Cisco 1811 Site to Site Metro E and WAN Internet Configuration
I am assisting a customer with configuring their Cisco 1811 for internet and site to site communication over a Metro Ethernet circuit - basically it is a layer 2 connection at each site that connects them together.
Each site has its own separate class C address range: 192.168.1.0, 192.168.2.0 and 192.168.3.0. I set an interface address on each side whereby the last octet corresponds with the network it is assigned to, so the FE/0 address for the 192.168.1.0 network is 172.16.1.1, the interface address for the 192.168.2.1 network is 172.16.1.2 and the interface address for the 192.168.3.1 network is 172.16.1.3.
I have route statements configured on each side to route traffic accordingly depending on the location. For example, from network 192.168.1.0 to get to the 192.168.2.0 network I have added a static route that shows up in the routing table as "S 192.168.2.0/24 [1/0] via 172.16.1.2"
Everything works great until I try to configure and connect the WAN port for internet traffic. I tried to set it as the default route, but it keeps taking precedence for all of the traffic, and even the internal traffic that I have static routes configured for does not work.
Can somebody assist me with what I am trying to accomplish? I need to know the proper way to configure the WAN internet connection so it is just used for internet traffic and not the site to site traffic.
Re: Cisco 1811 Site to Site Metro E and WAN Internet Configurati
Below is the relevant configuration. I added the default route as a last resort to try to get things working so that is my last attempt and most likely a partial cause of the error.
I must admit I am a bit rusty on my Cisco configs and unfortunately or not I have had to refer to the Cisco configuration professional to help.
Essentially, I don't need any inspection at this point in the site to site communication (FastEthernet0), I may later as I have an opportunity to monitor and tweak the traffic. I don't need any NAT translation on this interface because it is essentially just an extended internal network.
I want to direct all traffic that is not designated to go to either of the remote sites (essentially it should just be internet traffic) to go out the FastEthernet1 interface. At this time I just need to allow port 3389 through this interface to redirect to an internal server for RDP connections.
!
class-map type inspect match-all sdm-cls--2
 match access-group name IncomingCox
class-map type inspect match-any Internet
 match protocol http
 match protocol https
class-map type inspect match-all sdm-cls--1
 match class-map Internet
 match access-group name InternetOut
class-map type inspect match-any RDP
 match protocol user-RDP
class-map type inspect match-all sdm-cls-sdm-policy-sdm-cls--2-1
 match class-map RDP
 match access-group name RDP
!
!
policy-map type inspect sdm-policy-sdm-cls--1
 class type inspect sdm-cls--1
  pass
 class class-default
policy-map type inspect sdm-policy-sdm-cls--2
 class type inspect sdm-cls-sdm-policy-sdm-cls--2-1
  pass
 class type inspect sdm-cls--2
  drop log
 class class-default
!
zone security CoxInternet
zone security InternalLAN
zone-pair security sdm-zp-InternalLAN-CoxInternet source InternalLAN destination CoxInternet
 service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-CoxInternet-InternalLAN source CoxInternet destination InternalLAN
 service-policy type inspect sdm-policy-sdm-cls--2
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ETH-WAN$
 ip address 2*.***.***.*** 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security CoxInternet
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.200 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip virtual-reassembly
 zone-member security InternalLAN
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip route 192.168.2.0 255.255.255.0 172.16.1.2 permanent
ip route 192.168.3.0 255.255.255.0 172.16.1.3 permanent
ip route 0.0.0.0 0.0.0.0 FastEthernet0 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet1 overload
!
ip access-list extended IncomingCox
 remark CCP_ACL Category=128
 deny ip any any
ip access-list extended InternetOut
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended RDP
 remark CCP_ACL Category=128
 permit ip any host 126.96.36.199
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.10
no cdp run
!
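An added example (not part of the original post and not Cisco tooling): a small Python model of how the posted router would forward a packet arriving on Vlan1, combining longest-prefix match over the posted static routes with the zone-based firewall rule that traffic between a zone-member interface and a non-member interface is dropped. The tables are transcribed by hand from the configuration above; `198.51.100.7` is a constructed internet destination, `FIXED_ROUTES` is an assumed correction, and no connected route is listed for FastEthernet1 because its address is masked on the page.

```python
import ipaddress

# Hand-transcribed from the posted config: interface -> zone and NAT role.
INTERFACES = {
    "Vlan1": {"zone": "InternalLAN", "nat": None},   # no "ip nat inside" posted
    "FastEthernet0": {"zone": None, "nat": None},    # Metro E, no zone-member
    "FastEthernet1": {"zone": "CoxInternet", "nat": "outside"},
}
ZONE_PAIRS = {("InternalLAN", "CoxInternet"), ("CoxInternet", "InternalLAN")}
# (prefix, egress interface): connected networks plus the posted statics.
ROUTES = [
    ("192.168.1.0/24", "Vlan1"),
    ("172.16.1.0/24", "FastEthernet0"),
    ("192.168.2.0/24", "FastEthernet0"),   # via 172.16.1.2
    ("192.168.3.0/24", "FastEthernet0"),   # via 172.16.1.3
    ("0.0.0.0/0", "FastEthernet0"),        # default route exactly as posted
]
# Assumed correction: the default route leaves through the WAN interface.
FIXED_ROUTES = ROUTES[:-1] + [("0.0.0.0/0", "FastEthernet1")]

def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (prefix, egress interface) for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), intf) for p, intf in routes
               if addr in ipaddress.ip_network(p)]
    net, intf = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), intf

def zone_verdict(ingress, egress, interfaces=INTERFACES):
    """Zone-based firewall decision for traffic transiting the router."""
    zin, zout = interfaces[ingress]["zone"], interfaces[egress]["zone"]
    if zin is None and zout is None:
        return "forwarded (no zones involved)"
    if zin is None or zout is None:
        return "dropped (zone member <-> non-member)"
    if zin == zout:
        return "forwarded (same zone)"
    return "policy applies" if (zin, zout) in ZONE_PAIRS else "dropped (no zone-pair)"

def audit(dst, ingress="Vlan1", routes=ROUTES):
    """Summarise route choice, zone decision and NAT role of the egress port."""
    prefix, egress = lookup(dst, routes)
    return {"route": prefix, "egress": egress,
            "zone": zone_verdict(ingress, egress),
            "nat_outside": INTERFACES[egress]["nat"] == "outside"}

if __name__ == "__main__":
    for dst in ("192.168.2.10", "192.168.3.10", "198.51.100.7"):
        print(dst, "posted:", audit(dst), "fixed:", audit(dst, routes=FIXED_ROUTES))
```

The model stops at the zone-pair lookup and does not evaluate the class maps. In the posted outbound policy the action is `pass`, which keeps no state for return traffic.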