rccg94

Setup of Cisco 1721 T1 Router LAN Interface

Hi All,

I'm relatively new at programming Cisco routers. I can stumble through it, but that doesn't seem to stop my boss from sending me to clients to program them. I have no "official" training on it, just intuition and some limited experience.

Our current client has a 1721 (IOS v 12.2) with a T1 WIC. They will have a Web server and VoIP unit as well that I need to pass certain ports through to.

The specs are as follows as provided by the ISP:

Serial IP Info

WAN Default Gateway     66.155.148.13
Customer serial IP      66.155.148.14
Mask                    255.255.255.252

Ethernet IP Info

Public LAN Network      66.155.166.216/29
Mask                    255.255.255.248
Usable Public IP's      66.155.166.217 - 66.155.166.222

The rest just has to do with name servers, etc. which I am familiar with adding.

My first question is, what is the proper setup for the LAN side of the router?  I can ping Internet addresses from the router command line so the serial interface is OK.  Am I correct in assuming that the Ethernet interface IP Address is going to be 66.155.166.216? (I then assume this will serve as the LAN client's gateway address for clients in the range of .217 to .222?)

Second, they will have a web server with only ports 80, 1080 open at 66.155.166.217
Third, they will have a VoIP unit that will need only ports 1720,1721 and 30000-30011 open at 66.155.166.218

How do I accomplish this?  With NAT?   I don't think it's that difficult but having not been exposed to it for too long, it's got me stumped.  I have some ideas but experimenting on their dime isn't an option!

Thanks in advance for ANY assistance!!

If anyone feels like giving me a sample config, all the better!

Rob
Les Moore

Need more information on the voice pieces.. using FXx ports on the router?

What are the security requirements? What feature sets available? FW/CBAC/IDS?

Does the router need to be a DHCP server for the LAN side?
rccg94

ASKER

Thanks for the response:

The voice pieces are being handled by their telecom guy. He indicated that as long as he has a public IP available with the specified ports accessible he would do the rest on his end (so it is a totally separate piece of hardware, independent of the 1721).

The router does not need to serve IP addresses.

The 1721 only has IP feature pack, no extra feature set.

Security reqs are only that the two IPs mentioned above for the LAN hosts at .217 and .218 have only the ports mentioned available.  

This unit will not be used for their general Internet access and there will be no other hosts utilizing it other than the ones specified.

I hope that's enough info.

Thanks
Your LAN address can't be .216 - that's the address of the subnet.  Like your ISP said, your usable addresses are 217-222.

If you're not using NAT, an inbound access list on your serial interface will work. Here's a sample access list:

access-list 101 permit tcp any host 66.155.166.217 eq 80
access-list 101 permit tcp any host 66.155.166.217 eq 1080
access-list 101 permit udp any host 66.155.166.218 range 1720 1721
access-list 101 permit udp any host 66.155.166.218 range 30000 30011

Of course, I don't know if your VoIP box is using TCP or UDP but that should work (assuming of course that the ports don't change after connections are established).

This will also deny all other traffic back into your network. If this is not what you want, something more elegant like the Firewall Feature Set should be used (like lrmoore suggested).

-Eric
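
An added example (not part of the original thread): a small Python model of how the access list posted above is evaluated, top-down with the first match winning and an implicit deny at the end. The parser handles only the `any host <ip> eq|range` form used on this page, and the sample packets are constructed.

```python
import ipaddress

# access-list 101 exactly as posted in the answer above
ACL_101 = """\
access-list 101 permit tcp any host 66.155.166.217 eq 80
access-list 101 permit tcp any host 66.155.166.217 eq 1080
access-list 101 permit udp any host 66.155.166.218 range 1720 1721
access-list 101 permit udp any host 66.155.166.218 range 30000 30011
"""

def parse_acl(text):
    """Parse only the form used on this page:
    access-list N <action> <proto> any host <dst> eq P | range LO HI"""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        action, proto, src, kw, dst, op = tok[2:8]
        if src != "any" or kw != "host" or op not in ("eq", "range"):
            raise ValueError("unsupported entry: " + line)
        lo = int(tok[8])
        hi = int(tok[9]) if op == "range" else lo
        rules.append((action, proto, ipaddress.ip_address(dst), lo, hi))
    return rules

def evaluate(rules, proto, dst, dport):
    """Top-down, first match wins; no match hits the implicit deny."""
    dst = ipaddress.ip_address(dst)
    for number, (action, r_proto, r_dst, lo, hi) in enumerate(rules, 1):
        if proto == r_proto and dst == r_dst and lo <= dport <= hi:
            return action, number
    return "deny", None  # implicit "deny ip any any" ends every ACL

# Constructed sample packets arriving inbound on the serial interface
SAMPLES = [
    ("tcp", "66.155.166.217", 80),     # web server, allowed port
    ("tcp", "66.155.166.217", 443),    # web server, port not listed
    ("udp", "66.155.166.218", 30005),  # VoIP unit, inside the UDP range
    ("tcp", "66.155.166.218", 1720),   # same port over TCP: udp entry does not match
    ("udp", "66.155.166.217", 33000),  # reply to a LAN-initiated query: dropped
]

if __name__ == "__main__":
    lan = ipaddress.ip_network("66.155.166.216/29")
    print("network:", lan.network_address, "hosts:", [str(h) for h in lan.hosts()])
    rules = parse_acl(ACL_101)
    for proto, dst, dport in SAMPLES:
        print(proto, dst, dport, "->", evaluate(rules, proto, dst, dport))
```

The last two samples show the two caveats raised in the answer: a protocol mismatch on an otherwise listed port falls through to the implicit deny, and so does return traffic for anything the LAN hosts initiate.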

ASKER

Eric-

Thanks for the input. I realized my mistake on the first usable IP (.217 will be the E0 address, not .216) shortly after posting but thanks for bringing it to my attention. This will mean that the first two hosts will be .218 and .219. I think I am pretty well set with the access list, the only remaining portion is the syntax for adding the access list to the serial interface. Can you just expand on that for me? Should it look like this (just a partial config for serial0)?:

Interface serial0
ip address 66.155.148.14 255.255.255.252
ip access-group 101 in
!
!
access-list 101 permit tcp any host 66.155.166.218 eq 80
access-list 101 permit tcp any host 66.155.166.218 eq 1080
access-list 101 permit udp any host 66.155.166.219 range 1720 1721
access-list 101 permit udp any host 66.155.166.219 range 30000 30011
!

Thanks again for your help.  If I can just confirm this last portion, I'll be all set.

Rob

 
ASKER CERTIFIED SOLUTION
epylko
This solution is only available to members.
G'day, rccg94
It has been 34 days since you posted this question.
Do you still need help? Have you received enough information?
Can you close out this question?
Ways to close questions: http://www.apollois.com/EE/Help/Closing_Questions.htm

ASKER

Sorry so long on the points assignment.  Thanks to lrmoore for the reminder on closing the question.  Honestly, I thought I had!  Everything worked out well, so thanks again, Eric.

Rob