configured) on Ge0/1

Recently the ISP allocated an extra public ip subnet x.y.z.0/29 that is provided to me through ip aaa.bbb.ccc.85

How can I configure this new subnet behind the router (just like the private subnet used for computers, but without NAT for internet traffic) so I can assign some of these IPs to a few devices and have these devices reachable from the internet on the assigned public IP, with all ports unfiltered?

5 Replies

Jon Marshall
Hall of Fame

It depends on whether the vlans/IP subnets are currently routed.

If the L3 interface(s) for your current vlan(s)/IP subnet(s) are on the router you need another interface or subinterface for the public IPs.

If you have a L3 switch internally that routes between vlans you just need to add a route to the router pointing to the L3 switch and add a new vlan and SVI ("int vlan x") for the public subnet.

One thing I would say is that if you use public IPs internally then you cannot use the same IP for multiple different inside devices, so you are using up your IPs; secondly, if you are allowing access to those devices from the internet, those devices really should be on a DMZ, not on your internal network.

Jon

It does not matter what subnets I have on the DMZ or LAN (on the VLANs) - they all exit to the internet with NAT through aaa.bbb.ccc.85; only a single IP from the LAN goes to the internet with NAT on aaa.bbb.ccc.87.

The problem is that I have no clue how to configure a public subnet on a Cisco router to make it available on the internet without setting NAT on it.

For example, on a Fortigate router you need to assign one of the public subnet IPs to an interface (that will be used as a gateway for devices with the other IPs from the subnet) and create a firewall policy that allows the traffic to the internet without NAT ...

So, how can I do this setup on Cisco if I have a physical interface available on the router? 

Is the router the only L3 device you have, i.e. you don't have a L3 switch or anything?

Jon

I don't get why you guys ask for unrelated details :) 

Anyway, I've asked a friend and he told me that all I have to do is set one of the IP addresses from the public subnet on an interface/subinterface and not specify NAT inside on it; the traffic will be forwarded automatically to the internet through the default route without NAT. If I need to use a subinterface then it's normal to add the new VLAN on the other switches that are behind the router, but my question was strictly related to how a public subnet must be configured, so I was expecting a very basic answer.

Since I'm working 90% of the time on routers from other vendors, I was expecting to need a route/policy that defines the behavior of the public subnet.
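The setup Jon and the friend describe, written out as an added IOS configuration example (not posted by anyone in the thread): a new subinterface on Ge0/1 that owns the first address of the routed /29 and is deliberately left without "ip nat inside", next to the existing NAT'd VLAN and WAN interface. VLAN 30, the ISP gateway aaa.bbb.ccc.1, the private range 192.168.10.0/24 and the L3-switch transit address 10.0.0.2 are placeholders; x.y.z.0/29 and the two /24 addresses are the ones from the question.

```cisco
! Added example, not from the thread. Placeholders: VLAN 30, aaa.bbb.ccc.1 (ISP gateway),
! 192.168.10.0/24 (existing private VLAN), 10.0.0.2 (transit address of an internal L3 switch).
!
! Existing WAN interface: both public /24 addresses, NAT outside (unchanged)
interface GigabitEthernet0/0
 ip address aaa.bbb.ccc.85 255.255.255.0
 ip address aaa.bbb.ccc.87 255.255.255.0 secondary
 ip nat outside
!
! Existing private VLAN: translated on the way out (unchanged)
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! New public VLAN for the routed /29. The router holds x.y.z.1 and is the default
! gateway for hosts x.y.z.2 - x.y.z.6. There is no "ip nat inside" here, so their
! packets follow the default route untranslated; the ISP already routes x.y.z.0/29
! toward aaa.bbb.ccc.85, and the router delivers returns via the connected route.
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address x.y.z.1 255.255.255.248
!
! Default route to the ISP gateway (placeholder next hop)
ip route 0.0.0.0 0.0.0.0 aaa.bbb.ccc.1
!
! Caveat: keep the /29 out of the NAT source list. If the existing list is a broad
! "permit any", narrow it to the private ranges; the explicit deny also protects
! against a /29 host accidentally landing on an "ip nat inside" VLAN.
ip access-list extended NAT-SOURCES
 deny   ip x.y.z.0 0.0.0.7 any
 permit ip 192.168.0.0 0.0.255.255 any
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/0 overload
!
! Alternative (Jon's first option): if an internal L3 switch routes between VLANs,
! create VLAN 30 and its SVI on the switch instead of the subinterface above and
! point the router at the switch:
!   ip route x.y.z.0 255.255.255.248 10.0.0.2
!
! Verification from the router (exec mode):
!   show ip route x.y.z.0              -> connected (or static to the L3 switch)
!   show ip nat translations | include x.y.z   -> must return nothing
```

The check that matters after applying it is the second show command: a /29 host browsing out should produce no NAT entry at all. As Jon notes, these hosts are now directly exposed on their public addresses; if "all ports unfiltered" is later reconsidered, an inbound access list on Ge0/0 is where that exposure would be narrowed.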

The details I was asking for were not unrelated.

I needed to understand whether you had a L3 switch because you would then configure it there or whether you only had a router in which case, as your friend says, you just need a subinterface.

I could not tell you what to do until I understood your current setup because to do otherwise would be irresponsible on my part and I did not want to break what you already have.

Many posters on here coming for help often miss out important details which are needed but which they think are irrelevant, and all I can say is: what would you rather we do, give an answer that doesn't work, or spend some time trying to understand the full picture so the answers we give do work?

Glad you got your answer.

Jon