
I have a Cisco 867VAE running IOS 15.1 which I am trying to configure. My network style is simple: I have one subnet, 10.0.0.255. I have mostly user-operated computers DHCP'd and Wi-Fi for the mobile devices, also DHCP'd. Further, there are two Internet-facing servers, both with multiple HTTP servers and one with nothing-too-complex custom application TCP servers.

From my ISP, I originally purchased VDSL and a static outside IP. For security's sake I shall refer to said original IP as '.15'. For reasons involving external access to the servers on the 10.0.0.xxx network, I purchased a further four outside IPs, referred to herein as '.228', '.229', '.230', and '.231'.

Presently all the outbound traffic from servers and employee computers alike goes out via .15. All the employee desktops and Wi-Fi clients have their gateway set as '10.0.0.1', referring to my Cisco.

Now for the actual configuration question. Employees and other staff, aware of our possession of five static external IP addresses, would like to send their traffic outbound through .228 - .231. Obliged to configure this, and not having a clue regarding how, I have come here.

The ideal configuration is that a local network client could change their router address (they are smart enough) from 10.0.0.1 to an address representing the same Cisco gateway. The preceding such that a DHCP client having their 'Default Gateway' as it is sometimes called or 'Router' set to 10.0.0.1 would have their outbound traffic (primarily HTTP requests) come from .15 while having their gateway set as 10.0.0.228 would result in sites like www.whatismyip.com reporting the .228 address instead of .15. The aforementioned case in .228 should apply for .229, .230, and .231 inside and outside addresses. Addresses in 10.0.0.228/4 are clear for the Cisco router to use as 10.0.0.200-10.0.0.254 is reserved for servers and the DHCP server does not assign there.

This is my first question on ServerFault. I have tried my best to adhere to the 'perfect question' outline. If there is something critical I am doing wrong or have not made something clear, sing out and I'll address that.

Scruffy
  • What is 10.0.0.228/4? And is there a reason your users want to appear as one of the other IPs and not the standard NAT address? Usually you would reserve additional addresses for required business functions like static NAT for your webservers, email, etc. – cpt_fink Nov 21 '14 at 04:31
  • 10.0.0.228/4 should be /30 and I meant for it to refer to 10.0.0.228-10.0.0.231. The reason behind users wanting to use other IPs is not important, but involves convincing a website or two that they are different persons. – Scruffy Nov 21 '14 at 05:36
  • If the user's outside NAT-ed address needs to change for a specific website you would match that in your NAT rules and specify the new address there. Are you trying to NAT each user to a unique address, or just something different than .15? – cpt_fink Nov 21 '14 at 05:53
  • Firstly, I won't change their outside IP when data is sent to a predefined IP or DNS name. It is not just for one website, but rather a dynamic multitude of websites, and non-HTTP services involved. It was a mistake to describe the target as 'a website or two'. Secondly, no, we only have five public IPs and only want to switch between the five, no unique addresses involved. – Scruffy Nov 21 '14 at 06:13
  • Could you put all of the addresses into a pool? I'm not sure of IOS NAT defaults and how it handles overload on a range of addresses, so this might not work as I think. – cpt_fink Nov 21 '14 at 06:16
  • Pooling the IPs would only be of use if the ability for the user to specify which they would connect out of remains. – Scruffy Nov 21 '14 at 06:20
  • Ummm... The user could remote to a machine with a static NAT? People that want to use a specific IP for some reason would remote to that machine and perform their work. – cpt_fink Nov 21 '14 at 06:28
  • That is a valid solution to an extent. However, it is not financially plausible for the company at this time to invest in another machine. That is, it's not in budget. Furthermore, giving the users statics, be it by configuring the DHCP server by MAC address or by having the users themselves set statics, becomes disorganised to an out of hand extent. We have considered this option in the past, in fact. The ideal situation remains: that the user can select their outside IP by changing their router IP. Further workarounds are welcome if I unintentionally implied that they weren't. – Scruffy Nov 21 '14 at 06:36

0 Answers