I am installing a 1721 router for a customer. The customer is getting a T1 to connect to the internet. The ISP is providing addressing for the router. In the data is the public address that I need to configure on the Serial 0 interface. They have also provided the next hop to their network. All is well.
Herein lies my issue:
For the inside, they have provided the following:
Network address: 220.127.116.11/29
Broadcast address: 18.104.22.168/29
They have indicated that I should use 22.214.171.124 as my E0 address. Effectively this means I need to use the remaining 5 available addresses for my clients. And this also means that my clients will be exposed to the public.
I would rather use an IANA class C address inside (ex. 192.168.5.0/24). Why do I have to use the pool they are giving me? Can I not simply configure 192.168.5.1 as my E0 interface, and then use 192.168.5.2 and do dynamic NAT overload to that address? And then set up DHCP on the router to hand out a pool of addresses to my few inside clients??
Usually ISPs assign you two public blocks, one for the WAN side (/30 mask typically) and another block for your inside LAN. Usually between your private network and the Internet router, there will be a firewall which protects the network. The firewall would also do NAT (rather than doing it at the router). For this the firewall needs a public IP (say 126.96.36.199/29) on the outside interface. Also an IP (188.8.131.52) would need to be configured on the router's ethernet interface. The firewall's inside interface can be configured as 192.168.5.1 with the hosts having IP addresses from the 192.168.5.0 network.
If you do not plan to use any firewall (but plan to use an IOS based firewall on the router - which is recommended) then you can request the ISP to remove this IP block from their routing table (This will also save you money, if you are paying additional money/month for that pool of public IPs).
If you do intend to use a web server or a vpn concentrator, which needs to be accessed from the Internet, you will need this IP block.
Hope that helps!
PS: It's advisable to mask the IPs assigned to your company while posting in a public forum like Netpro.
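The setup discussed above (private 192.168.5.0/24 inside, NAT overload and DHCP on the router, IOS firewall inspection on the WAN link), as an added configuration sketch that is not part of either post. Interface names follow the question's "Serial 0" and "E0" and may differ on the actual hardware; `<WAN_IP>`, `<WAN_MASK>` and `<ISP_NEXT_HOP>` are placeholders for the ISP-assigned values; the pool, ACL numbers and inspection name `FW` are assumptions; and the `ip inspect` lines only exist in an image with the firewall feature set.

```ios
! Added example: hand out private addresses to the inside clients
ip dhcp excluded-address 192.168.5.1 192.168.5.10
ip dhcp pool LAN
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
!
! Stateful inspection (CBAC) of sessions that start from the inside;
! requires an IOS image with the firewall feature set
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
interface Ethernet0
 description Inside LAN (private addressing)
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description T1 to ISP
 ip address <WAN_IP> <WAN_MASK>
 ip nat outside
 ! Drop unsolicited inbound traffic; CBAC opens return paths dynamically
 ip access-group 101 in
 ip inspect FW out
!
! Default route to the next hop the ISP provided
ip route 0.0.0.0 0.0.0.0 <ISP_NEXT_HOP>
!
! ACL 1 selects the inside hosts that are translated
access-list 1 permit 192.168.5.0 0.0.0.255
! ACL 101 is the inbound filter on the WAN interface
access-list 101 deny ip any any
!
! Port address translation: all inside hosts share the Serial0 address
ip nat inside source list 1 interface Serial0 overload
```

NAT overload on its own only hides the inside addresses; the inbound ACL together with inspection is what actually filters traffic arriving from the Internet. `show ip nat translations` and `show ip inspect sessions` confirm that both are active.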
I searched the Cisco Web for information regarding "configuring firewall features on the 1700 series" and came up blank. I am not certain how to tell if I have the correct IOS to even run the Stateful inspection type features; how can I tell?
I went to the Software Center, and was able to pull down a Feature set that had FW in the chain, but I am still not sure if this is correct because it had ADSL in the chain also, and we are getting a T-1...
I also remember using the configuration tool, and I had thought that it was a separate purchase for the IOS containing the Firewall and IDS mechanisms...