
Cisco 877w Router Routed Ip with 8 ip's

Good Morning Team,

    I am using a company called Zen for ADSL. I have 8 IPs from XXX.XXX.XXX.248 to XXX.XXX.XXX.255, gateway is 254. Addresses 249-250-251-252-253 I would like to appear at the 4 sockets at the back of the router, and 252,253 will be used for a server...

I understand I should be using Routed IP, but I cannot get it to work. I can ping out to Google from the server, but the server is not live to the world.

I hope someone can point out my mistakes please...

All the best from Alan

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname bluestreet
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
no aaa new-model
!

dot11 syslog
no ip source-route
ip cef
!
!
no ip bootp server
no ip domain lookup
!
!
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address xxx.xxx.xxx.254 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
hold-queue 100 out
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxxx
ppp chap password 0 xxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxx password 0 xxxxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging trap debugging
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
no cdp run

!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!


Re: Cisco 877w Router Routed Ip with 8 ip's

Hi

From your config

!
interface Dialer1
!SNIP
dialer pool 1
dialer-group 1
!
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any

!

Your access list is 100 therefore you need to fix your dialer group


!
interface Dialer1
no dialer-group 1
dialer-group 100
!

Also I see you trying to use the subnet

xxx.xxx.xxx.254 255.255.255.248

This is illegal as it is known as the ALL 1s subnet (The broadcast address affects other subnets lower down the ranges)

You will need to source a different subnet or move the mask back to Class C

Try and retest

Regards
Alex


Re: Cisco 877w Router Routed Ip with 8 ip's

Hi Alex,

  This is a bit outside of me, but I will pass it back to the ISP and see what he says...

Thank you for the information...

All the best from Alan

Re: Cisco 877w Router Routed Ip with 8 ip's

Hi Alex,

Also I see you trying to use the subnet

xxx.xxx.xxx.254 255.255.255.248

This is illegal as it is known as the ALL 1s subnet (The broadcast address affects other subnets lower down the ranges)

You will need to source a different subnet or move the mask back to Class C


I think you are mistaken by 255 (11111111), as 254 can be used in the given subnet as it only equals 11111110. I think it is totally OK to use "xxx.xxx.xxx.254 255.255.255.248" as the Gateway Address.

For Alan, I think the problem is mostly with how you are trying to use those IPs. Please explain a little more on what you were doing.

Manish


Re: Cisco 877w Router Routed Ip with 8 ip's

Hi Alan,

As mentioned above, xxx.xxx.xxx.254 255.255.255.248 IS a valid IP address. Also Alex's advice to change the dialer group command from 'dialer-group 1' to dialer-group 100 is also incorrect. Leave this alone.

From the information you have already told us, I would recommend assigning a private subnet range for your local LAN traffic and configuring your servers with IPs on this range, then using static NAT to assign the servers' private addresses to addresses in the public range. I would also advise you to configure a zone-based or CBAC firewall on your router to help prevent your network from being attacked. If you give your server an IP address on your public network and don't have any firewall configured, your server will be attacked.

To help you better, I would need to know what exactly you are trying to achieve. What services do the servers provide, are they web servers? Will you have PCs or other devices that will need to access the internet, and if so how many? Are you connecting the LAN interface into a network switch?


Cisco 877w Router Routed Ip with 8 ip's

Hi krisbain,

Thank you for your reply. I use a Cisco 877 router modem. One connection from the four sockets goes to a server, which gives web access to the public of my site. All ports in the server are off, but ssh and ftp are linked to my Virgin IP address (which has a PC on it); ports 80 and 53 are open. I then run a second wire from the 877 to an ASA5505 which translates one of the public IPs to DHCP 192.168.x.x for my other PC. The ASA is configured to close all ports, except 80 25 110.

This may not be the ideal method though it does work. The problem I had was resolved by the statement "no shutdown" on all 4 FastEthernet ports.

The information you gave sounded very interesting, I do not understand it, but am willing to learn if you have the time...

All the best from Alan


Cisco 877w Router Routed Ip with 8 ip's

Ok, that makes more sense. I would not rely on the services being shut down to protect your server. I would still configure an access list on the router to block unwanted traffic or, better still, move the server to an unused interface on the ASA and give this a name such as DMZ with a security level lower than your inside address but higher than your outside address.

With this setup all traffic that is initialised from the outside to your server will be blocked by default but all traffic from your server to the internet will be permitted. You can then create an access list to permit only the outside traffic that you want to access the server.

All traffic initialised from the LAN to the server will be permitted by default but traffic from the DMZ to the LAN will be blocked. Again you can use an access list to permit required traffic to your LAN.

The ASA is designed to be used in scenarios like this so I would make full use of it.

Kris


Cisco 877w Router Routed Ip with 8 ip's

Good Morning kris,

   I presume you are talking about this entry "access-list 100 permit ip host 255.255.255.255 any"

  And you are expecting to see something for the IPs 252/253 = server

and 251 for the ASA5505.

So will it be like this

access-list 100 permit tcp any xxx.xxx.xxx.251 255.255.255.248 eq smtp

access-list 100 permit tcp any xxx.xxx.xxx.251 255.255.255.248 eq www

access-list 100 permit tcp any xxx.xxx.xxx.251 255.255.255.248 eq ftp

access-list 100 permit tcp any xxx.xxx.xxx.251 255.255.255.248 eq ssh

access-list 100 permit tcp any xxx.xxx.xxx.252 255.255.255.248 eq smtp

access-list 100 permit tcp any xxx.xxx.xxx.252 255.255.255.248 eq www

access-list 100 permit tcp any xxx.xxx.xxx.252 255.255.255.248 eq ftp

access-list 100 permit tcp any xxx.xxx.xxx.252 255.255.255.248 eq ssh

access-list 100 permit tcp any xxx.xxx.xxx.253 255.255.255.248 eq smtp

access-list 100 permit tcp any xxx.xxx.xxx.253 255.255.255.248 eq www

access-list 100 permit tcp any xxx.xxx.xxx.253 255.255.255.248 eq ftp

access-list 100 permit tcp any xxx.xxx.xxx.253 255.255.255.248 eq ssh

access-list 100 deny ip any any

All the best from Alan


Cisco 877w Router Routed Ip with 8 ip's

You're on the right lines but the access control entries should be to the host rather than the subnet address.

(i.e. access-list 100 permit tcp any host xxx.xxx.xxx.251 eq smtp)

But as I mentioned, I would apply the ACL rules to the ASA and put the server behind that.
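
Added example, not part of the thread and not any poster's code: a small Python check of why the proposed entries need `host` (or a wildcard) rather than a subnet mask. IOS extended ACLs read the value after the address as a wildcard, where 0 bits must match and 1 bits are ignored, so `255.255.255.248` ignores everything except the low three bits. The 203.0.113.248/29 documentation block and all function names are assumptions standing in for the masked addresses.

```python
import ipaddress
import re

# Constructed sample: the thread masks its addresses, so the documentation
# block 203.0.113.248/29 stands in for the ISP-assigned range (assumption).
SAMPLE_ACL = """\
access-list 100 permit tcp any 203.0.113.251 255.255.255.248 eq smtp
access-list 100 permit tcp any host 203.0.113.251 eq smtp
access-list 100 permit tcp any 203.0.113.248 0.0.0.7 eq www
access-list 100 deny ip any any
"""

# Simplified grammar: only entries whose source is "any" are parsed.
ACE = re.compile(r"access-list \d+ (?:permit|deny) \S+ any "
                 r"(?:host (?P<host>\S+)|(?P<addr>\d\S+) (?P<wild>\d\S+))")

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def dest_matches(addr, wild, candidate):
    """IOS wildcard rule: 0 bits must match, 1 bits are ignored."""
    care = ~to_int(wild) & 0xFFFFFFFF
    return (to_int(candidate) & care) == (to_int(addr) & care)

def looks_like_netmask(wild):
    """True for contiguous leading 1s then 0s, e.g. 255.255.255.248."""
    w = to_int(wild)
    inv = ~w & 0xFFFFFFFF
    return inv != 0 and w >> 31 == 1 and (inv & (inv + 1)) == 0

def audit(acl_text):
    """Return (line, destinations_matched, netmask_suspected) per parsed entry."""
    findings = []
    for line in acl_text.splitlines():
        m = ACE.match(line)
        if not m:
            continue  # e.g. "deny ip any any" has no destination address
        if m["host"]:
            findings.append((line, 1, False))
        else:
            matched = 2 ** bin(to_int(m["wild"])).count("1")
            findings.append((line, matched, looks_like_netmask(m["wild"])))
    return findings

if __name__ == "__main__":
    for line, matched, suspect in audit(SAMPLE_ACL):
        flag = "NETMASK USED AS WILDCARD" if suspect else "ok"
        print(f"{matched:>11} destinations  {flag:<25} {line}")
```

Inside the /29 itself each mis-masked entry still selects a single address, because the low three bits are unique there, but as written it matches every destination address sharing those three bits rather than one host.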
