Cisco router + cable modem – How to configure routing

I am starting up a small business network. The ISP has provided us two distinct static IP ranges; understand that the actual IP addresses provided by the ISP are in routable Internet space.

Network 1: 128.66.0.0/30, gateway 128.66.0.1, usable IP 128.66.0.2.
Network 2: 128.66.1.0/29, gateway 128.66.1.1, usable IPs 128.66.1.2-6.

The hardware provided is a simple cable-modem bridge device with a coax port and a single Ethernet port.

To do initial testing, I connected a server directly to the Ethernet port. If I perform static IP assignments given the above parameters, connectivity works as expected.

Now, I want to use a Cisco 2800 series router (surplus) to provide some actual routing for this setup. Basically, I want the router to provide NAT for basic Internet access from workstations, and also allow me to use the other five usable IPs for public-facing servers.

In other words, the router's Gi0/0 will be assigned 128.66.0.2/29, and its Gi0/1 will be assigned 192.168.1.0/24 (for NAT/source overload). The router will also provide DHCP to the LAN and such. Basically, Gi0/0 will be used as a WAN outside port while Gi0/1 will be a LAN inside port. I do not care about actually running services on 128.66.0.2, in fact since that will be used for general Internet access I will be applying filtering rules to make inbound unsolicited traffic drop.

Here's where I'm confused. I want to now be able to have servers providing services to the Internet via the 128.66.1.x IPs. However, I don't really want to connect them directly to the cable modem via a switch. This would mean I'd have to independently firewall each machine within itself, and also would have to deal directly with static IPs. Instead, I'd really prefer to use a VLAN to separate the traffic.

I have a Cisco 3560 switch available for this purpose. I want to assign, say, VLAN 100 to be my "servers" VLAN. I would then connect a cable from the router's Gi0/1 interface to a trunk port on the switch. General workstations would (for now) be on the untagged VLAN (1) while servers would be on ports assigned to VLAN 100. (I will probably end up configuring the workstations to be on a different VLAN too, but I already understand what to do there.)

Ok, so the problem is that short of using NAT and having my servers be assigned IPs like 192.168.100.x, I don't see how I can more or less have the same network appear on two interfaces in the router. Remember, the cable modem expects traffic to be sent to itself with a source IP in the 128.66.1.0/29 range, and also 128.66.1.1 is used with ARP to locate the cable modem. Putting computers on the other side of the Cisco router seems to make this impossible.

I could just use NAT, but I am running some in-house software on the servers that strongly prefers the servers to have their real world IP addresses on the interfaces. Protocols like FTP, SIP, IRC's DCC, etc. depend on reverse connections, and dealing with packet mangling is a headache in and of itself, if Cisco routers can even do that sorta thing. (Linux can, but I was hoping to use my Cisco hardware.)

Thinking about how IP networking and ARP work, I can't see a way for this scenario to work without either using NAT or directly connecting the servers to the cable modem. Consider: If a server at 128.66.1.5 wants to access the Internet, it's told to use default gateway 128.66.1.1. If the router receives an ARP request on Gi0/0.100 for that IP, it will ignore it since it doesn't have that IP address. Therefore, the server cannot reach the Internet. The router itself could place an ARP request on Gi0/0 for 128.66.1.1 and receive the MAC address of the cable modem, but this does not help the server. Even if we forced the server to be aware of the router's MAC address and associate it with 128.66.1.1, the server will send a packet with source IP 128.66.1.5 to the router. The router would know that 128.66.1.1 is on Gi0/0, and would thus route the packet there. However, when the response returns, the router would also say that 128.66.1.0/29 is on Gi0/0, and thus would never re-forward that packet back out Gi0/1.100.

So to summarize:

• Cable modem provides single Ethernet port and expects two separate IP networks to exist on the same physical LAN segment.
• Cisco router with IOS 15.0/Advanced IP Services-K9 will be used to provide routing and NAT for workstations. It will be connected directly to the cable modem on one interface, and to a 3560 switch on the other interface, to which all of the workstations and servers will connect, using ports assigned to the correct VLANs.
• I want servers to exist on a VLAN and for the Cisco router to be able to hand traffic back and forth to that VLAN, possibly providing filtering and access control in the process. I do NOT want the servers directly connected to the Internet, depending entirely on their own local firewalls for security.
• I do not know if it is possible, or if it is how to implement, routing such so that the servers can be assigned their real-world static IPs but still have their traffic flowing through the Cisco router.
• I do not want to waste one of the five public IPs in the second range by having to assign it to the router.
• Workstations inside the network must be able to access servers on the server VLAN via their native IPs. Example: 192.168.1.5 should be able to access 128.66.1.4 directly.

In theory, what I feel like I almost need is some kind of bridge. Basically, packets coming in Gi0/1/VLAN100 should be bridged over to Gi0/0, but at the same time, access control should be able to be applied to prevent unsolicited inbound traffic on ports I want closed, and so on. The other possibility is some form of subrouting; the 2800 would be aware of 128.66.1.0/29, but would have some exception telling it that 128.66.1.1 is on Gi0/0, whereas the rest of the network is on Gi0/1.100.

Anyone have advice?