Using 1841 Router as Internal and Internet Router

I am trying to set up an 1841 series router to be a company's internal router and internet router, to save them money if possible.

Here is the basic picture. I have an 1841 with 2 Fast Ethernet interfaces and 2 T1 controllers. One T1 connects to a remote office and one to the internet. Fa0/0 connects to the LAN and is the default gateway for all the PCs.

My plan was to put one of their public IPs on Fa0/1, connect that directly to a 501 PIX, and then connect the private interface of the PIX to the LAN. I thought traffic would flow like this.

Internet traffic would hit Fa0/0, as it is the default gateway. The router would forward this traffic right back out Fa0/0 to the private side of the PIX, as I have the PIX configured as the router's gateway of last resort. The PIX would translate the traffic and send it to Fa0/1 on the router, which would forward it to the internet router at our ISP. What I believe is happening is that the router is receiving this traffic from the PIX and, since it doesn't know where to send it, forwarding it to the gateway of last resort, which is the PIX, thereby creating a loop.

Is there a way I can kind of isolate Fa0/1 and the T1 for the internet from Fa0/0 and the T1 for the remote office, so I can have two gateways of last resort, with one forwarding traffic to the PIX and one forwarding traffic to the internet?

Re: Using 1841 Router as Internal and Internet Router


Your topology is OK, but I have some suggestions:

# Make the PIX the default gateway.

# Put a static route in the PIX for the remote branch network pointing to the router.

# The gateway of last resort in the router will be the ISP interface.

# The PIX default gateway will be router Fa0/1's public IP address.

# Block any traffic from the internet link coming to your private network, because your private network will be directly reachable.

You might think of running HSRP between the PIX and the router, as both devices have a default route. Do NATting on the router also, and the active gateway should be the PIX; if the PIX goes down, the router will take care of the traffic.

But for this design you need to be very careful about traffic coming from the internet. That you can do easily.

HTH, please rate the post.


Re: Using 1841 Router as Internal and Internet Router

Your requirement is quite interesting and, if not implemented properly, can leave a big security hole in your network. The way you have it configured now is definitely going to create a routing loop. While there might be clever ways to implement this using policy based routing, I will not recommend it for mixed reasons: complexity and security.

There is a nifty IOS feature that you might be able to use to implement it the way you want. The feature is called Multi-VRF support (or VRF-Lite). It allows creating isolated routing tables within a router. What you might be able to do is to create two VRFs; say VRF-Outside and VRF-Inside. Put the Int Fa0/1 and the T1 connecting to the internet in VRF-Outside. Connect the PIX outside interface to the router's Fa0/1 interface. On the PIX, configure the default gateway as the IP address of the Int Fa0/1 of the router. In the router, configure a default route in the VRF-Outside pointing to the ISP next-hop.

Configure the T1 interface connecting to the remote office, as well as the interface Fa0/0 of the router, in the VRF-Inside. The PIX inside will connect to the same LAN. You will have to create a default route in the VRF-Inside pointing to the inside interface of the PIX. One thing to keep in mind is that the inside hosts should use the router (Int Fa0/0) as their gateway and not the PIX. The reason is that the PIX will not route packets out the same interface they were received on, so your internal hosts will not be able to talk to the remote office users unless you add specific routes in each internal host.

Another point to consider is the router sending ICMP redirects to your internal hosts. The router will send redirects whenever an internal client wants to get to a destination out on the internet and the router has to forward it to the PIX inside interface. The router does that to optimize communication, but I believe ICMP redirects cause creation of a host route in the internal host, which might present a scalability issue. If you are comfortable with all traffic hitting the router and the router forwarding it to the PIX out the same interface, then you can turn off the ICMP redirect feature.

Please note that I have not tested this solution but based on my understanding of the VRF-Lite feature it should provide you with a means to successfully achieve what you are looking for.
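The VRF-Lite design described in the reply above, written out as a worked configuration. This is an added example, not configuration posted by anyone in the thread, and it has not been run against the poster's hardware. Everything specific is assumed: the addresses are documentation/private ranges (192.168.1.0/24 LAN, 192.168.2.0/24 remote office, 10.0.0.0/30 remote-office T1, 203.0.113.0/29 public block for the PIX, 198.51.100.0/30 ISP T1), the T1 WICs are assumed to appear as Serial0/0/0 (remote office) and Serial0/1/0 (ISP), the VRF names are INSIDE/OUTSIDE rather than the reply's VRF-Inside/VRF-Outside, and the PIX lines use PIX 6.x syntax. The ingress filter on the ISP link is the first reply's "block any traffic from the internet link" point added as defence in depth; the VRF split alone already leaves the OUTSIDE table with no route to the LAN.

```cisco
! Added example (not from the thread). All addresses and interface names are assumed.
! --- 1841, IOS 12.4 "ip vrf" syntax ---
ip vrf INSIDE
 rd 65000:1
!
ip vrf OUTSIDE
 rd 65000:2
!
! "ip vrf forwarding" clears any IP address already on the interface,
! so put the VRF statement before the address.
interface FastEthernet0/0
 description LAN - default gateway for the PCs (INSIDE)
 ip vrf forwarding INSIDE
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
!
interface Serial0/0/0
 description T1 to remote office (INSIDE)
 ip vrf forwarding INSIDE
 ip address 10.0.0.1 255.255.255.252
!
interface FastEthernet0/1
 description PIX outside interface (OUTSIDE)
 ip vrf forwarding OUTSIDE
 ip address 203.0.113.2 255.255.255.248
!
interface Serial0/1/0
 description T1 to ISP (OUTSIDE)
 ip vrf forwarding OUTSIDE
 ip address 198.51.100.2 255.255.255.252
 ip access-group FROM-ISP in
!
! INSIDE table: remote office via the T1, everything else to the PIX inside address.
ip route vrf INSIDE 192.168.2.0 255.255.255.0 10.0.0.2
ip route vrf INSIDE 0.0.0.0 0.0.0.0 192.168.1.254
! OUTSIDE table: only the default to the ISP; the PIX public /29 is directly connected.
! There is deliberately no route to 192.168.0.0/16 here.
ip route vrf OUTSIDE 0.0.0.0 0.0.0.0 198.51.100.1
!
! Ingress filter on the ISP link: drop packets with private sources and allow
! only the PIX public block (plus the link address itself) as destination.
ip access-list extended FROM-ISP
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any 203.0.113.0 0.0.0.7
 permit icmp any host 198.51.100.2
 deny   ip any any log
!
! --- PIX 501, PIX 6.x syntax ---
! Default route to the router's Fa0/1; a route back to the router's Fa0/0 for the
! remote office so that de-translated replies to 192.168.2.0/24 are forwarded.
ip address outside 203.0.113.3 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.2 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
global (outside) 1 interface
!
! --- checks on the 1841 ---
! show ip route vrf INSIDE    (expect the static default via 192.168.1.254 and 192.168.2.0/24 via 10.0.0.2)
! show ip route vrf OUTSIDE   (expect only the two connected networks and the default via 198.51.100.1)
! ping vrf OUTSIDE 198.51.100.1
! ping vrf INSIDE 192.168.1.254
```

Traffic from a LAN PC to the internet now goes PC -> Fa0/0 (INSIDE) -> default -> PIX inside -> NAT -> PIX outside -> Fa0/1 (OUTSIDE) -> ISP, and the OUTSIDE table has no path back to Fa0/0, which is what breaks the loop the original poster saw. The remote office router is assumed to point its default route at 10.0.0.1. If you later move to the `vrf definition` / `address-family ipv4` syntax of newer IOS, the routes and interface commands are the same apart from `vrf forwarding` replacing `ip vrf forwarding`.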

