28 Replies Latest reply on Jan 21, 2018 8:19 AM by busy2

    Need assistance routing Public IP  natively w/o NAT

    busy2 New Member

      I need to route a public IP directly to an inside server without using NAT.

      I am looking for a way to route 1 or 2 public IP addresses from a /29 block to an inside device. We want to code the public IP directly on the device and do not want to use NAT (or 1:1 NAT).

      Our IP gateway is on e 0/2; it is a single /30 address and it is not associated with the /29 block.

      I listed several IP addresses in the /29 block as secondary addresses on the e 0/1 interface but cannot figure out how to route an address to the server NIC.

      The configuration below was set up for 1:1 NAT, but I need to change or modify the config to be able to pass a public IP to the inside.

      Can I route addresses in the new /29 block 85.25.202.90 through the existing /30 IP gateway 188.57.122.102?

      Do I need to put an address on the unused e 0/1 interface and use that to route a public IP address?

      Do I need to set up a DMZ?

        • Re: Need assistance routing Public IP  natively w/o NAT
          jayh Hall_of_Fame

          On your eth 0/1 interface, configure it to have one of the addresses in the /29 block, such as:

          ip address 85.25.202.89 255.255.255.248

          Leave your eth 0/2 as-is if it's properly connected to your ISP now.

          On the hosts connected to eth 0/1, assign each a different address from 85.25.202.90 to 85.25.202.94, each with a subnet mask of 255.255.255.248 and a gateway of 85.25.202.89, which is your eth 0/1.

          These hosts will send traffic to the Adtran box, which will route it out to the Internet.

          You can set up a DMZ by enabling the firewall, configuring different ip access-policies to each interface and assigning policy-class statements as needed. Typically your eth 0/2 connected to your ISP would be class "Public" and your eth 0/1 would be class "DMZ". Your policy-class on the DMZ would be to allow anything out, and the policy-class for Public would be to allow just those IPs, ports, and protocols on which you have public services running on eth 0/1. If you want to rely on host-based firewalls on the public hosts, then you don't need this but it is best practice to do so for security.

          Also, now that you've put your IPs out there, make sure that you have secure passwords on the Adtran device itself and preferably restrict access to the Adtran box to trusted networks.

            • Re: Need assistance routing Public IP  natively w/o NAT
              busy2 New Member

              First, thank you!! for the response. Here are a couple more questions if you can help out.

              Do I drop the /29 addresses listed as secondary on eth 0/2?

              Eth 0/2 is our internet connection?

              It sounds like I will have to run Cat-5 to the new server because the /29 block won’t play on the existing 192.168.xxx.0 media. That’s not a problem because the server is located in the same cabinets as the Adtran router.

              Later on, if we need to send a public address to a server or device in another building, I will need to route it using the 192.168… inside wire. At that point I may also be able to use NAT 1:1.

              If so, do I then break out addresses from the /29 as secondary addresses on the eth 0/2 internet interface?

                • Re: Need assistance routing Public IP  natively w/o NAT
                  jayh Hall_of_Fame

                  busy2 wrote:

                  First, thank you!! for the response. Here are a couple more questions if you can help out.

                  Do I drop the /29 addresses listed as secondary on eth 0/2?

                  Yes.

                  It sounds like I will have to run Cat-5 to the new server because the /29 block won’t play on the existing 192.168.xxx.0 media. That’s not a problem because the server is located in the same cabinets as the Adtran router.

                  What 192.168.xxx.0 media? You didn't mention that.

                  Later on, if we need to send a public address to a server or device in another building, I will need to route it using the 192.168… inside wire. At that point I may also be able to use NAT 1:1.

                  What ethernet switches are you using? Are they managed and capable of VLANs? It sounds like you may want to trunk the public 85.25.202.88/29 and 192.168.xxx.0 subnets on two VLANs. This will allow you to have three logical interfaces: ISP in on eth 0/2, as well as public /29, and NAT 192.168 on two VLANs on eth 0/1.

                • Re: Need assistance routing Public IP  natively w/o NAT
                  busy2 New Member

                  Some success - but showing a loop at the gateway:

                  btw - these are not my actual numbers, but a representation of them, although I appreciate your input on security.

                  I set up IP on eth 0/1 and on 2 servers in their own public segment.

                  Now, a tracert from outside to the f 0/1 interface 85.25.202.89 /29 IP shows a loop at our ISP gateway.

                  The trace gets through the ISP and to the Adtran.
                  Then the Adtran directs the trace back to the ISP.
                  Over and over.

                  Tracert 85.25.202.89    (the /29 Adtran eth 0/1 address)

                  …6,7,8,9…
                  10    47 ms    61 ms    41 ms  GigabitEthernet from ISP.ISP.NET [188.62.14.208]
                  11    45 ms    46 ms    43 ms  188.57.122.102
                  12    48 ms    46 ms    52 ms  188.57.122.101
                  13    50 ms    47 ms    47 ms  188.57.122.102
                  14    52 ms    50 ms    50 ms  188.57.122.101
                  15    52 ms    51 ms    55 ms  188.57.122.102
                  16    54 ms    50 ms    51 ms  188.57.122.101
                  17    58 ms    57 ms    57 ms  188.57.122.102
                  18    59 ms    66 ms    55 ms  188.57.122.101
                  19    67 ms    57 ms    57 ms  188.57.122.102
                  20 …
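The alternating hops between 188.57.122.101 (ISP side) and 188.57.122.102 (Adtran WAN address) in the trace above are the signature of two routers each forwarding the destination back to the other. As an added example, not part of the thread, the Python below parses Windows tracert output and flags such a ping-pong; the sample output is constructed to mirror the trace above (hops 6 to 9 elided).

```python
"""Detect a routing ping-pong loop in Windows tracert output.

Added example, not from the thread. SAMPLE_TRACERT is constructed to mirror
the hop pattern reported above: the ISP side (188.57.122.101) and the Adtran
WAN address (188.57.122.102) alternate until tracert gives up.
"""
import re

# Constructed sample modelled on the trace in the post (hops 6-9 left out).
SAMPLE_TRACERT = """\
Tracing route to 85.25.202.89 over a maximum of 30 hops

 10    47 ms    61 ms    41 ms  GigabitEthernet from ISP.ISP.NET [188.62.14.208]
 11    45 ms    46 ms    43 ms  188.57.122.102
 12    48 ms    46 ms    52 ms  188.57.122.101
 13    50 ms    47 ms    47 ms  188.57.122.102
 14    52 ms    50 ms    50 ms  188.57.122.101
 15    52 ms    51 ms    55 ms  188.57.122.102
 16    54 ms    50 ms    51 ms  188.57.122.101
 17    58 ms    57 ms    57 ms  188.57.122.102
 18    59 ms    66 ms    55 ms  188.57.122.101
 19    67 ms    57 ms    57 ms  188.57.122.102
 20     *        *        *     Request timed out.
"""

HOP_LINE_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_hops(text):
    """Return [(hop_number, ip_or_None)] for each hop line in tracert output.

    tracert prints the responding address last on the line, either bare or in
    [brackets] after a resolved name; timed-out hops carry no address.
    """
    hops = []
    for line in text.splitlines():
        m = HOP_LINE_RE.match(line)
        if not m:
            continue  # banner, blank and trailer lines
        ips = IPV4_RE.findall(m.group(2))
        hops.append((int(m.group(1)), ips[-1] if ips else None))
    return hops


def find_ping_pong(hops, min_repeats=3):
    """Find two addresses that alternate for at least min_repeats full cycles.

    Returns (first_hop, addr_a, addr_b) for the earliest such run, else None.
    A normal path never revisits an address, so any A-B-A-B run is a loop.
    """
    addrs = [ip for _, ip in hops]
    width = 2 * min_repeats
    for i in range(len(addrs) - width + 1):
        a, b = addrs[i], addrs[i + 1]
        if a is None or b is None or a == b:
            continue
        if addrs[i:i + width] == [a, b] * min_repeats:
            return hops[i][0], a, b
    return None


if __name__ == "__main__":
    loop = find_ping_pong(parse_hops(SAMPLE_TRACERT))
    if loop:
        hop, a, b = loop
        print(f"loop from hop {hop}: {a} <-> {b} (each side routes the /29 toward the other)")
    else:
        print("no ping-pong loop found")
```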

                    • Re: Need assistance routing Public IP  natively w/o NAT
                      jayh Hall_of_Fame

                      busy2 wrote:

                      Some success - but showing a loop at the gateway:
                      btw - these are not my actual numbers, but a representation of them, although I appreciate your input on security.
                      I set up IP on eth 0/1 and on 2 servers in their own public segment.
                      Now, a tracert from outside to the f 0/1 interface 85.25.202.89 /29 IP shows a loop at our ISP gateway.

                      Is the eth 0/1 interface on the Adtran connected and up, no shutdown? Can you ping 85.25.202.89 from the connected servers?

                        • Re: Need assistance routing Public IP  natively w/o NAT
                          busy2 New Member

                          I can ping eth 0/1 from the Adtran,
                          but can't ping the server at xxx.xxx.xxx.90 from the Adtran.
                          I am offsite and can't access the server from here, so cannot try pinging the Adtran from the server.

                          eth 0/1 is up, line protocol is up
                          IP address is xxx.xxx.xxx.89
                          net mask 255.255.255.248
                          MTU is 1500
                          BW is 100000 Kbps
                          Fastcaching is Enabled
                          IPv4 access policy is DMZ

                            • Re: Need assistance routing Public IP  natively w/o NAT
                              jayh Hall_of_Fame

                              Can you post the configuration with passwords redacted?

                                • Re: Need assistance routing Public IP  natively w/o NAT
                                  busy2 New Member

                                  OK - here goes - removed a handful of port forwards on eth 0/2 to inside 192.168 servers.
                                  Hopefully everything you need to see -

                                  !
                                  !
                                  ! ADTRAN, Inc. OS version R11.4.5.E
                                  ! Boot ROM version R10.9.3.B1
                                  ! Platform: Total Access 908e (3rd Gen), part number 4243908F2
                                  !
                                  !
                                  hostname "host"
                                  enable password encrypted!
                                  !
                                  clock timezone -5-Eastern-Time
                                  !
                                  ip subnet-zero
                                  ip classless
                                  ip default-gateway xxx.xxx.xxx.101
                                  ip routing
                                  ipv6 unicast-routing
                                  !
                                  !
                                  name-server xxx.xxx.xxx.6 xxx.xxx.xxx.25
                                  !
                                  !
                                  no auto-config
                                  !
                                  event-history on
                                  no logging forwarding
                                  no logging console
                                  no logging email
                                  !
                                  service password-encryption
                                  !#
                                  !
                                  ip policy-timeout tcp echo 60
                                  !
                                  ip firewall
                                  no ip firewall alg msn
                                  no ip firewall alg mszone
                                  no ip firewall alg h323
                                  !
                                  !
                                  no dot11ap access-point-contro
                                  !
                                  !
                                  !
                                  ip dhcp database local
                                  ip dhcp excluded-address 192.168.10.0 192.168.10.100
                                  !
                                  ip dhcp pool "local"
                                    network 192.168.10.0 255.255.255.0
                                    domain-name "local"
                                    dns-server xxx.xxx.xxx.6 xxx.xxx.xxx.25
                                    default-router 192.168.10.1
                                  !
                                  !
                                  ip crypto ffe
                                  !
                                  !
                                  interface eth 0/1
                                    description Eth1
                                    speed 100
                                    ip address  xxx.xxx.xxx.89  255.255.255.248
                                    ip access-policy DMZ
                                    no rtp quality-monitoring
                                    media-gateway ip primary
                                    no awcp
                                    no shutdown
                                  !
                                  !
                                  interface eth 0/2
                                    description Eth2
                                    speed 100
                                    ip address  xxx.xxx.xxx.102  255.255.255.252
                                    ip mtu 1500
                                    ip access-policy Public
                                    no rtp quality-monitoring
                                    media-gateway ip primary
                                    no awcp
                                    no shutdown
                                  !
                                  !
                                  interface gigabit-eth 0/1
                                    description local
                                    ip address  192.168.10.1  255.255.255.0
                                    ip access-policy Private
                                    no rtp quality-monitoring
                                    media-gateway ip primary
                                    no awcp
                                    no shutdown
                                  !
                                  !
                                  ip access-list standard wizard-ics
                                    remark Internet Connection Sharing
                                    permit any
                                  !
                                  ip access-list extended self
                                    remark Traffic to Total Access
                                    permit ip any  any     log
                                  !
                                  !
                                  ip access-list extended web-acl-22
                                    remark Allow
                                    permit ip any  any
                                  !
                                  ip access-list extended web-acl-23
                                    remark https
                                    permit tcp any  xxx.xxx.xxx.88 0.0.0.7 eq https
                                  !
                                  ip access-list extended web-acl-4
                                    remark ssh
                                    permit tcp any  host xxx.xxx.xxx.102 eq ssh
                                  !
                                  ip access-list extended web-acl-5
                                    remark https
                                    permit tcp any  host xxx.xxx.xxx.102 eq https
                                  !
                                  !
                                  ip policy-class DMZ
                                    allow list web-acl-23 policy DMZ
                                    allow list web-acl-22 self
                                  !
                                  ip policy-class Private
                                    allow list self self
                                    nat source list wizard-ics interface eth 0/2 overload
                                  !
                                  ip policy-class Public
                                    allow list web-acl-4 self
                                    allow list web-acl-5 self
                                  !
                                  !
                                  ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.101
                                  !
                                  no tftp server
                                  no tftp server overwrite
                                  http server
                                  http session-timeout 1320
                                  http secure-server
                                  no snmp agent
                                  no ip ftp server
                                  no ip scp server
                                  no ip sntp server
                                  !
                                  !
                                  sip
                                  sip udp 5060
                                  no sip tcp
                                  !
                                  !
                                  !
                                  ip rtp symmetric-filter
                                  !
                                  ntp server us.pool.ntp.org
                                  !
                                  !
                                  end

                                    • Re: Need assistance routing Public IP  natively w/o NAT
                                      jayh Hall_of_Fame

                                      OK, you'll want some tweaks to your access policy.

                                      !
                                      ip policy-class DMZ
                                        no allow list web-acl-23 policy DMZ ! <- This isn't needed as it's the same subnet.
                                        allow list web-acl-22 self
                                        allow list web-acl-22 policy Public ! <- Allow the DMZ to go out to the Internet
                                      !
                                      ip policy-class Private
                                        allow list self self
                                        nat source list wizard-ics interface eth 0/2 overload
                                        allow list [whatever] policy DMZ ! <- Allow the NAT devices whatever access to the DMZ you want.
                                      !
                                      ip policy-class Public
                                        allow list web-acl-4 self
                                        allow list web-acl-5 self
                                        allow list [whatever] policy DMZ ! <- Allow public to services on DMZ as needed.
                                      !

                                      As to why you're seeing a route loop reaching the DMZ, this isn't a firewall issue but routing. Double-check for typos in the IP addresses for the /29 from your provider vs. what you've configured. Also it usually isn't a good idea to configure the speed on an interface such as you've done on eth 0/1 and eth 0/2. This can cause problems with switch auto-negotiation. Most gear made in the last decade or more doesn't need it and I've found it to cause more harm than good.

                            • Re: Need assistance routing Public IP  natively w/o NAT
                              busy2 New Member

                              Still not working.
                              From the router prompt, I can ping the address on eth 0/1 xxx.xxx.xxx.89, but cannot ping the server xxx.xxx.xxx.90 or 91.
                              I will be at the site this week and see if I can ping the router from the server or a PC on that segment.

                              Also, I checked the IP - and best I can tell it is coded per ISP -
                              addr:       xxx.xxx.xxx.88
                              netmask:    255.255.255.0
                              wildcard:   0.0.0.7

                              Network:    xxx.xxx.xxx.88/29
                              HostMin:    xxx.xxx.xxx.89  <- assigned to eth 0/1
                              HostMax:    xxx.xxx.xxx.94
                              Broadcast:  xxx.xxx.xxx.95

                              -> servers at xxx.xxx.xxx.90, xxx.xxx.xxx.91 with GW xxx.xxx.xxx.89, netmask 255.255.255.248

                                • Re: Need assistance routing Public IP  natively w/o NAT
                                  jayh Hall_of_Fame

                                  busy2 wrote:

                                  Still not working.
                                  From the router prompt, I can ping the address on eth 0/1 xxx.xxx.xxx.89, but cannot ping the server xxx.xxx.xxx.90 or 91.

                                  OK, check the server configuration. The servers should have a netmask of 255.255.255.248 and a gateway of xxx.xxx.xxx.89. See if the servers can ping each other and if they show up in the router's ARP table. After an attempted ping type "show arp".

                                  Also, I checked the IP - and best I can tell it is coded per ISP -
                                  addr:     xxx.xxx.xxx.88
                                  netmask:  255.255.255.0
                                  wildcard: 0.0.0.7

                                  Netmask above is wrong, it should be 255.255.255.248.
                                  The "addr: xxx.xxx.xxx.88" is the network address, not usable for hosts or gateway.
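The checks in the reply above (mask must be the /29's 255.255.255.248, .88 is the network address and not a host, every server's gateway must be the router's eth 0/1 address) are easy to get wrong by hand on a tired Friday. As an added example, not part of the thread, the Python below applies them to a server's typed-in addressing; the addresses are the thread's representative values (85.25.202.88/29, router at .89) used as constructed sample data.

```python
"""Sanity-check host addressing on the public /29 segment behind eth 0/1.

Added example, not from the thread. It encodes the checks jayh walks through:
the mask must match the delegated block, the block's network and broadcast
addresses are not host addresses, and each host's gateway must be the
router's eth 0/1 address. Sample addresses are the thread's placeholders.
"""
import ipaddress


def check_host(ip, netmask, gateway, delegated_block, router_ip):
    """Return a list of problems; an empty list means the host config is consistent.

    ip/netmask/gateway: what is typed on the server.
    delegated_block:    the /29 from the ISP, e.g. "85.25.202.88/29".
    router_ip:          the address configured on the router's eth 0/1.
    """
    problems = []
    block = ipaddress.ip_network(delegated_block, strict=True)
    router = ipaddress.ip_address(router_ip)
    try:
        iface = ipaddress.ip_interface(f"{ip}/{netmask}")
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return [f"unparseable address: {exc}"]

    # A /24 typed for a /29 is exactly the typo caught in the thread.
    if iface.network.prefixlen != block.prefixlen:
        problems.append(
            f"netmask {netmask} is a /{iface.network.prefixlen}; "
            f"the delegated block is a /{block.prefixlen} ({block.netmask})"
        )
    # Usable hosts exclude the block's network and broadcast addresses.
    if iface.ip not in block:
        problems.append(f"{ip} is not inside {block}")
    elif iface.ip == block.network_address:
        problems.append(f"{ip} is the network address of {block}, not usable for a host")
    elif iface.ip == block.broadcast_address:
        problems.append(f"{ip} is the broadcast address of {block}, not usable for a host")
    elif iface.ip == router:
        problems.append(f"{ip} collides with the router's eth 0/1 address")
    # The gateway must be the router's own address on this segment.
    if gw != router:
        problems.append(f"gateway {gateway} is not the router's eth 0/1 address {router_ip}")
    elif gw not in block:
        problems.append(f"gateway {gateway} is outside {block}")
    return problems


def check_segment(hosts, delegated_block, router_ip):
    """Run check_host over {name: (ip, netmask, gateway)}; return {name: problems}."""
    return {name: check_host(*cfg, delegated_block, router_ip) for name, cfg in hosts.items()}


if __name__ == "__main__":
    # Constructed sample mirroring the thread: two servers behind eth 0/1 (.89)
    # plus one box carrying the /24 mask and network address typo.
    servers = {
        "server-a": ("85.25.202.90", "255.255.255.248", "85.25.202.89"),
        "server-b": ("85.25.202.91", "255.255.255.248", "85.25.202.89"),
        "typo-box": ("85.25.202.88", "255.255.255.0", "85.25.202.89"),
    }
    for name, probs in check_segment(servers, "85.25.202.88/29", "85.25.202.89").items():
        print(name, "OK" if not probs else "; ".join(probs))
```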

                                • Re: Need assistance routing Public IP  natively w/o NAT
                                  busy2 New Member

                                  Yep -

                                  that was a typo -

                                  the mask is 255.255.255.248

                                  and I looked at the IP in arin.net and it is recorded correctly -

                                  so must be something in the config.

                                  I still need to go out to the site and check pings on the eth 0/1 segment.

                                  • Re: Need assistance routing Public IP  natively w/o NAT
                                    busy2 New Member

                                    Still at it. OK - here is another config -
                                    masked IP addresses -
                                    aaa.bbb.ccc for the /32 on eth 0/2
                                    and xx.xxx.xxx for the /29 on eth 0/1

                                    =================following================
                                    Config 2018-Jan-09
                                    - - - - - - - - - - - - - - - - - - - - - - - - - -
                                    ip subnet-zero
                                    ip classless
                                    ip default-gateway aaa.bbb.ccc.101
                                    ip routing
                                    ipv6 unicast-routing
                                    !
                                    ip firewall
                                    no ip firewall alg msn
                                    no ip firewall alg mszone
                                    no ip firewall alg h323
                                    !
                                    ip crypto ffe
                                    !
                                    interface eth 0/1
                                      description Eth1
                                      ip address  xx.xxx.xxx.89  255.255.255.248
                                      ip access-policy DMZ
                                      no rtp quality-monitoring
                                      media-gateway ip primary
                                      no awcp
                                      no shutdown
                                    !
                                    interface eth 0/2
                                      description Eth2
                                      speed 100
                                      ip address  aaa.bbb.ccc.102  255.255.255.252
                                      ip mtu 1500
                                      ip access-policy Public
                                      no rtp quality-monitoring
                                      media-gateway ip primary
                                      no awcp
                                      no shutdown
                                    !
                                    interface gigabit-eth 0/1
                                      description Rushford
                                      ip address  192.168.10.1  255.255.255.0
                                      ip access-policy Private
                                      no rtp quality-monitoring
                                      media-gateway ip primary
                                      no awcp
                                      no shutdown
                                    !
                                    ip access-list standard wizard-ics
                                      remark Internet Connection Sharing
                                      permit any
                                    !
                                    ip access-list extended filterIP
                                      permit ip host 192.168.10.106  host 82.165.21.187
                                    !
                                    ip access-list extended self
                                      remark Traffic to Total Access
                                      permit ip any  any     log
                                    !
                                    ip access-list extended web-acl-10
                                      remark 58108
                                      permit tcp any  host aaa.bbb.ccc.102 eq 108   log
                                    !
                                    ip access-list extended web-acl-14
                                      remark 1681053
                                      permit tcp any  host aaa.bbb.ccc.102 eq 1053   log
                                    !
                                    ip access-list extended web-acl-15
                                      remark 1671054
                                      permit tcp any  host aaa.bbb.ccc.102 eq 1054   log
                                    !
                                    ip access-list extended web-acl-16
                                      remark 56106
                                      permit tcp any  host aaa.bbb.ccc.102 eq 106   log
                                    !
                                    ip access-list extended web-acl-18
                                      remark 7183
                                      permit tcp any  host aaa.bbb.ccc.102 eq 83   log
                                      permit tcp any  host aaa.bbb.ccc.102 eq 3440   log
                                      permit tcp any  host aaa.bbb.ccc.102 eq 8000   log
                                    !
                                    ip access-list extended web-acl-25
                                      permit ip any  any
                                    !
                                    ip access-list extended web-acl-27
                                      remark pvt2dmz
                                      permit ip any  any     log
                                    !
                                    ip access-list extended web-acl-28
                                      remark pub2dmz
                                      permit ip any  any
                                    !
                                    ip access-list extended web-acl-4
                                      remark ssh
                                      permit tcp any  host aaa.bbb.ccc.102 eq ssh
                                    !
                                    ip access-list extended web-acl-5
                                      remark https
                                      permit tcp any  host aaa.bbb.ccc.102 eq https
                                    !
                                    ip access-list extended web-acl-6
                                      remark 50100
                                      permit tcp any  host aaa.bbb.ccc.102 eq 100   log
                                    !
                                    ip access-list extended web-acl-7
                                      remark 51101
                                      permit tcp any  host aaa.bbb.ccc.102 eq hostname   log
                                    !
                                    ip access-list extended web-acl-8
                                      remark 54104
                                      permit tcp any  host aaa.bbb.ccc.102 eq 104   log
                                    !
                                    ip access-list extended web-acl-9
                                      remark 55105
                                      permit tcp any  host aaa.bbb.ccc.102 eq 105   log
                                    !
                                    ip policy-class DMZ
                                      allow list web-acl-25 policy Public
                                    !
                                    ip policy-class Private
                                      allow list web-acl-27 policy DMZ
                                      allow list self self
                                      nat source list wizard-ics interface eth 0/2 overload
                                      discard list filterIP
                                    !
                                    ip policy-class Public
                                      allow list web-acl-4 self
                                      allow list web-acl-5 self
                                      nat destination list web-acl-6 address 192.168.10.50
                                      nat destination list web-acl-7 address 192.168.10.51
                                      nat destination list web-acl-8 address 192.168.10.54
                                      nat destination list web-acl-9 address 192.168.10.55
                                      nat destination list web-acl-16 address 192.168.10.56
                                      nat destination list web-acl-10 address 192.168.10.58
                                      nat destination list web-acl-14 address 192.168.10.168
                                      nat destination list web-acl-15 address 192.168.10.167
                                      nat destination list web-acl-18 address 192.168.10.71
                                      allow list web-acl-28 policy DMZ
                                    !
                                    ip policy-class Public2
                                      ! Implicit discard
                                    !
                                    ip route 0.0.0.0 0.0.0.0 aaa.bbb.ccc.101
                                    !
                                    [** NOTE: added static route - but it did not help]
                                    ip route xx.xxx.xxx.88 255.255.255.248 aaa.bbb.ccc.102
                                    !

                                      • Re: Need assistance routing Public IP  natively w/o NAT
                                        jayh Hall_of_Fame

                                        busy2 wrote:
                                        !
                                        [** NOTE: added static route - but it did not help]
                                        ip route xx.xxx.xxx.88 255.255.255.248 aaa.bbb.ccc.102
                                        !

                                        You don't want this, xx.xxx.xxx.88 is directly connected.

                                        You should add "allow list self self" to the DMZ policy-class for tests from the Adtran itself.

                                        It sounds like eth 0/1 isn't connected.

                                        Does "show ip route" list the xx.xxx.xxx.88/29 as a connected route?

                                        Are the servers on xx.xxx.xxx.90 and .91 in the ARP cache after an attempted ping?

                                        Do the servers have xx.xxx.xxx.89 configured as their gateway?

                                        Can the servers ping each other?

                                      • Re: Need assistance routing Public IP  natively w/o NAT
                                        busy2 New Member

                                        "show ip route" 

                                        Yes - xx.xxx.xxx.88/29 is directly connected, eth 0/1

                                        sh arp
                                        Addresses in the 90 - 94 range show in the ARP table
                                        (but currently there are no devices on those addresses; the server is currently offline).
                                        Table entries look like this:

                                        ADDRESS          TTL   MAC ADDRESS     INTERFACE   TYPE
                                        xx.xxx.xxx.91    0     (Unresolved)    eth 0/1     dynamic

                                        Also, I was able to ping xx.xxx.xxx.89 (eth 0/1) remotely from a device on the 192.168.10.0 network.

                                        I will be onsite at this location tomorrow to check the server gateway address and run pings from the /29.

                                        I appreciate your input and time on this project. Thanks

                                          • Re: Need assistance routing Public IP  natively w/o NAT
                                            jayh Hall_of_Fame

                                            (Unresolved) in the ARP table means that the servers aren't connected. You should see the MAC address of the server when it's connected. Can you ping xx.xxx.xxx.89 from the Internet?

                                              • Re: Need assistance routing Public IP  natively w/o NAT
                                                busy2 New Member

                                                IT'S Working!!!
                                                Last night's pings were promising.
                                                Once on site today, after re-plugging and unplugging connections the local crew had installed in the cabinets, pings started working inside. The server comes up and shows up in ARP with its MAC.
                                                There is another /29 address supposedly, but it doesn't show when pinging the /29 range 89-94.

                                                Last piece of this is to restrict ports to the server connection xx.xxx.xxx.89/29

                                                That would be an allow list in security zone dmz w/ destination dmz and ports selected "443,80,......" ?
                                                ^ btw ... this is a question??

                                                  • Re: Need assistance routing Public IP  natively w/o NAT
                                                    jayh Hall_of_Fame

                                                    busy2 wrote:
                                                    Last piece of this is to restrict ports to the server connection xx.xxx.xxx.89/29
                                                    that would be an allow list in security zone dmz w destination dmz and ports selected "443,80,......" ?
                                                    ^ btw ... this is a question??

                                                    This would be applied to the access-class for zone Public. You presently have allow list web-acl-28 policy DMZ there and that ACL allows all traffic. The policy-class sets where traffic can go to from the applied interface, so you want to limit the Public zone to those services on the DMZ that should be public.

                                                    Modify web-acl-28 as follows:

                                                    no permit ip any any
                                                    permit tcp any host xx.xxx.xxx.90 eq 80
                                                    permit tcp any host xx.xxx.xxx.90 eq 443
                                                    permit tcp any host xx.xxx.xxx.91 eq 80
                                                    permit tcp any host xx.xxx.xxx.91 eq 443
                                                    ...etc.

                                              • Re: Need assistance routing Public IP  natively w/o NAT
                                                busy2 New Member

                                                Thanks!!  Jay

                                                We're up and running. 

                                                • Re: Need assistance routing Public IP  natively w/o NAT
                                                  busy2 New Member

                                                  One more quick question:

                                                  We want to subnet the inside 192.168.x.x network with a handful of 10.x.x.x /24 subnets on managed Cisco switches.

                                                  10.1.1.0, 10.1.2.0, 10.1.3.0

                                                  Should these (10.x.x.x) networks be listed as secondary networks on the 192.168.x.x interface?

                                                    • Re: Need assistance routing Public IP  natively w/o NAT
                                                      jayh Hall_of_Fame

                                                      busy2 wrote:
                                                      One more quick question:
                                                      We want to subnet the inside 192.168.x.x network with a handful of 10.x.x.x /24 subnets on managed Cisco switches.
                                                      10.1.1.0, 10.1.2.0, 10.1.3.0
                                                      Should these (10.x.x.x) networks be listed as secondary networks on the 192.168.x.x interface?

                                                      You can, but it would be more scalable and flexible to create 802.1q subinterfaces on gigabit-eth 0/1 and create a trunk. Then split the networks by access VLANs on the Cisco switches. Something like:

                                                      interface gigabit-eth 0/1
                                                        description trunk to LAN switches
                                                        encapsulation 802.1q
                                                      !
                                                      interface gigabit-eth 0/1.101
                                                        vlan-id 101
                                                        description [whatever]
                                                        ip access-policy Private
                                                        ip address 10.1.1.1 255.255.255.0
                                                      !
                                                      interface gigabit-eth 0/1.102
                                                        vlan-id 102
                                                        description [whatever]
                                                        ip access-policy Private
                                                        ip address 10.1.2.1 255.255.255.0
                                                      !
                                                      interface gigabit-eth 0/1.103
                                                        vlan-id 103
                                                        description [whatever]
                                                        ip access-policy Private
                                                        ip address 10.1.3.1 255.255.255.0
                                                      !
                                                      interface gigabit-eth 0/1.192
                                                        vlan-id 192
                                                        description Rushford
                                                        ip address 192.168.10.1 255.255.255.0
                                                        ip access-policy Private
                                                        no rtp quality-monitoring
                                                        media-gateway ip primary
                                                        no awcp
                                                        no shutdown
                                                      !

                                                      Then connect the Cisco switch to this as a trunk port and configure access ports on the Cisco switch for the VLANs 101, 102, 103, 192 to connect to the various inside LANs. You can create different access policies for each as needed. This gives you the logical equivalent of a different layer 3 routed port for each subnet.

                                                    • Re: Need assistance routing Public IP  natively w/o NAT
                                                      busy2 New Member

                                                      Thanks for the tip.

                                                      Question:

                                                      Will devices on the various subnets be able to communicate with each other without policies?
                                                      Or will they need to be provisioned in the router and/or trunked in the switches to permit access?
                                                      Say printers are on the A network, computers are on the C network, and bridges are on the B network.
                                                      10.1.A.0
                                                      10.1.B.0
                                                      10.1.C.0

                                                        • Re: Need assistance routing Public IP  natively w/o NAT
                                                          jayh Hall_of_Fame

                                                          busy2 wrote:
                                                          Thanks for the tip.
                                                          Question:
                                                          Will devices on the various subnets be able to communicate with each other without policies?

                                                          Put them all in policy-class Private, then modify the Private class to include:

                                                          allow list web-acl-25 policy Private

                                                          They'll route through the TA900. If later you want to modify any of the policies, it's much easier. Hosts on each subnet need to have their gateway configured to be the IP of that subinterface. You can also assign IPs by DHCP; just add the DHCP pools with appropriate networks.
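As an added example (not code from the thread or from Adtran), a small Python check that parses a policy-class/ACL config in the shape busy2 posted and tests the two points jayh makes: that the Public class's allow into DMZ no longer rides on a "permit ip any any" ACL (the web-acl-28 change earlier in the thread), and that Private has an allow back into Private so hosts on the VLAN subinterfaces can reach each other. The config text is constructed and the host addresses are placeholders.

```python
def parse_aos(text):
    """Parse 'ip access-list extended' / 'ip policy-class' blocks from an AOS config."""
    acls, classes, current, kind = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("remark"):
            continue
        if line.startswith("ip access-list extended "):
            current, kind = line.split()[-1], "acl"
            acls[current] = []
        elif line.startswith("ip policy-class "):
            current, kind = line.split()[-1], "class"
            classes[current] = []
        elif kind == "acl":
            action, proto, *fields = line.split()
            if fields and fields[-1] == "log":  # 'log' is not a match field
                fields = fields[:-1]
            acls[current].append((action, proto, fields))
        elif kind == "class":
            classes[current].append(line.split())
    return acls, classes

def public_exposure(acls, classes, src="Public", dst="DMZ"):
    """Per 'allow list <acl> policy <dst>' rule in src: 'ANY' if the ACL permits
    ip any any (every dst host and port), else the (host, port) pairs it permits."""
    exposure = {}
    for rule in classes.get(src, []):
        if rule[:2] == ["allow", "list"] and rule[3:5] == ["policy", dst]:
            entries = acls.get(rule[2], [])
            if any(a == "permit" and p == "ip" and f == ["any", "any"] for a, p, f in entries):
                exposure[rule[2]] = "ANY"
            else:
                exposure[rule[2]] = [(f[f.index("host") + 1], f[f.index("eq") + 1])
                                     for a, p, f in entries
                                     if a == "permit" and "host" in f and "eq" in f]
    return exposure
def routes_between_own_subnets(classes, zone="Private"):
    """True when zone allows traffic back into itself, i.e. hosts on different
    VLAN subinterfaces in that zone can reach each other through the router."""
    return any(r[:2] == ["allow", "list"] and r[3:5] == ["policy", zone]
               for r in classes.get(zone, []))
# Constructed config in the shape busy2 posted (addresses are placeholders):
# web-acl-28 is wide open and Private has no allow back into Private.
BEFORE = """
ip access-list extended web-acl-25
  permit ip any any
!
ip access-list extended web-acl-28
  permit ip any any
!
ip policy-class Private
  allow list web-acl-25 policy DMZ
  allow list self self
!
ip policy-class Public
  allow list web-acl-28 policy DMZ
!
"""
# After jayh's two changes: web-acl-28 narrowed to web ports on the DMZ
# hosts, and Private allowed back into Private for inter-VLAN routing.
AFTER = BEFORE.replace("  permit ip any any\n!\nip policy-class Private",
    "  permit tcp any host xx.xxx.xxx.90 eq 80 log\n"
    "  permit tcp any host xx.xxx.xxx.90 eq 443 log\n"
    "  permit tcp any host xx.xxx.xxx.91 eq 443 log\n!\nip policy-class Private"
).replace("  allow list self self", "  allow list self self\n  allow list web-acl-25 policy Private")
```

Run `public_exposure` and `routes_between_own_subnets` on `parse_aos(BEFORE)` and `parse_aos(AFTER)` to see the wide-open result turn into the explicit (host, port) list and the inter-VLAN check flip to true.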

                                                            • Re: Need assistance routing Public IP  natively w/o NAT
                                                              busy2 New Member

                                                              Getting ready to make the move.

                                                              All of the LAN equipment, across various links via bridges and managed Cisco-to-Cisco switch connections, operates on the 192.x.x.0 network, and I want to roll the VLAN 101, 102, 103 subnets out without stepping into it and dropping connections in the process.

                                                              Does it make sense to set a trunk port for all of the 802.1q subinterfaces across all of the Cisco switches first, but to include in the trunk the 192.168.x.x LAN as it is, on the main ge 0/1 interface? And then begin to sort out the switch ports.

                                                              Or does it matter? Meaning I could also create the 192 VLAN subinterface for them as above, and they will all come into the switch trunk port, and everything will stay up.

                                                              Side note: once this is completed, if I move printers to 10.x.1.0, will they be easily available to computers on the 10.x.2.0 subnet? I believe you said yes, it would work with web-acl-25 below

                                                              allow list web-acl-25 policy Private

                                                                • Re: Need assistance routing Public IP  natively w/o NAT
                                                                  jayh Hall_of_Fame

                                                                  If you want to disturb the 192 subnet as little as possible, you can make it the native VLAN on the trunk. This means that you won't need to specify its tag on access interfaces. You'll still have some minimal downtime while configuring the trunk itself. To do this:

                                                                  interface gigabit-eth 0/1.192
                                                                    vlan-id 192 native

                                                                  However, I would take the time to tag it for consistency in troubleshooting later. This way all of the LAN subnets are configured the same way.

                                                                  Yes, the printers and computers on different subnets will be able to communicate with each other. Because they're not in the same broadcast domain, you may need local DNS entries or to specify the printers by IP address. The Bonjour protocol, which is often used to discover printers, only works within a single broadcast domain.

                                                            • Re: Need assistance routing Public IP  natively w/o NAT
                                                              busy2 New Member

                                                              Good point -
                                                              Tagging and consistency across all interfaces looks like the way to go.
                                                              Thanks