Advice on bridge with NAT, plus locking down bridge to single IP address
I have a 2911 router that has been in service for about 3 years now, and not really been touched in that time. There are 5 VLANs on the private side all on sub-interfaces of Gi0/0, these are configured with private IP addresses and "ip nat inside". Gi0/1 has a public IP address in a /29 range and "ip nat outside" connected to a leased line a.
There is going to be a tenant in the building who are to use our internet connection, but nothing else, so now we have to provide them with a single IP address which they will assign to their own firewall.
My Intention is to add another VLAN as Gi0/0.100, assign the IP address that is currently on Gi0/1 to this, then set Gi0/1 as ip unnumbered to Gi0/0.100.
I have 2 questions with this:
Firstly, will it work and does this look like the correct way to achieve what is needed?
Secondly, i want to limit the tenant to only be able to use the public IP address from the /29 range we allocate to them, and if they try to use any other then it doesn't allow them AND has no negative impact on the rest of the network/setup including any NAT rules that include other IP addresses in the /29 range. Could you offer some guidance on this point please?
This sounds like an interesting setup, but your provided solution does not sound good at all. There are ways you can work that in, but it is not a good idea. Your router is a router and not a firewall. This setup could best be done on a firewall for the restrictions.
I think the best solution would be to put a new switch in front of your router, and then you would connect your WAN link into that switch – your router to the switch and their firewall to the switch. This would allow your router and their firewall to both be on the same /29 WAN IP block.
Since their link is not directly attached to your router that dramatically improves your security. You could go a step farther and put an outbound ACL on your inside interface to block the IP you provided them. This prevents them from coming to your inside network via your WAN interface. I would assume you have some ACL on your WAN interface to block generic traffic attacks (if not look into it), but if so, just add that new IP to the deny list and lock it out there too.
You can use a high end or dummy switch. It depends on your network and level of control. Obviously at managed switch will give you greater controls including SNMP, NetFlow, and other things if desired, but an unmanaged switch would work for this situation as well.
If you wanted to use your existing LAN switch you could do that too. You would isolate your WAN traffic on a pure L2 VLAN. This is a safe method but does put a heavy burden on your switch. This, however, is an option if you don’t have a budget for another switch. It would be my last option though if I could avoid it.
Please don't forget to rate any helpful post.
_____________________________________ There are no great limits to growth because there are no limits of human intelligence, imagination, and wonder. - Ronald Reagan
Hi, here is an example how to configure IP-NAT, GRE, IPSEC. I've seen plenty of questions and this might be a good solution! (Mostly the use of commands that might remind u) IP NAT======================================================================...
Hi everyone.I have a problem in my Network.So i have 3 routers and a firewall in my topology. I have configured OSPF and all routers works expect R3 (see in the image below)When I watch my neignbor in R3 it says :192.168.7.7 1 INIT/DROTHER 00:00:37 10.0.2...
Host Onboarding is the term used when connecting an endpoint (hosts , IOT , Other devices) to the fabric , and can be accomplished in a couple of ways.One option is the "static" approach as oppose to the dynamic and secure approach using&nbs...
good morning I have this report from users, saying that they encounter connection issue only when they are wired , but the wireless I fine. both connection are using the same path to the internet ...please advised a troubleshooting plan.