548 Views | 0 Helpful | 6 Replies

Need help Configuring 1720 router

emance
Level 1

Hi,

I have a 1720 that is currently doing NAT to route traffic on a network. I would like to reconfigure the 1720 to route 1 public IP to another, s0.1 to FastEthernet0 (pass through), so I can config a firewall/VPN appliance.

How do I do this?

Thanks for your help.

Eric

Here is my current config:

Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-O3Y-M), Version 12.1(5)T10, RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Wed 08-Aug-01 02:34 by ccai
Image text-base: 0x800080E0, data-base: 0x806F02F4

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)

Duct&Vent uptime is 41 weeks, 2 days, 15 hours, 31 minutes
System returned to ROM by power-on
System image file is "flash:c1700-o3y-mz.121-5.T10.bin"

cisco 1720 (MPC860) processor (revision 0x601) with 24576K/8192K bytes of memory.
Processor board ID JAD053308VL (1149039308), with hardware revision 0000
M860 processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.

Building configuration...

Current configuration : 1880 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
!
hostname Duct&Vent
!
!
memory-size iomem 25
ip subnet-zero
no ip finger
ip name-server 64.69.98.35
ip name-server 64.69.100.68
ip dhcp excluded-address 10.10.1.1
!
!
ip dhcp pool clients
   network 10.0.0.0 255.0.0.0
   default-router 10.0.0.254
   dns-server x.x.x.x
!
ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name internet udp
ip inspect name internet tcp
ip inspect name internet ftp
ip inspect name internet smtp
ip inspect name internet realaudio
ip inspect name internet cuseeme
ip inspect name internet http java-list 99
ip inspect name internet h323
ip inspect name internet rcmd
ip inspect name internet streamworks
ip inspect name internet vdolive
ip inspect name internet tftp
ip inspect name internet sqlnet
ip inspect name internet fragment maximum 256 timeout 1
ip audit notify log
ip audit po max-events 100
!
!
!
interface FastEthernet0
 ip address 10.0.0.254 255.0.0.0
 ip nat inside
 ip inspect internet in
 speed auto
!
interface Serial0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address x.x.x.x x.x.x.x
 ip nat outside
 frame-relay interface-dlci 40 IETF
!
ip nat pool internet 66.152.211.134 66.152.211.134 netmask 255.255.255.248
ip nat inside source list 1 pool internet overload
ip classless


ip route 0.0.0.0 0.0.0.0 Serial0.1
no ip http server
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxxx
 login
!
no scheduler allocate
end

6 Replies

marl.beynon
Level 1

Maybe I misunderstood your objectives a little, and if so then apologies...

But if you just want to route to one IP address out of a different interface, then couldn't you use:

ip route

255.255.255.255

Hi,

Let me start by saying I am not very familiar with the Cisco IOS. What I want to do is probably very simple, but when you don't know what button to push it makes it more difficult.

Above is a snapshot of the current config.

I want to have the Cisco pass traffic to my firewall appliance. It should not do anything else. The 2 interfaces are s0.1 to FastEthernet0. From there I will connect FastEthernet0 to the WAN port on my firewall.

What do I have to remove on the above config and how do I add the static route to the config?

I am sorry I need specific info as I don't usually work on cisco products. I would love to learn but just don't come in contact with the devices.

Thank you for your time,

Eric

At the moment your router is configured to route everything that is not on a directly connected subnet (i.e. 10.0.0.0 or 66.x.x.x) via the serial interface. There is no other routing in place.

From your explanation it seems that your router Fa0/0 will connect straight into the firewall, so anything coming in over the serial link wants to go to the firewall, and anything coming out of the firewall wants to go over the serial link.

I would therefore suggest that on the router you put a static route to all subnets on the other side of the firewall via the IP address of the firewall. So, if the firewall has IP address 10.10.1.1 and protects subnet 11.0.0.0, then add the following:

ip route 11.0.0.0 255.0.0.0 10.10.1.1

You will also want to add a default route on your firewall with a default gateway of the router, 10.0.0.254 I believe.

Your config already has the classless default route of:

ip route 0.0.0.0 0.0.0.0 serial0.1

so all traffic coming out of the firewall will be sent via the serial interface as wanted.

This is based on my understanding of what you have and what you want, so please check through it.

This is how I usually do it, but the T1 provider usually sets up the router. In this case I am being asked to make the adjustments. I have a block of IPs:

Cisco 1720 -

s0.1 IP 66.152.211.129

FastEthernet0 IP 66.152.211.130

connect FE0 to WAN on Firewall

WAN IP 66.152.211.131

NAT

LAN IP(Gateway)10.0.0.254

The cisco should just pass traffic.

Thanks for your help,

Eric

A few observations...

First it looks like you are running IOS based Firewall software on your router but it isn't configured correctly. Not sure if you were aware of that or not...

Your main issue is how to use your legal block of IPs. Your ISP is using your whole IP block on the serial interface of your router. This leaves no more legal IPs for you to use on your firewall for NATing etc.

"s0.1 IP 66.152.211.129

FastEthernet0 IP 66.152.211.130 "

You won't be able to do this. Both of these IPs are on the same subnet. Router IP interfaces have to be in different subnets.

You could ask your ISP to give you a separate block of IPs (a small subnet like x.x.x.x 255.255.255.252, also called a /30 - "slash 30") to be used on your WAN (s0.1) interface so you can use your assigned block of IPs behind your router.

After you've done that, depending on your firewall and what you would like to do you could:

Choice A - assign your block of IPs on the FA0 link to your firewall

OR

Choice B - assign a made up block of IPs on your FA0 link like 192.168.10.x and add a route on the router to your legal block via the firewall.

Then on the firewall do your NAT etc...

Let's say you've worked with the ISP and have a /30 (255.255.255.252) new "mini-subnet" on your serial link. You must now choose one of the following:

Choice A:

On router:

s0.1

IP x.x.x.x 255.255.255.252 -> new ISP assigned block

Fa0

IP 66.152.211.129 255.255.255.248

On firewall:

interface going to router fa0:

ip address 66.152.211.130 255.255.255.248

interface facing LAN

ip address 10.0.0.254 255.0.0.0

ip route 0.0.0.0 0.0.0.0 66.152.211.129 ->default route pointing to router

Then configure your firewall for NAT, etc...

Choice B:

On router:

s0.1

IP x.x.x.x 255.255.255.252 -> new ISP assigned block

Fa0

IP 192.168.10.1 255.255.255.0

ip route 66.152.211.128 255.255.255.248 192.168.10.2 -> route pointing to your legal IP block via firewall

On firewall:

interface going to router fa0:

ip address 192.168.10.2 255.255.255.0

interface facing LAN

ip address 10.0.0.254 255.0.0.0

ip route 0.0.0.0 0.0.0.0 192.168.10.1 ->default route pointing to router

You should then also remove the following from router:

int fa0

ip nat inside -> External Firewall will do NAT

ip inspect internet in -> Not needed since you have an external firewall

int s0.1

ip nat outside -> External Firewall will do NAT

Then configure your firewall for NAT, etc...

-HTH
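The two points the replies above turn on are (1) a router cannot have two interfaces in the same subnet, which is why the /30 from the ISP is needed, and (2) a static route's next hop only works if it sits on a directly connected subnet, which is what marl.beynon's `ip route 11.0.0.0 255.0.0.0 10.10.1.1` suggestion and Choice B's `ip route 66.152.211.128 ... 192.168.10.2` both depend on. The Python below is an added example written for this thread, not code from the poster or from Cisco: it checks each address plan for overlap, checks next-hop reachability, and lists the NAT and inspect lines to remove once an external firewall takes over (going slightly beyond the post by also flagging the global `ip nat` statements). The 66.152.211.128/29, 192.168.10.0/24 and 10.0.0.0/8 prefixes come from the thread; `198.51.100.0/30` is an assumed stand-in for the ISP-assigned /30, and the sample running-config is constructed to resemble the one posted.

```python
"""Sanity checks for the router/firewall address plans discussed in the thread.

Added example; not part of the original post and not Cisco tooling.
198.51.100.0/30 is an assumed stand-in for the ISP-assigned /30, and
SAMPLE_CONFIG is a constructed fragment modelled on the posted config.
"""
import ipaddress
import re


def check_plan(interfaces):
    """Validate a router's interface addressing.

    interfaces maps interface name -> 'address/prefixlen'. Returns a list of
    problem strings; an empty list means the plan is consistent. Two routed
    interfaces on one router must not share or overlap a subnet, and each
    address must be a usable host of its subnet (not network or broadcast).
    """
    nets = {name: ipaddress.ip_interface(addr) for name, addr in interfaces.items()}
    problems = []
    for name, iface in nets.items():
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} ({iface}) uses the network or broadcast address")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].network.overlaps(nets[b].network):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def connected_via(interfaces, next_hop):
    """Return the interfaces whose connected subnet contains next_hop.

    A static route's next hop must be on a directly connected subnet; an
    empty result means the route could never be used.
    """
    hop = ipaddress.ip_address(next_hop)
    return [name for name, addr in interfaces.items()
            if hop in ipaddress.ip_interface(addr).network]


def nat_and_inspect_lines(config):
    """Find NAT and CBAC inspect statements an external firewall makes redundant.

    Walks an IOS running-config (sub-commands indented by one space, '!' ends
    a block) and returns (interface, command) pairs; global 'ip nat' lines are
    reported under the pseudo-interface '(global)'.
    """
    found = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split()[1]            # 'Serial0.1 point-to-point' -> 'Serial0.1'
            continue
        if not raw.startswith(" "):             # top-level line: interface sub-mode is over
            current = None
            if raw.startswith("ip nat "):
                found.append(("(global)", raw.strip()))
            continue
        cmd = raw.strip()
        if current and (cmd.startswith("ip nat ") or re.fullmatch(r"ip inspect \S+ (in|out)", cmd)):
            found.append((current, cmd))
    return found


# Eric's proposal: both router interfaces inside the same /29 (not workable).
ERIC_PLAN = {"Serial0.1": "66.152.211.129/29", "FastEthernet0": "66.152.211.130/29"}
# Choice A: assumed ISP /30 on the serial link, the /29 on Fa0 toward the firewall.
CHOICE_A = {"Serial0.1": "198.51.100.2/30", "FastEthernet0": "66.152.211.129/29"}
# Choice B: assumed ISP /30 on the serial link, a private transit /24 on Fa0.
CHOICE_B = {"Serial0.1": "198.51.100.2/30", "FastEthernet0": "192.168.10.1/24"}

# Constructed fragment in the shape of the posted running-config.
SAMPLE_CONFIG = """\
interface FastEthernet0
 ip address 10.0.0.254 255.0.0.0
 ip nat inside
 ip inspect internet in
 speed auto
!
interface Serial0.1 point-to-point
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 40 IETF
!
ip nat inside source list 1 pool internet overload
"""

if __name__ == "__main__":
    for label, plan in [("Eric's plan", ERIC_PLAN), ("Choice A", CHOICE_A), ("Choice B", CHOICE_B)]:
        print(f"{label}: {check_plan(plan) or 'OK'}")
    # Choice B's route to the /29 via the firewall needs 192.168.10.2 on a connected subnet.
    print("192.168.10.2 reachable under Choice B via:", connected_via(CHOICE_B, "192.168.10.2"))
    # The earlier next-hop suggestion of 10.10.1.1 assumed 10.0.0.0/8 stays on the router.
    print("10.10.1.1 reachable under Choice A via:", connected_via(CHOICE_A, "10.10.1.1"))
    for iface, cmd in nat_and_inspect_lines(SAMPLE_CONFIG):
        print(f"remove from {iface}: {cmd}")
```

Running it reports the overlap in Eric's plan, a clean result for Choice A and Choice B, the firewall next hop reachable through FastEthernet0 under Choice B, and the `ip nat inside`, `ip inspect internet in`, `ip nat outside` and global `ip nat inside source` lines to take out of the router once the firewall does NAT.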

Thanks,

This is exactly the info I needed.

Choice A would be ideal. I will give the ISP a call now that I know what I need.

Thanks again for the info.

Eric
