11-28-2011 04:33 AM - edited 03-04-2019 02:26 PM
Hi.
I don't know much about routers, but lately I've been playing around with router configuration and getting better but I am kind of stuck now.
The scenario is this.
I have 3 IP nets from the ISP:
178.249.51.0/255.255.255.248 Gateway 178.249.51.1
178.249.51.8/255.255.255.248 Gateway 178.249.51.9
178.249.51.16/255.255.255.248 Gateway 178.249.51.17
I have a Cisco 1800 router where I have made 3 "inside" VLANs with DHCP which works just fine.
VLAN1 = 192.168.100.0
VLAN2 = 192.168.101.0
VLAN3 = 192.168.102.0
Just for testing I have assigned a vlan to a port:
VLAN1 = Port 2
VLAN2 = Port 3
VLAN3 = Port 4
I am pretty sure I have a problem with routes. If I add 0.0.0.0 0.0.0.0 178.249.51.1 (as a default route) I can access the Internet with the public IP 178.249.51.2 (my router's IP on int fa0) from all VLANs.
If I remove the default route and add these three routes I have no Internet access:
ip route 192.168.100.0 255.255.255.0 178.249.51.1
ip route 192.168.101.0 255.255.255.0 178.249.51.9
ip route 192.168.102.0 255.255.255.0 178.249.51.17
What I would like to be able to do is access the Internet from:
VLAN1 with public IP 178.249.51.2
VLAN2 with public IP 178.249.51.10
VLAN3 with public IP 178.249.51.18
The ISP delivers the 3 IP nets from their router like this:
interface GigabitEthernet0/1.700
encapsulation dot1Q 700
ip address 178.249.51.1 255.255.255.248 secondary
ip address 178.249.51.17 255.255.255.248 secondary
ip address 178.249.51.9 255.255.255.248
service-policy input 100M-police
service-policy output 100M-police
I am also not sure if I have to add the secondary addresses to my WAN port Fa0? Or if I did it correctly?
I have attached my configuration from the router and hope someone can give some advice.
I am also wondering - when we get more public IP nets from the ISP, is this the correct way to do it? Or is there some other way to do this?
Thanks in advance.
/Ulrik
11-28-2011 04:55 AM
Ulrik
First let us deal with the obvious problem. When you configure these static routes
ip route 192.168.100.0 255.255.255.0 178.249.51.1
ip route 192.168.101.0 255.255.255.0 178.249.51.9
ip route 192.168.102.0 255.255.255.0 178.249.51.17
then you are saying that these subnets are reachable out in the Internet. But they are subnets on the inside of your router. If they are assigned on VLANs of your router then they will already be in the routing table as connected routes and you do not need to create static routes for them at all.
Now to the other parts of the question. In my experience this is a somewhat unusual implementation from the ISP to have all 3 address blocks assigned on the interface using secondaries. What I would usually expect would be one subnet assigned on the interface and the other 2 subnets just routed to you over that subnet. This would allow you to assign the other address blocks somewhere other than the outside interface of your router (perhaps on a firewall inside or something like that). But if this is what they have done then this is what we should deal with in this question.
You should be able to achieve what you want which is to access the Internet for VLAN 1 using one public address, access the Internet for VLAN 2 using another public address, and to access the Internet using another public address. What you need to do would include:
- remove the static routes for 192.168.100.0, 192.168.101.0, and 192.168.102.0.
- configure one static default route as you originally had it.
- remove the existing
ip nat inside source list 1 interface FastEthernet0 overload
and the existing access list 1.
- configure new access lists using a separate list for each VLAN subnet.
- configure 3 ip nat inside statements where each statement uses one of the access lists and translates that subnet to the appropriate public IP address.
HTH
Rick
11-28-2011 05:36 AM
Hi Rick.
Thanks for your quick reply.
I am still a little lost with the last part. The rest makes sense for me.
Can you give an example how I can make one of the ip nat inside statements? Eg. if I want VLAN2-hosts to access the Internet with the IP address 178.249.51.10.
Thanks in advance.
/Ulrik
11-28-2011 05:56 AM
Ulrik
It might look something like this:
access-list 2 permit 192.168.101.0 0.0.0.255
ip nat pool pool2 178.249.51.10 178.249.51.10 prefix-length 29
ip nat inside source list 2 pool pool2 overload
HTH
Rick
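Putting Rick's step list and his VLAN2 example together for all three VLANs, as an added illustration rather than Ulrik's attached configuration: it assumes the inside interfaces are Vlan1 to Vlan3 with .1 gateway addresses, that Fa0 keeps 178.249.51.2 as its only address (as in the thread), and that the old access-list 1 and its `interface FastEthernet0 overload` statement have already been removed.

```cisco
! Added example, not configuration from the thread. Interface names,
! VLAN gateway addresses and NAT inside/outside placement are assumptions.
interface FastEthernet0
 description WAN to ISP (primary block only, as in the thread)
 ip address 178.249.51.2 255.255.255.248
 ip nat outside
!
interface Vlan1
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
interface Vlan2
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
interface Vlan3
 ip address 192.168.102.1 255.255.255.0
 ip nat inside
!
! One default route only. The 192.168.x.0 subnets are connected routes,
! so the static routes pointing them at the ISP gateways are dropped.
ip route 0.0.0.0 0.0.0.0 178.249.51.1
!
! One access list per VLAN subnet (wildcard masks, not subnet masks),
! so each subnet can be matched to its own public address.
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 2 permit 192.168.101.0 0.0.0.255
access-list 3 permit 192.168.102.0 0.0.0.255
!
! VLAN1 keeps the Fa0 address 178.249.51.2, so it can translate to the
! interface directly. VLAN2 and VLAN3 use single-address pools, as in
! Rick's example; "overload" gives PAT so every host shares that address.
ip nat pool pool2 178.249.51.10 178.249.51.10 prefix-length 29
ip nat pool pool3 178.249.51.18 178.249.51.18 prefix-length 29
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 pool pool2 overload
ip nat inside source list 3 pool pool3 overload
```

Because each access list matches only its own VLAN subnet, a host that is not in any of the three lists is not translated at all, which is worth checking with `show ip nat translations` when a fourth VLAN or public block is added later.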
11-28-2011 06:21 AM
Hi Rick.
Thank you very much! It is working like a dream now, just like I wanted.
I can see I need to study NAT a lot more.
/Ulrik
11-28-2011 07:19 AM
Ulrik
I am glad that my suggestion pointed you toward a correct solution to your question. Thank you for using the rating system to mark this question as answered (and thanks for the points). It makes the forum more useful when people can read a question and can know that there was a correct solution found. Your marking has contributed to this process.
Yes there is quite a bit to study and to understand about how to effectively use NAT. I wish you well as you continue to learn about Cisco networking. This forum is a great resource and I hope that you will continue to make use of it.
HTH
Rick