dgratton1085 (Canada) asked:
Router Config Cisco 1721 for two WAN, Firewall and VPN

Need a hand with a router config.

Have a Cisco 1721 router with 2 Ethernet WICs in it.

Need a config for Internet connection through both WICs connecting to standard Broadband (2 separate ISPs).
One has 1 Static IP, the other has 3 Static IPs.

I need a config to allow NAT/PAT from inside to outside.  Must use WIC1 for the main route and WIC2 as a failover if WIC1 is disconnected or fails.

The router has the firewall component and we would like to use it.  The only incoming traffic we have is SMTP mail and WWW web traffic.

The router also has the VPN component and we would like to use it for road-warrior clients using a VPN client.

Any help would be much appreciated.
Accepted solution by Les Moore (United States); the accepted post itself is members-only and is not reproduced on this page.
dgratton1085 (asker):
Skill Level:  This would be the first router I configured but I have a strong grasp on the concepts and should be able to work through this quickly.  Just too many things for the first time out!

Here are the IP ranges (not real for security sake)
ISP1 - 24.5.5.5, 24.5.5.6, 24.5.5.7/22
ISP2 - 208.4.4.2/30
LAN - 192.168.0.0/22

1.  NAT seems easy enough except for the idea of the pools.  Not sure what I am wanting to define here.
2.  Fail-over....whatever the idea is here....route with diff metric?  Multiple default-gateway?
3.  Want a best practices firewall solution in place.
4.  VPN needs to be setup.

Do not need the router to be a DHCP server.  I am familiar with command line.  The SDM is useful but doesn't seem to give me a) control over certain areas b) Failover??  c) VPN roadwarrior style...all seems to be site-to-site or other.

Darren

I will provide any info you need...would love to get this up and running.
Here's a basic config to get going with ISP1 only (just to start, don't panic)
Suggestion: Pick a more discrete LAN subnet. Do you really need 1000+ hosts on this LAN subnet? Don't try to "supernet" a class C network, rather "sub"net a Class B if you want more than 250 hosts on one single subnet. Think long and hard about this requirement. Personal opinion only here - if you have more clients than a single class C subnet will hold, then the 1700 is not the product you need to be using...
The reason for not using the most common subnets in use throughout the world (i.e 192.168.0.x, 192.168.1.x, 10.0.0.x, 10.10.10.x) is for future compatibility with VPN clients (one of your stated requirements). If you have a client with a broadband connection and their local LAN is 192.168.0.x, and your corporate LAN is also 192.168.0.x, then you have problems communicating with the client.
Having said all that, let's use this very basic config as an example:

!
Interface Ethernet 0   <== first WIC1E
  description ISP1
  ip address 24.5.5.5 255.255.252.0
  ip nat outside
  no shut  <== you must always do this to enable the interface first time around only...
!
Interface Ethernet 1   <== 2nd WIC1E
  description ISP2
  ip address 208.4.4.2 255.255.255.252
  ip nat outside
  no shut
!
Interface FastEthernet 0
  description Local LAN
  ip address 192.168.233.1 255.255.255.0
  ip nat inside
  no shut
!
ip route 0.0.0.0 0.0.0.0 24.5.5.1  
ip route 0.0.0.0 0.0.0.0 208.4.4.1 100  <== higher cost "100" will only take this route if Interface Eth0 is down
!
ip nat inside source route-map ROUTE-NAT interface Ethernet0 overload
ip nat inside source route-map ROUTE-NAT interface Ethernet1 overload <== alternate if ISP1 is down
ip nat inside source static 192.168.233.12 24.5.5.6   <== email server
  alternative using just port redirect:
   ip nat inside source static tcp 192.168.233.12 25 24.5.5.6 25
ip nat inside source static 192.168.233.14 24.5.5.7   <== WWW server
 alternative using just port redirect:
   ip nat inside source static tcp 192.168.233.14 80 24.5.5.6 80
ip nat inside source static tcp 192.168.233.12 25 208.4.4.2 25  <== alternate IP for email if ISP1 is down (will explain MX DNS if you need it)
!
route-map ROUTE-NAT permit 10
  match ip address 110
!
access-list 110 deny ip 192.168.233.0 0.0.0.255 192.168.123.0 0.0.0.255  <== this will be for the road-warrior vpn later
access-list 110 permit ip 192.168.233.0 0.0.0.255 any

!
end

This config should get you going with inside users being able to access the Internet.
Confirm that, and we can go the the next step.

All further config entries will simply be added to this starting point.
Next steps will be to layer on:
1. Firewall feature set with inbound rules so that email and www access is permitted.
2. VPN for road-warriors
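The two default routes above are the whole failover mechanism: the floating static route via 208.4.4.1 carries administrative distance 100, so IOS only installs it once the route via 24.5.5.1 is withdrawn, which happens when its next hop is no longer reachable through a connected, up interface. The following Python script is an added example, not code from the thread or from Cisco; it models that selection rule over the interface addresses and routes posted above (all placeholder addresses from the thread; the sample destination 203.0.113.10 and the interface-state toggling are my own assumptions) so you can see which gateway is used as each Ethernet interface goes down.

```python
"""Added example (not from the thread): which of the two 'ip route 0.0.0.0
0.0.0.0 ...' lines IOS uses as Ethernet0 / Ethernet1 change state.

Assumptions (mine, not the thread's): a static route is usable only while
its next hop lies in a connected subnet of an interface that is up (the
recursive next-hop lookup), and among usable routes to the same prefix the
lowest administrative distance wins (a plain static route has AD 1).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    address: str        # "24.5.5.5/22" style
    up: bool = True


@dataclass(frozen=True)
class StaticRoute:
    prefix: str         # "0.0.0.0/0"
    next_hop: str
    distance: int = 1   # IOS default for a static route


# Interfaces and routes as posted in the thread (placeholder ISP addresses).
INTERFACES = [
    Interface("Ethernet0", "24.5.5.5/22"),
    Interface("Ethernet1", "208.4.4.2/30"),
    Interface("FastEthernet0", "192.168.233.1/24"),
]
ROUTES = [
    StaticRoute("0.0.0.0/0", "24.5.5.1"),        # primary, AD 1
    StaticRoute("0.0.0.0/0", "208.4.4.1", 100),  # floating static, AD 100
]


def exit_interface(next_hop, interfaces):
    """Recursive lookup: the up interface whose connected subnet holds next_hop."""
    hop = ipaddress.ip_address(next_hop)
    for intf in interfaces:
        if intf.up and hop in ipaddress.ip_interface(intf.address).network:
            return intf
    return None


def active_route(destination, routes, interfaces):
    """Return (route, interface) used for destination, or None if nothing is usable.
    Longest prefix match first; ties broken by lowest administrative distance."""
    dst = ipaddress.ip_address(destination)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if dst not in net:
            continue
        intf = exit_interface(r.next_hop, interfaces)
        if intf is None:
            continue                      # next hop unreachable: route withdrawn
        key = (net.prefixlen, -r.distance)
        if best is None or key > best[0]:
            best = (key, r, intf)
    return None if best is None else (best[1], best[2])


def with_interface_state(interfaces, name, up):
    """Copy of the interface list with one interface forced up or down."""
    return [Interface(i.name, i.address, up) if i.name == name else i
            for i in interfaces]


def default_gateway(interfaces):
    """Next hop for Internet-bound traffic, or None when neither ISP route is usable."""
    choice = active_route("203.0.113.10", ROUTES, interfaces)  # any non-local address
    return None if choice is None else choice[0].next_hop


if __name__ == "__main__":
    print("both up       :", default_gateway(INTERFACES))
    eth0_down = with_interface_state(INTERFACES, "Ethernet0", False)
    print("Ethernet0 down:", default_gateway(eth0_down))
    both_down = with_interface_state(eth0_down, "Ethernet1", False)
    print("both down     :", default_gateway(both_down))
```

The caveat this makes visible: the primary route is withdrawn only when Ethernet0 itself goes down. If the cable to the ISP1 modem stays up while the ISP fails further upstream, the route via 24.5.5.1 stays in the table and nothing fails over; on IOS the usual remedy is to tie the static route to an object tracked by IP SLA (an `ip sla` probe plus `track`, referenced with the `track` keyword on the `ip route` line).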
I would love to confirm that... but it will have to be after work hours.  Production network.

Anyway we can continue with some of the ideas??

I have made some changes to the config.  Please check!  Just changed some of the orders.  Also wanted to know where 192.168.233.12 and 192.168.233.14 come into play.  Are these reserved IPs in our subnet that you are using for NAT?  Please note that the internal IP scheme is 192.168.0.0 255.255.252.0.  We have other routes on the inside.  I will put them in the config so you can see.


!
Interface Ethernet 0   <== first WIC1E
  description ISP1
  ip address 24.5.5.5 255.255.252.0
  ip nat outside
  no shut  <== you must always do this to enable the interface first time around only...
!
Interface Ethernet 1   <== 2nd WIC1E
  description ISP2
  ip address 208.4.4.2 255.255.255.252
  ip nat outside
  no shut
!
Interface FastEthernet 0
  description Local LAN
  ip address 192.168.3.1 255.255.252.0
  ip nat inside
  no shut
!
ip route 192.168.60.0 255.255.255.0 192.168.0.2
ip route 192.168.61.0 255.255.255.0 192.168.0.2
ip route 192.168.62.0 255.255.255.0 192.168.0.2
ip route 192.168.63.0 255.255.255.0 192.168.0.2
ip route 192.168.64.0 255.255.255.0 192.168.0.2
ip route 192.168.65.0 255.255.255.0 192.168.0.2
ip route 192.168.66.0 255.255.255.0 192.168.0.2
ip route 192.168.67.0 255.255.255.0 192.168.0.2
ip route 192.168.68.0 255.255.255.0 192.168.0.2
ip route 192.168.69.0 255.255.255.0 192.168.0.2
ip route 192.168.70.0 255.255.255.0 192.168.0.2
ip route 192.168.71.0 255.255.255.0 192.168.0.2
ip route 0.0.0.0 0.0.0.0 208.4.4.1
ip route 0.0.0.0 0.0.0.0 24.5.5.1  100 <== higher cost "100" will only take this route if Interface Eth1 is down
!
ip nat inside source route-map ROUTE-NAT interface Ethernet1 overload
ip nat inside source route-map ROUTE-NAT interface Ethernet0 overload <== alternate if ISP2 is down
ip nat inside source static 192.168.233.12 24.5.5.6   <== email server
  alternative using just port redirect:
   ip nat inside source static tcp 192.168.233.12 25 24.5.5.6 25
ip nat inside source static 192.168.233.14 24.5.5.7   <== WWW server
 alternative using just port redirect:
   ip nat inside source static tcp 192.168.233.14 80 24.5.5.6 80
ip nat inside source static tcp 192.168.233.12 25 208.4.4.2 25  <== alternate IP for email if ISP1 is down (will explain MX DNS if you need it)
!
route-map ROUTE-NAT permit 10
  match ip address 110
!
access-list 110 deny ip 192.168.233.0 0.0.0.255 192.168.123.0 0.0.0.255  <== this will be for the road-warrior vpn later
access-list 110 permit ip 192.168.233.0 0.0.0.255 any

!
end
What kind of router is 192.168.0.2 ? Why not use a dynamic routing protocol like RIPv2, or OSPF instead of multiple static routes?

>192.168.233.12 and 192.168.233.14
These are representative IP addresses for the EMAIL server and WWW server. Replace with the appropriate IPs.
Be sure to edit out my comments that are denoted by "<=="

See if this makes more sense..

GIVEN for illustration purposes only:
Email server = 192.168.1.100
WWW server = 192.168.1.101

VPN for roadwarriors included:
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpngroup
key cisco123
!<== change these DNS/WINS IP's to fit your network:
dns 192.168.2.100
wins 192.168.2.200
!
domain yourdomain.com
pool ippool
!
ip local pool ippool 192.168.123.100 192.168.123.200
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
ip subnet-zero
!
Interface Ethernet 0
  description ISP1
  ip address 24.5.5.5 255.255.252.0
  ip nat outside
  crypto map clientmap
  no shut  
!
Interface Ethernet 1  
  description ISP2
  ip address 208.4.4.2 255.255.255.252
  ip nat outside
  crypto map clientmap
  no shut
!
Interface FastEthernet 0
  description Local LAN
  ip address 192.168.3.1 255.255.252.0
  ip nat inside
  no shut
!
ip classless
!
ip route 192.168.60.0 255.255.255.0 192.168.0.2
ip route 192.168.61.0 255.255.255.0 192.168.0.2
ip route 192.168.62.0 255.255.255.0 192.168.0.2
ip route 192.168.63.0 255.255.255.0 192.168.0.2
ip route 192.168.64.0 255.255.255.0 192.168.0.2
ip route 192.168.65.0 255.255.255.0 192.168.0.2
ip route 192.168.66.0 255.255.255.0 192.168.0.2
ip route 192.168.67.0 255.255.255.0 192.168.0.2
ip route 192.168.68.0 255.255.255.0 192.168.0.2
ip route 192.168.69.0 255.255.255.0 192.168.0.2
ip route 192.168.70.0 255.255.255.0 192.168.0.2
ip route 192.168.71.0 255.255.255.0 192.168.0.2
!
ip route 0.0.0.0 0.0.0.0 24.5.5.1  
ip route 0.0.0.0 0.0.0.0 208.4.4.1 100
!
ip nat inside source route-map ROUTE-NAT interface Ethernet1 overload
ip nat inside source route-map ROUTE-NAT interface Ethernet0 overload
  ip nat inside source static tcp 192.168.1.100 25 24.5.5.6 25
  ip nat inside source static tcp 192.168.1.101 80 24.5.5.6 80

!
route-map ROUTE-NAT permit 10
  match ip address 110
!
! <== exempt traffic from your local IP subnet to the road warrior ip pool
access-list 110 deny ip 192.168.0.0 0.0.3.255 192.168.123.0 0.0.0.255
! <== allow all other traffic to use NAT
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
!
end
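The two access-list 110 lines decide which inside traffic is translated: the deny exempts the head-office /22 when it talks to the road-warrior pool 192.168.123.0/24 (that traffic must enter the tunnel with its real addresses), and the permit translates everything else sourced from 192.168.0.0/16. The script below is an added example, not code from the thread, that evaluates those two lines with Cisco wildcard-mask semantics over a few constructed flows; the flow addresses and the "first match wins, implicit deny at the end" evaluation order are my assumptions about how the route-map ACL is applied.

```python
"""Added example (not from the thread): evaluate the NAT route-map ACL 110
from the posted config with Cisco wildcard-mask semantics.

Assumptions (mine): the ACL lines are copied from the posted config; the
sample flows are constructed; first match wins with an implicit deny at the
end, and for 'ip nat inside source route-map' a permit means translate while
a deny or no match leaves the packet untranslated.
"""
import ipaddress

# Constructed input: the two ACL lines exactly as posted in the thread.
ACL_110 = """
access-list 110 deny ip 192.168.0.0 0.0.3.255 192.168.123.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
"""


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_address(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD); return (base, wildcard, consumed)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tokens[0] == "host":
        return _to_int(tokens[1]), 0, 2
    return _to_int(tokens[0]), _to_int(tokens[1]), 2


def parse_acl(text):
    """Parse extended 'access-list N permit|deny ip SRC DST' lines into entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError("unsupported line: " + line)
        action = t[2]
        src_base, src_wc, n = parse_address(t[4:])
        dst_base, dst_wc, _ = parse_address(t[4 + n:])
        entries.append((action, src_base, src_wc, dst_base, dst_wc))
    return entries


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 0 bit must match, a 1 bit is 'don't care'."""
    return (addr & ~wildcard & 0xFFFFFFFF) == (base & ~wildcard & 0xFFFFFFFF)


def nat_decision(src, dst, entries):
    """'translate' on permit, 'exempt' on an explicit deny, 'no-match' on the implicit deny."""
    s, d = _to_int(src), _to_int(dst)
    for action, sb, sw, db, dw in entries:
        if wildcard_match(s, sb, sw) and wildcard_match(d, db, dw):
            return "translate" if action == "permit" else "exempt"
    return "no-match"


ENTRIES = parse_acl(ACL_110)

# Constructed sample flows: head-office LAN, a branch subnet reached via
# 192.168.0.2, and the road-warrior pool 192.168.123.0/24 as a destination.
SAMPLE_FLOWS = [
    ("192.168.1.50", "203.0.113.10"),     # LAN host to the Internet
    ("192.168.1.50", "192.168.123.150"),  # LAN host to a VPN client
    ("192.168.60.5", "192.168.123.150"),  # branch host to a VPN client
    ("10.9.8.7", "203.0.113.10"),         # not an inside subnet at all
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src:>15} -> {dst:<15} {nat_decision(src, dst, ENTRIES)}")
```

The third flow is the one worth noticing: the exemption only covers sources in 192.168.0.0/22, so a host on one of the branch subnets (192.168.60.0 to 192.168.71.0, routed via 192.168.0.2) talking to a VPN client falls through to the permit and is translated, which breaks that path. If branch offices need to reach road warriors through this router, the deny line's source wildcard has to cover those subnets as well.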

router 192.168.0.2 is part of a managed infrastructure to provide VPN service across leased lines to other branch offices. We can't touch it. If we can still use RIP or OSPF fine, but I don't think we can.  The only LAN IPs we use at the main office are from 192.168.0.X --> 192.168.3.X; this router will actually have a 192.168.3.1 inside address.  You can tell the other IPs we use by the routes to the branch offices.

Can you explain a little about the VPN setup/entries in the config.  I will be using the safenet softremote client to connect to this device.

Basically I understand most of what you have placed in the config.  I just want to make sure I know what is going on so I can support this after.

Cheers,

darren
>I will be using the safenet softremote client to connect to this device.
You might want to re-think that. The Cisco IPSEC VPN client is free and works better.
I can't guarantee that it works with the Safenet client.

Here's the reference doc that explains everything for the VPN:
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml

Are there any firewall effects in this config?  Usually I look for INSPECT functions.
Not yet. We have not yet layered on the firewall with the INSPECT...
I'd like some confirmation that what we have so far works. The more complex you make the initial config, the more difficult it is to troubleshoot later.

Here's a basic firewall config that can simply be added to the config above:

!
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall ftp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall smtp
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tftp
ip inspect name firewall vdolive
ip audit notify log
ip audit po max-events 100
!
Interface Ethernet 0
  ip access-group 100 in
  ip inspect firewall out
!
Interface Ethernet 1
  ip access-group 100 in
  ip inspect firewall out
!
Interface FastEthernet 0
  ip access-group 102 in
!
access-list 100 permit tcp any host 24.5.5.6 eq 25
access-list 100 permit tcp any host 24.5.5.6 eq 80
access-list 102 permit ip any any
!
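Once access-list 100 is applied inbound on both outside interfaces, only the two permitted services get in and CBAC opens return holes for outbound sessions. Two things are worth checking against the earlier posts: that every service published by an `ip nat inside source static` line has a matching permit (and that no permit dangles without a mapping), and that the same interfaces also carry `crypto map clientmap`, so the ACL must admit the road-warrior clients' unencrypted IKE (udp/500) and ESP packets or the VPN never negotiates. The script below is an added example, not code from the thread; the config fragment is pieced together from the thread's final NAT and firewall posts, and the audit rules are my own.

```python
"""Added example (not from the thread): cross-check the posted firewall ACL
against the services the NAT statics publish and against what the crypto map
on the same interfaces needs to let in.

Assumptions (mine): an interface with 'ip access-group <acl> in' that also
carries 'crypto map' needs that ACL to permit udp/500 (isakmp) and ESP for
the router's own address; the config text is assembled from the thread's
posts and uses its placeholder addresses.
"""
import re

# Constructed input: the relevant lines from the thread's final NAT and firewall posts.
CONFIG = """
interface Ethernet0
 ip access-group 100 in
 crypto map clientmap
interface Ethernet1
 ip access-group 100 in
 crypto map clientmap
ip nat inside source static tcp 192.168.1.100 25 24.5.5.6 25
ip nat inside source static tcp 192.168.1.101 80 24.5.5.6 80
access-list 100 permit tcp any host 24.5.5.6 eq 25
access-list 100 permit tcp any host 24.5.5.6 eq 80
"""

STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", re.I)
PERMIT_RE = re.compile(r"^access-list (\d+) permit (tcp|udp) any host (\S+) eq (\d+)", re.I)
IFACE_RE = re.compile(r"^interface (\S+)", re.I)


def published_services(config):
    """{(proto, outside_ip, outside_port): 'inside_ip:port'} from static PAT lines."""
    out = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, inside, iport, outside, oport = m.groups()
            out[(proto.lower(), outside, int(oport))] = f"{inside}:{iport}"
    return out


def acl_permits(config, acl):
    """Set of (proto, ip, port) admitted by 'access-list <acl> permit <proto> any host <ip> eq <port>'."""
    perms = set()
    for line in config.splitlines():
        m = PERMIT_RE.match(line.strip())
        if m and m.group(1) == acl:
            perms.add((m.group(2).lower(), m.group(3), int(m.group(4))))
    return perms


def interfaces_with(config, *needles):
    """Names of interfaces whose stanza contains every needle string."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # a non-indented line ends the stanza
    return [name for name, lines in stanzas.items()
            if all(any(nd in ln for ln in lines) for nd in needles)]


def audit(config, acl="100"):
    """Report NAT/ACL mismatches and VPN-fronting interfaces whose ACL lacks IKE/ESP permits."""
    services = published_services(config)
    permits = acl_permits(config, acl)
    has_isakmp = re.search(rf"^access-list {acl} permit udp .* eq (500|isakmp)\b",
                           config, re.M | re.I) is not None
    has_esp = re.search(rf"^access-list {acl} permit esp ", config, re.M | re.I) is not None
    vpn_ifaces = interfaces_with(config, f"ip access-group {acl} in", "crypto map")
    return {
        "mapped_not_permitted": sorted(k for k in services if k not in permits),
        "permitted_not_mapped": sorted(p for p in permits if p not in services),
        "vpn_interfaces_lacking_ike_esp": vpn_ifaces if not (has_isakmp and has_esp) else [],
    }


if __name__ == "__main__":
    for key, value in audit(CONFIG).items():
        print(f"{key}: {value}")
```

Run against the posted lines, the first two lists come back empty while the third names both Ethernet interfaces, which is the gap to close before testing the VPN: add `permit udp any host <outside-ip> eq isakmp` and `permit esp any host <outside-ip>` for each outside address to access-list 100 (and `eq non500-isakmp`, udp/4500, if clients sit behind their own NAT and use NAT traversal). The check is deliberately narrow; it recognises only the `any host X eq N` permit form used in the thread.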