05-19-2009 10:45 PM - edited 03-04-2019 04:49 AM
Dear All,
I want to use my Cisco 1811 router; it has 2 FastEthernet ports and 8 L2 ports.
I want to configure it to use 2 internet connections simultaneously.
I am unable to configure IP and NAT on the L2 interfaces.
Please tell me, is NAT capability built in to the router for L2 interfaces?
How can I connect my internal network to an L2 interface?
Regards,
Junaid
05-20-2009 12:36 AM
I want to configure both FastEthernet interfaces for internet and NAT outside...
I want to use the L2 interfaces for inside.
Is it possible?
05-20-2009 04:34 AM
Junaid
The layer 2 ports are part of an EtherSwitch that is built into the 1811. You cannot configure IP addresses directly on them since they are layer 2 only ports. But they belong to a VLAN and you can apply an IP address to the VLAN interface to do routing for your internal network. You could create a second VLAN and assign some ports to the second VLAN and assign an IP address to the second VLAN if you want to subdivide your internal network and have 2 subnets in it.
You should be able to configure NAT with the VLAN(s) as the inside interface and with the FastEthernet interfaces as the outside interfaces.
HTH
Rick
05-21-2009 07:14 PM
Hi Junaid,
Can you show the configuration? Some simple examples will do.
Thanks,
05-21-2009 10:25 PM
On Switch
ip route 0.0.0.0 0.0.0.0 192.168.20.1
(route towards the router)
VLANs 2-11 are configured:
vlan 2 (ip address) 192.168.2.1
vlan 3 (ip address) 192.168.3.1
--------- up to
vlan 11 (ip address) 192.168.11.1
vlan 100 for servers (ip address) 192.168.1.18
On Router
---------
fa0/0: ip address 192.168.20.2
fa0/1: ip address (live ip)
ip route 192.168.1.0 255.255.255.0 192.168.20.2
(the route from the router to vlan 100)
ip route 192.168.2.0 255.255.255.0 192.168.20.2
(the route from the router to vlan 2)
and so on up to 192.168.11.0
ip route 0.0.0.0 0.0.0.0 (live ip)
ip nat inside source list 160 interface fastethernet 0/1 overload
access-list 160 permit ip any any
access-list 160 permit tcp any any
In this currently working scenario, fa0/0 is connected to the internal network and fa0/1 is connected to the outside.
I want to use both interfaces, fa0/0 and fa0/1, as outside for running two internet connections.
05-21-2009 10:26 PM
Hi Rick, I will try this; hopefully this will help.
Regards,
Junaid
05-24-2009 09:25 PM
Dear Rick,
When I assign an IP to vlan 1 (192.168.20.1) it doesn't show the configured VLANs in the show vlans command.
Secondly, it is not assigning the router L2 ports to vlan 1; maybe all ports are defined in VLANs by default, but it shows nothing in the show vlans command.
When I try to make another VLAN (vlan 2) it asks for (vlan accounting input).
What is the purpose of accounting vlan? And what should I do, input or output?
Please help
Regards,
Junaid
05-25-2009 07:58 AM
Junaid
When I configured VLANs on an Etherswitch in an ISR router I do not remember having to give vlan accounting information.
Perhaps we should clarify what you are trying to do and what the environment is. Your original post asked about using the layer 2 ports on your 1811 router. But a subsequent post seems to indicate that there is currently an external switch connected to your router. And from the fact that there do not seem to be subinterfaces on the router interface it would appear that the connection to the switch is just an access port. And that would suggest that the switch (where VLANs 2 through 11 and 100 are located) is a layer 3 switch which is doing inter-VLAN routing and using the 1811 as its default gateway. Is this the correct understanding?
If that is correct then perhaps you can help us understand what you are trying to accomplish? Is it as simple as moving the connection to the access port on the switch from the router FastEthernet where it currently is to one of the layer 2 interfaces? Or is there something else that you are trying to do?
If we had a clear understanding of your environment and of your requirements then we could give you better advice.
HTH
Rick
05-25-2009 07:00 PM
Sorry for the misunderstanding...
LEAVE THE ABOVE POSTS and please look into my new scenario.
Actually, I am currently using a Cisco 2811 router with a Cisco 3560 layer 3 switch.
- VLANs are configured on the 3560 switch
- switch ports are assigned to VLANs (2-11, 100)
- one switch port (int gi0/8) is connected to the 2811 router, having the configuration
no switchport
ip address 192.168.20.2 255.255.255.0
- ACL 110 is in place to block traffic from one VLAN to another, but all VLANs can communicate with vlan 100 (servers)
ON ROUTER 2811
- Remote Access IpSec vpn is configured
- Remote users connect with router via VPN client
- fa 0/0
ip address 192.168.20.1 255.255.255.0
ip access-group Internet in
ip nat inside
ip virtual-reassembly
- fa0/1
ip address (live ip)
ip nat outside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 live ip gateway
ip route 192.168.1.0 255.255.255.0 192.168.20.2
ip route 192.168.2.0 255.255.255.0 192.168.20.2
and so on upto vlan 11,
ip nat inside source list 160 interface fastethernet 0/1 overload
access-list 160 permit ip any any
access-list 160 permit tcp any any
ip access-list extended Internet
permit ip host 192.168.10.4 any
permit ip host 192.168.10.5 any
permit ip host 192.168.7.2 any
The Internet access-list is defined for internet access to limited users; this ACL is in place at interface fa0/0 in.
This environment is running smoothly.
NOW,
I have another router, a Cisco 1811, and want to replace my 2811 with the new 1811 as I want to use the 2811 at another place.
The 1811 has 2 FastEthernet WAN ports and 8 L2 ports.
I want to use 2 internet connections.
One connection has a live IP pool and I want to use this connection only for Microsoft Exchange Server and VPN,
and the second connection for general public internet access, because this connection has unlimited downloading and 4 MB bandwidth.
[
IS IT POSSIBLE that I use one internet connection having a live IP pool for Remote Access VPN, SITE-TO-SITE VPN and internet access simultaneously???
]
Now I want to configure the Cisco 1811 as discussed in this post.
Please help me achieve this goal.
REGARDS,
JUNAID
05-26-2009 11:20 AM
Junaid
This is a much better explanation of the environment and of what you are trying to achieve. I believe that what you describe is possible to achieve.
Several aspects of what you want may get complex and so I would suggest that you consider these changes in several parts:
- how to move the inside LAN connection from fa0/0 of the 2811 to the layer 2 port of the 1811. Since by default the layer 2 ports are members of VLAN 1, the simple thing is to move these statements to interface vlan1:
ip address 192.168.20.1 255.255.255.0
ip access-group Internet in
ip nat inside
ip access-list extended Internet
permit ip host 192.168.10.4 any
permit ip host 192.168.10.5 any
permit ip host 192.168.7.2 any
then move the physical connection from the 2811 to the 1811. This should work.
Then I suggest that you get the Internet connection working that will be used for general access. This would include moving the interface parameters from the 2811 outside interface, the NAT configuration and the default route. I would suggest that you try to test this and verify that it is working before you do the next parts.
You say that there is a working VPN remote access configured and working. Since we do not see the details of this it is hard to advise on how to move it to the 1811 and to use a different outbound interface than the general Internet access, but this should not be really difficult. You can probably transfer most of the VPN configuration from the 2811 (crypto maps, ISAKMP parameters, authentication logic, address pool, etc). The more complex part will be getting the VPN to use a different interface than the general Internet interface. I suspect that in the 2811 the VPN outbound traffic just uses the default route. To get it to use a different interface I suggest that you implement Local Policy Based Routing. The route map for local PBR would identify traffic (probably ISAKMP and ESP) generated by the router and set the next hop to be the next hop address on the second interface.
Getting Microsoft Exchange Server to use the second interface would be similar except that VPN would be local PBR and Exchange Server would be regular PBR which would identify the Exchange Server traffic and set its next hop to be out the second interface.
HTH
Rick
05-26-2009 10:33 PM
Rick,
Thanks for your support. The first step has been completed successfully; it includes:
- Local Network Access
- Internet connectivity for general public
configurations:
aaa authentication login userauthen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
resource policy
memory-size iomem 10
ip cef
ip name-server 10.16.7.12
! (DNS on the internet link with the live IP pool)
ip name-server 203.99.163.240
! (DNS on the general internet link)
username 123 privilege 15 secret 5 $1$vAZxx45xPAflB465365Kq32NN1/
voice-card 0
 no dspfarm
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco444 address 55.55.55.55
! (55.55.55.55 = live IP of the site-to-site peer)
crypto isakmp client configuration group vpnclient
 key cisco444
 dns 192.168.1.17
 wins 192.168.1.17
 domain abc.com
 pool ippool
 acl 101
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
 match identity group vpnclient
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 virtual-template 2
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set cisco esp-seal esp-sha-hmac
! Transform unusable with IKE
crypto ipsec profile SDM_Profile1
 set transform-set myset
 set isakmp-profile sdm-ike-profile-1
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
crypto map cisco 10 ipsec-isakmp
 ! Incomplete
 set peer 55.55.55.55
 set transform-set cisco
 match address 100
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0
 ip address 192.168.95.65 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0
 ! (the 1811 has no FastEthernet0/1; the 2811 interface name was left behind,
 !  so the current outside interface FastEthernet0 is assumed here)
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
interface Async1
 no ip address
 encapsulation slip
interface Vlan1
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
ip local pool ippool 192.168.20.150 192.168.20.254
ip route 0.0.0.0 0.0.0.0 192.168.95.1
! (default route to the internet DSL modem IP)
ip route 192.168.1.0 255.255.255.0 192.168.20.2
ip route 192.168.2.0 255.255.255.0 192.168.20.2
ip route 192.168.4.0 255.255.255.0 192.168.20.2
! (static routes for the internal network up to 192.168.11.0, not all shown here)
no ip http server
no ip http secure-server
ip nat inside source list 160 interface FastEthernet0 overload
ip access-list extended Internet
 permit ip host 192.168.2.3 any
 permit ip host 192.168.4.3 any
 permit ip host 192.168.7.2 any
 permit ip 192.168.20.0 0.0.0.255 any
access-list 160 permit ip any any
access-list 160 permit tcp any any
snmp-server community public RO
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps cpu threshold
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
NOW, I want to move toward the second internet link having the live IP pool.
This link will be used for the VPN client, site-to-site VPN and as a backup internet link.
Let me clear one thing: when we make a site-to-site VPN, do other services like internet access stop or keep running?
Secondly, please look into my VPN configuration.
How do I make policy based routing?
Regards,
Junaid
05-27-2009 06:53 PM
Rick,
Waiting for your reply,
Regards,
Junaid
05-28-2009 09:08 AM
Junaid
When you configure site-to-site VPN, other services like Internet access should continue to run.
Getting VPN to use the second interface is easy for inbound traffic since that only requires that the remote devices specify the peer address as the address on the second interface (FastEthernet1). Getting outbound traffic for VPN to use that interface would take local policy based routing. To get this to work you would need to do the following things: configure an access list to identify the VPN traffic, configure a route-map to use the access list and set the next hop address, enable local policy based routing. The config might look something like this:
ip access-list extended id_vpn
 permit udp any any eq isakmp
 permit udp any eq isakmp any
 permit udp any any eq non500-isakmp
 permit udp any eq non500-isakmp any
 permit esp any any
route-map send_vpn permit 10
 match ip address id_vpn
 set ip next-hop x.x.x.x
 ! (x.x.x.x = next hop out the second interface)
ip local policy route-map send_vpn
HTH
Rick
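Putting Rick's 05-26 step plan (vlan1 as inside, general internet on the first link, VPN and Exchange steered to the second link by local PBR and PBR) and his 05-28 local-PBR snippet together, here is an added example of the two-link 1811 configuration. It is not from the thread and not a Cisco sample; it was written for this page. Every address the thread does not state is an assumption: FastEthernet1 as 203.0.113.2/29 with ISP gateway 203.0.113.1, the Exchange server at 192.168.1.10 in vlan 100, and 10.10.10.0/24 as the LAN behind the site-to-site peer 55.55.55.55. The interface, crypto map, virtual-template and list-160 names are the ones in Junaid's posted config. Two design points go beyond what the posts spell out: the second default route is a floating static (two equal defaults would make CEF share general traffic per destination across both links, and a single "ip nat inside source list 160 interface FastEthernet0 overload" would then stamp FastEthernet0's address on packets leaving FastEthernet1), and NAT is done with route-maps that match the egress interface, with the site-to-site LAN excluded because IOS applies inside-to-outside NAT before the crypto map encrypts.

```cisco
! Added example for the thread, not Junaid's or Rick's running config.
! Assumed (not stated in the thread): FastEthernet1 = 203.0.113.2/29,
! ISP2 gateway = 203.0.113.1, Exchange server = 192.168.1.10,
! LAN behind the site-to-site peer 55.55.55.55 = 10.10.10.0/24.
!
! --- 1. Second WAN link, NAT outside like FastEthernet0 -------------------
interface FastEthernet1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 no shutdown
!
! --- 2. One active default route; the second link is a floating backup ----
! AD 250 keeps the second default out of the routing table while the
! first one is up, so general traffic is not split across both links.
ip route 0.0.0.0 0.0.0.0 192.168.95.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 250
!
! --- 3. NAT tied to the egress interface ----------------------------------
! Replaces the single list-160 statement: each route-map matches the
! outside interface, so packets leaving FastEthernet1 get its address.
! The deny keeps LAN->remote-site traffic untranslated so the crypto map
! sees the real source (NAT runs before IPsec on the inside->outside path).
no ip nat inside source list 160 interface FastEthernet0 overload
ip access-list extended NAT_INSIDE
 deny   ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 any
route-map NAT_ISP1 permit 10
 match ip address NAT_INSIDE
 match interface FastEthernet0
route-map NAT_ISP2 permit 10
 match ip address NAT_INSIDE
 match interface FastEthernet1
ip nat inside source route-map NAT_ISP1 interface FastEthernet0 overload
ip nat inside source route-map NAT_ISP2 interface FastEthernet1 overload
!
! --- 4. PBR: Exchange traffic goes out the live-IP link --------------------
! Internal and remote-site destinations are excluded so they keep
! normal routing instead of being pushed to the ISP2 gateway.
ip access-list extended EXCHANGE_OUT
 deny   ip host 192.168.1.10 192.168.0.0 0.0.255.255
 deny   ip host 192.168.1.10 10.10.10.0 0.0.0.255
 permit ip host 192.168.1.10 any
route-map PBR_EXCHANGE permit 10
 match ip address EXCHANGE_OUT
 set ip next-hop 203.0.113.1
interface Vlan1
 ip policy route-map PBR_EXCHANGE
!
! --- 5. Local PBR: the router's own IKE/NAT-T/ESP leaves via link 2 --------
! Remote peers and VPN clients then use 203.0.113.2 as the peer address.
ip access-list extended id_vpn
 permit udp any any eq isakmp
 permit udp any eq isakmp any
 permit udp any any eq non500-isakmp
 permit udp any eq non500-isakmp any
 permit esp any any
route-map send_vpn permit 10
 match ip address id_vpn
 set ip next-hop 203.0.113.1
ip local policy route-map send_vpn
!
! --- 6. Bind the VPN to the second link ------------------------------------
! The site-to-site map still needs a usable transform set and ACL 100
! (the posted config marks it "Incomplete" / "Transform unusable with IKE").
interface FastEthernet1
 crypto map cisco
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet1
```

To check the result on the router: "show ip route" should list only the 192.168.95.1 default while FastEthernet0 is up; "show ip nat translations" should show 192.168.95.65 as the inside global for general traffic and 203.0.113.2 for Exchange; "show route-map" counts matches for PBR_EXCHANGE and send_vpn; and "show crypto isakmp sa" should report the site-to-site and client sessions with 203.0.113.2 as the local address.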
05-28-2009 06:46 PM
Rick,
My second internet connection is not UP right now. When I add a second default route,
0.0.0.0 0.0.0.0 55.55.55.55, the internet services stop.
I am worried about bringing UP the second internet connection, which will run simultaneously with the existing one.