Hi, I've been wrestling with this for a few weeks and would appreciate pointers. I haven't seen this type of configuration anywhere, but assume it's pretty standard. I started working on 2911 hardware with an EHWIC VDSL card, but due to a faulty card (now replaced) decided to test on a c887VAG router instead. I have this from my ISP: a fixed IP address, say 126.96.36.199, and, as I need additional fixed IPs for other equipment, I've been assigned a routed range of, say, 188.8.131.52/28. I'm hoping to use one GE/FE port for the inside network and have the remaining ports available to access fixed addresses within my routed range to connect the other network gear, IP PBX and ASA as examples. I've always had a pre-configured modem which has gone in front of the router and just plugged the other devices with their fixed IPs in the back. I have access to an additional 2 FE ports and a 4-port switch card on EHWIC for the main router when I migrate.
The config below establishes the PPP session and allows traffic to flow with DHCP-allocated addresses to the local LAN via an FE port on VLAN10. It's using the main 184.108.40.206 address, which is assigned to the Dialer0 interface, to pass traffic. Connecting a PC with one of the static IPs within the routed range to the 887 FE/switch port only shows an internet connection but won't ping. The ISP static and routed range IP addresses show in the routing table assigned to VLAN 10 and 20 respectively.
All other examples I've found don't show how to handle the routed range. Some fixed addresses can be static NATs to LAN addresses, but the external gear is confounding me. It's all in a small business network with Cisco GE switches.
I've tried the obvious IP routes, but nothing's working. Help very much appreciated.
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C887VA
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network local-group-author-list local
!
aaa session-id common
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
ip source-route
!
ip dhcp excluded-address 192.168.0.1 192.168.0.30
!
ip dhcp pool LAN
 import all
 network 192.168.0.0 255.255.255.0
 dns-server 220.127.116.11 18.104.22.168
 default-router 192.168.0.1
!
ip cef
ip domain name xxxx.com
ip name-server 22.214.171.124
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid C887VAG+7-K9 sn
!
vtp mode transparent
username xxx privilege 15 password 0
!
controller VDSL 0
!
controller Cellular 0
!
vlan 10
 name LAN:DATA
!
vlan 20
 name ISP_Routed_Range
!
vlan 999
 name NOT_USED
!
ip ssh version 2
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 description Tagging for PPPoE (VDSL 0)
 encapsulation dot1Q 101
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly in
 pppoe-client dial-pool-number 1
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 description LAN_Inside
 switchport access vlan 10
 no ip address
!
interface FastEthernet1
 switchport access vlan 10
 no ip address
!
interface FastEthernet2
 switchport access vlan 10
 no ip address
!
interface FastEthernet3
 switchport access vlan 20
 no ip address
!
interface Cellular0
 no ip address
 encapsulation slip
 shutdown
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan10
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan20
 ! <-- This is the Routed Range
 ip address 126.96.36.199 255.255.255.240
!
interface Dialer0
 mtu 1492
 ! <-- The static IP assigned by the ISP
 ip address 188.8.131.52 255.255.255.254
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap ms-chap callin
 ppp chap hostname ispusername
 ppp chap password 0 password
 ppp ipcp address accept
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip nat inside source list NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 184.108.40.206 255.255.255.240 Dialer0
!
ip access-list standard NAT
 permit 192.168.0.0 0.0.0.255
!
control-plane
!
line con 0
 no modem enable
line aux 0
line 3
 no exec
line vty 0 4
 privilege level 15
 transport input all
!
end
Thanks Balaji, I tried without the static route as well. Because the routed range is on a completely different network from the one provided by the ISP, i.e. the 220.127.116.11/28 and the 18.104.22.168 ISP static, I was thinking I needed some way of routing between the two. I'm sure, as you suggest (and I've done it before), the static NAT or dynamic via a pool to a single internal network address will work just fine, i.e. ip nat inside source static 192.168.0.250 22.214.171.124 with an attached route map will be fine for accessing an internal device on the inside network using an external static address. What I'm trying to do, however, is to have physically a port on the router (either a GE or switched port) where I can connect our Avaya IP Office with its own outside network address and Session Border Controller, and our remote access device Cisco ASA5505's outside interface, which are effectively off network. If it's clearer:
126.96.36.199 will connect to the Avaya
188.8.131.52 will connect to the ASA
(The IP addresses are fictitious of course, hence the typo, but are of the same order.) The way the ISP has set things up allows the routed range to 'appear' somehow. I guess it'll be some configuration that an ISP uses on a pre-configured router I'm looking for, just that mine hasn't got any other solution. All help is appreciated!
In that case, whatever interface you like to use should be the outside interface.
For testing:
Configure the IP address with the outside interface, run some HTTP service and try to access that IP from outside, and also check the debug logs in the router: is the packet reaching your network before it goes to the HTTP server?
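
One way to carry out the reachability check suggested above, as an added example that is not part of the original posts: count packets arriving on Dialer0 for a routed-range host with ACL hit counters, which still register when CEF is switching the traffic. The ACL name RR-TEST and the address 203.0.113.2 are constructed placeholders; substitute a host from the real routed range.

```ios
! Constructed example: 203.0.113.2 stands in for one routed-range host
! (for instance the PC plugged into the VLAN 20 port).
! The final "permit ip any any" keeps the ACL from filtering anything,
! so it only counts traffic.
ip access-list extended RR-TEST
 permit tcp any host 203.0.113.2 eq www
 permit icmp any host 203.0.113.2
 permit ip any any
!
interface Dialer0
 ip access-group RR-TEST in
!
! From a host outside the network, browse to or ping 203.0.113.2,
! then run these in exec mode on the router:
!   show ip access-lists RR-TEST
!   show ip route 203.0.113.2
!   show ip nat translations
!
! Remove the test ACL afterwards (detach it before deleting it):
interface Dialer0
 no ip access-group RR-TEST in
!
no ip access-list extended RR-TEST
```

Rising match counts on the first two entries mean the ISP is delivering routed-range traffic to the dialer and the problem is on the router or the attached device; zero matches mean the packets never arrive on Dialer0.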