Cisco router question: Multiple public IPs and NATting

Status
Not open for further replies.

bluesdoggy

Seniorius Lurkius
46
Have a Cisco 871w with FE4 as WAN and Vlan1 for DHCP for the internal network.

We have a block of external IPs specified for use: x.x.x.193 specified for the default route out, and then .194 ~ .197 for some kiosks, servers, etc. I am trying to figure out a way to utilize these external IPs without resorting to static 1:1 NATting.

For instance, in the previous config of this environment that I inherited, they had a static internal IP host 1:1 NATted to the x.x.x.194 external IP, even though all they were using it for was VNC. I would like to maintain that mapping, but just forward the appropriate ports for the services I want to enable.

*EDIT* I should probably add that the reason this is a concern is because we have added a VPN tunnel to our topology and, according to Cisco, it's impossible to have these 1:1 static NATted hosts also be able to move traffic across the VPN. */EDIT*

Is this possible? I'm working inside the SDM that was provided with the router, and that may be my first mistake... trying to use the Firewall/ACL interface is confusing to me. If need be I'll say to hell with that and fire up a telnet session.
 
I'd have to agree with Frennzy, I'm a bit confused. Why are we using a 1:1 host NAT? Put one IP address for the VPN endpoint, and you can do a NAT pool for the rest, and statically NAT the incoming stuff you need on whatever outside IP you need by hand to retain the mappings.

Also, the SDM is horrible for that. I have your model with the ADSL interface on it, and the SDM doesn't even work properly and couldn't get the DSL working on it. I ditched it in under 10 minutes and had the command line working in less than 5 for everything I needed.

If you hit the command line, do a "show run", edit out the passwords, and post it here, then explain what you're trying to do; lots of Cisco folks here can point you in the right direction.

Edit: Reread your post. You wouldn't be able to have your clients move traffic over the tunnel because it's set that "this client = this outside IP address" if you statically NAT it. However, if you do port address translation, and point an outside IP/port to an inside IP/port, I would think that would work. I haven't tried it. And then your hosts will follow the appropriate routing to either hit the VPN, or head out your public IP to the internet, or what have you.
 
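The port-level approach the reply describes, written out as an added IOS configuration example (not from either poster, and not tested on an 871w by them). Everything address-related is assumed: RFC 5737 203.0.113.0/27 stands in for the x.x.x.0/27 block with .193 as the ISP gateway, the router's own WAN address (never stated in the thread) is taken as .198, the VNC host is 192.168.1.10, and the far side of the VPN is 10.0.0.0/24. The VPN exemption line goes one step beyond what the thread spells out; it is the usual way to keep NAT off tunnel traffic on IOS.

```cisco
! Added example, not from the thread. Placeholder addresses:
! 203.0.113.0/27 = the public block, .193 = ISP gateway (per the post),
! .198 = assumed router WAN address, 192.168.1.10 = assumed VNC host,
! 10.0.0.0/24 = assumed remote LAN on the far side of the VPN tunnel.
!
interface FastEthernet4
 description WAN
 ip address 203.0.113.198 255.255.255.224
 ip nat outside
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.193
!
! Which inside traffic gets translated on the way out. The deny line keeps
! LAN-to-VPN traffic out of NAT so it can still match the IPsec crypto ACL;
! it assumes the tunnel's remote network is 10.0.0.0/24.
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
! Dynamic PAT for everyone else, drawn from the spare public addresses
! (.195-.197) as a pool instead of a 1:1 host mapping.
ip nat pool PUBLIC 203.0.113.195 203.0.113.197 netmask 255.255.255.224
ip nat inside source list 100 pool PUBLIC overload
!
! Static PAT: only TCP 5900 (VNC) arriving on .194 reaches the inside host.
! Traffic from 192.168.1.10 on any other port is not covered by this entry,
! so it follows ACL 100 like every other host and can still use the VPN.
! 'extendable' allows more port mappings on .194 to be added later.
ip nat inside source static tcp 192.168.1.10 5900 203.0.113.194 5900 extendable
```

After applying it, `show ip nat translations` should list the static 5900 entry permanently and pool entries only while hosts are active, and `show ip alias` should show the router answering for .194 and the pool addresses on the WAN segment. Exposing VNC on a public address is weak on its own; an inbound ACL on FastEthernet4 that limits TCP 5900 to the source addresses that actually need it is the minimum a practitioner would add alongside this.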