Multiple Internet connections
control
Member Posts: 309
in CCNA & CCENT
Hi All,
If I have 3 VLANs and 3 Separate Public IP addresses attached to the same interface, do I need to create subinterfaces with a Public IP address on each?
The goal is to have each of the VLANs use one of the Public IPs/Interfaces for their browsing.
Can this be done easily?
Comments
boredgamelad Member Posts: 365
I don't know if this is the optimal solution but I'm fairly certain it works. All you have to do is set up NAT rules so that each internal network NATs to a different public IP. So you might have the VLANs 10.0.1.0/24, 10.0.2.0/24, and 10.0.3.0/24, and you were given the public IPs 28.12.150.33 - 35 / 21 (I made these up, don't use them obviously). You'd set up your ACLs:
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 2 permit 10.0.2.0 0.0.0.255
access-list 3 permit 10.0.3.0 0.0.0.255
Set up a NAT pool for each outside IP:
ip nat pool outside1 28.12.150.33 28.12.150.33 netmask 255.255.248.0
ip nat pool outside2 28.12.150.34 28.12.150.34 netmask 255.255.248.0
ip nat pool outside3 28.12.150.35 28.12.150.35 netmask 255.255.248.0
And then set up your address translation:
ip nat inside source list 1 pool outside1 overload
ip nat inside source list 2 pool outside2 overload
ip nat inside source list 3 pool outside3 overload
Set up your interfaces on the inside network with the ip nat inside command and your external interface with ip nat outside. You shouldn't need subinterfaces to accomplish this, as far as I'm aware.
If I'm totally wrong about this and it wouldn't work at all I do not mind being corrected by somebody who knows what they're doing.
Just as a best practice note, you probably don't want to allow all access outbound. You might restrict your access lists to only allow, say, HTTP and HTTPS, in which case you'd want to use extended ACLs.
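
The HTTP/HTTPS restriction suggested above, written out as an added example that is not part of the original post. The ACL names, the interface names, and the DNS permit are assumptions; the addresses are the made-up ones from the post, and the interfaces are assumed to already carry their VLAN addressing.

```cisco
! Added example: named extended ACLs, one per VLAN (ACL names are hypothetical).
! Permits web traffic plus UDP DNS lookups (DNS is an assumption: clients
! resolving through an outside resolver). Everything else hits the implicit deny.
ip access-list extended VLAN1-WEB
 permit tcp 10.0.1.0 0.0.0.255 any eq 80
 permit tcp 10.0.1.0 0.0.0.255 any eq 443
 permit udp 10.0.1.0 0.0.0.255 any eq 53
ip access-list extended VLAN2-WEB
 permit tcp 10.0.2.0 0.0.0.255 any eq 80
 permit tcp 10.0.2.0 0.0.0.255 any eq 443
 permit udp 10.0.2.0 0.0.0.255 any eq 53
ip access-list extended VLAN3-WEB
 permit tcp 10.0.3.0 0.0.0.255 any eq 80
 permit tcp 10.0.3.0 0.0.0.255 any eq 443
 permit udp 10.0.3.0 0.0.0.255 any eq 53
!
! One single-address pool per public IP, as in the post.
ip nat pool outside1 28.12.150.33 28.12.150.33 netmask 255.255.248.0
ip nat pool outside2 28.12.150.34 28.12.150.34 netmask 255.255.248.0
ip nat pool outside3 28.12.150.35 28.12.150.35 netmask 255.255.248.0
!
! Used as a NAT list, the ACL only selects which flows get translated.
ip nat inside source list VLAN1-WEB pool outside1 overload
ip nat inside source list VLAN2-WEB pool outside2 overload
ip nat inside source list VLAN3-WEB pool outside3 overload
!
! Binding the same ACL inbound on each inside interface is what actually
! drops non-web traffic. Interface names below are hypothetical.
! Note: the implicit deny also blocks hosts from reaching the router itself
! (ping to the gateway, DHCP served by the router) unless permits are added.
interface GigabitEthernet0/1.10
 ip nat inside
 ip access-group VLAN1-WEB in
interface GigabitEthernet0/1.20
 ip nat inside
 ip access-group VLAN2-WEB in
interface GigabitEthernet0/1.30
 ip nat inside
 ip access-group VLAN3-WEB in
!
interface GigabitEthernet0/0
 ip nat outside
```

`show ip nat translations` and `show access-lists` show, respectively, which public address each VLAN's flows are using and the per-entry hit counts.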