Today I've received a strange request from a customer.
They have 3 servers currently directly connected to the cloud. For the sake of easy translation let's say they're on IP addresses:
The customer wants these servers to sit behind a router but does not want to change the server IP addresses and does not want to change any DNS records. They need to filter out ports though.
The equipment I have available to make this happen is a Cisco 2901.
So basically I need a WAN port with 3 addresses (100.100.100.100, etc...) and then 3 servers with those same three addresses connected to the LAN interfaces. Then all traffic just needs to pass through with an access list blocking what needs to be blocked.
Is this even possible? And if so, how do I do the 1:1 WAN/LAN part on the same address? If I could at least set up a normal NAT situation with different WAN IPs it'd be easy enough. However, with the WAN addies being the LAN subnets, I anticipate some weirdness.
Thanks in advance,
What ports do these servers use? In other words, what services are running on these servers? I am not really sure, but I have used destination NAT with different port numbers to access different routers in the past; that was with private IPs, though. I do not know whether it will work for you in this situation or not, but I just wanted to share an idea with you.
Hope it will help
Have a look at the BVI feature:
Keep in mind that this can turn easily into a big mess, what your customer wants and
what you are supposed to do might be very different: what about reachability and routing?
Btw, this is what you can do to have the same IPs on both interfaces of your 2901... PLEASE
think before you type, as this will cut you out of your device:
! integrated routing and bridging: the IP addresses live on the BVI, not on the physical ports
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface BVI1
 ip address 100.100.100.100 255.255.255.0
 ip address 184.108.40.206 255.255.255.0 secondary
 ip address 220.127.116.11 255.255.255.0 secondary
PS think twice about routing, what do the servers really need?
Well, the server and WAN are on the same IP, not 2 interfaces on the router.
However, bridging does give me some ideas (didn't consider it!).
Would it be possible to bridge a LAN and WAN interface without having an IP on the WAN interface (so basically everything connected to the LAN interface is directly connected to the cloud)? I presume it would be.
However, if so, is it still possible to put an access list on the internal interface filtering out the ports for the three servers?
Gonna try that. A bridged interface basically acts as a switch, so I should be able to put an access-list on the bridge and filter out unwanted traffic to the three IP addies.
This router isn't live. I currently have it set in a lab environment so I can play around with it.
If it works I'll rate you for pointing me in the right direction
You can bridge (almost) any routed port (no switchports afaik): a BVI will appear, where
you can set one or more IP addresses.
I cannot understand what you mean by cloud... :-) uplink or gateway?
Beware of ACL (without IOS firewall) if you apply it to the BVI, because *INBOUND* packets
with destination (e.g.) the servers will also come back with the server as the source, still
*INBOUND*: the router is behaving statelessly.
Furthermore, if you use dynamic routing protocols, adjacencies will not be formed with secondary
addresses: RIP is the only exception, I guess.
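Putting the pieces of this thread together (bridge the WAN and LAN ports, keep the servers on their public addresses, filter with a stateless ACL, give the router a BVI address only for its own management), here is one added configuration example. It is not from any poster in the thread. The interface names, the 100.100.100.0/24 layout with servers at .100/.101/.102 and the router at .254, the admin host 203.0.113.10 and the permitted ports are all constructed assumptions, and it assumes the IOS release on the 2901 applies IP access groups to bridge-group interfaces:

```cisco
! Added example, not from the thread. Interface names, addresses and ports are assumptions.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! Only the traffic listed here reaches the servers; everything else is dropped and logged.
ip access-list extended TO-SERVERS
 remark web server (constructed address 100.100.100.100)
 permit tcp any host 100.100.100.100 eq 80
 permit tcp any host 100.100.100.100 eq 443
 remark mail server (constructed address 100.100.100.101)
 permit tcp any host 100.100.100.101 eq 25
 remark management server (constructed address 100.100.100.102), SSH from one admin host only
 permit tcp host 203.0.113.10 host 100.100.100.102 eq 22
 remark the router keeps no session state: replies to connections the servers open must be
 remark permitted explicitly, otherwise outbound sessions from the servers break
 permit tcp any 100.100.100.0 0.0.0.255 established
 permit icmp any 100.100.100.0 0.0.0.255 echo-reply
 deny ip any any log
!
interface GigabitEthernet0/0
 description WAN uplink (assumed name) - no IP address, pure bridging
 no ip address
 bridge-group 1
 ip access-group TO-SERVERS in
!
interface GigabitEthernet0/1
 description LAN towards the three servers (assumed name)
 no ip address
 bridge-group 1
!
! Management address for the router itself on a free address of the same subnet,
! so nothing collides with the servers' addresses
interface BVI1
 ip address 100.100.100.254 255.255.255.0
```

The ACL sits inbound on the WAN-facing port, so only traffic coming from the uplink is evaluated; the servers' replies leave through that port in the outbound direction and are not matched. The `established` and `echo-reply` lines are what keep sessions the servers themselves initiate (updates, DNS lookups) working on a device that, as noted above, behaves statelessly. If the ACL were instead applied on the BVI, both directions would be seen inbound and every permit line would have to be written for the reverse direction as well.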