10-24-2012 07:15 AM - edited 03-04-2019 05:57 PM
Heya,
Today I've received a strange request from a customer.
They have 3 servers currently directly connected to the cloud. For the sake of easy translation let's say they're on IP addresses:
100.100.100.100
110.110.110.110
120.120.120.120
The customer wants these servers to sit behind a router but does not want to change the server IP addresses and does not want to change any dns records. They need to filter out ports though.
The equipment I have available to make this happen is a Cisco 2901.
So basically I need a wan port with 3 addresses (100.100.100.100, etc...) and then 3 servers with those same three addresses connected to the lan interfaces. Then all traffic just needs to pass through with an access list blocking what needs to be blocked.
Is this even possible? And if so, how do I do the 1:1 wan/lan part on the same address? If I could at least set up a normal nat situation with different wan IP's it'd be easy enough. However, with the wan addies being the lan subnets, I anticipate some weirdness.
Any ideas?
Thanks in advance,
Wim
10-24-2012 07:58 AM
Hello Wim,
What ports do these servers use, in other words, what services are running on these servers? I am not really sure, but I have used destination NAT with different port numbers to access different routers in the past, but that was with private IPs. I do not know whether it will work for you in this situation or not, but I just wanted to share an idea with you.
Hope it will help
Ahmed Sonba
10-24-2012 08:36 AM
Hello Wim
have a look at BVI feature:
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_tech_note09186a0080094663.shtml
Keep in mind that this can turn easily into a big mess, what your customer wants and
what you are supposed to do might be very different: what about reachability and routing?
Btw, this is what you can do to have the same IPs on both interfaces of your 2901... PLEASE think before you type, as this will cut you out of your device
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
int gi0/0
 bridge-group 1
int gi0/1
 bridge-group 1
int bvi1
 ip address 100.100.100.100 255.255.255.0
 ip address 110.110.110.110 255.255.255.0 secondary
 ip address 120.120.120.120 255.255.255.0 secondary
PS think twice about routing, what do the servers really need?
Regards
Francesco
10-24-2012 09:04 AM
Well the server and wan are on the same IP, not 2 interfaces on the router
However, bridging does give me some ideas (didn't consider it!).
Would it be possible to bridge a lan and wan interface without having an IP on the wan interface (so basically everything connected to the lan interface is directly connected to the cloud). I presume it would be.
However, if so, is it still possible to put an access list on the internal interface filtering out the ports for the three servers?
Gonna try that. A bridged interface basically acts as a switch, so I should be able to put an access-list on the bridge and filter out unwanted traffic to the three IP addies.
This router isn't live. I currently have it set in a lab environment so I can play around with it.
If it works I'll rate you for pointing me in the right direction
gr
W
10-24-2012 10:38 AM
You can bridge (almost) any routed port (no switchports afaik): a BVI will appear, where
you can set one or more IP addresses.
I cannot understand what you mean by cloud... :-) uplink or gateway?
Beware of ACL (without IOS firewall) if you apply it to the BVI, because *INBOUND* packets
with destination (e.g.) the servers will also come back with the server as the source, still
*INBOUND*: the router is behaving statelessly.
Furthermore, if you use dynamic routing protocols, adjacencies will not be formed with secondary addresses: RIP is the only exception, I guess.
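To make the stateless-ACL point above concrete (and Wim's earlier plan of "put an access-list on the bridge and filter out unwanted traffic to the three IP addies"), here is an added illustration that is not part of the thread and not Cisco code: a small Python first-match evaluator for IOS-style access-list entries, run over a few constructed packets. On a bridged pair of interfaces both the client's request and the server's reply arrive INBOUND, so an ACL that only permits traffic *to* the server silently drops the server's answers. The server address 100.100.100.100 is the thread's placeholder; the client 203.0.113.5 and the resolver 198.51.100.53 are constructed documentation addresses.

```python
# Added illustration (not IOS code): a stateless, first-match evaluator for
# IOS-style access-list entries, used to show why an ACL applied to a BVI
# sees both directions of a flow as inbound and needs a line for the replies.
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK or RST bit set; what IOS "established" checks


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("any", None), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq N' qualifier starting at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one entry, e.g. 'permit tcp any host 100.100.100.100 eq 80'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    established = i < len(t) and t[i] == "established"
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": established}


def _addr_match(spec, addr):
    base, wildcard = spec
    if base == "any":
        return True
    # IOS wildcard: a 1 bit means "don't care"; invert it to get a mask.
    mask = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ip_address(addr)) & mask) == (int(ip_address(base)) & mask)


def _matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not _addr_match(ace["src"], pkt.src) or not _addr_match(ace["dst"], pkt.dst):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    if ace["established"] and not pkt.ack:
        return False
    return True


def evaluate(acl_lines, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if _matches(ace, pkt):
            return ace["action"]
    return "deny"


SERVER = "100.100.100.100"   # placeholder address from the thread

# Only permits traffic *to* the web server: looks right on a routed interface.
NAIVE_ACL = ["permit tcp any host 100.100.100.100 eq 80"]

# Also permits the server's replies, which on a bridge arrive inbound as well.
FIXED_ACL = NAIVE_ACL + ["permit tcp host 100.100.100.100 eq 80 any established"]

# Constructed packets as the BVI would see them, all inbound.
PACKETS = {
    "request": Packet("203.0.113.5", SERVER, "tcp", 40000, 80),
    "reply": Packet(SERVER, "203.0.113.5", "tcp", 80, 40000, ack=True),
    "rdp_probe": Packet("203.0.113.5", SERVER, "tcp", 40001, 3389),
    "server_dns": Packet(SERVER, "198.51.100.53", "udp", 50000, 53),
}


def run(acl_lines):
    """Return the verdict for every constructed packet under the given ACL."""
    return {name: evaluate(acl_lines, p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("naive", NAIVE_ACL), ("fixed", FIXED_ACL)):
        print(label, run(acl))
```

Under the naive list the request is permitted but the reply is dropped, so the web server is unreachable even though port 80 is "open"; the fixed list restores the replies while still dropping the unsolicited probe to 3389. Note that the server's own outbound DNS query is dropped in both cases, which is exactly Francesco's "what do the servers really need?" question: every flow the servers initiate needs its own entry (or an IOS firewall / reflexive ACL to track state) once the router filters statelessly on the bridge.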