
using public IP inside of the LAN

pamihailescu
Level 1

Hi all,

 

The question is how can I propagate a public IP to a specific port on a 2960 switch? 

Here is the situation: ISP is providing us multiple IPs and I need to use one available public IP to provide Internet access to one router located inside of my network which is making an outgoing VPN connection to a specific server at the exterior of the company.

I have created new VLAN 500, propagated through all my switches with VTP. This VLAN interface is configured with the public IP that I should use on the VPN router.

I'm using a smart switch (SG200) in between the ISP box and my firewall. From this switch (which already has the VLAN properly configured) I have one cable to my firewall and another one connected to our distribution switch on port 7. At the end of the port 8 of the same switch I have the VPN router.

See the attached image; it will be much easier to understand, I believe.

Thanks

Paul

6 Replies

Richard Burts
Hall of Fame

Paul

 

Your verbal description mentions a firewall but the drawing has only the outside switch, the 2960, and the VPN router. Can you clarify if there is a firewall and if so where is it connected, and how does it relate to this subnet.

 

Also the drawing shows something labeled as interface vlan 500 with an IP address assigned. But it is not clear to me whether this is something on the 2960 or something on the VPN router. Can you clarify this?

 

Based on the drawing it would seem that the connection from the outside switch should flow through the 2960 on vlan 500 to the VPN router and that 1.1.1.1 should be able to communicate with 1.1.1.4 without requiring any IP address on the 2960.

 

HTH

 

Rick


Hi Richard,

 

I mentioned the firewall just to advise that there is connectivity after the SG200. This device is not related to or involved in this issue.

The vlan 500 has been configured only on the 2960, however I can see the vlan 500 in all our switches, including the SG200. All the 2960 ports are configured as LAN IPs, except port 7 and 9.

In fact, I would like to push the 1.1.1.4 public IP to the router (through the 2960) and give it access to the Internet without translating the public IP.

In the attachment I put another image of the connections.

Many thanks,

Paul

 

Is there anything in this version of the drawing that is different from the one in your original post? They look exactly the same to me.

 

OK so the firewall is not involved in this issue.

 

Depending on how you have set up VTP it is quite possible that vlan 500 will show up on all of the switches even when it is configured only on the 2960. I do not see that it is important to your issue whether or not other switches see vlan 500. Is there some reason why you believe that this is a significant part of the issue?

 

Perhaps the issue is how your SG200 is configured. In your first post you describe that the SG200 has the vlan configured and that the SG200 connects to the firewall and to the distribution switch. So please tell us how the SG200 is configured for these two connections?

 

HTH

 

Rick


Could be the SG200! This one doesn't have a CLI; it just has a GUI interface, and I really don't feel comfortable with this.

For connecting the firewall I have used the port 1 with basic config (interface vlan trunk, default vlan 1, priority 0, port speed 1000, full, MTU 1518). For the other interface that connects to the 2960 I have trunk, vlan 500, priority 0, port speed 1000, full and MTU 1518.

Paul

 

It seems that we are making some progress. I do have a question and an observation.

Question: if the SG200 connection to the firewall is configured as a trunk, is the interface on the firewall also configured as a trunk? Can you verify that the firewall trunk is expecting vlan 500 as a tagged vlan on the trunk?

Observation: In this post you indicate that the SG200 connection to the 2960 is configured as a trunk. But in your drawing it shows the 2960 port configured as an access port. Is this accurate and if so can you explain the inconsistency?

 

HTH

 

Rick 


Hi Richard,

 

By going through so many changes and trying so many times, I probably forgot to get a print-screen matching what I was saying/drawing. Anyway, whether I use access or trunk doesn't change anything. I put all the interfaces on trunk and it doesn't work anymore.

It's hard to say if the firewall uses trunk... it's a Fortigate firewall.
