
Newbie needs help Private And Public IP's on the same Interface


Hello Everyone,

I am a newbie and need some advice for the setup of a network.

I have to set up a new network. I have a router and a 2960G switch, and I have a range of public IP addresses which I need to use efficiently.

I need NAT for internal hosts and public IPs for the servers/virtual servers accessible from outside. I also want to make sure it is secure.

I thought about the scenario:

                                       NAT & Public IP's

Hosts-------------------------------Switch-----------------ROUTER /30---------------ISP

NAT             Servers -------------|

                   Public IP's

Configure two subinterfaces on the Ethernet interface of the router, with two different addresses. Hosts will use the private address and the router will do NAT. The other address will be public and the servers will have public addresses. A configuration for the scenario would be helpful. Do you know if this is possible, and if not, could you please suggest the best possible solution for this? Do I need a firewall for this?

Thanks in advance



cadet alain


take a look here

Your design is not good: you can't do NAT on the 2960, you must do it on the router or use a firewall.

for your servers: use static PAT



Don't forget to rate helpful posts.

Hi Alain,

Thank you for your reply.

I apologize for the wrong diagram. What I meant was that the router would be configured to do NAT and also to give out public IPs to the servers on the same interface.

                                                                            NAT & Public IP's


Hosts-------------------------Switch-----------------------------ROUTER /30---------------ISP

NAT IP's             Servers --------|

                   Public IP's

I have looked at the white paper for NAT. My question now is: if I have 100+ servers that use the same port, so that I have to do static PAT for each public IP, do I have to assign a secondary IP on my router's WAN interface for each server for PAT?

Also, could you please let me know if it is possible to use one IP for NAT and have the others directly assigned to the servers without using PAT?

Thanks in Advance


mohseen patel

Hi Jeet,

The Cisco 2960 is a pure layer 2 switch which does not support NAT.

Your NAT design depends on what your user subnet is and which dynamic IP addresses are available.

Just an overview of the design topology and a configuration guideline.

Layer 2

Create 2 vlan on 2960 for user and server.

Configure trunk interface to router.

Layer 3

Create two subinterfaces for user and server and configure them with dot1q encapsulation.

Configure your ISP connected interface.


Define your NAT Boundary Configuration.

Inside -- Lan and user segment

Outside -- ISP connected interface.

Create Dynamic Source Translation

! Create an access list to match inside local addresses (your LAN segment)
access-list 10 permit <LAN-network> <wildcard-mask>
! Create a NAT pool of inside global addresses (first and last public IP of your range)
ip nat pool MyPool <first-public-ip> <last-public-ip> prefix-length 24
! Combine them with a translation rule
ip nat inside source list 10 pool MyPool


For reference, refer to the doc below.


Mohseen Patel
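As an added example (not configuration posted by anyone in this thread), here is one way to lay out the design Mohseen outlines above: two VLANs on the 2960G with a trunk to the router, one dot1Q subinterface per VLAN, NAT only for the user subnet, the server VLAN routed with public addresses and no translation at all, and an inbound filter on the ISP-facing interface so that only the server ports you actually run are reachable from outside. Every address, VLAN number, interface name and pool range below is an assumption (RFC 5737 documentation ranges); it also assumes the ISP routes the public block to the router's /30 address and that the router image includes the classic `ip inspect` firewall feature.

```cisco
! ===== Catalyst 2960G (layer 2 only): VLANs and trunk to the router =====
! Assumed: VLAN 10 = users, VLAN 20 = servers, Gi0/1 = uplink to the router
vlan 10
 name USERS
vlan 20
 name SERVERS
!
interface GigabitEthernet0/1
 description Trunk to router
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface range GigabitEthernet0/2 - 12
 switchport mode access
 switchport access vlan 10
!
interface range GigabitEthernet0/13 - 24
 switchport mode access
 switchport access vlan 20

! ===== Router =====
! Assumed addressing (constructed):
!   203.0.113.0/30  ISP link, router .1, ISP .2
!   198.51.100.0/24 public block the ISP routes to 203.0.113.1
!                   (.2-.199 for servers, .200-.254 reserved for the NAT pool)
!   192.168.10.0/24 private user LAN
!
! Inbound filter for the WAN side: list only what the servers expose.
! Return traffic for sessions started from inside is opened dynamically
! by the inspection rule below, so it does not need static permits.
ip access-list extended FROM-INTERNET
 permit tcp any 198.51.100.0 0.0.0.255 eq 443
 permit tcp any 198.51.100.0 0.0.0.255 eq 80
 deny   ip any any log
!
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
interface GigabitEthernet0/0
 description Uplink to ISP (NAT outside)
 ip address 203.0.113.1 255.255.255.252
 ip access-group FROM-INTERNET in
 ip inspect OUTBOUND out
 ip nat outside
!
interface GigabitEthernet0/1
 description Trunk to 2960G
 no ip address
!
interface GigabitEthernet0/1.10
 description Users - private, translated
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.20
 description Servers - public addresses, routed, no translation
 encapsulation dot1Q 20
 ip address 198.51.100.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.2
!
! Dynamic translation for the user VLAN only. "overload" lets the small
! pool serve many hosts; drop it for strict 1-to-1 dynamic NAT.
access-list 10 permit 192.168.10.0 0.0.0.255
ip nat pool MyPool 198.51.100.200 198.51.100.254 prefix-length 24
ip nat inside source list 10 pool MyPool overload
```

Hosts in VLAN 10 leave with a pool address, hosts in VLAN 20 keep their public address end to end, and because the server subinterface carries no `ip nat inside` statement, the router never translates them. Check the result with `show ip nat translations` and `show ip access-lists FROM-INTERNET`; the latter also shows the temporary entries the inspection rule adds for sessions opened from inside.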

Hi Mohseen

Thanks for the reply. I get the idea now of how this will be done. So if I implement this, would it be such that each private IP uses a public IP that is available?


PS: I only need public IPs for the servers and NAT for the inside hosts.


Hi Jeet,

NAT is a valuable tool for admins, both for conserving public IP addresses and securing internal resources.

The above example does a 1-to-1 mapping of private and public IP addresses, but for that you need a big pool of public IP addresses.

A better option is Port Address Translation (PAT), a special kind of Network Address Translation (NAT). It can provide an excellent solution for you, since you have multiple systems that need to access the Internet but only a few public IP addresses.

PAT configuration example with only one public IP address:

! Match the LAN subnet
access-list 1 permit <LAN-subnet> <wildcard-mask>

! Pool containing the single public IP (start and end are the same address)
ip nat pool mypool <public-ip> <public-ip> prefix-length 30

! "overload" makes the router reuse the pool address with different ports (PAT)
ip nat inside source list 1 pool mypool overload


Hope this information helps you.


Mohseen Patel


I think you should have a static mapping to your server from any outside address and use one public IP.

For the internal hosts, use NAT overload or PAT to give them permission to go outside of the LAN using the router's interface public address.

hope this helps
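The single-public-IP alternative suggested in the last two replies (static PAT for the servers, overload for everything else), written out as an added example that is not configuration from the thread. It assumes Gi0/0 is the ISP link carrying the router's only public address 203.0.113.1, that the user and server VLANs are both private (192.168.10.0/24 and 192.168.20.0/24) and marked `ip nat inside`, and that the servers at 192.168.20.10 and .11 each need only TCP 443 exposed; all of those values are constructed.

```cisco
! Assumed: Gi0/0 = ISP link, 203.0.113.1/30 is the only public address (constructed)
interface GigabitEthernet0/0
 description Uplink to ISP (NAT outside)
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1.10
 description Users - private
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.20
 description Servers - private, reached from outside via static PAT only
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.2
!
! Outbound: everything private shares the router's own WAN address
! (NAT overload / PAT), so no pool is required at all.
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
! Inbound: static PAT exposes exactly one inside port per entry.
! Two servers listening on the same inside port must be published on
! different outside ports when there is only one public address; this
! is the limit the earlier question about 100+ servers runs into.
ip nat inside source static tcp 192.168.20.10 443 203.0.113.1 443
ip nat inside source static tcp 192.168.20.11 443 203.0.113.1 8443
```

If the ISP routes a larger public block to the router, the static entries can name any address in that block as the outside address (for example `... 198.51.100.10 443`) without adding secondary addresses to the WAN interface, because the block already reaches the router by routing; that gives each server its own public address on the same inside port while the router still owns the translation. `show ip nat translations` lists the static entries permanently and the overload entries as they are created.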

