Cisco 871 / use IP UNNUMBERED for DMZ

ideanet77 · ‎11-12-2008

Hi, have the following situation:

_ VDSL 20'000/1'000 internet connection

_ VDSL bridge (zyxel P-870M)

_ router Cisco 871 (Advanced IP Services)

Assigned subnet from ISP

Subnet: xxx.yyy.zzz.248

Router IP: xxx.yyy.zzz.249

Available IPs: xxx.yyy.zzz.250 .. xxx.yyy.zzz.254

Broadcast: xxx.yyy.zzz.255

Netmask: 255.255.255.248

dns 1: 212.90.199.2

dns 2: 212.90.192.190

Subnet internal LAN

Subnet: 10.10.1.0

Gateway: 10.10.1.1

Netmask: 255.255.255.0

Target:

_ configure WAN port (Dialer0 on FE4) of Cisco 871 for the PPPOE negotiation and configure IP UNNUMBERED with the VLAN of DMZ port (VLAN10, see following config)

_ configure DMZ (FE3) with first public ip (xxx.yyy.zzz.249) assigned to VLAN10, that permit to connect directly some server using the other public IP assigned from the provider (xxx.yyy.zzz.250 .. xxx.yyy.zzz.254)

_ configure FE0/FE1/FE2 for the internal LAN (10.10.1.0/24), natted with the Dialer port.

_ configure DHCP server for the LAN port (FE0/FE1/FE2) for the range 10.10.1.60-10.10.1.99

_ configure an ACL to enable full access from LAN to DMZ

_ configure an ACL to enable full access from LAN to WAN

This is my configuration, but I don't find why doesn't work. Anyone can help me ?

Thank you

Luca

********************************

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname <REMOVED>

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200 warnings

enable secret 5 <REMOVED>

!

no aaa new-model

dot11 syslog

ip cef

!

no ip dhcp use vrf connected

ip dhcp excluded-address 10.10.1.1 10.10.1.59

ip dhcp excluded-address 10.10.1.100 10.10.1.254

!

ip dhcp pool VLAN1

import all

network 10.10.1.0 255.255.255.0

default-router 10.10.1.1

domain-name <REMOVED>

dns-server 212.90.199.2 212.90.192.190

lease 0 2

!

no ip domain lookup

no ip bootp server

ip domain name <REMOVED>

ip name-server 212.90.199.2

ip name-server 212.90.192.190

!

multilink bundle-name authenticated

!

username <REMOVED> privilege 15 secret 5 <REMOVED>

!

archive

log config

hidekeys

!

interface FastEthernet0

no shutdown

!

interface FastEthernet1

no shutdown

!

interface FastEthernet2

no shutdown

!

interface FastEthernet3

description DMZ port

switchport access vlan 10

no shutdown

!

interface FastEthernet4

description WAN port

no ip address

duplex auto

speed auto

pppoe-client dial-pool-number 1

no shutdown

!

interface Vlan1

description Local Area Network

ip address 10.10.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface Vlan10

description DMZ Network

ip address xxx.yyy.zzz.249 255.255.255.248

!

interface Dialer0

description WAN Interface

ip unnumbered Vlan10

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap callin

ppp chap hostname <REMOVED>

ppp chap password 7 <REMOVED>

!

ip route 0.0.0.0 0.0.0.0 Dialer0

!

no ip http server

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 101 interface Dialer0 overload

!

access-list 101 remark *** NAT overload ***

access-list 101 permit ip 10.10.1.0 0.0.0.255 any

dialer-list 1 protocol ip permit

no cdp run

!

control-plane

!

banner login ^CCAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login local

no modem enable

transport output telnet

line aux 0

login local

transport output telnet

line vty 0 4

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

ntp clock-period 17175101

ntp server 212.90.197.226

end

ideanet77 · ‎11-13-2008

ok, I have changed the config.

Now I have some problems to exit from my LAN (VLAN1).

I can ping my LAN gateway (10.10.1.1), but no other external ip. The DMZ (VLAN10) works fine...

Does anyone can help me ? thanks, Luca

My configuration:

version 12.4

no parser cache

no service pad

service tcp-keepalives-in

service timestamps debug datetime localtime

service timestamps log datetime localtime

service password-encryption

service sequence-numbers

!

hostname

!

boot-start-marker

boot-end-marker

!

logging userinfo

logging buffered 32000 informational

logging console informational

logging monitor informational

enable secret 5

!

aaa new-model

!

aaa authentication login default local

aaa authentication login admin local

!

aaa session-id common

!

dot11 syslog

no ip source-route

no ip gratuitous-arps

no ip cef

!

no ip dhcp use vrf connected

ip dhcp excluded-address 10.10.1.1 10.10.1.59

ip dhcp excluded-address 10.10.1.100 10.10.1.254

!

ip dhcp pool VLAN1

import all

network 10.10.1.0 255.255.255.0

default-router 10.10.1.1

domain-name

dns-server 212.90.199.2 212.90.192.190

lease 0 2

!

no ip bootp server

no ip domain lookup

ip domain name

ip name-server 212.90.199.2

ip name-server 212.90.192.190

ip inspect max-incomplete high 1100

ip inspect max-incomplete low 1100

ip inspect one-minute high 1100

ip inspect one-minute low 1100

ip inspect name DEFAULT100 udp

ip inspect name DEFAULT100 tcp

login block-for 60 attempts 3 within 30

login on-failure log

login on-success log

!

multilink bundle-name authenticated

!

username privilege 15 secret 5

!

no crypto isakmp enable

!

archive

log config

hidekeys

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 1

ip ssh version 2

!

interface FastEthernet0

no cdp enable

!

interface FastEthernet1

no cdp enable

!

interface FastEthernet2

no cdp enable

!

interface FastEthernet3

description DMZ port

switchport access vlan 10

no cdp enable

!

interface FastEthernet4

description WAN port

no ip address

duplex auto

speed auto

pppoe-client dial-pool-number 1

!

interface Vlan1

description Local Area Network

ip address 10.10.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface Vlan10

description DMZ Network

ip address xxx.yyy.zzz.249 255.255.255.248

no ip proxy-arp

no ip mroute-cache

ntp broadcast

hold-queue 100 out

!

interface Dialer0

ip unnumbered Vlan10

ip access-group 101 in

ip access-group 102 out

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip inspect DEFAULT100 out

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer idle-timeout 0

dialer persistent

dialer-group 1

no cdp enable

ppp authentication chap callin

ppp chap hostname

ppp chap password 7

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

!

no ip http server

no ip http secure-server

!

access-list 101 permit ip any any

access-list 102 permit ip any any

dialer-list 1 protocol ip permit

no cdp run

!

control-plane

!

banner motd ^CC

This is machine name. Unauthorised access to this

machine is strictly prohibited. Please disconnect now unless

you have received prior authorisation for use. The systems

administrator is your name on Your phone number.

^C

!

line con 0

login authentication admin

no modem enable

stopbits 1

line aux 0

line vty 0 4

exec-timeout 5 0

login authentication admin

transport input ssh

!

scheduler max-task-time 5000

ntp logging

ntp clock-period 17179869

ntp source Dialer0

ntp peer 212.90.197.226 prefer

end

ericdolton · ‎06-02-2010

I'm sure this issue is long resolved but it looks like you don't have an Nat overload statement and cooresponding NAT INSIDE commands.