Cisco router help: how to set up a direct route with NO NAT

cyr0nk0r

Senior member
Dec 12, 2001
383
0
0
I have a Cisco 2611XM dual Fast Ethernet router. It's running IOS 12.3.

We have several static NATs defined. We have a /28 IP block established.

I am trying to set up a server to be outside of our NAT. How would I do this?

Our primary IP is aaa.bbb.231.65
However, our /28 is aaa.bbb.229.80 - aaa.bbb.229.95

The 231.65 is what is defined as our WAN IP, which is what our Fast Ethernet 0/0 (WAN) is set to.

How would I assign a server behind our router to, say, aaa.bbb.229.94?
I have the server set with the public IP already; however, the router isn't allowing the traffic through.

Any help?
 

Tommouse

Senior member
Feb 29, 2004
986
0
0
I do most of my NAT on ASAs or a PIX, so this might not be completely relevant for you, but hopefully helpful.

I would set up a static forward, i.e.
static (inside,outside) aaa.bbb.229.94 192.168.ccc.ddd netmask 255.255.255.255

This is more or less a complete port forward: anything coming to that external address will be pumped to the internal address. On the way out it will NAT it back behind the external address associated with the private one. (This is assuming your router works like an ASA/PIX.)

This is only part of it though; you need to make sure that your ACL on the external interface will allow traffic to aaa.bbb.229.94. Without the ACL letting in the traffic, it will never get to the forwarding statement.

Hope that helps a bit. If not, maybe a sanitized version of your config would be helpful :)
 

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
Typically, you would have one of your routable IPs like aaa.bbb.229.80 assigned to your other Fast Ethernet interface. The server aaa.bbb.229.94 would be behind the router on a switch using aaa.bbb.229.80 as its default gateway.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
If you have a dynamic NAT set up already, the only way to expose a server on the other side would be to set up a static NAT.

Alternatively, you could possibly use a sub-interface and VLANs...though I see no reason why you wouldn't want to use a NAT.

A third option would be to invest in a second firewall device such as a PIX or an ASA to go behind the original Cisco router and have the PIX/ASA perform your NAT to your clients and then put your servers on the outside.
 

cyr0nk0r

Senior member
Dec 12, 2001
383
0
0
Yeah, usually the 229.80 would be the gateway, but that's not the case here. We're in a data center and the 231.65 is our gateway, so we get to use all 16 addresses of the /28 instead of just 14.

We don't want to use static NATs.

If I could put the server on a DMZ that would be fine too. How would I do that with a router?
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
You would need a third Fast Ethernet port or would need to employ VLANs and a sub-interface on the inside physical interface. So, you'd need a managed switch. To this third interface, you'd assign an IP in your /28 subnet (229.80, for example). This would become the gateway for all devices on this leg of the network. So, if you wanted your server to be 229.83, it would have a subnet of 255.255.255.240 and a default gateway of 229.80. Any of the IPs in this subnet, of course, would work for either interface.

The theory is sound, but whether or not it actually works or is implemented is another story...I've never tried.

Still not sure why static NATs are an issue...what you're describing is the purpose for which static NATs were designed...
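One way the sub-interface approach above can be laid out on IOS 12.3, as an added configuration example that is not from any poster in this thread. Everything not stated in the thread is assumed: Fa0/1 carries the private LAN 192.168.1.0/24, the public /28 rides on VLAN 10 through a managed switch, the DMZ gateway is 229.81 (229.80 is the subnet address once the /28 is put on an interface), the static NAT target and the HTTPS service are placeholders, and the data center routes the /28 to 231.65.

```cisco
! Added example, not the thread author's config. aaa.bbb = real prefix.
interface FastEthernet0/0
 description WAN to data center
 ip address aaa.bbb.231.65 255.255.255.252
 ip access-group WAN-IN in
 ip nat outside
!
interface FastEthernet0/1
 description inside private LAN (NATed); untagged on the trunk
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Public /28 on a dot1q sub-interface. No "ip nat inside" here, so
! the router just routes 229.x hosts; the server uses 229.81 as gateway.
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 description public DMZ, /28 routed straight through, no NAT
 ip address aaa.bbb.229.81 255.255.255.240
!
! Overload NAT for the private LAN only. The explicit deny keeps the
! /28 out of the translation even if someone later marks the
! sub-interface "ip nat inside".
access-list 100 deny   ip aaa.bbb.229.80 0.0.0.15 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload
!
! Existing static NATs keep working; their public addresses must not
! collide with hosts placed on the DMZ (assumed addresses).
ip nat inside source static 192.168.1.20 aaa.bbb.229.82
!
! WAN-side filter: anti-spoofing for our own block, then only the
! service the DMZ host offers (HTTPS assumed). Replies to sessions the
! server itself opens need the "established" line or, for UDP such as
! DNS, explicit permits or "ip inspect" (CBAC), not shown here.
ip access-list extended WAN-IN
 remark our own /28 must never arrive from the WAN
 deny   ip aaa.bbb.229.80 0.0.0.15 any log
 permit tcp any host aaa.bbb.229.94 eq 443
 permit tcp any host aaa.bbb.229.94 established
 deny   ip any host aaa.bbb.229.94 log
 remark NATed LAN and static NATs: unchanged by this example
 permit ip any any
```

Verify with "show ip nat translations" that no entry ever shows a 229.x inside-local address, and with "show ip route" that the /28 appears as a connected route on FastEthernet0/1.10.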