Cisco 1811 router

Unanswered Question
May 19th, 2009

Dear All,

I want to use my Cisco 1811 router; it has 2 FastEthernet ports and 8 L2 ports.

I want to configure it for using 2 internet connections simultaneously.

I am unable to configure IP and NAT on the L2 interfaces.

Please tell me, is NAT capability built in to the router for L2 interfaces??

How can I connect my internal network with an L2 interface?

Regards,

Junaid

junshah22 Wed, 05/20/2009 - 00:36

I want to configure both FastEthernet interfaces for internet and NAT outside...

I want to use the L2 interfaces for inside.

Is it possible??

Richard Burts Wed, 05/20/2009 - 04:34

Junaid

The layer 2 ports are part of an EtherSwitch that is built into the 1811. You cannot configure IP addresses directly on them since they are layer 2 only ports. But they belong to a VLAN and you can apply an IP address to the VLAN interface to do routing for your internal network. You could create a second VLAN and assign some ports to the second VLAN and assign an IP address to the second VLAN if you want to subdivide your internal network and have 2 subnets in it.

You should be able to configure NAT with the VLAN(s) as the inside interface and with the FastEthernet interfaces as the outside interfaces.

HTH

Rick
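Rick's layout (no IP on the layer 2 ports themselves, an IP on each VLAN interface, an optional second inside VLAN, and NAT with the VLAN interfaces inside and a FastEthernet port outside) written out as one complete 1811 configuration. This is an added example, not configuration from the thread or from Cisco. It assumes the 8 switch ports are FastEthernet2 through FastEthernet9 as on the 1811, that this IOS creates VLANs in `vlan database` mode, a second inside subnet 192.168.21.0/24, and a constructed WAN address 198.51.100.2/24 with gateway 198.51.100.1; only 192.168.20.0/24 is taken from the thread.

```cisco
! Added example, not from this thread. All addresses except 192.168.20.0/24
! are constructed; the VLAN database step is an assumption about this IOS.
!
! 1. Create the second inside VLAN. VLAN 1 exists by default and needs no
!    creation; the 1800-series EtherSwitch ports take VLANs from "vlan database".
vlan database
 vlan 2 name inside2
 exit
!
! 2. Layer 3 lives on the SVIs, not on the switch ports. Both are NAT inside.
interface Vlan1
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
interface Vlan2
 ip address 192.168.21.1 255.255.255.0
 ip nat inside
!
! 3. FastEthernet2-9 are the 8 layer 2 ports and are VLAN 1 access ports by
!    default; move the last four into VLAN 2. No "ip address" is accepted here.
interface range FastEthernet6 - 9
 switchport access vlan 2
!
! 4. WAN port (constructed address) is the NAT outside interface.
interface FastEthernet0
 ip address 198.51.100.2 255.255.255.0
 ip nat outside
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! 5. Only the two inside subnets are translated; "permit ip any any" would also
!    match anything else that happens to arrive on an inside interface.
ip access-list extended nat_inside
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.21.0 0.0.0.255 any
ip nat inside source list nat_inside interface FastEthernet0 overload
```

After applying this, `show vlan-switch` (or `show vlans` on older images) should list VLAN 2 with FastEthernet6-9 as members, `show ip interface brief` should show Vlan1 and Vlan2 up with their addresses, and `show ip nat translations` should fill as hosts in either subnet reach the outside. Hosts in VLAN 1 and VLAN 2 can route to each other through the SVIs unless an access list on the VLAN interfaces blocks it.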

balackcheng Thu, 05/21/2009 - 19:14

Hi Junaid,

Can you show the configuration? Some simple examples will do.

Thanks,

junshah22 Thu, 05/21/2009 - 22:25

On Switch:

ip route 0.0.0.0 0.0.0.0 192.168.20.1        (route towards router)

VLANs are configured, vlan 2-11:

vlan 2    ip address 192.168.2.1
vlan 3    ip address 192.168.3.1
--------- up to
vlan 11   ip address 192.168.11.1
vlan 100 for servers   ip address 192.168.1.18

On Router:
---------

fa0/0   ip address 192.168.20.2
fa0/1   ip address (live ip)

ip route 192.168.1.0 255.255.255.0 192.168.20.2    (the route from router to vlan 100)
ip route 192.168.2.0 255.255.255.0 192.168.20.2    (the route from router to vlan 2)
and so on up to 192.168.11.0

ip route 0.0.0.0 0.0.0.0 live ip
ip nat inside source list 160 interface fastethernet 0/1 overload
access-list 160 permit ip any any
access-list 160 permit tcp any any

In this currently working scenario, fa0/0 is connected to the internal network and fa0/1 is connected to the outside.

I want to use both interfaces fa0/0 and fa0/1 as outside for running two internet connections.

junshah22 Thu, 05/21/2009 - 22:26

Hi Rick, I will try this; hopefully this will help.

Regards,

Junaid

junshah22 Sun, 05/24/2009 - 21:25

Dear Rick,

When I assign an IP to vlan 1 (192.168.20.1), it doesn't show the VLANs configured in the show vlans command.

Secondly, it is not assigning the router's L2 ports to vlan 1. Maybe all ports are defined in VLANs by default, but it shows nothing in the (show vlans) command.

When I try to make another VLAN (vlan 2), it asks for (vlan accounting input).

What is the purpose of accounting vlan? And what should I do, input or output?

Please help

Regards,

Junaid

Richard Burts Mon, 05/25/2009 - 07:58

Junaid

When I configured VLANs on an Etherswitch in an ISR router I do not remember having to give vlan accounting information.

Perhaps we should clarify what you are trying to do and what the environment is. Your original post asked about using the layer 2 ports on your 1811 router. But a subsequent post seems to indicate that there is currently an external switch connected to your router. And from the fact that there do not seem to be subinterfaces on the router interface it would appear that the connection to the switch is just an access port. And that would suggest that the switch (where VLANs 2 through 11 and 100 are located) is a layer 3 switch which is doing inter-VLAN routing and using the 1811 as its default gateway. Is this the correct understanding?

If that is correct then perhaps you can help us understand what you are trying to accomplish? Is it as simple as moving the connection to the access port on the switch from the router FastEthernet where it currently is to one of the layer 2 interfaces? Or is there something else that you are trying to do?

If we had a clear understanding of your environment and of your requirements then we could give you better advice.

HTH

Rick

junshah22 Mon, 05/25/2009 - 19:00

Sorry for the misunderstanding...

LEAVE THE ABOVE POSTS and please look into my new scenario.

Actually, I am currently using a Cisco 2811 router with a Cisco 3560 layer 3 switch:

- VLANs are configured on the 3560 switch
- switch ports are assigned to VLANs (2-11, 100)
- one switch port (int gi0/8) is connected to the 2811 router with this configuration:

    no switchport
    ip address 192.168.20.2 255.255.255.0

- ACL 110 is in place to block traffic from one VLAN to another, but all VLANs can communicate with VLAN 100 (servers)

ON ROUTER 2811

- Remote Access IPsec VPN is configured
- Remote users connect to the router via the VPN client
- fa0/0:

    ip address 192.168.20.1 255.255.255.0
    ip access-group Internet in
    ip nat inside
    ip virtual-reassembly

- fa0/1:

    ip address (live ip)
    ip nat outside
    ip virtual-reassembly

ip route 0.0.0.0 0.0.0.0 live ip gateway
ip route 192.168.1.0 255.255.255.0 192.168.20.2
ip route 192.168.2.0 255.255.255.0 192.168.20.2
and so on up to vlan 11

ip nat inside source list 160 interface fastethernet 0/1 overload
access-list 160 permit ip any any
access-list 160 permit tcp any any

ip access-list extended Internet
 permit ip host 192.168.10.4 any
 permit ip host 192.168.10.5 any
 permit ip host 192.168.7.2 any

The Internet access-list is defined to give internet access to a limited set of users; this ACL is applied inbound on interface fa0/0.

This environment is running smoothly.

NOW,

I have another router, a Cisco 1811, and want to replace my 2811 with the new 1811, as I want to use the 2811 at another place.

The 1811 has 2 FastEthernet WAN ports and 8 L2 ports.

I want to use 2 Internet connections:

- One connection has a live IP pool, and I want to use this connection only for Microsoft Exchange Server and VPN
- The second connection is for general public Internet access, because this connection comes with unlimited downloading and 4MB bandwidth

[IS IT POSSIBLE that I use one internet connection having a live IP pool for Remote Access VPN, SITE-TO-SITE VPN and Internet access simultaneously???]

Now I want to configure the Cisco 1811 as discussed in this post.

Please help me achieve this goal.

REGARDS,

JUNAID

Richard Burts Tue, 05/26/2009 - 11:20

Junaid

This is a much better explanation of the environment and of what you are trying to achieve. I believe that what you describe is possible to achieve.

Several aspects of what you want may get complex and so I would suggest that you consider these changes in several parts:

- how to move the inside LAN connection from fa0/0 of the 2811 to the layer 2 port of the 1811. Since by default the layer 2 ports are members of VLAN 1, the simple thing is to move these statements to interface vlan1:

    ip address 192.168.20.1 255.255.255.0
    ip access-group Internet in
    ip nat inside

    ip access-list extended Internet
     permit ip host 192.168.10.4 any
     permit ip host 192.168.10.5 any
     permit ip host 192.168.7.2 any

then move the physical connection from the 2811 to the 1811. This should work.

Then I suggest that you get the Internet connection working that will be used for general access. This would include moving the interface parameters from the 2811 outside interface, the NAT configuration and the default route. I would suggest that you try to test this and verify that it is working before you do the next parts.

You say that there is a working VPN remote access configured and working. Since we do not see the details of this it is hard to advise on how to move it to the 1811 and to use a different outbound interface than the general Internet access, but this should not be really difficult. You can probably transfer most of the VPN configuration from the 2811 (crypto maps, ISAKMP parameters, authentication logic, address pool, etc). The more complex part will be getting the VPN to use a different interface than the general Internet interface. I suspect that in the 2811 the VPN outbound traffic just uses the default route. To get it to use a different interface I suggest that you implement Local Policy Based Routing. The route map for local PBR would identify traffic (probably ISAKMP and ESP) generated by the router and set the next hop to be the second address next hop.

Getting Microsoft Exchange Server to use the second interface would be similar except that VPN would be local PBR and Exchange Server would be regular PBR which would identify the Exchange Server traffic and set its next hop to be out the second interface.

HTH

Rick

junshah22 Tue, 05/26/2009 - 22:33

Rick,

Thanks for your support. The first step has been completed successfully; it includes:

- Local Network Access
- Internet connectivity for general public

Configuration:

aaa authentication login userauthen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
!
resource policy
!
memory-size iomem 10
ip cef
!
ip name-server 10.16.7.12         ! internet link with live ip pool
ip name-server 203.99.163.240     ! general internet link
!
username 123 privilege 15 secret 5 $1$vAZxx45xPAflB465365Kq32NN1/
!
voice-card 0
 no dspfarm
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco444 address 55.55.55.55     ! live ip of the remote peer
!
crypto isakmp client configuration group vpnclient
 key cisco444
 dns 192.168.1.17
 wins 192.168.1.17
 domain abc.com
 pool ippool
 acl 101
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
 match identity group vpnclient
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 virtual-template 2
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set cisco esp-seal esp-sha-hmac
! Transform unusable with IKE
!
crypto ipsec profile SDM_Profile1
 set transform-set myset
 set isakmp-profile sdm-ike-profile-1
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
crypto map cisco 10 ipsec-isakmp
 ! Incomplete
 set peer 55.55.55.55
 set transform-set cisco
 match address 100
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
 ip address 192.168.95.65 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
!
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Async1
 no ip address
 encapsulation slip
!
interface Vlan1
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool ippool 192.168.20.150 192.168.20.254
!
ip route 0.0.0.0 0.0.0.0 192.168.95.1             ! default route for internet, DSL modem IP
ip route 192.168.1.0 255.255.255.0 192.168.20.2
ip route 192.168.2.0 255.255.255.0 192.168.20.2
ip route 192.168.4.0 255.255.255.0 192.168.20.2
! static routes for the internal network up to vlan 11 (not shown here)
!
no ip http server
no ip http secure-server
!
ip nat inside source list 160 interface FastEthernet0 overload
!
ip access-list extended Internet
 permit ip host 192.168.2.3 any
 permit ip host 192.168.4.3 any
 permit ip host 192.168.7.2 any
 permit ip 192.168.20.0 0.0.0.255 any
!
access-list 160 permit ip any any
access-list 160 permit tcp any any
!
snmp-server community public RO
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps cpu threshold
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop

NOW, I want to move toward the second Internet link having the live IP pool.

This link will be used for the VPN client, site-to-site VPN and as a backup internet link.

Let me clear one thing: when we make a site-to-site VPN, do other services like internet access stop or keep running??

Secondly, please look into my VPN configuration.

How do I make policy based routing??

Regards,

Junaid


Richard Burts Thu, 05/28/2009 - 09:08

Junaid

When you configure site to site VPN other services like Internet access should continue to run.

Getting VPN to use the second interface is easy for inbound traffic since that only requires that the remote devices specify the peer address as the address on the second interface (FastEthernet1). Getting outbound traffic for VPN to use that interface would take local policy based routing. To get this to work you would need to do the following things: configure an access list to identify the VPN traffic, configure a route-map to use the access list and set the next hop address, enable local policy based routing. The config might look something like this:

ip access-list extended id_vpn
 permit udp any any eq isakmp
 permit udp any eq isakmp any
 permit udp any any eq non500-isakmp
 permit udp any eq non500-isakmp any
 permit esp any any

route-map send_vpn permit 10
 match ip address id_vpn
 set ip next-hop x.x.x.x        (next hop out the second interface)

ip local policy route-map send_vpn

HTH

Rick

junshah22 Thu, 05/28/2009 - 18:46

Rick,

My second Internet connection is not UP right now. When I add the second default route

0.0.0.0 0.0.0.0 55.55.55.55

the internet services stop.

I am worried about bringing UP the second Internet connection, which will run simultaneously with the existing one.

Richard Burts Fri, 05/29/2009 - 04:06

Junaid

When you add the second default route you are instructing the router to try to load share. I did not think that you wanted to load share. I thought that you wanted to have a primary Internet link and to use the second interface only for VPN and Exchange traffic.

If you want to use the second interface as a failover in case of problems with the primary connection then you need to make the second static default route be a floating static default route. Perhaps something like:

ip route 0.0.0.0 0.0.0.0 55.55.55.55 250

HTH

Rick

junshah22 Sat, 05/30/2009 - 00:20

Rick,

I have to overload to send the traffic over the internet, like:

access-list 160 permit ip any any
access-list 160 permit tcp any any
ip nat inside source list 160 interface fastethernet 0 overload

By applying the above three commands, my first link (for general internet access) comes UP.

To bring up the second interface, I must use NAT (which traffic will be overloaded).

In this case, what ACL should I make to allow only VPN traffic, as you wrote in your second-last post, to make a policy for isakmp?

Secondly, I need to configure a route towards the second internet link, and that will maybe be a default:

0.0.0.0 0.0.0.0 55.55.55.55

If I mention the AD at the end of the static default route, as you said, it will work as a fail-over link.

But I need to run both links at the same time, one for general Internet and one for VPN.

Regards,

Junaid

Richard Burts Sat, 05/30/2009 - 08:29

Junaid

As I tried to explain in my previous post, if you configure a static default route like this using 55.55.55.55 then you have enabled using this for general internet traffic. And you have said that this is not what you want to do. So why do you insist on configuring this static default route instead of making it a floating static default route as I suggested?

You do not need a default route for the VPN traffic to work. The local policy based routing will send the traffic through the second interface without needing a default route.

I do not see why the VPN traffic would need to be NATed since the source address of the VPN packet will be the outside interface address of the router. For the Exchange traffic you probably do need to NAT it. So you would need an access list that identified the Exchange traffic.

HTH

Rick
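The pieces Rick describes across his last three replies (a floating static default so the second link does not load share, local PBR for the router's own VPN traffic, regular PBR for the Exchange server, and NAT that follows whichever outside interface a packet actually leaves on) put together as one added example. This is not configuration from the thread or from Cisco documentation. It keeps the thread's names (id_vpn, send_vpn, ACL 160, Vlan1, FastEthernet0 and FastEthernet1, ISP1 gateway 192.168.95.1) and assumes placeholders for everything the thread does not give: FastEthernet1 carries the second ISP with address 55.55.55.2/24 and gateway 55.55.55.1, and the Exchange server is 192.168.1.20 in VLAN 100.

```cisco
! Added example, not from this thread. 55.55.55.0/24 and 192.168.1.20 are
! placeholders; replace them with the real ISP2 addressing and Exchange host.
!
! 1. Bring up the second outside interface. No crypto map is applied here
!    because the posted remote-access VPN uses Virtual-Template2 (dVTI); the
!    site-to-site map "cisco" would be applied here once it is completed.
interface FastEthernet1
 ip address 55.55.55.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no shutdown
!
! 2. ISP1 stays the only active default route. ISP2's default is a floating
!    static (AD 250): it is installed only if the ISP1 route is withdrawn, so
!    it never load shares and the posted Internet ACL behaviour is unchanged.
ip route 0.0.0.0 0.0.0.0 192.168.95.1
ip route 0.0.0.0 0.0.0.0 55.55.55.1 250
!
! 3. Router-generated VPN traffic (IKE, NAT-T, ESP) goes out ISP2 via local PBR.
!    Inbound needs nothing extra: peers simply use 55.55.55.2 as the peer address.
ip access-list extended id_vpn
 permit udp any any eq isakmp
 permit udp any eq isakmp any
 permit udp any any eq non500-isakmp
 permit udp any eq non500-isakmp any
 permit esp any any
route-map send_vpn permit 10
 match ip address id_vpn
 set ip next-hop 55.55.55.1
ip local policy route-map send_vpn
!
! 4. Exchange traffic from the LAN goes out ISP2 via interface PBR on the inside
!    interface; every other LAN host falls through to normal routing (ISP1).
ip access-list extended exchange_out
 permit ip host 192.168.1.20 any
route-map send_exchange permit 10
 match ip address exchange_out
 set ip next-hop 55.55.55.1
interface Vlan1
 ip policy route-map send_exchange
!
! 5. NAT must translate to the address of the interface the packet leaves on.
!    The single "list 160 interface FastEthernet0" rule would stamp ISP1's
!    address on packets policy-routed out FastEthernet1, so use one route-map
!    per outside interface. Router-sourced VPN packets are not NAT-translated
!    at all, since NAT only rewrites inside-to-outside transit traffic.
no ip nat inside source list 160 interface FastEthernet0 overload
route-map nat_isp1 permit 10
 match ip address 160
 match interface FastEthernet0
route-map nat_isp2 permit 10
 match ip address 160
 match interface FastEthernet1
ip nat inside source route-map nat_isp1 interface FastEthernet0 overload
ip nat inside source route-map nat_isp2 interface FastEthernet1 overload
```

Checks after applying it: `show ip policy` should list send_vpn as the local policy and send_exchange on Vlan1; `show route-map` counts policy matches; `show ip nat translations` should show Exchange translated to 55.55.55.2 and everything else to 192.168.95.65; `debug ip policy` briefly confirms which packets are policy-routed. Two caveats worth knowing: the floating static only takes over if the ISP1 route actually leaves the routing table, which a DSL modem in front of FastEthernet0 usually prevents, so real failover needs IP SLA tracking of the ISP1 gateway (not shown here); and the posted Virtual-Template2 references FastEthernet0/1, an interface name that does not exist on an 1811 (its ports are FastEthernet0 and FastEthernet1), so `ip unnumbered` there should point at the interface the VPN peers reach, FastEthernet1 in this layout. Mail arriving from the internet for Exchange over ISP2 would additionally need a static translation, which the thread never discusses.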
