assistance required from anyone who is awake.....

Discussion in 'General Cisco Certifications' started by jonny7_2002, Nov 29, 2011.

  1. jonny7_2002

    jonny7_2002 Byte Poster

    I have a Cisco 1941 that I am trying to configure for a leased line... I have been given the following details but I am unsure how I configure the router this way...

    NAT / NO-NAT: NO-NAT
    WAN IP: 1.1.1.24
    LAN IP: 2.2.2.62
    Subnet Mask: 255.255.255.248

    So, being given a public IP for the WAN IP and a public IP for the LAN IP, I'm a little confused how to actually assign the IPs...

    The idea behind the solution is to have a DSL backup (which is not being configured yet) which uses the same IP for failover (I presume this is the 2.2.2.62).

    I want to use GE0/0 for the WAN connection and GE0/1 for the LAN interface, but obviously I want to have the internal 10.1.1.0/24 assigned here for connectivity to the LAN.

    Has anyone seen this sort of setup before? I may just be overlooking something very simple as usual, but I can't see the wood through the trees at the moment!

    Cheers for any replies.
    Jonny
     
    Last edited: Nov 29, 2011
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  2. danielno8

    danielno8 Gigabyte Poster

    What is your eventual set up to look like? What is the subnet mask they have given you for the WAN IP? I presume a /30.

    It looks to me like they have just given you a range of public IPs you can use if you want to... by the sounds of things you just want the internal side of the 1941 to be the private side of the network, therefore just assign the internal interface with the 10.1.1.0/24 address and ignore the public range you have been given.

    Normally, you would have this 1941 configured as your gateway router. On the internal interface of this router, you would have a publicly addressed network, using the range the ISP has given you, which you would have your firewall connected to. Then on the inside of your firewall you would have the privately addressed network.

    I'll draw up a quick Visio to show you if you want to see what I mean.

    How are you securing the internal network in the configuration you are trying to do? An ACL on the external facing interface of the 1941?
     
    Last edited: Nov 29, 2011
    Certifications: CCENT, CCNA
    WIP: CCNP
  3. danielno8

    danielno8 Gigabyte Poster

    View attachment 2529

    The one on the left is how I think you want it configured... the one on the right is how you'd normally set up this type of connection to the internet.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  4. jonny7_2002

    jonny7_2002 Byte Poster

    The one on the right is the ideal situation, but I have been asked to configure a firewall on the device to save costs on the firewall appliance...

    The one on the left is the sort of thing I want to do, but they need the 2.2.2.62 range as this is how the backup DSL works, I believe. My understanding is that the leased line WAN IP of 1.1.1.24 and the future DSL IP of 3.3.3.24 are being told that 2.2.2.62 is at the end of either of these, and to fail over it just routes over these... so anything coming out has to be NATted to the global IP of 2.2.2.64... I HOPE THAT MAKES SENSE AS THIS IS A BIT OF A GUESS AT THE MOMENT UNTIL I SPEAK TO THE ISP!!!


    I have attached what I think may work, but I am not sure about the NAT statement...
    View attachment 2531

    So in theory, this should NAT everything out using the 2.2.2.62 IP and should all work nicely???

    I appreciate your time on this! If I could buy you a beer or two I would!

    jonny
     
    Last edited: Nov 29, 2011
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  5. danielno8

    danielno8 Gigabyte Poster

    Hmmm, I'm not sure I get where the DSL comes into it... Is your backup internet from the same provider?

    In order for the 2.2.2.56/29 subnet to be available over both the main link and the DSL backup, you would need to be peering with the upstream routers using BGP on BOTH connections, and advertising your 2.2.2.56 subnet to both peers....

    What you have in that diagram would work, I am sure, as is... but I'm not sure how you will get to that 2.2.2.56/29 subnet should the primary fail... If the primary and backup are provided by the same provider then ignore that though; they will just do something within their network to have the route to 2.2.2.56/29 via the primary, unless they cannot reach your 1.1.1.24 interface. If that becomes the case, the route to 2.2.2.56/29 will be via the DSL link.

    You actually don't need the VLAN 5, I don't think. Just setting the address to be translated as you have done should be fine. Just change the gi0/0 interface to be the NAT outside interface.
     
    Last edited: Nov 29, 2011
    Certifications: CCENT, CCNA
    WIP: CCNP
  6. jonny7_2002

    jonny7_2002 Byte Poster

    Daniel (I presume that's your name :biggrin ), yes, the "backup" link is with the same ISP. The idea is that they are different technologies (the DSL and leased line), therefore it should be safe to have the same ISP...

    I believe they will do the routing as you suggested above. The reason for VLAN 5 will be for a web server, for example, at a later date if required, and I can route to the router remotely without having to worry about the entry point in a failover situation.

    I know this is not the best solution by any means, but it is a solution to this setup (I hope).

    I will try this out tomorrow and see how I get on. I will post back and let you know.

    Again, much appreciated!!! Sorry if I fried your mind a little this late at night! :)
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  7. danielno8

    danielno8 Gigabyte Poster

    Yep good guess :)

    Makes more sense if they are the same provider... how safe you will be though when they have a core network failure, I'm not so sure, but that's a problem for another day :)

    Test it out and see how it goes. I would probably suggest though the web server being placed on an internally addressed VLAN, and using static NAT from your public pool to the web server, rather than placing it on a public VLAN. Even with that set up though, I think the command:

    int vlan 5
    ip nat outside

    ..would be redundant since you have it on the gi0/0 interface.

    Good luck tomorrow, I'll probably be thinking about it in my sleep; usually happens when I go to bed after looking at stuff like this haha.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  8. jonny7_2002

    jonny7_2002 Byte Poster

    Indeed, a problem for another day for the salesman when he has to explain to the customer! :lol:

    Web server was just an example; it may be that they end up with an ASA or something which will make this all redundant, but it could be put on VLAN 5 for instance... just thinking of future expansion if needed.

    yEAH.... LATE NIGHT CONFIGS AND HOMEBREW...... I CANT EVEN GET MY CAPS LOCK TO WORK PROPERLY! :lol:


    Thanks buddy, I will let you know, and I can guarantee that I will have a dream or two about Cat 5 cables coming to get me with this router attached on the other end! :biggrin

    Cheers
    Jon
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  9. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    :clap LMAO classic 8)
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  10. jonny7_2002

    jonny7_2002 Byte Poster

    Thank you for the applause... :biggrin

    I have configured the router and it is being delivered to site as we speak! I am waiting for the phone call to test it and then I will let you know if it works! Once I am in the know I will post a config & diagram just to make it clear for anyone who is interested.

    Jon
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  11. craigie

    craigie Terabyte Poster

    Mate, I missed this post, but I have done various ASA firewalls with tracked routes out to different ISPs.

    Give me a shout if you have any issues.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  12. jonny7_2002

    jonny7_2002 Byte Poster

    Below is the FINAL config which worked a treat! Only problem is the base license does not have the firewall feature set... guess which license this 1941 has? :cry: So I will have to do it the old-fashioned way and have one interface with 2.2.2.53/30 and one interface with 2.2.2.56/29 which will have a firewall on the end!

    So frustrating when the config worked how I wanted it to!

    !
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname THE_1941_ROUTER
    !
    boot-start-marker
    boot-end-marker
    !
    !
    logging buffered 51200 warnings
    !
    no aaa new-model
    !
    no ipv6 cef
    !
    !
    !
    !
    !
    ip domain name JONNY7.local
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip cef
    multilink bundle-name authenticated
    !
    Crypto & license info removed
    !
    !
    username admin privilege 15 secret notverysecret
    !
    !
    !
    !
    !
    !
    interface Loopback5
    ip address 2.2.2.61 255.255.255.248
    !
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    !
    interface GigabitEthernet0/0
    description LEASED_LINE
    ip address 2.2.2.53 255.255.255.252
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    no cdp enable
    !
    interface GigabitEthernet0/1
    no ip address
    duplex auto
    speed auto
    !
    interface GigabitEthernet0/1.1
    encapsulation dot1Q 1 native
    ip address 192.168.0.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    !
    interface GigabitEthernet0/1.10
    encapsulation dot1Q 10
    ip address 192.168.10.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    !
    interface GigabitEthernet0/1.20
    encapsulation dot1Q 20
    ip address 192.168.20.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    !
    ip forward-protocol nd
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat pool WANIP 2.2.2.61 2.2.2.61 netmask 255.255.255.248
    ip nat pool VOICEWAN 2.2.2.59 2.2.2.59 netmask 255.255.255.248
    ip nat pool GUESTWAN 2.2.2.58 2.2.2.58 netmask 255.255.255.248
    ip nat inside source list GUEST pool GUESTWAN overload
    ip nat inside source list LAN pool WANIP overload
    ip nat inside source list VOICE pool VOICEWAN overload
    ip nat inside source static tcp 192.168.0.1 25 2.2.2.61 25 extendable
    ip nat inside source static tcp 192.168.0.1 443 2.2.2.61 443 extendable
    ip nat inside source static tcp 192.168.0.1 3389 2.2.2.61 3389 extendable
    ip route 0.0.0.0 0.0.0.0 2.2.2.54
    !
    ip access-list extended BLOCK_ALL
    Removed
    !
    access-list 23 permit ME
    access-list 23 permit MYOTHERSITE 0.0.0.3
    access-list 23 permit LAN 0.0.0.255
    !
    control-plane
    !
    !
    banner motd ^C
    ******************************************
    Unauthorized access prohibited
    ******************************************
    ^C
    !
    line con 0
    exec-timeout 0 0
    logging synchronous
    login local
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler allocate 20000 1000
    ntp server 130.88.200.4
    end
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
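A defender's read of the posted config, as an added example that is not from the thread or the author: a small audit script for the weak settings visible above (BLOCK_ALL defined but never applied inbound on GigabitEthernet0/0, TCP 3389 forwarded straight to a LAN host, telnet allowed on the vty lines, no exec-timeout on the console). The embedded config is a constructed excerpt modelled on the post, and the port list and finding wording are my own.

```python
import re
# Constructed excerpt modelled on the posted 1941 config (not the author's full config).
SAMPLE_CONFIG = """\
no service password-encryption
interface GigabitEthernet0/0
 ip address 2.2.2.53 255.255.255.252
 ip nat outside
ip http server
ip nat inside source static tcp 192.168.0.1 3389 2.2.2.61 3389 extendable
line con 0
 exec-timeout 0 0
line vty 0 4
 access-class 23 in
 transport input telnet ssh
"""
# TCP ports that should not be forwarded straight from the public pool to a LAN host.
RISKY_PORTS = {23: "telnet", 445: "smb", 3389: "rdp"}
STATIC_NAT = re.compile(r"^ip nat inside source static tcp \S+ \d+ (\S+) (\d+)")

def blocks(config):
    """Split an IOS config into (top-level command, indented sub-commands) pairs."""
    result = []
    for line in filter(str.strip, config.splitlines()):
        if line[0].isspace() and result:
            result[-1][1].append(line.strip())
        else:
            result.append((line.rstrip(), []))
    return result

def audit(config):
    """Return human-readable findings for the weak settings present in config."""
    findings = []
    for cmd, sub in blocks(config):
        if cmd == "no service password-encryption":
            findings.append("global: line passwords would be stored in cleartext")
        elif cmd == "ip http server":
            findings.append("global: cleartext HTTP management enabled")
        elif STATIC_NAT.match(cmd):
            public_ip, port = STATIC_NAT.match(cmd).groups()
            if int(port) in RISKY_PORTS:
                findings.append(f"nat: {RISKY_PORTS[int(port)]} ({port}) exposed on {public_ip}")
        elif cmd.startswith("interface") and "ip nat outside" in sub:
            if not any(s.startswith("ip access-group") and s.endswith(" in") for s in sub):
                findings.append(f"{cmd}: NAT outside interface has no inbound ACL")
        elif cmd.startswith("line"):
            if "exec-timeout 0 0" in sub:
                findings.append(f"{cmd}: idle sessions never time out")
            if any(s.startswith("transport input") and "telnet" in s for s in sub):
                findings.append(f"{cmd}: telnet management allowed")
    return findings
```

Running audit(SAMPLE_CONFIG) yields six findings; applying the BLOCK_ALL ACL inbound on the NAT outside interface and restricting the vty lines to `transport input ssh` clears two of them.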
  13. danielno8

    danielno8 Gigabyte Poster

    Good stuff... and yeah, I should have thought of that haha... had a similar issue when I wanted to build a VPN on our 2911 :) The joys of the Cisco IOS 15 licensing model!

    I'm off out now for our Christmas lunch with work, so will have several beers to celebrate for you!
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  14. craigie

    craigie Terabyte Poster

    You northern lads start early!
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
