
Help with 2901 switchport

chrisnagle
Level 1

I am almost done with my new internet setup and need help with the last bit. (see attached)

Everything works so far. I can reach the internet with this current configuration, but I need to add another device with a public IP (55.55.x.x) and want to use one of the 2901's GE switchports to achieve this. What would be the config for one of the ports?

**edit** On the attachment I said to B) access the internet via GB0/1. What I meant to say is server#1 needs access to the internet via GB0/1.

5 Replies

paulstone80
Level 3

Hi Chris,

Can you post the config of the 2901? Make sure you remove any passwords and sensitive information.

Thanks,


Paul




HTH Paul ****Please rate useful posts****
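Paul's request to remove passwords and sensitive information before posting a config can be scripted. The following is an added example, not part of the original thread: a small Python filter for IOS-style config text in which the function name `sanitize`, the rule set, the `<public-ip-N>` labels and the sample config are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in IOS running-config style (not the poster's config).
SAMPLE = """\
enable secret 5 $1$abcd$0123456789abcdefghijkl
username admin privilege 15 secret 5 $1$wxyz$ABCDEFGHIJKLMNOPQRSTUV
license udi pid CISCO2901/K9 sn ABC12345XYZ
snmp-server community s3cr3t RO
interface GigabitEthernet0/1
 ip address 198.51.100.2 255.255.255.252
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 198.51.100.1
line vty 0 4
 password 7 094F471A1A0A
"""

# Assumed rule set: (pattern, replacement) for lines that carry credentials
# or device identity. Extend it for key chains, VPN keys, TACACS/RADIUS keys.
RULES = [
    (re.compile(r"\b(secret|password)( \d+)? \S+"), r"\1\2 <removed>"),
    (re.compile(r"(snmp-server community) \S+"), r"\1 <removed>"),
    (re.compile(r"(license udi pid \S+ sn) \S+"), r"\1 <removed>"),
]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def sanitize(config: str) -> str:
    """Redact secrets and replace each public IPv4 address with a stable label."""
    labels = {}
    def mask(match):
        text = match.group(0)
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return text
        # Keep netmasks, wildcard masks, 0.0.0.0 and RFC 1918 addresses readable.
        if text.split(".")[0] in ("0", "255") or any(addr in n for n in RFC1918):
            return text
        return labels.setdefault(text, f"<public-ip-{len(labels) + 1}>")

    for pattern, repl in RULES:
        config = pattern.sub(repl, config)
    return IPV4.sub(mask, config)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Each public address maps to the same label every time it appears, so readers can still follow which next hop belongs to which interface subnet.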

Here is the running-config

Building configuration...

Current configuration : 1981 bytes
!
! Last configuration change at 03:23:22 UTC Sun Jun 9 2013 by XXXXXX
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CLT-ROUTER
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
no logging console
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
ip name-server 216.136.95.2
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2901/K9 sn FTX17138507
!
!
username ccpuser privilege 15 secret 4 XXX
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
!
interface GigabitEthernet0/0
 description $ETH-LAN$
 ip address 50.55.X.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $ETH-WAN$
 ip address 66.X.X.X 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
!
interface GigabitEthernet0/0/0
 no ip address
!
interface GigabitEthernet0/0/1
 no ip address
!
interface GigabitEthernet0/0/2
 no ip address
!
interface GigabitEthernet0/0/3
 no ip address
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 66.X.X.X
!
!
!
!
control-plane
!
!
!
line con 0
 transport preferred none
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login local
 transport preferred none
 transport input telnet
line vty 5 15
 login local
 transport preferred none
 transport input telnet
!
scheduler allocate 20000 1000
!
end

Hi Chris,
Why are you natting a public subnet with another? From the diagram you are natting 55.55.xx.xx with 66.66.xx.xx. .......

About the answer... You can do a simple thing. Just install a switch off the 2901 and change the g0/0 as follows:

int g0/0
 no ip address
 no sh

int g0/0.55
 description ****To Server1***
 encapsulation dot1q 55
 ip address 55.55.xx.xy 255.255.255.zzz
 no sh

int g0/0.192
 description ****To Firewall ****
 encapsulation dot1q 192
 ip address 192.168.xx.zz
 ip nat inside

int g0/1
 description **** To Internet*****
 ip address 66.16.zz.zz 255.255.255.252
 ip nat outside
 no sh

ip route 0.0.0.0 0.0.0.0 g0/1

Or you can add an interface to the 2901 (providing none is available and to set a point to point communication with your server). In both cases I would not nat your server if it owns a public IP address and if it does not need nat protection. If you want to nat the server too, remove the public subnet and set a private one. Configuration-wise it would be:

int g0/0.55
 description ****To Server1***
 encapsulation dot1q 55
 ip address 192.168.55.55 255.255.255.0
 ip nat inside
 no sh

Don't forget to change the server IP accordingly.

Reading your diagram again I see a useless double nat. If you nat on your sonic FW you do not need to nat on your router again and vice versa... If you nat on your router there is no need for natting on the FW. If I were you I would nat on the FW and I would just perform routing on the 2901 with a universal IOS with security license.

Hope to help
Alessio

Sent from Cisco Technical Support iPad App

To answer your first question: I was given an email from my ISP. It stated "this is your external IP address "66.x.x.x." this address is for the device connected directly to our device" (in this case the Cisco 3650 switch they provided).

I had asked for 5 public IP addresses (55.55.x.x1-5) to be used for publicly accessible devices.

I could only make the 2901 work by assigning GE0/1 as 66.x.x.x, nat outside, and making GE0/0 (nat inside) to be one of the public IP addresses (in this case 55.55.x.1).

I made the "wan" IP address for my firewall to be 55.55.x.2 which connected to GE0/0.

What I need is to connect an external server (it's actually a remote support device) to have an IP address of 55.55.x.3. I need that device to be able to reach the internet. I'm assuming it will have to use the same GE0/1 gateway as it needs to access the outside world.

None of the switchports 1-4 have been configured.

I guess what I'm trying to do is replicate the old DSL modem w/4 port switch we had. All I had to do then was to plug in my firewall to one port, and my support device to another and they both had "public IP" addresses (55.55.x.x.).

Hi Chris,

You can do the following:

  1. Repatch the firewall to port Gi0/0/0
  2. Connect the server to Gi0/0/1
  3. Configure the IP of Gi0/0 on a vlan
  4. Assign the interfaces Gi0/0/0 and Gi0/0/1 to the vlan

For example:

!
interface Gi0/0
 no ip address
 no ip nat inside
!
!
interface vlan 10
 ip address 50.55.X.1 255.255.255.248
 ip nat inside
 no shut
!
!
interface Gi0/0/0
 switchport mode access
 switchport access vlan 10
 no shut
!
!
interface Gi0/0/1
 switchport mode access
 switchport access vlan 10
 no shut
!

This will put both devices on the same network where they can reach 50.55.x.1 to be able to get out to the Internet.

HTH

Paul



****Please rate useful posts****
