Solved

Setup of Cisco 1721 T1 Router  LAN Interface

Posted on 2003-03-28
Last Modified: 2012-05-04
Hi All,

I'm relatively new at programming Cisco routers. I can stumble through it, but that doesn't seem to stop my boss from sending me to clients to program them.  I have no "official" training on it, just intuition and some limited experience.

Our current client has a 1721 (IOS v 12.2) with a T1 WIC.  They will have a Web server and VoIP unit as well that I need to pass certain ports through to.

The specs are as follows as provided by the ISP:

Serial IP Info

WAN Default Gateway     66.155.148.13
Customer serial IP      66.155.148.14
Mask                    255.255.255.252

Ethernet IP Info

Public LAN Network      66.155.166.216/29
Mask                    255.255.255.248
Usable Public IP's      66.155.166.217 - 66.155.166.222

The rest just has to do with name servers, etc. which I am familiar with adding.

My first question is, what is the proper setup for the LAN side of the router?  I can ping Internet addresses from the router command line so the serial interface is OK.  Am I correct in assuming that the Ethernet interface IP Address is going to be 66.155.166.216? (I then assume this will serve as the LAN client's gateway address for clients in the range of .217 to .222?)

Second, they will have a web server with only ports 80, 1080 open at 66.155.166.217
Third, they will have a VoIP unit that will need only ports 1720,1721 and 30000-30011 open at 66.155.166.218

How do I accomplish this?  With NAT?   I don't think it's that difficult but having not been exposed to it for too long, it's got me stumped.  I have some ideas but experimenting on their dime isn't an option!

Thanks in advance for ANY assistance!!

If anyone feels like giving me a sample config, all the better!

Rob
Question by:rccg94
LVL 79

Expert Comment

by:lrmoore
ID: 8225486
Need more information on the voice pieces.. using FXx ports on the router?

What are the security requirements? What feature sets available? FW/CBAC/IDS?

Does the router need to be a DHCP server for the LAN side?
0
 

Author Comment

by:rccg94
ID: 8225735
Thanks for the response:

The voice pieces are being handled by their Telcom guy.  He indicated that as long as he has a public IP available with the specified ports accessible he would do the rest on his end (so it is a totally separate piece of hardware, independent of the 1721).

The router does not need to serve IP addresses.

The 1721 only has IP feature pack, no extra feature set.

Security reqs are only that the two IPs mentioned above for the LAN hosts at .217 and .218 have only the ports mentioned available.  

This unit will not be used for their general Internet access and there will be no other hosts utilizing it other than the ones specified.

I hope that's enough info.

Thanks
0
 
LVL 5

Expert Comment

by:epylko
ID: 8225737
Your LAN address can't be .216 - that's the address of the subnet.  Like your ISP said, your usable addresses are 217-222.

If you're not using nat, an inbound access list on your serial interface will work.  Here's a sample access list:

access-list 101 permit tcp any host 66.155.166.217 eq 80
access-list 101 permit tcp any host 66.155.166.217 eq 1080
access-list 101 permit udp any host 66.155.166.218 range 1720 1721
access-list 101 permit udp any host 66.155.166.218 range 30000 30011

Of course, I don't know if your VoIP box is using TCP or UDP, but that should work (assuming, of course, that the ports don't change after connections are established).

This will also deny all other traffic back into your network.  If this is not what you want, something more elegant like the Firewall Feature Set should be used (like lrmoore suggested)

-Eric
0

Author Comment

by:rccg94
ID: 8246128
Eric-

Thanks for the input.  I realized my mistake on the first usable IP (.217 will be the E0 address, not .216) shortly after posting, but thanks for bringing it to my attention.  This will mean that the first two hosts will be .218 and .219.  I think I am pretty well set with the access list; the only remaining portion is the syntax for adding the access list to the serial interface.  Can you just expand on that for me? Should it look like this (just a partial config for serial0)?

Interface serial0
ip address 66.155.148.14 255.255.255.252
ip access-group 101 in
!
!
access-list 101 permit tcp any host 66.155.166.218 eq 80
access-list 101 permit tcp any host 66.155.166.218 eq 1080
access-list 101 permit udp any host 66.155.166.219 range 1720 1721
access-list 101 permit udp any host 66.155.166.219 range 30000 30011
!

Thanks again for your help.  If I can just confirm this last portion, I'll be all set.

Rob

 
0
 

 
LVL 5

Accepted Solution

by:
epylko earned 750 total points
ID: 8247826
Yes, that's correct.

-Eric
0
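Added example, not part of the original thread: a small Python model of how the ACL 101 confirmed above is evaluated when applied inbound on serial0 (first match wins, then the implicit deny), plus the /29 host arithmetic behind the .216 correction. It handles only the entry form used in the thread; the sample packets are constructed.

```python
import ipaddress

# ACL 101 as posted in the thread (the version applied inbound on serial0).
ACL_101 = """\
access-list 101 permit tcp any host 66.155.166.218 eq 80
access-list 101 permit tcp any host 66.155.166.218 eq 1080
access-list 101 permit udp any host 66.155.166.219 range 1720 1721
access-list 101 permit udp any host 66.155.166.219 range 30000 30011
"""

def parse_acl(text):
    """Parse '<action> <proto> any host <ip> eq|range <ports>' entries only."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 9 or tok[0] != "access-list":
            continue
        action, proto, src, dst_kw, dst, op = tok[2:8]
        if src != "any" or dst_kw != "host" or op not in ("eq", "range"):
            raise ValueError(f"unsupported ACL form: {line}")
        lo = int(tok[8])
        hi = int(tok[9]) if op == "range" else lo
        rules.append((action, proto, ipaddress.ip_address(dst), lo, hi))
    return rules

def evaluate(rules, proto, dst, dport):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    dst = ipaddress.ip_address(dst)
    for action, r_proto, r_dst, lo, hi in rules:
        if proto == r_proto and dst == r_dst and lo <= dport <= hi:
            return action
    return "deny"  # implicit 'deny ip any any' that ends every IOS ACL

def usable_hosts(cidr):
    """Host addresses of a subnet, excluding network and broadcast addresses."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]

RULES = parse_acl(ACL_101)

if __name__ == "__main__":
    samples = [  # constructed packets: (protocol, destination, destination port)
        ("tcp", "66.155.166.218", 80),     # web server, listed
        ("udp", "66.155.166.219", 30005),  # inside the VoIP range
        ("tcp", "66.155.166.219", 1720),   # TCP against a UDP-only entry
        ("udp", "66.155.166.218", 1024),   # reply to an ephemeral port
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, *pkt))
    print(usable_hosts("66.155.166.216/29"))
```

The last two samples show the two caveats raised in the thread: the VoIP entries match UDP only, and return traffic for connections started from inside is dropped by the implicit deny.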
 
LVL 79

Expert Comment

by:lrmoore
ID: 8442664
G'day, rccg94
It has been 34 days since you posted this question.
Do you still need help? Have you received enough information?
Can you close out this question?
Ways to close questions: http://www.apollois.com/EE/Help/Closing_Questions.htm
0
 

Author Comment

by:rccg94
ID: 8443902
Sorry so long on the points assignment.  Thanks to lrmoore for the reminder on closing the question.  Honestly, I thought I had!  Everything worked out well, so thanks again, Eric.

Rob
0
