Nigel,

The router itself calls the 100M interface fastethernet0/0, which is why I
referred to it as such, and the trunking was because I am running lab
configurations with more than two subnets on the private side and I need to
be able to route between them as well as filter between them for security.

The ISP is PacBell and for enhanced DSL they only give you a /29, and they
take one of the addresses for their side of the connection.

The reason I am leaving a host with a public address in the DMZ is because
it is a DNS server, and there are issues with BIND and Solaris when the DNS
server does not use the same IP address and name as that which is listed as
authoritative for the domain (i.e. the domain server knows itself as on
10.50.0.65 in /etc/hosts but has the address 216.103.77.99 as its address
within its zone.)  If I want to protect that host with CBAC, I need to put
the router between it and the ISP.  Remember that the traffic is coming from
the ISP via a DSL modem 10 M ethernet connection and not a WAN connection to
the router.

The addresses which would be valid in the /29 but not in the /30 would only
be referenced as static NAT entries which would be translated on the
interface with the /29 which is facing the ISP.  Once the traffic for that
address enters the Fa0/0 it would be translated to an RFC1918 address and
sent out to the host on the 10. net, so the host would not know it is being
referenced by the public address.

I realize that this is not a standard type configuration for this, but
PacBell will only give me a /29, and I'm trying to find a way to meet BIND's
requirements for the DNS server and have the server protected by CBAC plus
have other public IP addresses for static NAT entries for other servers on
my net (I've got a number of different servers on my net and want to have
public addresses for different services, i.e. web server, mail server,
application servers).

Thanks!

--
James D. Wilson, CCDA, MCP
Sr. Network/Security Engineer
"non sunt multiplicanda entia praeter necessitatem"
William of Ockham (1285-1347/49)


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Nigel Taylor
Sent: Sunday, August 11, 2002 11:51 AM
To: [EMAIL PROTECTED]
Subject: Re: * Routing/Subnetting question [7:51193]


James,
          See Inline..

----- Original Message -----
From: "James Wilson"
To:
Sent: Sunday, August 11, 2002 12:34 PM
Subject: * Routing/Subnetting question [7:51193]


> I have a 1750 with a /29 assigned to me, and I need to create a DMZ to put
> a DNS server on so that I can control access using CBAC.  My FastEthernet
> interface is trunked to a Cat 2924. I'd like to have the /29 on one
> subinterface which talks to PacBell's router, and take a /30 out of the
> /29 and put it on another subinterface so that I can hang the DNS server
> off a port on that VLAN using a public IP address.

NT:  Why would you VLAN traffic from your ISP instead of using the extra
interface (eth0/0)?
You must consider a number of things when using your existing design.
Firstly, the interface you're referring to as a FE interface is shown in the
Cisco catalog as a 10/100 ethernet interface.
Secondly, please note that based on your current traffic utilization, what
kind of performance could be achieved/expected on the physical interface (the
subs are technically part of the same physical NIC/transceiver).

On the area of addressing you might want to take a look at the following
links, which could answer some of your questions as they apply to addressing
(VLSM in particular).
http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf (watch the
wrap)
http://www.ietf.org/rfc/rfc3021.txt?number=3021

>I'd also like to use
> static NAT addresses out of the /29 including what would be an all zero or
> all one address out of the /30.  My thought is that this would work since
> the NAT will take place via the subinterface on the /29 (ip nat outside),
> and the only time the /30 will come into play is with traffic destined to
> the DNS server, which is not NAT'ed.  This would allow me to have routing
> and CBAC protection for the host on the /30 net and not lose the ability
> to use those addresses which would normally be lost from the /30 all zeros
> and all ones addresses by using them for static NAT entries for hosts on
> the private IP side of my network.  When I go to assign an address out of
> the /30 to the subinterface facing the DMZ I get a message stating that
> the addresses overlap the other interface.  Will this still work the way I
> believe it will?  Would it make a difference if I use my currently shut
> down Eth0/0 interface instead of the trunked Fa0/0?

IMHO, based on what you're trying to accomplish here are my recommendations...

1.  Depending on the type of connection you make to your provider (10MB or
100MB) I would configure the port (and that port only) for connectivity to my
provider.  I'm not sure if you currently have a requirement to be connected to
your provider at 100MB, but if you did, I would suggest you look into
purchasing another device like the 2620/21 or 265x model.

2.  I would again recommend that you follow the links I listed above.  Also,
please note most of your presumptions are incorrect.  What you observed in the
message "overlap the other interface" is correct.  With a /29 of any address
block you only have 2 bits to be used as subnet bits.  Furthermore, if you were
to use a /30 mask on the interface then the all 1s and all 0s are unusable,
using NAT or not.  The emphasis here is that although the router's NAT
configuration might (haven't confirmed this) allow you to create the static
mapping, the end host will not allow you to assign the 1s and 0s using the /30
mask.

3.  Your options here are as follows..
     Request your provider to allow you to make the /29 into /30 (or even a
     /31[1]) on the WAN connection.  (Assuming you're not using any dynamic
     routing protocols, this would simply require a static route (for the /29)
     in the provider's edge device.)  This would then allow you to make more
     efficient use of the /29 and provide address space to fill your DMZ
     requirement.
     So let's say you have the address 172.16.10.0/29; this would then allow
     the following;

     172.16.10.0/30  with the valid IPs being .1, .2,  and .3 for broadcast.
     172.16.10.4/30  with the valid IPs being .4, .5,  and  .6 broadcast.

Doing this now allows you to configure the ISP connection, and it allows for
the use of an additional device on the DMZ apart from the DNS server you noted.

Finally, you can now implement NAT (using RFC 1918 compliant addresses) on what
you determine to be the inside network connection/interface.  Your NAT
configurations would have to be configured for overlapping (makes use of port
mappings).  In this design you will not have a need to manually configure any
static NAT mappings for services on the DMZ.  As well, you should have no
problem using CBAC as you noted to monitor and filter traffic to and from the
DMZ.


HTH

Nigel

[1]  I'm not sure how many providers (ISPs) currently use or will allow their
customers to use the /31 subnet.  However, the /30 shouldn't be a problem.
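As an added illustration (not code from either poster), the following Python script does the address arithmetic behind Nigel's option 3 and the "overlaps" message James saw on the 1750: it carves a /29 into /30s, lists which addresses a host can actually be configured with under a given mask (including the RFC 3021 /31 case Nigel footnotes), checks whether two blocks share addresses (the condition under which IOS refuses the second interface address), and labels every address of the /29 by the role it plays once a /30 inside it is put on a second interface. The blocks are from the RFC 5737 documentation range 192.0.2.0/29, not the real PacBell assignment, and the function names are the example's own.

```python
"""Address arithmetic for a provider /29 with a /30 carved out for a DMZ.

All blocks here are assumptions for illustration (RFC 5737 documentation
space), not the poster's real addresses.
"""
import ipaddress


def split(block, new_prefix):
    """Carve a block into equal sub-blocks, e.g. a /29 into two /30s."""
    net = ipaddress.ip_network(block, strict=True)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def assignable(block):
    """Addresses a host may carry on an interface configured with this mask.

    Network and broadcast are excluded for /30 and wider; a /31 point-to-point
    link (RFC 3021) keeps both of its addresses, which ipaddress handles.
    """
    return [str(h) for h in ipaddress.ip_network(block, strict=True).hosts()]


def overlaps(a, b):
    """True when the two blocks share any address.  This is the check that
    makes IOS reject the second interface address with an overlap message when
    a /30 inside the /29 is assigned alongside the /29 itself."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def classify(isp_block, dmz_block):
    """Label each address of the ISP block by the role it plays once dmz_block
    (a sub-block of it) is configured on a second interface.

    The /29's own network and broadcast are checked first, so an address that
    is both the /29 broadcast and the upper /30 broadcast is reported as the
    /29 broadcast.
    """
    isp = ipaddress.ip_network(isp_block, strict=True)
    dmz = ipaddress.ip_network(dmz_block, strict=True)
    if not dmz.subnet_of(isp):
        raise ValueError("DMZ block must be carved out of the ISP block")
    roles = {}
    for addr in isp:
        if addr == isp.network_address:
            roles[str(addr)] = "network of %s" % isp
        elif addr == isp.broadcast_address:
            roles[str(addr)] = "broadcast of %s" % isp
        elif addr == dmz.network_address:
            roles[str(addr)] = "network of %s" % dmz
        elif addr == dmz.broadcast_address:
            roles[str(addr)] = "broadcast of %s" % dmz
        elif addr in dmz:
            roles[str(addr)] = "host in %s" % dmz
        else:
            roles[str(addr)] = "host in %s" % isp
    return roles


if __name__ == "__main__":
    isp = "192.0.2.0/29"                 # assumed provider /29
    lower, upper = split(isp, 30)        # 192.0.2.0/30 and 192.0.2.4/30
    print("WAN /30 hosts:", assignable(lower))
    print("WAN as /31 instead:", assignable(split(lower, 31)[0]))
    print("does the DMZ /30 overlap the /29?", overlaps(isp, upper))
    for addr, role in classify(isp, upper).items():
        print(addr, "->", role)
```

Running it with the upper /30 as the DMZ shows only two addresses (.5 and .6) usable on a host behind a /30 mask, and that the /30 overlaps the /29 whether or not anything is ever NATed to its network or broadcast address, which is exactly the case the interface address check trips on.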




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51205&t=51193
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
