02-04-2004 07:20 AM - edited 03-02-2019 01:21 PM
Hi,
I have a 1720 that is currently doing NAT to route traffic on a network. I would like to reconfigure the 1720 to route 1 public IP to another s0.1 to FastEthernet0 (pass through) so I can config a firewall/VPN appliance.
How do I do this?
Thanks for your help.
Eric
Here is my current config:
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-O3Y-M), Version 12.1(5)T10, RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Wed 08-Aug-01 02:34 by ccai
Image text-base: 0x800080E0, data-base: 0x806F02F4
ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
Duct&Vent uptime is 41 weeks, 2 days, 15 hours, 31 minutes
System returned to ROM by power-on
System image file is "flash:c1700-o3y-mz.121-5.T10.bin"
cisco 1720 (MPC860) processor (revision 0x601) with 24576K/8192K bytes of memory.
Processor board ID JAD053308VL (1149039308), with hardware revision 0000
M860 processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
Building configuration...
Current configuration : 1880 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
!
hostname Duct&Vent
!
!
memory-size iomem 25
ip subnet-zero
no ip finger
ip name-server 64.69.98.35
ip name-server 64.69.100.68
ip dhcp excluded-address 10.10.1.1
!
!
ip dhcp pool clients
network 10.0.0.0 255.0.0.0
default-router 10.0.0.254
dns-server x.x.x.x
!
ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name internet udp
ip inspect name internet tcp
ip inspect name internet ftp
ip inspect name internet smtp
ip inspect name internet realaudio
ip inspect name internet cuseeme
ip inspect name internet http java-list 99
ip inspect name internet h323
ip inspect name internet rcmd
ip inspect name internet streamworks
ip inspect name internet vdolive
ip inspect name internet tftp
ip inspect name internet sqlnet
ip inspect name internet fragment maximum 256 timeout 1
ip audit notify log
ip audit po max-events 100
!
!
!
interface FastEthernet0
ip address 10.0.0.254 255.0.0.0
ip nat inside
ip inspect internet in
speed auto
!
interface Serial0
no ip address
encapsulation frame-relay
frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
ip address x.x.x.x x.x.x.x
ip nat outside
frame-relay interface-dlci 40 IETF
!
ip nat pool internet 66.152.211.134 66.152.211.134 netmask 255.255.255.248
ip nat inside source list 1 pool internet overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
no ip http server
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
line con 0
transport input none
line aux 0
line vty 0 4
password xxxx
login
!
no scheduler allocate
end
02-05-2004 01:07 AM
Maybe I misunderstood your objectives a little, and if so then apologies...
but if you just want to route to one IP address out of a different interface, then couldn't you use:
ip route
255.255.255.255
02-05-2004 03:14 AM
Hi,
Let me start by saying I am not very familiar with the cisco IOS. What I want to do is probably very simple but when you don't know what button to push it makes it more difficult.
Above is a snapshot of the current config.
I want to have the cisco pass traffic to my firewall appliance. It should not do anything else. The 2 interfaces are s0.1 to fastethernet0. From there I will connect fastethernet0 to the WAN port on my firewall.
What do I have to remove on the above config and how do I add the static route to the config?
I am sorry, I need specific info as I don't usually work on Cisco products. I would love to learn but just don't come in contact with the devices.
Thank you for your time,
Eric
02-05-2004 03:52 AM
At the moment your router is configured to route everything that is not on a directly connected subnet (i.e. 10.0.0.0 or 66.x.x.x) via the serial interface. There is no other routing in place.
From your explanation it seems that your router Fa0/0 will connect straight into the firewall, so anything coming in over the serial link wants to go to the firewall, and anything coming out of the firewall wants to go over the serial link.
I would therefore suggest that on the router you put a static route to all subnets on the other side of the firewall via the IP address of the firewall. So, if the firewall has IP address 10.10.1.1 and protects subnet 11.0.0.0, then add the following:
ip route 11.0.0.0 255.0.0.0 10.10.1.1
You will also want to add a default route on your firewall with a default gateway of the router, 10.0.0.254 I believe.
Your config already has the classless default route of:
ip route 0.0.0.0 0.0.0.0 serial0.1
so all traffic coming out of the firewall will be sent via the serial interface as wanted.
This is based on my understanding of what you have and what you want, so please check through it.
02-05-2004 05:44 AM
This is how I usually do it, but the T1 provider usually sets up the router. In this case I am being asked to make the adjustments. I have a block of IPs:
Cisco 1720 -
s0.1 IP 66.152.211.129
FastEthernet0 IP 66.152.211.130
connect FE0 to WAN on Firewall
WAN IP 66.152.211.131
NAT
LAN IP(Gateway)10.0.0.254
The cisco should just pass traffic.
Thanks for your help,
Eric
02-05-2004 08:08 AM
A few observations...
First it looks like you are running IOS based Firewall software on your router but it isn't configured correctly. Not sure if you were aware of that or not...
Your main issue is how to use your legal block of IPs. Your ISP is using your whole IP block on the serial interface of your router. This leaves no more legal IPs for you to use on your firewall for NATing etc.
"s0.1 IP 66.152.211.129
FastEthernet0 IP 66.152.211.130 "
You won't be able to do this. Both of these IPs are on the same subnet. Router IP interfaces have to be in different subnets.
You could ask your ISP to give you a separate block of IPs (a small subnet like x.x.x.x 255.255.255.252, also called a /30 - "slash 30") to be used on your WAN (s0.1) interface so you can use your assigned block of IPs behind your router.
After you've done that, depending on your firewall and what you would like to do you could:
Choice A - assign your block of IPs on the FA0 link to your firewall
OR
Choice B - assign a made up block of IPs on your FA0 link like 192.168.10.x and add a route on the router to your legal block via the firewall.
Then on the firewall do your NAT etc...
Let's say you've worked with the ISP and have a /30 (255.255.255.252) new "mini-subnet" on your serial link. You must now choose one of the following:
Choice A:
On router:
s0.1
IP x.x.x.x 255.255.255.252 -> new ISP assigned block
Fa0
IP 66.152.211.129 255.255.255.248
On firewall:
interface going to router fa0:
ip address 66.152.211.130 255.255.255.248
interface facing LAN
ip address 10.0.0.254 255.0.0.0
ip route 0.0.0.0 0.0.0.0 66.152.211.129 ->default route pointing to router
Then configure your firewall for NAT, etc...
Choice B:
On router:
s0.1
IP x.x.x.x 255.255.255.252 -> new ISP assigned block
Fa0
IP 192.168.10.1 255.255.255.0
ip route 66.152.211.128 255.255.255.248 192.168.10.2 -> route pointing to your legal IP block via firewall
On firewall:
interface going to router fa0:
ip address 192.168.10.2 255.255.255.0
interface facing LAN
ip address 10.0.0.254 255.0.0.0
ip route 0.0.0.0 0.0.0.0 192.168.10.1 ->default route pointing to router
You should then also remove the following from router:
int fa0
ip nat inside -> External Firewall will do NAT
ip inspect internet in -> Not needed since you have an external firewall
int s0.1
ip nat outside -> External Firewall will do NAT
Then configure your firewall for NAT, etc...
-HTH
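As an added example, not code from the thread or from any of its posters, the following Python script checks the two addressing rules the reply above relies on (the interfaces of one router must sit in different, non-overlapping subnets; a static route's next hop must lie in a connected subnet) against Eric's original proposal and against Choice A and Choice B. The real ISP /30 is not known yet, so 203.0.113.0/30 from the documentation range is assumed as a placeholder; the function and variable names are the example's own.

```python
"""Added example, not part of the thread: sanity-check a router/firewall
addressing plan with the standard-library ipaddress module.

It encodes two rules from the reply above:
  1. a router's interfaces must sit in distinct, non-overlapping subnets
     (why "s0.1 66.152.211.129 / Fa0 66.152.211.130" cannot work);
  2. a static route's next hop must be inside a connected subnet, and the
     routed destination must not itself be a connected subnet.

Addresses quoted in the thread are reused; the ISP /30 is not known, so
203.0.113.0/30 (documentation range) stands in as an assumed placeholder.
"""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

Plan = Dict[str, str]    # interface name -> "address/prefixlen"
Route = Tuple[str, str]  # ("destination/prefixlen", "next-hop address")


def overlapping_interfaces(plan: Plan) -> List[Tuple[str, str]]:
    """Pairs of interfaces whose connected subnets overlap (sorted by name)."""
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def next_hop_interface(plan: Plan, next_hop: str) -> Optional[str]:
    """Interface whose connected subnet contains next_hop, or None if unreachable."""
    hop = ipaddress.ip_address(next_hop)
    for name, cidr in plan.items():
        if hop in ipaddress.ip_interface(cidr).network:
            return name
    return None


def check_plan(plan: Plan, static_routes: Sequence[Route] = ()) -> List[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems = [f"{a} and {b} share a subnet" for a, b in overlapping_interfaces(plan)]
    for dest, hop in static_routes:
        if next_hop_interface(plan, hop) is None:
            problems.append(f"route to {dest}: next hop {hop} is not on a connected subnet")
        dest_net = ipaddress.ip_network(dest)
        for name, cidr in plan.items():
            if dest_net.overlaps(ipaddress.ip_interface(cidr).network):
                problems.append(f"route to {dest} overlaps connected subnet on {name}")
    return problems


# Eric's proposal: both router interfaces inside the same legal /29
ORIGINAL: Plan = {"Serial0.1": "66.152.211.129/29", "FastEthernet0": "66.152.211.130/29"}
# Choice A: assumed ISP /30 on serial, the legal /29 on Fa0 facing the firewall
CHOICE_A: Plan = {"Serial0.1": "203.0.113.2/30", "FastEthernet0": "66.152.211.129/29"}
# Choice B: assumed ISP /30 on serial, private /24 on Fa0, legal /29 routed via the firewall
CHOICE_B: Plan = {"Serial0.1": "203.0.113.2/30", "FastEthernet0": "192.168.10.1/24"}
CHOICE_B_ROUTE: Route = ("66.152.211.128/29", "192.168.10.2")

if __name__ == "__main__":
    for label, plan, routes in (("original", ORIGINAL, ()),
                                ("choice A", CHOICE_A, ()),
                                ("choice B", CHOICE_B, (CHOICE_B_ROUTE,))):
        print(label, "->", check_plan(plan, routes) or "OK")
```

Run as-is, the original proposal is reported as "FastEthernet0 and Serial0.1 share a subnet" while Choice A and Choice B (with its static route) come back clean; the same check also catches the mistake of adding the Choice B route to a Choice A plan, where the next hop is unreachable and the destination is already a connected subnet.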
02-05-2004 09:10 AM
Thanks,
This is exactly the info I needed.
Choice A would be ideal. I will give the ISP a call now that I know what I need.
Thanks again for the info.
Eric