Bridge setup

Eggzter100 · ‎04-23-2010

Hi all,

I would like to set up a cisco 2811 as a bridge and pass my public address through to my ASA firewall. At the moment I have the outside interface ATM0/3/0 in bridge-group 1 and BVI1 holds my public address. My inside interface Fa0/0 is configured with a 10.3.10.1/16 address with the outside interface of my firewall on 10.3.10.2/16.

I was hoping to acheive this with the following configuration: (I have changed the IP addresses)

-------------------------------------------------------------------------

!

Interface FastEthernet0/0

no ip address 10.3.10.1 255.255.0.0

no ip nat inside

switchport access vlan 1

!

interface vlan 1

bridge group 1

!

interface BVI1

no ip address 1.2.123.108 255.255.248.0

no ip nat outside

!

no bridge 1 route ip

-------------------------------------------------------------------------

I was then going to configure the outside interface of my firewall with the 1.2.123.108 255.255.248.0 address.

Would I then need to remove the default route 1.2.120.1 from the router and put it on the firewall?

What do I do about access-list 1?

Can anyone advise me as to any additional configuration I'll need to make this work?

My current router config is as follows:

-------------------------------------------------------------------------

bridge irb

!

interface FastEthernet0/0

description Connection to Firewall

ip address 10.3.10.1 255.255.0.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface ATM0/3/0

no ip address

no atm ilmi-keepalive

dsl operating-mode auto

bridge-group 1

pvc 0/101

encapsulation aal5snap

!

interface BVI1

ip address 1.2.123.108 255.255.248.0

ip nat outside

ip virtual-reassembly

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 1.2.120.1

!

ip http server

ip http access-class 25

ip http authentication local

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface BVI1 overload

!

access-list 1 permit 10.3.0.0 0.0.255.255

access-list 25 permit 10.10.10.0 0.0.0.7

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

!

line con 0

login local

line aux 0

line vty 0 4

access-class 25 in

privilege level 15

login local

transport input telnet

line vty 5 15

access-class 25 in

privilege level 15

login local

transport input telnet

!

scheduler allocate 20000 1000

!

end

Router#

-----------------------------------------------------------------------------------------

Any help would be greatly appreciated.

Thanks

Regards

Egg

Eggzter100 · ‎04-26-2010

Hi All,

I really would appreciate some help here.

The problem:

I need to pass my public IP address of 1.2.123.108 255.255.248.0 which is currently on a 2811 router (see config below), through to my ASA 5510 firewall and just have the router as a transparent bridge with no ip addresses

Any advice would be much appreciated as I'm not that confident that my solution is going to work (see further below).

My current router config:

-------------------------------------------------------------------------------------

bridge irb

!

interface FastEthernet0/0

description Connection to Firewall

ip address 10.3.10.1 255.255.0.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface ATM0/3/0

no ip address

no atm ilmi-keepalive

dsl operating-mode auto

bridge-group 1

pvc 0/101

encapsulation aal5snap

!

interface BVI1

ip address 1.2.123.108 255.255.248.0

ip nat outside

ip virtual-reassembly

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 1.2.120.1

!

ip http server

ip http access-class 25

ip http authentication local

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface BVI1 overload

!

access-list 1 permit 10.3.0.0 0.0.255.255

access-list 25 permit 10.10.10.0 0.0.0.7

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

!

line con 0

login local

line aux 0

line vty 0 4

access-class 25 in

privilege level 15

login local

transport input telnet

line vty 5 15

access-class 25 in

privilege level 15

login local

transport input telnet

!

scheduler allocate 20000 1000

!

end

Router#

--------------------------------------------------------------------------

My solution would be:

--------------------------------------------------------------------------

!

Interface FastEthernet0/0

no ip address 10.3.10.1 255.255.0.0

no ip nat inside

switchport access vlan 1

!

interface vlan 1

bridge group 1

!

interface BVI1

no ip address 1.2.123.108 255.255.248.0

no ip nat outside

!

no bridge 1 route ip

-------------------------------------------------------------------------

I was then going to configure the outside interface of my firewall with the 1.2.123.108 255.255.248.0 address.

Would I then need to remove the default route 1.2.120.1 from the router and put it on the firewall?

What do I do about access-list 1?

Can anyone advise me as to any additional configuration I'll need to make this work?

TYLER WEST · ‎04-26-2010

Is the reason you are needing to do this due to that being the only public address you have available to use? If not, I would suggest the use of another available public address in that range and proxy ARP. If so, you might be able to utilize static NAT mapping at the port level to support specific protocols as opposed to bridging. Based on the supplied config, the ATM is the public from your provider, right? Just wanted to make sure that is clear.

Tyler West, CCNP

CWI, Inc.

Eggzter100 · ‎04-27-2010

Hi Tyler,

Yes, just one ip address at the moment. I have a leased line on order but for the meantime I have to make do with what I've got and I need the public address from my provider, presently on the ATM shifted over to the ASA. I've been told this is quite a common set up but I can't seem to find any documentation on it. Any pointers would be much appreciated.