New Member

1841 pass through

I have another 1841 that I am using for vlans and having the vlans talk to one another but more importantly I need the router to pass all packets through where they need to go.  Is this possible?  Normally I set the restrictions up on the firewall and the firewall passes them off to whatever IP it's intended to go to.  For instance if someone from the outside tries to make a PPTP connection, the firewall sees the activity and knows where to pass these packets to.  I will be placing the 1841 in between the firewall and the server handling these PPTP requests.  But moreover I do not want the 1841 to block anything to its intended route.  How can I achieve this without messing up the vlans or do I need to place all these access requests into the 1841?

17 REPLIES
Hall of Fame Super Blue

Re: 1841 pass through

I have another 1841 that I am using for vlans and having the vlans talk to one another but more importantly I need the router to pass all packets through where they need to go.  Is this possible?

That's exactly what routers do as long as you are not using access-lists on the router that block the traffic.

I will be placing the 1841 in between the firewall and the server handling these PPTP requests.  But moreover I do not want the 1841 to block anything to its intended route.

As long as the firewall has a route to the PPTP server via the router, and the router has a route back to the firewall then it will be fine.

Jon

New Member

Re: 1841 pass through

I do not have any access lists and just want to verify what I did was correct.

I am lost in your second statement:

"router has a route back to the firewall"

If the server sees the incoming connection, doesn't it know where to pass the packet back to?  If not, how would I make a config for the PPTP connection, for instance, to go from the server back to the firewall?  I would have thought that if there are no access lists then the traffic would pass back and forth with no issues.

Thanks

Hall of Fame Super Blue

Re: 1841 pass through

rkovelman wrote:

I do not have any access lists and just want to verify what I did was correct.

I am lost in your second statement:

"router has a route back to the firewall"

If the server sees the incoming connection, doesn't it know where to pass the packet back to?  If not, how would I make a config for the PPTP connection, for instance, to go from the server back to the firewall?  I would have thought that if there are no access lists then the traffic would pass back and forth with no issues.

Thanks


server -> router -> firewall  - I'm assuming the server default-gateway is on the router.

The firewall must have a route to the server vlan and the next-hop for this route will be the router. The traffic will then go from firewall -> router -> server.

When the server returns the traffic it will send it to the router. The router must then have a route to the firewall. It probably will have; it is usually the default-route, i.e. on the router -

ip route 0.0.0.0 0.0.0.0 <firewall inside IP>

Jon

New Member

Re: 1841 pass through

So this is what I have:

Gateway of last resort is not set

C*   192.168.xx.0/24 is directly connected, FastEthernet0/0
                      is directly connected, FastEthernet0/0.2

So from what you're saying, I need to set a gateway of last resort, correct?

Thanks

Hall of Fame Super Blue

Re: 1841 pass through

Impossible to say without knowing your routing setup.

Is your router the default-gateway for the server vlan ?

Are all your vlans routed off router ?

The firewall, how is it connected to the router ?

Jon

New Member

Re: 1841 pass through

Is your router the default-gateway for the server vlan ?

the gateway would be the firewall correct?  firewall->Router->Server

Are all your vlans routed off router ?

Vlan 1 and Vlan 2 are off the router, yes.  All receive the same IP and subnet from the firewall.

The firewall, how is it connected to the router ?

It will be plugged in to 0/0 and then 0/1 will go to the switch(es).

Hall of Fame Super Blue

Re: 1841 pass through

rkovelman wrote:

Is your router the default-gateway for the server vlan ?

the gateway would be the firewall correct?  firewall->Router->Server

Are all your vlans routed off router ?

Vlan 1 and Vlan 2 are off the router, yes.  All receive the same IP and subnet from the firewall.

The firewall, how is it connected to the router ?

It will be plugged in to 0/0 and then 0/1 will go to the switch(es).

If the firewall is the default-gateway then why bother with the router ?

Also why have 2 vlans on the router and have them using the same IP subnet handed out by the firewall ?

What is the purpose of the router meant to be ?

Jon

New Member

Re: 1841 pass through

The router will be doing DHCP as well, but that can be done with the 1841 if so chosen.

I will be running IP Phones and want them and need them on the same network as the computers.

The router is meant to have the 2 vlans talk to one another.

Hall of Fame Super Blue (Accepted Solution)

Re: 1841 pass through

rkovelman wrote:

The router will be doing DHCP as well, but that can be done with the 1841 if so chosen.

I will be running IP Phones and want them and need them on the same network as the computers.

The router is meant to have the 2 vlans talk to one another.

I think there is some confusion here. You say the router is so the vlans can talk to each other but the vlans' gateway is on the firewall ??

It might help if I showed a typical setup -

switch -> router -> firewall

1) the switch has the vlans defined on it e.g.

vlan 10 = 192.168.5.0/24

vlan 11 = 192.168.6.0/24

2) the connection from the switch to the router is a L2 trunk

3) the router uses subinterfaces on the ethernet connection to the switch (note I'm assuming the switch is L2 only)


int fa0/0.10

encapsulation dot1q 10

ip address 192.168.5.1 255.255.255.0

int fa0/0.11

encapsulation dot1q 11

ip address 192.168.6.1 255.255.255.0


4) on the switch you then assign the relevant ports into either vlan 10 or vlan 11 e.g.

int fa0/1

switchport mode access

switchport access vlan 10

etc.

5) vlan 10 clients have their default-gateway set to 192.168.5.1

   vlan 11 to 192.168.6.1

6) you then connect the router to firewall

router

====

int fa0/1

ip address 192.168.7.1 255.255.255.252

firewall

=====

inside ip address would be 192.168.7.2 255.255.255.252

7) on the firewall you add routes -

route inside 192.168.5.0 255.255.255.0 192.168.7.1

route inside 192.168.6.0 255.255.255.0 192.168.7.1

8) on the router add a default-route to the firewall

ip route 0.0.0.0 0.0.0.0 192.168.7.2

9) use windows server or the router for your DHCP pools

10) setup NAT on the firewall for your 2 internal networks (sounds like you already have this done, but if not) -

firewall

======

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

With the above, vlans 10 & 11 can talk to each other via the router. If you need to give access to a server internally from the internet just setup your static NAT + acl access on the firewall and the firewall will know how to route the traffic to the server.

Jon
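The two routing points Jon makes above (the firewall needs a route to the server vlan via the router, and the router needs a route back to the firewall, normally the default route) can be checked by walking a packet through each device's table. The script below is an added example, not part of the thread; it models the "typical setup" with the thread's subnets (192.168.5.0/24, 192.168.6.0/24, 192.168.7.0/30) and adds assumed host addresses (a server at 192.168.5.10, a PC at 192.168.6.20) and assumed documentation addresses for the firewall's upstream (203.0.113.1) and a remote client (203.0.113.10). Inbound traffic is traced from the firewall with the destination already translated by the firewall's static NAT to the server's inside address; the reply is traced from the server back out. The second router table reproduces the poster's "Gateway of last resort is not set" condition.

```python
import ipaddress

# Constructed topology, following Jon's "typical setup" in the thread:
#   hosts in VLAN 10/11 -> router (fa0/0.10, fa0/0.11) -> fa0/1 <-> firewall inside.
# 192.168.5.0/24, 192.168.6.0/24 and 192.168.7.0/30 are the thread's subnets; the host
# addresses (.5.10 server, .6.20 PC) and the 203.0.113.x addresses are assumptions.
SERVER = {"192.168.5.0/24": "connected", "0.0.0.0/0": "192.168.5.1"}   # VLAN 10 host
PC     = {"192.168.6.0/24": "connected", "0.0.0.0/0": "192.168.6.1"}   # VLAN 11 host
ROUTER_WITH_DEFAULT = {
    "192.168.5.0/24": "connected",    # int fa0/0.10
    "192.168.6.0/24": "connected",    # int fa0/0.11
    "192.168.7.0/30": "connected",    # int fa0/1
    "0.0.0.0/0": "192.168.7.2",       # ip route 0.0.0.0 0.0.0.0 192.168.7.2
}
# Same router but "Gateway of last resort is not set", as in the poster's show ip route.
ROUTER_NO_DEFAULT = {p: n for p, n in ROUTER_WITH_DEFAULT.items() if p != "0.0.0.0/0"}
FIREWALL = {
    "192.168.7.0/30": "connected",    # inside interface, 192.168.7.2/30
    "192.168.5.0/24": "192.168.7.1",  # route inside 192.168.5.0 255.255.255.0 192.168.7.1
    "192.168.6.0/24": "192.168.7.1",  # route inside 192.168.6.0 255.255.255.0 192.168.7.1
    "0.0.0.0/0": "203.0.113.1",       # assumed upstream gateway on the outside interface
}
# Which device answers for which address (hosts, interface addresses, "internet" as a sink).
OWNER = {
    "192.168.5.10": "server", "192.168.6.20": "pc",
    "192.168.5.1": "router", "192.168.6.1": "router", "192.168.7.1": "router",
    "192.168.7.2": "firewall",
    "203.0.113.1": "internet", "203.0.113.10": "internet",
}
TABLES = {"server": SERVER, "pc": PC, "router": ROUTER_WITH_DEFAULT, "firewall": FIREWALL}


def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst ("connected" or an IP), or None."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def trace(tables, start, dst, max_hops=8):
    """Forward a packet hop by hop. Returns (delivered, path); a lookup miss is a drop."""
    path, dev = [start], start
    for _ in range(max_hops):
        hop = lookup(tables[dev], dst)
        if hop is None:
            return False, path + ["DROP: no route to " + dst]
        target = dst if hop == "connected" else hop
        owner = OWNER.get(target)
        if owner is None:
            return False, path + ["DROP: " + target + " not on link"]
        path.append(owner)
        if hop == "connected" or owner not in tables:
            return True, path        # reached the destination host, or handed off-box
        dev = owner
    return False, path + ["DROP: hop limit"]


def check_symmetric(router_table, client="203.0.113.10", server="192.168.5.10"):
    """Inbound (after the firewall's static NAT) firewall->server, and the server's reply."""
    tables = dict(TABLES, router=router_table)
    fwd, _ = trace(tables, "firewall", server)
    ret, _ = trace(tables, "server", client)
    return fwd, ret


if __name__ == "__main__":
    for name, tbl in (("default route set", ROUTER_WITH_DEFAULT),
                      ("no default route", ROUTER_NO_DEFAULT)):
        tables = dict(TABLES, router=tbl)
        print(name, "inbound:", trace(tables, "firewall", "192.168.5.10"))
        print(name, "reply:  ", trace(tables, "server", "203.0.113.10"))
    print("inter-VLAN:", trace(TABLES, "pc", "192.168.5.10"))
```

With the default route in place both directions deliver; without it the inbound packet still reaches the server (the firewall's static routes cover that), but the reply dies on the router, which is exactly the asymmetric failure that looks like "the firewall passes it but the connection never completes".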

New Member

Re: 1841 pass through

Thanks!

Am I to assume you can not have 2 vlans with the same IP pool?  You need to have different ones?

Thanks

Hall of Fame Super Blue

Re: 1841 pass through

rkovelman wrote:

Thanks!

Am I to assume you can not have 2 vlans with the same IP pool?  You need to have different ones?

Thanks

You can have 2 vlans with one IP subnet but it's not good design. The whole purpose of a vlan is to limit the broadcast domain, but by using 2 subnets they are sharing the same broadcast domain, i.e. a broadcast by a client in either subnet is seen by all clients in both subnets.

It can be useful as a temporary device to migrate IP addresses from one range to another but it shouldn't really be seen as a long-term solution.

Jon

New Member

Re: 1841 pass through

Thanks again!

For the most part I am complete; what I am unable to do is add switchport mode access and access vlan 1 and 2 and 3 to int fa0/1.  What is the command for that?  I am able to get into the configuration for int fa0/1 but not switchport.

Hall of Fame Super Blue

Re: 1841 pass through

rkovelman wrote:

Thanks again!

For the most part I am complete; what I am unable to do is add switchport mode access and access vlan 1 and 2 and 3 to int fa0/1.  What is the command for that?  I am able to get into the configuration for int fa0/1 but not switchport.

The switchport commands are on the switch not the router. See the config thread for more details.

Jon

New Member

Re: 1841 pass through

Oh yeah, whoops, got myself confused.

You said to assign relevant ports, but what if you have an Avaya phone for instance with an extra port on the back of it for a computer? So now over the same wire to the switch it's passing both the computer and the VOIP. That port on the switch then becomes or does 2 vlans.  Or maybe what I want is not possible?  Have a switch and router know what vlan to put something on by what it is passing through it?

Hall of Fame Super Blue

Re: 1841 pass through

rkovelman wrote:

Oh yeah, whoops, got myself confused.

You said to assign relevant ports, but what if you have an Avaya phone for instance with an extra port on the back of it for a computer? So now over the same wire to the switch it's passing both the computer and the VOIP. That port on the switch then becomes or does 2 vlans.  Or maybe what I want is not possible?  Have a switch and router know what vlan to put something on by what it is passing through it?

See this thread for how to configure the ports if you have Avaya phones -

https://supportforums.cisco.com/message/316893#316893

Jon

New Member

Re: 1841 pass through

Thanks for the link.

Just for my further clarification:

If you have 2 vlans and each has its own IP range, the router allows the 2 vlans to talk together.  So in essence if I have the 2 separated now (phone and computer network) I could in theory keep it that way but stick the router in between and just make sure the vlans on the switches are both not on vlan 1 as they are by default.

I really want to be able to though plug a computer into the back of the phone and get the right IP and see the network.  Is this possible?  I am not running Cisco Switches but that link helps point in the right direction.

Hall of Fame Super Blue

Re: 1841 pass through


If you have 2 vlans and each has its own IP range, the router allows the 2 vlans to talk together.  So in essence if I have the 2 separated now (phone and computer network) I could in theory keep it that way but stick the router in between and just make sure the vlans on the switches are both not on vlan 1 as they are by default.

Not sure what you mean by this. It's nothing to do with vlan 1. If you have 2 vlans and you connect them to the router with subinterfaces those vlans will be able to communicate with each other. If you don't want them communicating with each other then use access-lists on the subinterfaces.

I really want to be able to though plug a computer into the back of the phone and get the right IP and see the network.  Is this possible?  I am not running Cisco Switches but that link helps point in the right direction.

Can't say for sure with non-Cisco switches but don't see why not. If the DHCP server is on a different vlan than the computer is meant to be in you would need to add this under the subinterface on the router for the computer vlan -

int fa0/0.10

ip helper-address x.x.x.x  <--- where x.x.x.x is the DHCP server address

Jon
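Jon's two closing points interact: an access-list on a subinterface is how you stop the vlans talking, and an inbound access-list on that same subinterface also sees the DHCP broadcasts that ip helper-address is supposed to relay. The script below is an added example, not from the thread, that evaluates a small extended ACL the way IOS does (top-down, first match wins, implicit deny at the end) against a few constructed flows arriving inbound on fa0/0.10. It uses the thread's VLAN 10/11 subnets; the host addresses, ports and the 203.0.113.10 external address are assumptions. The equivalent IOS lines are given in comments; the two "mistake" ACLs show the ordering trap (a permit any first makes the deny unreachable) and the relay trap (no bootp entry, so DHCP DISCOVER from 0.0.0.0 hits the implicit deny and the helper never sees a request).

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
VLAN10 = ipaddress.ip_network("192.168.5.0/24")   # thread's VLAN 10 (fa0/0.10)
VLAN11 = ipaddress.ip_network("192.168.6.0/24")   # thread's VLAN 11 (fa0/0.11)
BCAST = ipaddress.ip_network("255.255.255.255/32")


# One access-control entry: (action, proto, src_net, src_port, dst_net, dst_port);
# None means "any". Evaluated top-down, first match wins, implicit deny at the end,
# which is how an IOS extended ACL behaves.
def ace(action, proto, src, sport=None, dst=ANY, dport=None):
    return (action, proto, src, sport, dst, dport)


# Correct order: DHCP relay traffic first, then the inter-VLAN deny, then everything else.
# Equivalent IOS lines (applied with "ip access-group VLAN10_IN in" under int fa0/0.10):
#   permit udp any eq bootpc host 255.255.255.255 eq bootps
#   deny   ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
#   permit ip 192.168.5.0 0.0.0.255 any
VLAN10_IN = [
    ace("permit", "udp", ANY, 68, BCAST, 67),
    ace("deny", "ip", VLAN10, None, VLAN11, None),
    ace("permit", "ip", VLAN10, None, ANY, None),
]
# Mistake 1: "permit ip any any" placed first; the deny below it can never match.
VLAN10_IN_BAD_ORDER = [ace("permit", "ip", ANY), VLAN10_IN[1]]
# Mistake 2: no bootp entry; a DHCP DISCOVER (source 0.0.0.0, not yet in VLAN10's range)
# falls through to the implicit deny, so "ip helper-address" never relays anything.
VLAN10_IN_NO_DHCP = VLAN10_IN[1:]


def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Return (action, matched_index); index None means the implicit deny fired."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, aproto, asrc, asport, adst, adport) in enumerate(acl):
        if aproto != "ip" and aproto != proto:
            continue
        if s not in asrc or d not in adst:
            continue
        if asport is not None and asport != sport:
            continue
        if adport is not None and adport != dport:
            continue
        return action, i
    return "deny", None


# Constructed sample flows arriving inbound on fa0/0.10: (proto, src, dst, sport, dport).
FLOWS = {
    "vlan10 pc -> vlan11 host (SMB)": ("tcp", "192.168.5.10", "192.168.6.20", 50000, 445),
    "vlan10 pc -> internet via firewall": ("tcp", "192.168.5.10", "203.0.113.10", 50001, 443),
    "dhcp discover (no address yet)": ("udp", "0.0.0.0", "255.255.255.255", 68, 67),
}


def verdicts(acl):
    """Map each sample flow to permit/deny under the given ACL."""
    return {name: evaluate(acl, *flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("correct", VLAN10_IN), ("bad order", VLAN10_IN_BAD_ORDER),
                       ("no dhcp entry", VLAN10_IN_NO_DHCP)):
        print(label, verdicts(acl))
```

Two practical checks follow from this: after applying an ACL, `show ip access-lists` on the router will show hit counts per line, and a deny line that never increments while the permit above it does is the ordering trap; and if clients stop getting leases after the ACL goes on, look for the missing bootp permit before blaming the helper-address.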
