
All of the devices on this particular LAN will have public IP addresses. Also, the public IP address will be configured directly on the machine, so we will not translate private/public IP addresses. If we used NAT, we would have to translate the public IP on the WAN to the public IP on the LAN.

The only security feature I expect on the gateway is an access list.

I don't really know much about networking, so I am sorry if this question is generic.

700 Software
  • Is the WAN side of the router on a separate subnet from the LAN side public IP addresses? – Thomas G Dec 29 '10 at 17:54
  • No. Both sides are the same subnet. The router/firewall (gateway) is intended to be an access list to add an extra layer of security and also to prevent outside packets with source and destination as inside IP addresses (spoofing). – 700 Software Dec 29 '10 at 18:08

1 Answer


Assuming your topology is that the gateway for the subnet will be on the far side of the Cisco router from the servers with public IP addresses, I believe you will only need to set up a bridge group between the two interfaces and then apply an ACL, inbound on the side of the router opposite the servers, that permits the traffic you wish to allow to reach the servers.

So say the router has two Ethernet interfaces, where Fa0 is the side connected toward the subnet gateway and Fa1 is the interface connected to the servers with statically assigned public IP addresses. You should be able to assign both Fa0 and Fa1 to the same bridge-group and then apply an IP ACL to inbound traffic on Fa0 to allow only the traffic that should be able to reach the servers.

Thomas G
  • OK, so a bridge would work, but you have not mentioned BVI. What is the difference? – 700 Software Dec 29 '10 at 19:57
  • BVI is a layer 3 virtual interface that refers to the bridge-group. So say you had two interfaces you bridged together and also needed that router to be a gateway for the subnet you could assign the BVI for the bridge-group the IP address you wanted hosts to use as the gateway and then route traffic out other interfaces on the same router. But in your case I believe you are just wanting to do some transparent filtering as the traffic passes across the bridge not necessarily route traffic to and from the bridged interfaces. – Thomas G Dec 29 '10 at 21:12
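The bridge-group-plus-ACL design from the answer, and the BVI the follow-up comment describes, written out as an added Cisco IOS configuration example. This is not configuration from the answer or from Cisco; it assumes a classic IOS router whose two interfaces are named Fa0 and Fa1 as in the answer, and it follows the integrated routing and bridging (IRB) pattern, in which IP filtering of bridged traffic is applied on the bridge-group member interface. The address block 203.0.113.0/24, the server address 203.0.113.10, the management address 203.0.113.2 and the ACL name FROM-WAN are constructed placeholders; the question gives no real addresses.

```cisco
! Added example; placeholder addresses from the 203.0.113.0/24 documentation block.
! Assumes IOS transparent bridging with IRB; the BVI only carries a management
! address and does not forward between interfaces, so the box stays a transparent filter.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface BVI1
 description Management address only (constructed); not the hosts' gateway
 ip address 203.0.113.2 255.255.255.0
!
interface FastEthernet0
 description Upstream, toward the subnet gateway
 no ip address
 bridge-group 1
 ip access-group FROM-WAN in
!
interface FastEthernet1
 description Downstream, servers with statically assigned public addresses
 no ip address
 bridge-group 1
!
ip access-list extended FROM-WAN
 remark Anti-spoofing: a packet arriving from upstream must never carry a LAN source
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark Services the servers actually publish (constructed: HTTPS and SSH on one host)
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 22
 remark Replies to connections the servers opened themselves (ACK/RST set)
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark Keep path MTU discovery working for the servers
 permit icmp any 203.0.113.0 0.0.0.255 packet-too-big
 remark Everything else from upstream is dropped and logged
 deny   ip any any log
```

Two caveats a practitioner would want before relying on this. First, an IP ACL sees only IP packets, so ARP and other non-IP frames still cross the bridge untouched; an ARP-level spoof from upstream is not stopped by FROM-WAN, and the bridge-group `input-address-list` / `input-type-list` filters are the place for that. Second, `established` is a flag check, not connection tracking: any TCP segment with ACK or RST set is admitted to the LAN, which is acceptable for the "access list only" requirement in the question but is not equivalent to a stateful firewall. Verify the policy after applying it with `show ip access-lists FROM-WAN` and watch the hit counters on the two `deny ... log` lines, which is also where spoofing attempts against the LAN block will show up.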