12-05-2007 08:03 AM - edited 03-03-2019 07:48 PM
Hello all,
Bear with me as I'm new to Cisco configurations.
I am working on bringing up a 2600 series router to be used as the gateway to our ISP.
I have the Serial interface configured so that it will communicate with the provided default route, and now I would like to configure servers on the LAN side with routable IP addresses, so I'm looking for someone to look over my config and give me some insight before I put the router into production.
Here is the information from the ISP (ips changed)
Local WAN IP Address: 200.200.50.118 255.255.255.252
Remote IP Address: 200.200.50.117 255.255.255.252
Ethernet IP Address: 201.200.150.165 255.255.255.224
Primary Domain Name Server: 200.200.40.10
Secondary Domain Name Server: 202.200.51.16
Here is the config thus far.
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cicrtr
!
logging queue-limit 100
enable secret 5 $1$blah$blah%blaV2rUJaL2.
enable password 7 00110011110011001
!
ip subnet-zero
!
ip name-server 200.200.40.10
ip name-server 202.200.51.16
!
ip audit notify log
ip audit po max-events 100
!
no voice hpi capture buffer
no voice hpi capture destination
!
mta receive maximum-recipients 0
!
interface FastEthernet0/0
ip address 201.200.150.165 255.255.255.224
duplex auto
!
interface Serial0/0
ip address 200.200.50.118 255.255.255.252
encapsulation ppp
no ip route-cache
no ip mroute-cache
no fair-queue
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
!
interface FastEthernet0/1
ip address 10.0.0.20 255.255.255.0
duplex auto
speed auto
!
no ip http server
no ip http secure-server
!
ip classless
ip route 0.0.0.0 0.0.0.0 205.214.50.217
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
exec-timeout 15 0
line aux 0
line vty 0 4
exec-timeout 30 0
password 7 001100111100
login
!
I want to run 201.200.150.170 as the firewall / routable interface from the internal LAN to the router via a Linux box.
Is there anything specific that I'm missing?
12-05-2007 08:27 AM
The config looks fine, just connect the 201.200.150.170 device directly to the router's Fa0/0 interface.
They should be able to ping each other.
The default gateway on the 201.200.150.170 should be 201.200.150.165.
12-05-2007 08:37 AM
Thanks,
I'll put it into production and see how it goes.
Regards,
Ryan
12-05-2007 08:40 AM
One more thing I noticed, you have a default route to a non-directly connected interface.
Your next hop IP for the default route should be 200.200.50.117
12-05-2007 08:39 AM
ip route 0.0.0.0 0.0.0.0 205.214.50.217
What is this IP address 205.214.50.217??
It doesn't seem to be a connected device. You may want to replace this with 200.200.50.117, which is the connected interface of the ISP router.
12-05-2007 08:40 AM
it is a typo... I noticed after I posted.
12-05-2007 08:46 AM
The actual route is the following (I don't know if I can change my original post)
ip route 0.0.0.0 0.0.0.0 200.200.50.117
12-05-2007 08:48 AM
The actual route is the following (I don't know if I can change my original post)
ip route 0.0.0.0 0.0.0.0 200.200.50.117
12-05-2007 09:51 AM
Ryan
There are some aspects of what you have set up that are not clear to me. You have a /30 public address on the serial interface which suggests that the path from your network to the ISP is through the router serial interface. If that is the case I am not clear how the firewall will function if it is connected on the Fa0/0 interface. The subnet on that interface is a /27. Are there other devices connected on that interface and in that subnet?
In my experience most people with a router connected to an ISP want to do some amount of filtering at the interface that faces the ISP (at a minimum filter out spoofed addresses, private addresses, etc) but I do not see any access lists on the router at all.
I am also puzzled about the devices in the subnet of FA0/1. The subnet there is in private address space so would I be correct in assuming that your user devices are in that subnet? If so what will direct their traffic to the Internet through the firewall? And if traffic from network 10 is going to the Internet there needs to be address translation. Where will the address translation take place?
Can you clarify some of these things?
HTH
Rick
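As an added example that is not from this thread, a small Python check over a pasted IOS config for two of the points raised above: a static route whose next hop sits in no connected subnet (the mistyped default route) and publicly addressed interfaces with no inbound access list applied. The sample config is constructed from the one posted, trimmed and re-indented the way IOS prints it.

```python
import ipaddress
import re

# Constructed sample: the posted config trimmed to interfaces and routes,
# re-indented as IOS shows it, with the mistyped default-route next hop.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 201.200.150.165 255.255.255.224
!
interface Serial0/0
 ip address 200.200.50.118 255.255.255.252
!
interface FastEthernet0/1
 ip address 10.0.0.20 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 205.214.50.217
"""

def parse_config(text):
    """Return ({iface: [network, has_inbound_acl]}, [(prefix, next_hop)])."""
    interfaces, routes, cur = {}, [], None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            interfaces[cur] = [None, False]
        elif cur and line.startswith(" "):
            m = re.match(r"\s+ip address (\S+) (\S+)", line)
            if m:  # dotted mask -> network object, e.g. 201.200.150.160/27
                interfaces[cur][0] = ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
            elif re.match(r"\s+ip access-group \S+ in", line):
                interfaces[cur][1] = True
        else:
            cur = None  # '!' or a global command ends the interface block
            m = re.match(r"ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)$", line)
            if m:  # only routes with an IP next hop are checked here
                prefix = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                routes.append((prefix, ipaddress.ip_address(m.group(3))))
    return interfaces, routes

def unreachable_next_hops(interfaces, routes):
    """Static routes whose next hop lies in no connected subnet."""
    connected = [net for net, _ in interfaces.values() if net]
    return [(str(p), str(nh)) for p, nh in routes
            if not any(nh in net for net in connected)]

def unfiltered_public_interfaces(interfaces):
    """Publicly addressed interfaces with no inbound access-group applied."""
    return sorted(name for name, (net, acl) in interfaces.items()
                  if net and not net.is_private and not acl)
```

Run `parse_config` on a saved `show running-config` and pass the result to the two check functions; an empty list from each is the expected answer before the router goes into production.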