Cisco 877 Router -- Multiple IP Addresses

I'm a bit of a novice with Cisco routers, so please forgive me if I do not explain this clearly. Our company has a T1 line that connects through our Cisco 877 router. We have been given a block of public IP addresses (3, I think), but are currently only using one of these addresses. We would like to use one of the other public IP addresses for our FTP server. I already know how to port forward the traffic to the secondary IP address, like so:

ip nat inside source static tcp x.x.x.x 21 x.x.x.x 21 extendable

But, if I do this, the ip inspection rules that are being applied to the public IP address I use now (x.x.x.y) are not being applied to this connection. In particular:

ip inspect name CBAC-FTP ftp

interface FastEthernet 4
 ip address x.x.x.y ....
 ip inspect CBAC-FTP in

I have read that you can add a secondary ip address to the same interface. Is this what I would have to do in this situation or is there another preferred method of handling this?

interface FastEthernet 4
 ip address x.x.x.y
 ip address x.x.x.x secondary (Should I do this?)

Thank you for your assistance.



Vincent, you don't have to add a secondary IP to the outside interface. Adding the "ip inspect CBAC-FTP in" command to the Fa4 interface will inspect the FTP traffic coming into the interface.

What you have there seems to be correct. What leads you to believe that the traffic coming in the interface is not being inspected?




The traffic coming into the Fa4 interface IS being inspected on the IP address assigned to this interface (x.x.x.x), but it IS NOT on the IP address that is being port forwarded (x.x.x.y). If I try to perform passive FTP over x.x.x.x, it works correctly, but it does not over x.x.x.y. I hope I explained this somewhat clearly.

