Using a 2nd NIC with a diff vlan/subnet than NIC #1 but restricting I-Net Access

fbeye
Level 4

Hello

 

This is sort of a weird scenario and maybe not Cisco related but I still kind of think it is a routing issue..

I have a NAS connected to a Router (10.0.2.1), and the NAS uses 10.0.2.126 as its IP. It connects directly to the 10.0.2.1 Router (outside of Cisco and my main Network).

My PC and other network uses 192.168.1.X as their IP Subnet and their own vlan. 192.168.1.x devices are connected to a Catalyst in L3 config (192.168.1.5), which then connects to a Cisco 5508-X GE 1/2 (192.168.1.1).

On the 5508-X I have GE 1/3 connected to the 10.0.2.1 Router, and it is statically set as 10.0.2.124. The GE 1/3 is the "gateway" through which 192.168.1.x and 10.0.2.x communicate.

 

What I have found is at random times my PC (192.168.1.6) loses access to the GUI of the NAS but can oddly communicate to its shares.

Even if I have complicated the issue at hand, my goal is to add the NAS' 2nd NIC to the 192.168.1.x subnet through the Catalyst vlan1 but not have internet access.

I have achieved this in a sense, but when I did some tests I noticed that at random my NAS would drop NIC 1 (10.0.2.126) and come up with the 192.168.1.x Static IP. This is a grave no-no.

I want NIC 2 on the NAS to be solely available for access via 192.168.1.x, but have no Internet access itself.


7 Replies

Jon Marshall
Hall of Fame

 

Not sure I fully follow but if you want the NAS not to use the internet - 

 

1) make sure the NAS does not have a default gateway in the 192.168.1.x range

 

and 

 

2) make sure you have excluded the NAS 192.168.1.x static IP from NAT on your firewall

 

Jon

For #1 I assume I would make the Gateway 192.168.1.5 as that is a "common" IP address that any 192.168.1.x uses to gain Internet access to the 192.168.1.1 and would allow me LAN access but not internet? Currently all 192.168.1.x use 192.168.1.1 as Gateway so setting NIC 2 Gateway 192.168.1.5 (IP of Catalyst) would allow LAN but no Net.

As far as #2 I have no idea where to even begin.

 

You don't make the gateway anything, if the NAS has an IP in the 192.168.1.x subnet then it does not need a gateway to talk to the other devices in that subnet. 

 

And without a gateway in that subnet it should not use that NIC for internet traffic but I would still make sure you exclude the IP from NAT. 

 

I assume you had setup NAT on the firewall but you may not have. 

 

Jon

Interesting. I had never thought about no Gateway.

 

As far as NAT goes I have a simple NAT going on so anything 192.168.1.x hits the Internet with the static 207.108.121.x IP address.

 

I will let you know how it goes.

Alright. So that works fine as I see no IP Leak at all. I thank you.

 

I was wondering though.. I simply assumed I would PAT as a whole ("anything 192.168.1.x would use x.x.x.x as Internet IP"), but now I am thinking this may be too broad and even unsafe security-wise. What would the correct ideal setup be in this situation or any using PAT?

 

I have PAT because in my understanding it would be various IPs and Ports at random times all using the 207.108.121.x IP. I am hoping PAT is correct.

 

What you have in terms of NAT is a pretty standard setup, i.e. the internal LAN is translated to a public IP (presumably assigned to the outside interface of your firewall).

 

So nothing wrong with what you have.

 

Jon

Is there any documentation or example of other configurations where like you initially said to exclude an IP from the NAT pool from internet access? I’d like to mess around with this on my Catalyst for fun. 
Also at the end of the day if someone (or myself) says they use PAT is that still in reference to NAT for simplicity sake?
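An added example (not from this thread or from Cisco) that models the two conditions Jon gave: it runs longest-prefix-match over a constructed routing table for a dual-homed host like the NAS, checks that NIC 2 carries no gateway or default route, and applies a constructed PAT policy that exempts NIC 2's address. The NAS NIC 2 address 192.168.1.50 and the public address 203.0.113.10 are assumed placeholders (the thread only gives 207.108.121.x).

```python
import ipaddress

# Constructed routing table for a dual-homed host like the NAS in the thread:
# (destination network, next hop or None if directly connected, interface).
# Only NIC 1 (the 10.0.2.126 side) carries a default route; NIC 2 (192.168.1.x) has none.
NAS_ROUTES = [
    (ipaddress.ip_network("10.0.2.0/24"), None, "nic1"),
    (ipaddress.ip_network("192.168.1.0/24"), None, "nic2"),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("10.0.2.1"), "nic1"),
]

# Constructed firewall PAT policy: the LAN is translated to the outside address,
# except for the NAS's second NIC. 192.168.1.50 and 203.0.113.10 are assumed values.
LAN = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_IP = "203.0.113.10"
NAT_EXEMPT = {ipaddress.ip_address("192.168.1.50")}


def select_route(routes, dst):
    """Longest-prefix match. Returns (interface, next_hop) or None when no route matches."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    net, next_hop, iface = max(matches, key=lambda r: r[0].prefixlen)
    return iface, ("direct" if next_hop is None else str(next_hop))


def lan_only(routes, iface):
    """True when the interface only reaches directly connected subnets: no gateway, no default route."""
    return all(next_hop is None and net.prefixlen > 0
               for net, next_hop, i in routes if i == iface)


def translate_source(src):
    """Returns the PAT'd source address, or None when the policy leaves the host untranslated."""
    src = ipaddress.ip_address(src)
    if src in NAT_EXEMPT or src not in LAN:
        return None
    return PUBLIC_IP


if __name__ == "__main__":
    print(select_route(NAS_ROUTES, "192.168.1.6"))    # ('nic2', 'direct'): LAN peers via NIC 2
    print(select_route(NAS_ROUTES, "198.51.100.7"))   # ('nic1', '10.0.2.1'): internet via NIC 1 only
    print(lan_only(NAS_ROUTES, "nic2"))               # True
    # The gateway fbeye considered (192.168.1.5) would give NIC 2 a path to the internet:
    with_gw = NAS_ROUTES + [(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.168.1.5"), "nic2")]
    print(lan_only(with_gw, "nic2"))                  # False
    print(translate_source("192.168.1.6"))            # 203.0.113.10
    print(translate_source("192.168.1.50"))           # None: exempt, never presented to the internet
```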
