05-26-2010 06:55 PM - edited 03-21-2019 02:37 AM
Hi,
My ISP supplies me with two (static) IP addresses.
I understand the UC520 can have multiple WAN addresses, but how do I configure the NAT for this?
I am trying to have 2 x SSL web servers: one hosts Exchange and the other a SQL database.
I have 2 registered domain names, so I want to use 1 WAN IP for each domain.
Your help is appreciated.
Peter
05-27-2010 06:04 AM
You will configure something similar to:
ip nat inside source static 10.10.10.1 1.1.1.1
ip nat inside source static 10.10.10.2 1.1.1.2
! Matching on protocol and port requires an extended ACL (100-199)
access-list 101 permit tcp any host 1.1.1.1 eq 443
access-list 101 permit tcp any host 1.1.1.2 eq 443
interface FastEthernet 0/0
 ip access-group 101 in
Hope this helps.
Brandon
05-27-2010 06:23 AM
That's a good posting. Maybe I'm being a bit simple, but I thought I would suggest it would be better to add those access list entries to the existing access list attached to FastEthernet 0/0.
05-27-2010 06:27 AM
You're exactly right. This was just an example to give the poster the concept of how this would work.
Brandon
05-27-2010 06:46 AM
Hi Everyone,
The original post was DUAL WAN, but I am not sure if you meant two WAN interfaces on UC500 or Multiple Static IPs on the same interface?
Just want to be clear that Cisco Configuration Assistant (CCA 2.2.4) doesn't today support dual WAN or provisioning or 1:1 NAT of multiple static IPs to different internal addresses.
Is this something you will be maintaining with CLI outside of CCA?
Steve
05-27-2010 03:57 PM
Steve,
CLI is fine.
Multiple Static IPs on the same interface is what I had thought would be the way to go, BUT I am open to suggestions.
Peter
05-27-2010 03:55 PM
Thanks for your response
05-28-2010 09:56 AM
No problem then. Just use Brandon's example (work it into your Firewall ACLs).
Just wanted you to be aware the CCA probably won't recognize the firewall after that, but since it doesn't yet support it (roadmap for CCA 2.3 I believe), then you have to use CLI, if you're comfortable with that.
Steve
06-05-2010 09:53 PM
I, like many others, have similar needs. Based on your suggestions, here is what I think I need to add:
! Dell Drac: TCP ports 80, 443, 5900, 5901
ip nat inside source static 192.168.10.9 173.13.231.34
! SBS 2008: TCP ports 25, 80, 443, 987, 1723, 3389
ip nat inside source static 192.168.10.10 173.13.231.35
! WWW Server: TCP ports 80, 443, 3389
ip nat inside source static 192.168.10.11 173.13.231.36
access-list 106 permit tcp any host 173.13.231.34 eq 80
access-list 106 permit tcp any host 173.13.231.34 eq 443
access-list 106 permit tcp any host 173.13.231.34 eq 5900
access-list 106 permit tcp any host 173.13.231.34 eq 5901
access-list 106 permit tcp any host 173.13.231.35 eq 25
access-list 106 permit tcp any host 173.13.231.35 eq 80
access-list 106 permit tcp any host 173.13.231.35 eq 443
access-list 106 permit tcp any host 173.13.231.35 eq 987
access-list 106 permit tcp any host 173.13.231.35 eq 1723
access-list 106 permit tcp any host 173.13.231.35 eq 3389
access-list 106 permit tcp any host 173.13.231.36 eq 80
access-list 106 permit tcp any host 173.13.231.36 eq 443
access-list 106 permit tcp any host 173.13.231.36 eq 3389
interface FastEthernet 0/0
 ip access-group 106 in
Here is my existing show access-list:
UC_540#show access-list
Standard IP access list 2
10 permit 192.168.10.1
20 permit 216.170.98.242
30 permit 192.168.10.0, wildcard bits 0.0.0.255
40 permit 10.1.1.0, wildcard bits 0.0.0.255
50 permit 10.1.10.0, wildcard bits 0.0.0.3
60 deny any
Extended IP access list 100
10 deny ip 192.168.10.0 0.0.0.255 any
20 deny ip host 255.255.255.255 any
30 deny ip 127.0.0.0 0.255.255.255 any
40 permit ip any any
Extended IP access list 101
10 permit udp any host 10.1.10.2 eq non500-isakmp
20 permit udp any host 10.1.10.2 eq isakmp
30 permit esp any host 10.1.10.2
40 permit ahp any host 10.1.10.2
50 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
60 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
70 deny ip 10.1.1.0 0.0.0.255 any
80 deny ip 192.168.10.0 0.0.0.255 any
90 deny ip 273.13.231.0 0.0.0.255 any
100 deny ip host 255.255.255.255 any
110 deny ip 127.0.0.0 0.255.255.255 any
120 permit ip any any (18230 matches)
Extended IP access list 102
10 permit udp any host 192.168.10.1 eq non500-isakmp
20 permit udp any host 192.168.10.1 eq isakmp
30 permit esp any host 192.168.10.1
40 permit ahp any host 192.168.10.1
50 deny ip 10.1.10.0 0.0.0.3 any
60 deny ip 10.1.1.0 0.0.0.255 any (574 matches)
70 deny ip 273.13.231.0 0.0.0.255 any
80 deny ip host 255.255.255.255 any
90 deny ip 127.0.0.0 0.255.255.255 any
100 permit ip any any (8227267 matches)
Extended IP access list 103
10 permit udp any host 10.1.1.1 eq non500-isakmp
20 permit udp any host 10.1.1.1 eq isakmp
30 permit esp any host 10.1.1.1
40 permit ahp any host 10.1.1.1
50 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
60 permit udp 10.1.10.0 0.0.0.3 any eq 2000
70 deny ip 10.1.10.0 0.0.0.3 any
80 deny ip 192.168.10.0 0.0.0.255 any
90 deny ip 273.13.231.0 0.0.0.255 any
100 deny ip host 255.255.255.255 any
110 deny ip 127.0.0.0 0.255.255.255 any
120 permit ip any any (4771441 matches)
Extended IP access list 104
10 permit tcp any host 273.13.231.33 eq 443 (203 matches)
20 permit udp any host 273.13.231.33 eq non500-isakmp
30 permit udp any host 273.13.231.33 eq isakmp (34077 matches)
40 permit esp any host 273.13.231.33
50 permit ahp any host 273.13.231.33
60 permit udp host 192.168.10.1 eq 5060 any
70 permit udp host 192.168.10.1 any eq 5060
80 permit udp host 216.170.98.242 eq 5060 any (11800 matches)
90 permit udp host 216.170.98.242 any eq 5060
100 permit udp any any range 16384 32767 (15434 matches)
110 deny ip 10.1.10.0 0.0.0.3 any
120 deny ip 10.1.1.0 0.0.0.255 any
130 deny ip 192.168.10.0 0.0.0.255 any
140 permit udp host 68.87.73.242 eq domain any (11445 matches)
150 permit udp host 68.87.71.226 eq domain any (29 matches)
160 permit icmp any host 273.13.231.33 echo-reply
170 permit icmp any host 273.13.231.33 time-exceeded (9 matches)
180 permit icmp any host 273.13.231.33 unreachable (201 matches)
190 deny ip 10.0.0.0 0.255.255.255 any
200 deny ip 172.16.0.0 0.15.255.255 any
210 deny ip 192.168.0.0 0.0.255.255 any
220 deny ip 127.0.0.0 0.255.255.255 any
230 deny ip host 255.255.255.255 any
240 deny ip host 0.0.0.0 any (4 matches)
250 deny ip any any log (4513 matches)
Extended IP access list 105
10 deny ip any host 192.168.10.240
20 deny ip any host 192.168.10.241
30 deny ip any host 192.168.10.242
40 deny ip any host 192.168.10.243
50 deny ip any host 192.168.10.244
60 deny ip any host 192.168.10.245
70 deny ip any host 192.168.10.246
80 deny ip any host 192.168.10.247
90 deny ip any host 192.168.10.248
100 deny ip any host 192.168.10.249
110 permit ip 10.1.10.0 0.0.0.3 any (6588 matches)
120 permit ip 10.1.1.0 0.0.0.255 any
130 permit ip 192.168.10.0 0.0.0.255 any (3128812 matches)
UC_540#
Is what I have (top) the best way to do this?
Will any of my server IPs 192.168.10.9-11 conflict with UC-540 default configuration IPs?
Should I use an existing access-list instead of 106? If so, which one?
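Working new permits into an existing firewall ACL, as suggested earlier in the thread, depends on where they land, because IOS stops at the first entry that matches. The Python below is an added example, not code from any poster or from Cisco: it replays that first-match rule over a constructed subset of the ACL 104 entries shown above, assuming ACL 104 is the inbound WAN list; the helper names and the 198.51.100.7 test source are hypothetical.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def take_addr(tok):
    first = tok.pop(0)          # consume one IOS address spec
    if first == "any":
        return 0, 0xFFFFFFFF    # (base, wildcard): every bit is "don't care"
    if first == "host":
        return ip(tok.pop(0)), 0
    return ip(first), ip(tok.pop(0))

def parse_entry(line):
    # Handles "<seq> <action> <proto> <src> <dst> [eq <port>]" only.
    tok = line.split()
    e = {"seq": int(tok.pop(0)), "action": tok.pop(0), "proto": tok.pop(0)}
    e["src"], e["dst"] = take_addr(tok), take_addr(tok)
    e["dport"] = int(tok[1]) if tok[:1] == ["eq"] else None
    return e

def addr_match(spec, addr):
    keep = ~spec[1] & 0xFFFFFFFF  # bits the wildcard mask requires to match
    return (ip(addr) & keep) == (spec[0] & keep)

def first_match(acl, proto, src, dst, dport):
    """Return (seq, action) of the first entry that matches, as IOS does."""
    for e in sorted(acl, key=lambda e: e["seq"]):
        if (e["proto"] in ("ip", proto) and e["dport"] in (None, dport)
                and addr_match(e["src"], src) and addr_match(e["dst"], dst)):
            return e["seq"], e["action"]
    return None, "deny"  # implicit deny that ends every ACL

# Constructed sample: the anti-spoofing and final entries of ACL 104 above.
EXISTING = [parse_entry(l) for l in (
    "190 deny ip 10.0.0.0 0.255.255.255 any",
    "200 deny ip 172.16.0.0 0.15.255.255 any",
    "210 deny ip 192.168.0.0 0.0.255.255 any",
    "250 deny ip any any log",
)]

def verdict(seq, src):
    """Fate of HTTPS to 173.13.231.35 when the permit is inserted at seq."""
    new = parse_entry(f"{seq} permit tcp any host 173.13.231.35 eq 443")
    return first_match(EXISTING + [new], "tcp", src, "173.13.231.35", 443)

if __name__ == "__main__":
    for seq in (260, 245, 5):  # after the final deny, before it, at the top
        print(seq, verdict(seq, "198.51.100.7"), verdict(seq, "192.168.10.50"))
```

With the permit at 260 the final deny at 250 still wins, and at 5 a spoofed RFC 1918 source is let through; placed between the anti-spoofing entries and entry 250, the Internet client is permitted and the spoofed source is still denied.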