New T1

mjacobsen
Level 1

Hi All,

Could someone point me to the resources (e.g. setup, specific commands) for configuring a new full T1 line? I am getting one tomorrow, because of a change in ISP, and need to know how to configure it. I have a Cisco 1720 router, as well as a PIX 515. I know how to get on them, and into the privileged and config modes. How do I change the public addresses in the access lists? According to my ISP, they will provide 14 public addresses, which will be statically routed to my WAN interface. Encapsulation is PPP; CSU information is as follows: framing = ESF; line code = B8ZS; clock source = Network/Line. I have an external CSU/DSU currently connected to the router with a 256K frame relay line. Also, as far as DNS, I have an external authoritative provider. I know I need to tell them which (public) addresses to use for what DNS records, as well as the backup MX. The firewall also has a VPN. Also, a DMZ is set up with a mail server, web server and virus gateway. How does NAT play into the overall setup? Is there anything else I will need to do? My ISP has also asked me if I need BGP; I only need this if I am wanting to filter traffic from two ISPs, correct? What else would I want/need this for? What are other considerations here? Specifics would be great, because I have not done this on my own. Thanks.

2 Replies

jamey
Level 4

1. The T1:

If the 1720 is currently providing service to a frame network and you connect the T1 to this same 1720, that frame network will be "outside" of the PIX firewall protection if you connect the 1720 ethernet to the PIX outside interface.

Ideally, you'd have something like this:

```
ISP
 |
router 1720
 |
PIX--DMZ
 |
internal router---frame relay net
 |
internal network
```

I suspect you are planning on doing this:

```
ISP-router-frame relay network
 |
PIX--DMZ
 |
internal network
```

If you do, you may have to use some ACLs/NAT to protect the frame relay hosts.

What kind of CSU do you have? What type of WIC do you have in the 1720? If you have a CSU that can handle multiple T1s and also has multiple data ports, you can connect a WIC-1T from the 1720 via a V.35 cable to the CSU. Then connect the T1 to a free NI port on the CSU. If you have an internal CSU on the 1720, just connect the T1 right into it. The default settings on an internal CSU should be fine.

2. NAT

You should probably do NAT on the PIX like this:

```
ISP--1720--PIX-
            |
           DMZ
```

- subnet1 = probably ISP assigned /30 (255.255.255.252)
- subnet2 = you can make one up there like 192.168.10.0/24. Be sure to add a static route on the 1720 for your ISP assigned subnet to go via the PIX, e.g. the 1720 eth0 is 192.168.10.1, the PIX outside is 192.168.10.2 and your ISP assigned subnet is x.x.x.x 255.255.255.240; add a static route on the 1720: `ip route x.x.x.x 255.255.255.240 192.168.10.2`
- your internal network
- a made up subnet like 192.168.20.0 255.255.255.0

If you use the 192.168.10.x subnet between the 1720 eth and the PIX outside, you'll have something like this on the PIX:

PIX interfaces (10.0.0.0/24 is your private internal subnet):

```
ip address outside 192.168.10.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.20.1 255.255.255.0
```

Do NAT. Everything from inside and from the dmz is translated; the outside global is PAT, so choose one of your legal assigned IPs for overload (one that is not used by a static below), and the dmz global is a pool on the DMZ subnet for inside hosts talking to the DMZ:

```
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 192.168.20.0 255.255.255.0
global (outside) 1 x.x.x.4
global (dmz) 1 192.168.20.100-192.168.20.200 netmask 255.255.255.0
```

Give your servers labels (keep them off the PIX's own dmz address, 192.168.20.1):

```
name 192.168.20.11 mail
name 192.168.20.12 web
name 192.168.20.13 virus
```

One-to-one NAT for the mail, www and virus servers:

```
static (dmz,outside) x.x.x.1 mail
static (dmz,outside) x.x.x.2 web
static (dmz,outside) x.x.x.3 virus
```

Take care of allowing SMTP/www inbound to the dmz:

```
access-list aclt permit tcp any host x.x.x.1 eq 25
access-list aclt permit tcp any host x.x.x.2 eq 80
access-group aclt in interface outside
```

Take care of the default route:

```
route outside 0.0.0.0 0.0.0.0 192.168.10.1
```

Allow telnet into the PIX from your PC behind it (or whatever your PC's address is), and configure the telnet and enable passwords:

```
telnet 10.0.0.100 255.255.255.255
enable password xxxxx
passwd xxxxx
```

You don't need BGP.

I think the biggest thing is if the 1720 is going to be your Internet router *and* the frame router.

I think once you get all that up, you could start on the VPN solutions:

http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration

and

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/index.htm

-HTH

I'm assuming that since you have an external CSU/DSU there isn't one in the 1720, and that you are using a regular serial interface with a 50-pin to V.35 cable. If this is the case, you will have to change the number of channels in the CSU/DSU from 4 to 24. Depending on the type of CSU, this can be done from DIP switches (e.g. Kentrox), from front push buttons (e.g. AT&T 3160, I believe), or from a console cable (e.g. Digital Link). On the router, you will need to change the encapsulation from frame to PPP. I'm also assuming that the ISP is expecting you to use unnumbered on the serial interface, thereby putting one of your 14 addresses on the Ethernet of the router, another on the external interface of the PIX, then having a few for the NAT range and a few for static mappings.
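For the 1720 side that both replies describe (serial interface switched from frame relay to PPP, static route for the ISP block towards the PIX), here is an added example config that is not from either reply. It follows jamey's addressing plan and assumes a WIC-1T on Serial0 cabled to the external CSU/DSU, an ISP /30 on the T1 (placeholders p.p.p.1 for the ISP end and p.p.p.2 for yours), 192.168.10.0/24 between the 1720 and the PIX outside, and the ISP /28 (placeholder x.x.x.0/28) routed to the PIX; the inbound anti-spoofing ACL is the extra piece a practitioner would want on the Internet-facing interface.

```cisco
! Added example, not from either reply. Assumptions: WIC-1T in Serial0 cabled
! to the external CSU/DSU, ISP /30 on the T1 (p.p.p.1 = ISP end, p.p.p.2 = ours),
! 192.168.10.0/24 between the 1720 and the PIX outside, ISP /28 x.x.x.0/28 routed
! to the PIX at 192.168.10.2. Replace the placeholders with your real addresses.
hostname r1720
!
interface FastEthernet0
 description towards PIX outside (192.168.10.2)
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
interface Serial0
 description T1 to ISP via external CSU/DSU (V.35); was frame relay
 encapsulation ppp
 ip address p.p.p.2 255.255.255.252
 ip access-group FROM-ISP in
 no shutdown
!
! Default route out the T1; the ISP-assigned /28 lives behind the PIX.
ip route 0.0.0.0 0.0.0.0 Serial0
ip route x.x.x.0 255.255.255.240 192.168.10.2
!
! Anti-spoofing on the Internet-facing interface: drop inbound packets that
! claim a source in our own public block, the 1720-PIX link, or RFC 1918 space.
ip access-list extended FROM-ISP
 deny   ip x.x.x.0 0.0.0.15 any
 deny   ip 192.168.10.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
! Keep the router's own management plane off the Internet.
no ip http server
```

If the ISP instead wants `ip unnumbered FastEthernet0` on Serial0 (the second reply's assumption), drop the serial `ip address` line, put one of the 14 public addresses on FastEthernet0, and the static route for the /28 is no longer needed on the 1720.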
