[c-nsp] 1811 questions (bridging, nat, etc)

David Hubbard dhubbard at dino.hostasaurus.com
Tue Jun 11 21:16:20 EDT 2013


Hi all, trying to figure out how best to implement an 1811 at a remote
office that ideally could use all three of the following:

1) Internal user NAT for ipv4 users on wired and wireless interfaces
2) site to site vpn
3) A few servers that need to be exposed/public but ideally have some
ACLs in front.

My original plan was to make Fast0 WAN, apply NAT for inside VLANs,
ACLs for all incoming.  Make Fast1 a trunk with tagged subinterfaces
for the internal user vlan, a dmz vlan and wireless vlan; connect it
back to internal switch.  Make Fast2-9 DMZ interfaces for the couple
servers and put them in the DMZ vlan.

Interfaces Fast0 and Fast1 appear to be routed only, and the device does
not appear to forward packets between a vlan subinterface defined on
either of them and Fast2 through Fast9 if they're switchport mode access
on the same vlan, so the DMZ servers could not get out or receive
traffic in, before even getting the ACL stuff.

Can I do the following, and is it the best solution?

Don't use Fast0 and Fast1.  Instead make Fast2 a switchport mode access
for the public internet using a 'public' vlan.  Make Fast3 a switchport
mode trunk.  Define VLANs for internal users, wireless interfaces and
DMZ.  Put ports Fast4-Fast9 in the DMZ vlan mode access; connect
external-facing servers there.  Define vlan interfaces for routing from
internal to the 1811.

Can I do NAT on a vlan interface in an 1811?  I've read some things that
made me think no.  If not, any other options?

Thanks,

David
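
The layout proposed in the post, written out as an IOS configuration sketch (an added example, not from the post or the list): Fast2 as the access port in the public VLAN, Fast3 as the trunk, Fast4 through Fast9 in the DMZ VLAN, NAT plus an inbound ACL on the public SVI. Addresses, VLAN numbers and published ports are constructed placeholders, and NAT being accepted on the VLAN interfaces is assumed, since that is the open question in the post.

```cisco
! Added example, not from the post or the list. Addresses, VLAN numbers and
! service ports are constructed placeholders; NAT on the VLAN interfaces is
! assumed to work here, which is the open question in the post.
! VLANs 10 (users), 20 (wireless), 30 (dmz) and 99 (public) are assumed to exist.
interface FastEthernet2
 description ISP uplink as an access port in the 'public' VLAN
 switchport access vlan 99
!
interface FastEthernet3
 description trunk to the internal switch (users, wireless, dmz)
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface range FastEthernet4 - 9
 description external-facing servers
 switchport access vlan 30
!
interface Vlan99
 description public side: filter inbound, NAT outside
 ip address 192.0.2.2 255.255.255.248
 ip access-group FROM-INTERNET in
 ip nat outside
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip nat inside
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip nat inside
!
interface Vlan30
 description DMZ: public addresses routed, not translated
 ip address 192.0.2.9 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip nat inside source list INSIDE-USERS interface Vlan99 overload
ip access-list standard INSIDE-USERS
 permit 10.0.10.0 0.0.0.255
 permit 10.0.20.0 0.0.0.255
!
ip access-list extended FROM-INTERNET
 remark only the published DMZ services are reachable from outside
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.11 eq 25
 remark replies to sessions opened from inside (the inbound ACL is checked before NAT)
 permit tcp any 192.0.2.0 0.0.0.15 established
 permit icmp any 192.0.2.0 0.0.0.15 echo-reply
 deny   ip any any log
```

Replies to UDP sessions opened from inside (DNS, for example) are not matched by `established`; they need stateful inspection (`ip inspect`) or a reflexive ACL on the public interface.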


