1841 pass through

rkovelman (Level 1)

I have another 1841 that I am using for vlans and having the vlans talk to one another, but more importantly I need the router to pass all packets through to where they need to go.  Is this possible?  Normally I set the restrictions up on the firewall and the firewall passes them off to whatever IP it's intended to go to.  For instance, if someone from the outside tries to make a PPTP connection, the firewall sees the activity and knows where to pass these packets to.  I will be placing the 1841 in between the firewall and the server handling these PPTP requests.  But moreover, I do not want the 1841 to block anything to its intended route.  How can I achieve this without messing up the vlans, or do I need to place all these access requests into the 1841?


17 Replies

Jon Marshall (Hall of Fame)

I have another 1841 that I am using for vlans and having the vlans talk to one another but more importantly I need the router to pass all packets through where they need to go.  Is this possible?

That's exactly what routers do as long as you are not using access-lists on the router that block the traffic.

I will be placing the 1841 in between the firewall and the server handling these PPTP requests.  But moreover I do not want the 1841 to block anything to its intended route.

As long as the firewall has a route to the PPTP server via the router, and the router has a route back to the firewall then it will be fine.

Jon

I do not have any access lists and just want to verify what I did was correct

I am lost in your second statement

" router has a route back to the firewall"

If the server sees the incoming connection, doesn't it know where to pass the packet back to?  If not, how would I make a config for the PPTP connection, for instance, to go from the server back to the firewall?  I would have thought that if there are no access lists then the traffic would pass back and forth with no issues.

Thanks

rkovelman wrote:

I do not have any access lists and just want to verify what I did was correct

I am lost in your second statement

" router has a route back to the firewall"

If the server sees the incoming connection, doesn't it know where to pass the packet back to?  If not, how would I make a config for the PPTP connection, for instance, to go from the server back to the firewall?  I would have thought that if there are no access lists then the traffic would pass back and forth with no issues.

Thanks


server -> router -> firewall  - I'm assuming the server default-gateway is on the router.

the firewall must have a route to the server vlan and the next-hop for this route will be the router. The traffic will then go from firewall -> router -> server.

when the server returns the traffic it will send it to the router. The router must then have a route to the firewall. It probably will have; it is usually the default-route, i.e. on the router -

ip route 0.0.0.0 0.0.0.0

Jon

So this is what I have:

Gateway of last resort is not set

C*   192.168.xx.0/24 is directly connected, FastEthernet0/0
                      is directly connected, FastEthernet0/0.2

So from what you're saying, I need to set a gateway of last resort, correct?

Thanks

Impossible to say without knowing your routing setup.

Is your router the default-gateway for the server vlan?

Are all your vlans routed off the router?

The firewall, how is it connected to the router?

Jon

Is your router the default-gateway for the server vlan?

The gateway would be the firewall, correct?  firewall -> router -> server

Are all your vlans routed off the router?

Vlan 1 and Vlan 2 are off the router, yes.  All receive the same IP and subnet from the firewall.

The firewall, how is it connected to the router?

It will be plugged in to 0/0 and then 0/1 will go to the switch(es).

rkovelman wrote:

Is your router the default-gateway for the server vlan?

The gateway would be the firewall, correct?  firewall -> router -> server

Are all your vlans routed off the router?

Vlan 1 and Vlan 2 are off the router, yes.  All receive the same IP and subnet from the firewall.

The firewall, how is it connected to the router?

It will be plugged in to 0/0 and then 0/1 will go to the switch(es).

If the firewall is the default-gateway then why bother with the router?

Also, why have 2 vlans on the router and have them using the same IP subnet handed out by the firewall?

What is the purpose of the router meant to be?

Jon

The router will be doing DHCP as well, but that can be done with the 1841 if so chosen.

I will be running IP Phones and want them and need them on the same network as the computers.

The router is meant to have the 2 vlans talk to one another.

rkovelman wrote:

The router will be doing DHCP as well, but that can be done with the 1841 if so chosen.

I will be running IP Phones and want them and need them on the same network as the computers.

The router is meant to have the 2 vlans talk to one another.

I think there is some confusion here. You say the router is so the vlans can talk to each other, but the vlans' gateway is on the firewall?

It might help if i showed a typical setup -

switch -> router -> firewall

1) the switch has the vlans defined on it eg

vlan 10 = 192.168.5.0/24

vlan 11 = 192.168.6.0/24

2) the connection from the switch to the router is a L2 trunk

3) the router uses subinterfaces on the ethernet connection to the switch (note: I'm assuming the switch is L2 only)


int fa0/0.10
 encapsulation dot1q 10
 ip address 192.168.5.1 255.255.255.0
!
int fa0/0.11
 encapsulation dot1q 11
 ip address 192.168.6.1 255.255.255.0


4) on the switch you then assign the relevant ports into either vlan 10 or vlan 11 eg.

int fa0/1
 switchport mode access
 switchport access vlan 10

etc.

5) vlan 10 clients have their default-gateway set to 192.168.5.1

   vlan 11 to 192.168.6.1

6) you then connect the router to firewall

router

====

int fa0/1
 ip address 192.168.7.1 255.255.255.252

firewall

=====

inside ip address would be 192.168.7.2 255.255.255.252

8) on the firewall you add routes -

route inside 192.168.5.0 255.255.255.0 192.168.7.1

route inside 192.168.6.0 255.255.255.0 192.168.7.1

9) on the router add a default-route to the firewall

ip route 0.0.0.0 0.0.0.0 192.168.7.2

10) use windows server or the router for your DHCP pools

11) setup NAT on the firewall for your 2 internal networks (sounds like you already have this done but if not -

firewall

======

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

With the above, vlans 10 & 11 can talk to each other via the router. If you need to give access to a server internally from the internet, just set up your static NAT + acl access on the firewall and the firewall will know how to route the traffic to the server.

Jon
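Added example (not from the thread): a small Python check that models Jon's typical setup above, together with his earlier point that the firewall needs a route to the server vlan via the router and the router needs a route (usually the default) back to the firewall. It flags the "Gateway of last resort is not set" condition from rkovelman's routing table. Addresses are the example ones from the reply; the outside client address 203.0.113.10 is constructed.

```python
import ipaddress

# Constructed topology modelled on the reply's typical setup (switch -> router -> firewall);
# example addresses from the reply, not the poster's real configuration.
ROUTER_IFACES = {                   # interface -> router address on that link
    "fa0/0.10": "192.168.5.1/24",   # vlan 10
    "fa0/0.11": "192.168.6.1/24",   # vlan 11
    "fa0/1":    "192.168.7.1/30",   # link to the firewall inside interface
}
ROUTER_STATIC = [("0.0.0.0/0", "192.168.7.2")]  # ip route 0.0.0.0 0.0.0.0 192.168.7.2
FIREWALL_INSIDE_IP = "192.168.7.2"
FIREWALL_ROUTES = [                 # route inside <net> <mask> <next-hop>
    ("192.168.5.0/24", "192.168.7.1"),
    ("192.168.6.0/24", "192.168.7.1"),
]


def longest_match(routes, dst):
    """Most specific (network, next_hop) in routes covering dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, nh in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def check_path(server_ip, client_ip, fw_routes=FIREWALL_ROUTES, rt_ifaces=ROUTER_IFACES,
               rt_static=ROUTER_STATIC, fw_inside=FIREWALL_INSIDE_IP):
    """Check the firewall -> router -> server path and the return path for one flow."""
    problems = []
    ifaces = [ipaddress.ip_interface(a) for a in rt_ifaces.values()]
    router_addrs = {str(i.ip) for i in ifaces}
    connected = [(str(i.network), None) for i in ifaces]   # next hop None = directly attached
    # 1. The server's subnet must hang off the router (the router is the server's gateway).
    if longest_match(connected, server_ip) is None:
        problems.append(f"router has no connected subnet for {server_ip}")
    # 2. Forward path: the firewall needs a route for the server subnet via a router address.
    fwd = longest_match(fw_routes, server_ip)
    if fwd is None:
        problems.append(f"firewall has no route to {server_ip}")
    elif fwd[1] not in router_addrs:
        problems.append(f"firewall route {fwd[0]} points at {fwd[1]}, which is not the router")
    # 3. Return path: the router needs a route (usually the default) back to the firewall.
    back = longest_match(connected + rt_static, client_ip)
    if back is None:
        problems.append(f"router has no route back to {client_ip} (gateway of last resort is not set)")
    elif back[1] != fw_inside:
        problems.append(f"router sends {client_ip} to {back[1]} instead of the firewall")
    return problems
```

An empty list means both directions resolve; each string describes one missing or misdirected route.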

Thanks!

Am I to assume you can not have 2 vlans with the same IP pool?  You need to have different ones?

Thanks

rkovelman wrote:

Thanks!

Am I to assume you can not have 2 vlans with the same IP pool?  You need to have different ones?

Thanks

You can have 2 vlans with one IP subnet, but it's not good design. The whole purpose of a vlan is to limit the broadcast domain, but by using 2 subnets they are sharing the same broadcast domain, i.e. a broadcast by a client in either subnet is seen by all clients in both subnets.

It can be useful as a temporary device to migrate IP addresses from one range to another, but it shouldn't really be seen as a long-term solution.

Jon

Thanks again!

For the most part I am complete; what I am unable to do is add switchport mode access and access vlan 1, 2 and 3 to int fa0/1.  What is the command for that?  I am able to get into the configuration for int fa0/1 but not switchport.

rkovelman wrote:

Thanks again!

For the most part I am complete; what I am unable to do is add switchport mode access and access vlan 1, 2 and 3 to int fa0/1.  What is the command for that?  I am able to get into the configuration for int fa0/1 but not switchport.

The switchport commands are on the switch, not the router. See the config thread for more details.

Jon

Oh yeah, whoops, got myself confused.

You said to assign relevant ports, but what if you have an Avaya phone, for instance, with an extra port on the back of it for a computer? So now over the same wire to the switch it's passing both the computer and the VOIP. That port on the switch then becomes or does 2 vlans.  Or maybe what I want is not possible?  Have a switch and router know what vlan to put something on by what it is passing through it?
