Newbie needs help Private And Public IP's on the same Interface

kjsrandhawa
Level 1

Hello Everyone,

I am a newbie and need some advice for setting up a network.

I have to set up a new network. I have a router and a 2960G switch, and I have a range of public IP addresses which I need to use efficiently.

I need NAT for the internal hosts and public IPs for the servers/virtual servers accessible from outside. I also want to make sure it is secure.

I thought about this scenario:

                                       NAT & Public IP's

Hosts-------------------------------Switch-----------------ROUTER /30---------------ISP

NAT             Servers -------------|

                   Public IP's

Configure two subinterfaces on the Ethernet interface of the router, with two different addresses. Hosts will use the private address and the router will do NAT. The other address will be public and the servers will have public addresses. A configuration for the scenario would be helpful. Do you know if this is possible, and if not, could you please suggest the best possible solution for this? Do I need a firewall for this?

Thanks in advance

Jeet


cadet alain
VIP Alumni

Hi,

Take a look here: http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html

Your design is not good: you can't do NAT on the 2960; you must do it on the router or use a firewall.

For your servers: use static PAT.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

Thank you for your reply.

I apologize for the wrong diagram. What I meant was that the router would be configured to do NAT and also to give out public IPs to the servers on the same interface.

                                                                            NAT & Public IP's

                                                                                         |

Hosts-------------------------Switch-----------------------------ROUTER /30---------------ISP

NAT IP's             Servers --------|

                   Public IP's

I have looked at the white paper for the NAT. My question now is: if I have 100+ servers that all use the same port, I have to do static PAT for each public IP, so do I have to assign a secondary IP on my router's WAN interface for each server for PAT?

Also, could you please let me know if it is possible to use one IP for NAT and assign the others directly to the servers without using PAT?

Thanks in Advance


Jeet

mohseen patel
Level 1

Hi Jeet,

Cisco 2960s are pure layer 2 switches which do not support NAT.

Your NAT design depends on what your user subnet is and what dynamic IP addresses are available.

Just an overview of the design topology and configuration guidelines.

Layer 2

Create 2 vlan on 2960 for user and server.

Configure trunk interface to router.

Layer 3

Create two subinterfaces for users and servers and configure dot1q encapsulation.

Configure your ISP connected interface.

NAT

Define your NAT Boundary Configuration.

Inside -- LAN and user segment

Outside -- ISP connected interface.

Create Dynamic Source Translation

! Create an access list to match inside local addresses (the LAN segment)
access-list 10 permit 10.0.0.0 0.0.255.255
!
! Create a NAT pool of inside global addresses (the public IP addresses)
ip nat pool MyPool 192.0.2.1 192.0.2.254 prefix-length 24
!
! Combine them with a translation rule
ip nat inside source list 10 pool MyPool


=======================================================================

For reference, refer to the doc below:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094c32.shtml


Cheers

Mohseen Patel

Hi Mohseen

Thanks for the reply. I get the idea now of how this will be done. So if I implement this, would it work such that each private IP uses a public IP that is available?

Thanks

PS: I only need public IPs for the servers and NAT for the inside hosts.

Jeet

Hi Jeet,


NAT is a valuable tool for admins, both for conserving public IP addresses and securing internal resources.


The above example does a 1-to-1 mapping of private and public IP addresses, but for that you need a big pool of public IP addresses.

A better option is Port Address Translation (PAT), a special kind of Network Address Translation (NAT). It can provide an excellent solution for you when you have multiple systems that need to access the Internet but only a few public IP addresses.

PAT configuration example with only 1 public IP address:

! LAN subnet
access-list 1 permit 10.10.10.0 0.0.0.255
!
! Public IP address (a pool containing a single address)
ip nat pool mypool 63.63.63.2 63.63.63.2 prefix-length 30
!
! "overload" turns this into PAT: many inside hosts share the one public address
ip nat inside source list 1 pool mypool overload


=================================================================

Hope this information helps you.

Cheers,

Mohseen Patel
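Putting Mohseen's two posts together (VLANs and trunk on the 2960G, dot1q subinterfaces and NAT on the router, PAT for the hosts, a static mapping per server as Alain and Eugen suggest), here is an added example configuration that is not from the original thread or from Cisco's documentation. All addresses are constructed: 10.10.10.0/24 and 10.10.20.0/24 for users and servers, 198.51.100.0/30 for the ISP link, and 192.0.2.0/24 as the public block the ISP is assumed to route to this router; it also assumes classic IOS with CBAC (`ip inspect`), which answers the "do I need a firewall" question with stateful inspection on the router itself.

```ios
! 2960G: pure layer 2, so only VLANs and a trunk live here (no NAT)
vlan 10
 name USERS
vlan 20
 name SERVERS
interface GigabitEthernet0/24
 switchport mode trunk
!
! Router: one physical LAN port, two dot1Q subinterfaces
interface GigabitEthernet0/0.10
 description USERS - private, translated on the way out
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.20
 description SERVERS - private, each published via static PAT
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description /30 to ISP (constructed: ISP routes 192.0.2.0/24 to us)
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
 ip access-group FROM-ISP in
 ip inspect LAN-FW out
!
ip route 0.0.0.0 0.0.0.0 198.51.100.2
!
! Hosts: the whole user subnet shares one public address (PAT / overload)
access-list 1 permit 10.10.10.0 0.0.0.255
ip nat pool HOSTS 192.0.2.1 192.0.2.1 prefix-length 24
ip nat inside source list 1 pool HOSTS overload
!
! Servers: one public address per server, only the service port is exposed.
! The ISP routes the block to this router, so no secondary address is
! needed on the WAN interface; repeat one line per server.
ip nat inside source static tcp 10.10.20.10 443 192.0.2.10 443
!
! Stateful inspection (CBAC) opens return traffic for sessions started
! inside; everything else arriving from the ISP must match a published mapping
ip inspect name LAN-FW tcp
ip inspect name LAN-FW udp
ip inspect name LAN-FW icmp
ip access-list extended FROM-ISP
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any log
```

Check the result with `show ip nat translations` (the static entry appears immediately, host entries appear as they browse) and `show ip inspect sessions` for the dynamic return-traffic openings.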

ebarticel
Level 4

I think you should have a static mapping to your server from any outside address and use one public IP.

For the internal hosts, use NAT overload or PAT to allow them out of the LAN using the router's interface public address.

Hope this helps.

Eugen
