Could someone point me to the resources (e.g. setup, specific commands) for configuring a new full T1 line? I am getting one tomorrow, because of a change in ISP, and need to know how to configure it. I have a Cisco 1720 router, as well as a PIX 515. I know how to get on them, and into the privileged and config modes. How do I change the public addresses in the access lists? According to my ISP, they will provide 14 public addresses, which will be statically routed to my WAN interface. Encapsulation is PPP, CSU information is as follows: framing= ESP; line code= B8ZS; clock source=Network/Line. I have an external CSU/DSU currently connected to the router with a 256 frame relay line. Also, as far as the DNS, I have an external authoritative provider. I know I need to tell them which (public) addresses to use for what DNS records, as well as the backup MX. The firewall also has a VPN. Also a DMZ is set up with a mail server, web server, and virus gateway. How does NAT play into the overall setup? Is there anything else I will need to do? My ISP has also asked me if I need BGP; I only need this if I am wanting to filter traffic from two ISPs, correct? What else would I want/need this for? What are other considerations here? Specifics would be great, because I have not done this on my own. Thanks.
If the 1720 is currently providing service to a frame network and you connect the T1 to this same 1720, that frame network will be "outside" of the PIX firewall protection if you connect the 1720 ethernet to the PIX outside interface.
Ideally, you'd have something like this:
internal router---frame relay net
I suspect you are planning on doing this:
ISP-router-frame relay network
If you do, you may have to use some ACLs/NAT to protect the frame relay hosts.
What kind of CSU do you have? What type of WIC do you have in the 1720? If you have a CSU that can handle multiple T1s and also has multiple data ports, you can connect a WIC-1T from the 1720 via a V.35 cable to the CSU. Then connect the T1 to a free NI port on the CSU. If you have an internal CSU on the 1720, just connect the T1 right into it. The default settings on an internal CSU should be fine.
subnet2=you can make one up there like 192.168.10.0/24 (be sure to add a static route on the 1720 for your ISP assigned subnet to go via the PIX, e.g. the 1720 eth0 is 192.168.10.1 and the pix outside is 192.168.10.2 and your ISP assigned subnet is x.x.x.x 255.255.255.240, add a static route on the 1720->ip route x.x.x.x 255.255.255.240 192.168.10.2)
-your internal network
-a made up subnet like 192.168.20.0 255.255.255.0
If you use the 192.168.10.x subnet between the 1720 eth and the pix outside, you'll have something like this on the PIX:
ip address outside 192.168.10.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0 (your private internal subnet)
ip address dmz 192.168.20.1 255.255.255.0
nat (inside) 1 10.0.0.0 255.255.255.0 (NAT everything from inside)
nat (dmz) 1 192.168.20.0 255.255.255.0 (NAT everything from dmz)
global (outside) 1 x.x.x.4 (This is for PAT, choose one of your legal assigned IPs for overload; it must not be one of the addresses used in the static one-to-one mappings below)
global (dmz) 1 192.168.20.0 255.255.255.0
give your servers labels:
name 192.168.20.1 mail
name 192.168.20.2 web
name 192.168.20.3 virus
static (dmz,outside) x.x.x.1 mail (this is the mail server one-to-one-NAT)
static (dmz,outside) x.x.x.2 web (this is the www server one-to-one-NAT)
static (dmz,outside) x.x.x.3 virus (this is the virus server one-to-one-NAT)
(take care of allowing SMTP/www inbound to dmz)
access-list aclt permit tcp any host x.x.x.1 eq 25
access-list aclt permit tcp any host x.x.x.2 eq 80
access-group aclt in interface outside
(take care of the default route)
route outside 0.0.0.0 0.0.0.0 192.168.10.1
telnet 10.0.0.100 255.255.255.255 (or whatever your PC is behind the PIX...this allows you to telnet into the PIX)
(configure telnet and enable passwords)
enable password xxxxx
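Before any of the above is typed into the PIX, it is worth checking the public address plan on paper: every static and the PAT overload address must be a usable host in the ISP /28, and no address may be used twice (a static and the outside global cannot share an address). The following script is an added example, not part of the original reply; it uses the RFC 5737 documentation block 203.0.113.0/28 in place of the "x.x.x.x" placeholders, the DMZ names from the post, and a constructed server table, and emits the PIX and 1720 lines in the same form the reply uses.

```python
import ipaddress

# Constructed sample: 203.0.113.0/28 stands in for the ISP-assigned /28
# ("x.x.x.x 255.255.255.240" in the thread); the DMZ names come from the post.
ISP_BLOCK = "203.0.113.0/28"
DMZ_SERVERS = {
    # name: (dmz address, public address, inbound TCP ports to permit)
    "mail": ("192.168.20.1", "203.0.113.1", [25]),
    "web": ("192.168.20.2", "203.0.113.2", [80]),
    "virus": ("192.168.20.3", "203.0.113.3", []),  # nothing exposed inbound
}
PAT_ADDRESS = "203.0.113.14"   # one assigned address reserved for overload
PIX_OUTSIDE = "192.168.10.2"   # PIX outside address from the reply


def check_plan(isp_block, servers, pat_address):
    """Validate the public address plan; returns the number of unused addresses."""
    net = ipaddress.ip_network(isp_block, strict=True)
    usable = set(net.hosts())          # 14 hosts for a /28
    pat = ipaddress.ip_address(pat_address)
    if pat not in usable:
        raise ValueError(f"PAT address {pat} is not a usable host in {net}")
    seen = {pat: "global (PAT)"}
    for name, (dmz_ip, public_ip, ports) in servers.items():
        ipaddress.ip_address(dmz_ip)   # raises on a malformed DMZ address
        pub = ipaddress.ip_address(public_ip)
        if pub not in usable:
            raise ValueError(f"{name}: {pub} is not a usable host in {net}")
        if pub in seen:
            # The PIX will not accept a static that overlaps a global address
            raise ValueError(f"{name}: {pub} already used by {seen[pub]}")
        seen[pub] = f"static ({name})"
        for port in ports:
            if not 1 <= port <= 65535:
                raise ValueError(f"{name}: bad port {port}")
    return len(usable) - len(seen)


def pix_lines(isp_block, servers, pat_address, acl="aclt"):
    """PIX NAT, static and inbound ACL lines in the form used in the reply."""
    check_plan(isp_block, servers, pat_address)
    lines = [f"global (outside) 1 {pat_address}"]
    for name, (dmz_ip, _, _) in servers.items():
        lines.append(f"name {dmz_ip} {name}")
    for name, (_, public_ip, _) in servers.items():
        lines.append(f"static (dmz,outside) {public_ip} {name}")
    # Only the statically mapped hosts, and only their service ports, get
    # inbound permits; a server with no ports gets no access-list entry.
    for name, (_, public_ip, ports) in servers.items():
        for port in ports:
            lines.append(f"access-list {acl} permit tcp any host {public_ip} eq {port}")
    lines.append(f"access-group {acl} in interface outside")
    return lines


def router_route(isp_block, pix_outside):
    """Static route on the 1720 sending the ISP block to the PIX outside."""
    net = ipaddress.ip_network(isp_block, strict=True)
    return f"ip route {net.network_address} {net.netmask} {pix_outside}"


if __name__ == "__main__":
    print(router_route(ISP_BLOCK, PIX_OUTSIDE))
    for line in pix_lines(ISP_BLOCK, DMZ_SERVERS, PAT_ADDRESS):
        print(line)
    print(f"# free addresses: {check_plan(ISP_BLOCK, DMZ_SERVERS, PAT_ADDRESS)}")
```

Running `check_plan` with the PAT address set to the same value as the mail static reproduces the overlap the plan must avoid, and the script refuses to emit configuration for it.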
You don't need BGP.
I think the biggest thing is if the 1720 is going to be your Internet router *and* the frame router.
I think once you get all that up, you could start on the VPN solutions:
I'm assuming that since you have an external CSU/DSU there isn't one in the 1720, and that you are using a regular serial interface with a 50-pin to V.35 cable. If this is the case, you will have to change the number of channels in the CSU/DSU from 4 to 24; depending on the type of CSU, this can be done from DIP switches (i.e. Kentrox), from front push buttons (i.e. AT&T 3160, I believe), or from a console cable (i.e. Digital Link). On the router, you will need to change the encapsulation from frame to PPP. I'm also assuming that the ISP is expecting you to use unnumbered on the serial interface, thereby putting 1 of your 14 addresses on the ethernet of the router, another on the external interface of the PIX, then have a few for the NAT range and a few for static mappings.