In dedicated Internet connection plans (i.e. T1/E1 or DS3/E3) and some xDSL plans, you may receive two different subnets from your ISP. One is for the WAN connection between your network and the ISP. In a dedicated Internet connection plan using a T1/E1 or faster circuit, the WAN subnet is typically a /30 network, since the circuit you have is point-to-point. Note that it is possible to have a WAN subnet larger than /30, especially with an xDSL plan. The other subnet you receive from the ISP is your Public IP Block. This block could be a /29, /28, or /27 network, depending on which plan or subnet you choose to have.

There will be a router that connects to your ISP. This router has two Layer-3 interfaces: one faces your ISP and the other faces your network. You plan to have a Private network that uses Private IP addresses (i.e. 10.0.0.0/24, 172.16.1.0/24, or 192.168.4.0/24). Therefore there must be NAT/PAT in place within your network between the Private IP addresses and the Public IP Block assigned by your ISP. Your objective is to find a suitable network setup using the IP blocks you receive from your ISP. You have several scenarios to choose from to set up such a network.

For the sake of discussion, let's say you have the following subnets from your ISP:

    WAN IP Subnet: 1.1.1.0/30, where 1.1.1.2/30 is your WAN IP address and 1.1.1.1/30 is the ISP gateway
    Public IP Block: 2.2.2.0/24

and you plan to use 192.168.0.0/24 as your Private subnet. Following are the scenarios.

Scenario 1: The router does NAT/PAT

In this scenario, there is a switch behind the router to connect to the Private LAN. The router inside (E0/0) interface is within the Private LAN and also serves as default gateway to all hosts within the Private LAN. You set the router to assign 2.2.2.1 as the Public PAT IP address for all Private LAN hosts. You may later assign other IP addresses within your Public IP Block to other devices such as servers and a VPN Concentrator.

Router configuration

    interface Ethernet0/0
     description Private LAN
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
    !
    interface Ethernet0/1
     description WAN connection to ISP
     ip address 1.1.1.2 255.255.255.252
     ip nat outside
    !
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    !
    ip nat pool NAT-pool 2.2.2.1 2.2.2.1 prefix-length 24
    ip nat inside source list 10 pool NAT-pool overload
    !
    access-list 10 remark Permitted Private LAN to go out to the Internet
    access-list 10 permit 192.168.0.0 0.0.0.255

Following is a sample configuration when there are multiple LAN interfaces on the router. Note that no NAT takes place between the Ethernet0/0 and Ethernet0/1 interfaces, since NAT takes place only when traffic traverses between an interface configured with the ip nat inside command and an interface configured with the ip nat outside command. The wildcard mask 0.0.1.255 in access-list 10 matches both 192.168.0.0/24 and 192.168.1.0/24, so hosts on either LAN are translated.

Router configuration

    interface Ethernet0/0
     description Private LAN 1 (DMZ)
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
    !
    interface Ethernet0/1
     description Private LAN 2 (Inside)
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
    !
    interface Serial0/0
     description WAN connection to ISP (Outside)
     ip address 1.1.1.2 255.255.255.252
     ip nat outside
    !
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    !
    ip nat pool NAT-pool 2.2.2.1 2.2.2.1 prefix-length 24
    ip nat inside source list 10 pool NAT-pool overload
    !
    access-list 10 remark Permitted Private LAN to go out to the Internet
    access-list 10 permit 192.168.0.0 0.0.1.255

Another sample configuration has multiple router interfaces where one interface is Outside (lowest security level or untrusted network), one interface is DMZ (medium security level), and one interface is Inside (highest security level or trusted network). The Outside interface (the WAN or Serial interface) has the 1.1.1.0/30 WAN subnet. The DMZ interface has part of the 2.2.2.0/24 LAN subnet, where 2.2.2.1 is the default gateway of all DMZ machines. The Inside uses another part of the 2.2.2.0/24 LAN subnet as its NAT-ed IP address. Further, the router runs a dynamic routing protocol (in this case, BGP) with the ISP to advertise the 1.1.1.0/30 WAN and 2.2.2.0/24 LAN subnets.

Router configuration

    interface Ethernet0/0
     description Private LAN 1 (DMZ)
     ip address 2.2.2.1 255.255.255.128
    !
    interface Ethernet0/1
     description Private LAN 2 (Inside)
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
    !
    interface Serial0/0
     description WAN connection to ISP (Outside)
     ip address 1.1.1.2 255.255.255.252
     ip nat outside
    !
    router bgp 4127
     no synchronization
     neighbor 1.1.1.1 remote-as 239
     neighbor 1.1.1.1 description ISP BGP Peers
     neighbor 1.1.1.1 soft-reconfiguration inbound
     network 1.1.1.0 mask 255.255.255.252
     network 2.2.2.0 mask 255.255.255.0
     no auto-summary
    !
    ip nat pool NAT-pool 2.2.2.254 2.2.2.254 prefix-length 29
    ip nat inside source list 10 pool NAT-pool overload
    ip route 2.2.2.0 255.255.255.0 Null0
    !
    access-list 10 remark Permitted Private LAN to go out to the Internet
    access-list 10 permit 192.168.0.0 0.0.1.255

Typically you implement this scenario when there is no dedicated firewall to do NAT/PAT. When you do have a dedicated firewall, you may want to implement one of the next scenarios.

Scenario 2: There is a firewall behind the router that does NAT/PAT

In this scenario, you have a PIX Firewall as the dedicated firewall that sits behind the router. A crossover cable connects the router E0/0 and the PIX e0 interfaces to make a point-to-point connection; this point-to-point connection uses the 192.168.1.0/30 subnet. There is a switch behind the PIX to connect to the Private LAN. The PIX inside (e1) interface is within the Private LAN and also serves as default gateway to all hosts within the Private LAN. You set the PIX to assign 2.2.2.1 as the Public PAT IP address for all Private LAN hosts. You may later assign other IP addresses within your Public IP Block to other devices such as servers and a VPN Concentrator.

Router configuration

    interface Ethernet0/0
     description Private LAN
     ip address 192.168.1.1 255.255.255.252
    !
    interface Ethernet0/1
     description WAN connection to ISP
     ip address 1.1.1.2 255.255.255.252
    !
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    ip route 2.2.2.0 255.255.255.0 192.168.1.2
    !

PIX Firewall configuration

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password **** encrypted
    passwd **** encrypted
    hostname pixfirewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    pager lines 24
    logging on
    logging timestamp
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.1.2 255.255.255.252
    ip address inside 192.168.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 2.2.2.1
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    isakmp enable outside
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80

Typically you implement this scenario when there are no other physical devices directly behind the router but the firewall.

More sample configurations regarding a dedicated firewall behind an Internet router:
» Cisco Forum FAQ » Internet - Router - PIX/ASA - LAN

Scenario 3: There is a firewall behind the router that does NAT/PAT and terminates IPSec VPN tunnels

In this scenario, you have a PIX Firewall as the dedicated firewall that sits behind the router. A crossover cable connects the router E0/0 and the PIX e0 interfaces to make a point-to-point connection. There is a switch behind the PIX to connect to the Private LAN. The PIX inside (e1) interface is within the Private LAN and also serves as default gateway to all hosts within the Private LAN. You set the PIX to assign 2.2.2.3 as the Public PAT IP address for all Private LAN hosts. You set the PIX outside interface to 2.2.2.2, which will be the VPN Concentrator IP address. You can later assign other IP addresses within your Public IP Block to other devices such as servers. Check out the following FAQ for more info on running servers behind an ASA or PIX Firewall.
» Cisco Forum FAQ » PIX Firewall/ASA configuration to run server (with and without port forwarding)

Router configuration

    interface Ethernet0/0
     description Private LAN
     ip address 2.2.2.1 255.255.255.0
    !
    interface Ethernet0/1
     description WAN connection to ISP
     ip address 1.1.1.2 255.255.255.252
    !
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    !

PIX Firewall configuration

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password **** encrypted
    passwd **** encrypted
    hostname pixfirewall
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list 90 permit ip any 192.168.1.0 255.255.255.0
    access-list nonat permit ip any 192.168.1.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 2.2.2.2 255.255.255.0
    ip address inside 192.168.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool bigpool 192.168.1.1-192.168.1.254
    pdm history enable
    arp timeout 14400
    global (outside) 1 2.2.2.3
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 30
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    vpngroup vpn3000-all address-pool bigpool
    vpngroup vpn3000-all dns-server 192.168.0.2
    vpngroup vpn3000-all wins-server 192.168.0.3
    vpngroup vpn3000-all default-domain yournetwork.com
    vpngroup vpn3000-all split-tunnel 90
    vpngroup vpn3000-all idle-time 1800
    vpngroup vpn3000-all password ********
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe auto
    vpdn group 1 client configuration address local bigpool
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username cisco password *********
    vpdn enable outside
    terminal width 80

Note that the access-list nonat entry, applied with nat (inside) 0, exempts traffic destined for the 192.168.1.0/24 VPN client pool from PAT, so VPN clients see the real inside addresses; the same list number 90 drives split tunnelling. The MD5 hash and Diffie-Hellman group 1 in the isakmp policy reflect PIX 6.3-era settings; current ASA software offers stronger hash and group choices.

This is an alternate scenario when there is a possibility of connecting other devices behind the router besides the firewall. In addition, this might be the preferred scenario when the firewall also acts as the VPN Concentrator. Check out the following FAQ for more info on setting up an ASA or PIX Firewall as both Internet firewall and VPN Concentrator.
» Cisco Forum FAQ » Configure PIX/ASA as both Internet Firewall and VPN Concentrator
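The three NAT decisions that the configurations in all scenarios rely on (NAT only between an inside and an outside interface, the source ACL with its wildcard mask, and the PIX nat 0 exemption for VPN-bound traffic), together with a few sanity checks on the address plan, are modelled below in Python so they can be exercised against constructed packets. This is an added example, not code from the FAQ or from Cisco; the class and function names (PatDevice, scenario1_multi_lan, scenario3_pix, validate_plan) are hypothetical, and the addresses are the FAQ's constructed 1.1.1.0/30, 2.2.2.0/24 and 192.168.x.0/24 values, not real assignments.

```python
"""NAT/PAT behaviour from the FAQ scenarios, modelled in Python (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing taken from the FAQ scenarios (not real ISP assignments).
WAN_SUBNET = ipaddress.ip_network("1.1.1.0/30")
PUBLIC_BLOCK = ipaddress.ip_network("2.2.2.0/24")
DMZ_SUBNET = ipaddress.ip_network("2.2.2.0/25")      # E0/0 in the BGP variant of Scenario 1
PRIVATE_LANS = [ipaddress.ip_network("192.168.0.0/24"),
                ipaddress.ip_network("192.168.1.0/24")]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS standard-ACL test: a wildcard bit of 1 means 'do not care', so
    'permit 192.168.0.0 0.0.1.255' matches 192.168.0.0 through 192.168.1.255."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class PatDevice:
    """Minimal model of 'ip nat inside source list ... overload' (IOS) or
    'global/nat' (PIX) with one PAT address. Hypothetical class, not a Cisco API."""
    inside_ifaces: frozenset
    outside_ifaces: frozenset
    acl: tuple                 # ((base, wildcard), ...) permit entries, IOS style
    pat_ip: str
    exempt_dst: tuple = ()     # destination prefixes that bypass NAT (PIX 'nat (inside) 0')
    next_port: int = 1024
    xlate: dict = field(default_factory=dict)   # (src, sport, dst, dport) -> (pat_ip, port)

    def forward(self, in_if, out_if, src, sport, dst, dport):
        """Return the (source IP, source port) seen on the egress interface."""
        # 1. NAT happens only between an 'ip nat inside' and an 'ip nat outside' interface.
        if in_if not in self.inside_ifaces or out_if not in self.outside_ifaces:
            return (src, sport)
        # 2. PIX-style NAT exemption for traffic to the VPN client pool (nat 0 access-list nonat).
        if any(ipaddress.ip_address(dst) in ipaddress.ip_network(n) for n in self.exempt_dst):
            return (src, sport)
        # 3. Only sources permitted by the NAT ACL are translated.
        if not any(wildcard_match(src, b, w) for b, w in self.acl):
            return (src, sport)
        key = (src, sport, dst, dport)
        if key not in self.xlate:          # new flow: allocate the next free PAT port
            self.xlate[key] = (self.pat_ip, self.next_port)
            self.next_port += 1
        return self.xlate[key]


def scenario1_multi_lan() -> PatDevice:
    """Router with two 'ip nat inside' LANs and Serial0/0 as 'ip nat outside'."""
    return PatDevice(frozenset({"Ethernet0/0", "Ethernet0/1"}), frozenset({"Serial0/0"}),
                     (("192.168.0.0", "0.0.1.255"),), "2.2.2.1")


def scenario3_pix() -> PatDevice:
    """PIX with 'global (outside) 1 2.2.2.3' and nat 0 for the 192.168.1.0/24 VPN pool."""
    return PatDevice(frozenset({"inside"}), frozenset({"outside"}),
                     (("0.0.0.0", "255.255.255.255"),), "2.2.2.3",
                     exempt_dst=("192.168.1.0/24",))


def validate_plan() -> dict:
    """Sanity checks a practitioner would run on the address plan shared by all scenarios."""
    return {
        "wan_has_two_usable_hosts": len(list(WAN_SUBNET.hosts())) == 2,
        "pat_in_public_block": ipaddress.ip_address("2.2.2.1") in PUBLIC_BLOCK,
        "dmz_inside_public_block": DMZ_SUBNET.subnet_of(PUBLIC_BLOCK),
        "bgp_pat_outside_dmz": ipaddress.ip_address("2.2.2.254") not in DMZ_SUBNET,
        "private_does_not_overlap_public": not any(PUBLIC_BLOCK.overlaps(n) for n in PRIVATE_LANS),
    }


if __name__ == "__main__":
    r = scenario1_multi_lan()
    # Inside-to-inside traffic is routed but never translated.
    print(r.forward("Ethernet0/0", "Ethernet0/1", "192.168.0.10", 40000, "192.168.1.20", 80))
    # Inside-to-outside traffic is PAT-ed to 2.2.2.1 with a unique port per flow.
    print(r.forward("Ethernet0/0", "Serial0/0", "192.168.0.10", 40000, "203.0.113.5", 443))
    print(validate_plan())
```

Running the script shows the DMZ-to-Inside packet leaving with its original 192.168.0.10 source and the Internet-bound packet leaving as 2.2.2.1 with a PAT port, which is the behaviour the multi-LAN configuration's note describes; the scenario3_pix model shows why traffic to the VPN pool keeps its inside address while everything else is PAT-ed to 2.2.2.3.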
I have discovered that the PIX 501 firewall running version 6.3 refuses to accept the "ip address ... pppoe" command if the outside interface has been named anything other than "outside". Mine is named "ext". In order to execute this command, I needed to rename it to "outside" (with the "nameif" command), issue the "ip address outside pppoe" command, and then name the interface back to "ext". Then everything worked (as long as I did not use the "setroute" option).
2008-12-22 23:18:08
© 1999-2012 dslreports.com.