Preamble: I'm studying for CCNA, but I'm jumping ahead a little to get my home internet coming in through a Cisco router. I understand the basic ideas but obviously not enough...
My current setup
I have a /29 subnet through ADSL, with a noname modem/router in a sort-of half bridge mode, followed by an OpenBSD box doing firewall and routing duties. Let's say my public network is 22.214.171.124/29.
The BSD box has a public IP, 126.96.36.199, on interface FE0 and uses the modem as default gateway (188.8.131.52).
The BSD box performs NAT overload with 184.108.40.206 for the internal network 192.168.0.0/24 on interface FE1 (192.168.0.1)
It also transparently bridges FE0 with FE2, allowing servers on that separate network to have public IP addresses.
The benefit of that is it allows full firewalling of all traffic from FE0 to FE2 (and vice versa of course), so the servers with the public addresses are protected.
Finally, I have a separate software router on a VMware ESXi host, connected to the public network (220.127.116.11, gateway 18.104.22.168) behind the BSD box. This runs pfSense and connects to one of those 'internet privacy' VPN services. It also performs NAT overload going out through that VPN, with the inside interface connected to the same 192.168.0.0 network as the BSD box. pfSense's address there is 192.168.0.2.
This allows me to configure a PC to go out through the VPN, instead of directly through the BSD box, by simply changing the PC's default gateway from 192.168.0.1 to 192.168.0.2.
That was all trivial to set up and works perfectly.
What I'm trying to do, and so far not succeeding
I want to replicate the above with my Cisco kit. I have an 1801, but am trying it all out on a 2811 first, with the outside connected into the 22.214.171.124 network behind the BSD box instead of an actual ADSL WAN interface. That way, I can play about without breaching my security, and don't keep losing my internet connection when I get it wrong. I am trying to put the inside interfaces (192.168.0.0 and 126.96.36.199) on VLANs on the remaining physical interface.
Is it possible to do the above with a 2811?
Could anyone point me in the right direction? At least for the main NAT and bridging parts. I guess the VPN would need to be done on a separate VLAN if done on the same router, rather than having another IP address in the same network.
I've tried a few things. Getting NAT to work alone is easy, but I can't get the bridging to work. I've tried setting IRB and a BVI interface but simply lost connection to the outside interface. I'm not sure that is exactly relevant to what I want to achieve.
Any ideas folks? Am I heading in the right direction?
In the meantime, I'll keep playing...
Edit - Update:
This is getting to be a habit - I keep finding answers myself (after trying for ages) as soon as I ask for help.
I was doing it roughly correctly; the only thing I did differently this time was that I created the BVI (and tested it) before doing the NAT configuration. That, and I entered 'bridge 1 route ip', which I thought was done automatically by enabling IRB. Anyway, this time it all worked: NAT and bridging, from one interface, out of another interface now in VLANs.
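For reference, here is a complete IOS configuration that implements what the update describes: IRB with a BVI carrying the router's public address and `bridge 1 route ip` set explicitly, the WAN port and a server VLAN placed in the same bridge group so the servers sit on the public /29 transparently, and NAT overload from a second, routed VLAN out through the BVI. This is an added example, not the poster's configuration; the interface names (Fa0/0 outside, Fa0/1 with dot1Q subinterfaces for VLANs 10 and 20), the VLAN numbers, and the 203.0.113.0/29 public block with 203.0.113.1 as the upstream gateway are assumptions chosen for illustration, so substitute your own.

```cisco
! Added example, not the original poster's config. Assumed layout:
!   Fa0/0      = outside (toward the modem / BSD box), bridged
!   Fa0/1.10   = server VLAN, bridged onto the public /29
!   Fa0/1.20   = inside LAN 192.168.0.0/24, NAT overload
! Public addresses are RFC 5737 documentation placeholders.
!
! IRB itself only lets bridge groups talk to the routing engine.
! Without "bridge 1 route ip" the BVI never routes IP for group 1.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface FastEthernet0/0
 description Outside - member of bridge group 1, no IP of its own
 no ip address
 bridge-group 1
 no shutdown
!
interface FastEthernet0/1
 description Trunk toward the inside switch (VLANs 10 and 20)
 no ip address
 no shutdown
!
interface FastEthernet0/1.10
 description Server VLAN - same bridge group as the WAN port
 encapsulation dot1Q 10
 no ip address
 bridge-group 1
!
interface FastEthernet0/1.20
 description Inside LAN - routed, NAT inside
 encapsulation dot1Q 20
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
! The BVI is the router's own presence on the bridged public /29.
! It carries the public IP, is the NAT outside interface, and is
! where the default route's next hop is reachable.
interface BVI1
 description Router public address on the bridged /29
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
ip access-list standard LAN-TO-NAT
 permit 192.168.0.0 0.0.0.255
!
! Overload (PAT) the inside LAN behind the BVI's public address.
ip nat inside source list LAN-TO-NAT interface BVI1 overload
```

Bring the bridge up and confirm it before adding the NAT lines, as the update suggests: `show bridge 1` should list MAC addresses learned on both Fa0/0 and Fa0/1.10, and a ping from the router to 203.0.113.1 sourced from BVI1 proves the routed side works; only then does `show ip nat translations` become meaningful. One caveat a practitioner should keep in mind: unlike the pf setup in the original, this configuration contains no filtering at all, so the server VLAN is a plain layer-2 extension of the WAN segment and anything on the /29 can reach the servers directly until you add access lists.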