Solved

Cisco 2620 needs to act as a bridge

Posted on 2004-08-10
Last Modified: 2007-12-19
I have a big dilemma, my fellow experts...

I have recently bought a new Symantec Security Gateway 5420.. Beautiful piece of hardware...
Here is my setup now:

T1 to Cisco 2620, static IP by Sprint.. FastEthernet is set up to use a private address 192.168.1.x and had my public IP on it as a secondary.. hmmm... anyways
Serial 0/0 has IP by Sprint
I have many IP addresses that I use NAT for on the Cisco.. well my new gateway is going to do this now, but anyways..
What I need to accomplish is to have my Cisco allow all my public IPs through it.

My gateway has 2 main NICs, one internal, one external... external needs to have a public IP..

Here's the dilemma: I get ahold of Cisco, and listen to this, this guy, after two hours on the phone with him, makes it so I have no internet and no telnet access for Cisco to get into remotely..

I'm screwed at the moment..
Points will only go up..
From what Symantec says, I need to get the Cisco to have my main public IP address as its FastE 0/0 and bridge it so I can have public IPs internally and finally set up a proper DMZ..


Help is much appreciated. I'll be near the PC so I'll try to respond to any ?'s quickly
Question by: nyck6623

22 Comments

Author Comment by nyck6623 (LVL 4), ID: 11768343
Oh yeah, we tried to bridge the router but I believe the problem is that the guy did not do anything with the serial port?
Expert Comment by Don Johnston (LVL 50), ID: 11768407
Not sure I understand what you're trying to accomplish.

Maybe a diagram?

-Don
Author Comment by nyck6623 (LVL 4), ID: 11768460
Internet comes in to my Cisco 2620 to my CSU/DSU port; the serial address is 144.232.x.x

I have many IP addresses I use, 204.96.176.x let's say... this was assigned to my FastE 0/0 port as a secondary

and my private IP for the LAN 192.168.1.1

This is where I'm having trouble... I bought the new firewall and the external interface on it needs to communicate to the internet through the router...

Symantec says I need to bridge the router so I can have my public addresses usable behind the Cisco..

So here it is

Internet ---->  144.232.x.x serial Cisco 2620 faste 204.96.176.x and 192.168.1.1  --->to LAN

I need this

Internet ---->  144.232.x.x serial Cisco 2620 faste 204.96.176.14  ------>  204.96.176.13 external on the firewall   > LAN 192.168.1.x
Author Comment by nyck6623 (LVL 4), ID: 11768475
You're a Cisco instructor, huh?

You gotta be much better than Cisco (OUTSOURCED SUPPORT)!!!

Thanks for any help

Nyck
Author Comment by nyck6623 (LVL 4), ID: 11768493
One more thing: all my clients will now use the firewall as their gateway.. the Cisco no longer deals with the LAN
Accepted Solution by Don Johnston (LVL 50, earned 300 total points), ID: 11768546
You could bridge (as was recommended) the two interfaces.

! Put the serial and Ethernet ports into one bridge group; on a 2620 the
! interfaces are Serial0/0 and FastEthernet0/0 (as in the sh run in this thread)
interface Serial0/0
 no ip address
 bridge-group 1
interface FastEthernet0/0
 no ip address
 bridge-group 1
bridge 1 protocol ieee

That would give you:

Internet----- serial 0[Cisco 2620] fastE0 --------- 144.232.x.x external [firewall]internal-----LAN

Is this what you're trying to do?

Don (not a Cisco employee) Johnston
Author Comment by nyck6623 (LVL 4), ID: 11768601
That is the idea, yes.. now the thing is I have 144.232.x.x on my serial port; do you know why I also had the 204.96.176.14 on my FastE 0?
I'm not exactly sure at the moment why both are needed.. the 144 address is my CSU/DSU line coming in and the 204 address is coming out..

So you think that is still needed though?

Also I have these addresses as well that need to be able to communicate through the router

204.96.176.8,9,10,11,12,13,15
and
63.10.153.160-191
Expert Comment by Don Johnston (LVL 50), ID: 11768688
It's not a router anymore. It's a bridge. :-)

No IP addresses are needed on the Cisco. If you need to manage either the 2620 or the CSU/DSU, then that complicates things... a lot. Unless you have some additional 144.232.x.x addresses to spare.

As for the other addresses, can they exist on the internal side of the firewall?

-Don
Assisted Solution by PennGwyn (LVL 11, earned 200 total points), ID: 11768723
Secondary addresses solve legacy problems THAT YOU DON'T HAVE.  Get rid of it.

Continue to use the 144.x.x.x address on the outside of the Cisco, and the private on the inside.  Assign a compatible private to the outside of the firewall.  Add a *route* on the Cisco, telling it that your 204.x.x.x block is reachable via the private address assigned to the firewall; leave the default pointing to the Internet for all other traffic.  Now you can assign your public addresses as you see fit inside the firewall.

Author Comment by nyck6623 (LVL 4), ID: 11768748
That was how me and Cisco set it up, sort of, Penn

We had IP routes set up allowing the public addresses to go through the private inside address, but this was very slow

since it was going through two subnets.. Symantec said the firewall is going to handle everything from NAT to routing....

Don

Can I bridge the network serial 144.   and faste 204.  and

Or can I just trash the 144. and use my 204. addresses since I have several
Author Comment by nyck6623 (LVL 4), ID: 11768753
Also Don

> If you need to manage either the 2620 or the CSU/DSU, then that complicates things... a lot

What do you mean by this?
Author Comment by nyck6623 (LVL 4), ID: 11768760
What would be the command config the bridge ip address

As for the other addresses, can they exist on the internal side of the firewall?
only through NAT in my cisco

Not needed any more Firewall will do this
Expert Comment by Don Johnston (LVL 50), ID: 11768768
Since bridges are layer 2 devices, they don't have IP addresses. There is a way around it... IRB (Integrated Routing and Bridging).

-Don
Expert Comment by Don Johnston (LVL 50), ID: 11768778
" What would be the command config the bridge ip address"

Huh?

"As for the other addresses, can they exist on the internal side of the firewall?
only through NAT in my cisco"

Not knowing the specifics of the firewall, but I would think so.

-Don
Author Comment by nyck6623 (LVL 4), ID: 11768802
I apologize for the grammar...

What would be the command to configure the bridged IP address on the Cisco 2620?

I was commenting on what you said <<<As for the other addresses, can they exist on the internal side of the firewall>>>>

I use IP NAT in the router linking my public 204 addresses to private 192.168.x.x addresses,...
The gateway will now handle all NAT
Expert Comment by Don Johnston (LVL 50), ID: 11768869
"What would be the command to configure the bridged ip address on the Cisco 2620"

bridge irb
! needed so that bridge-group 1 routes IP through the BVI instead of only bridging it
bridge 1 route ip
interface BVI1
 ip address 144.232.x.x 255.255.x.x

-Don

Author Comment by nyck6623 (LVL 4), ID: 11768883
Man, my spelling is horrible right now. Sorry..

So this will get me rolling, correct...

Once I bridge this I can allow my public IPs through the router?
Expert Comment by Don Johnston (LVL 50), ID: 11769071
You know, it just occurred to me what the serial link goes to... Or doesn't.

You don't have control over the other end of the serial link, correct?

If that's the case, then the scenario I've outlined won't work.

I'll think about this some more...

-Don
Expert Comment by PennGwyn (LVL 11), ID: 11774993
> We had ip routes set up allowing the public address to go through the private in side address but this was very slow
> since it was going through two subnets ..

So?  ONE router hop.  If it was unbearably slow, I'd look for a better explanation than "going through two subnets".  It's not like you have other devices on the segment between the router and firewall, right?

> can I  bridge the network serial 144.   and faste 204.  and

A bridge joins two collision domains within a single segment/subnet.  Different addressing means they're two subnets, and somebody needs to do some routing.

> Or can i just trash the 144. and use my 204. addresses since i have several

The 144 address is where your ISP is going to deliver 204 traffic to, assuming there's something there that will know how to route the traffic to its destination.  Trash it, and you get nada.

Author Comment by nyck6623 (LVL 4), ID: 11778452
Here is my sh run
This is a working configuration for internet without the firewall
I spent 4 hours with Cisco on the phone today.. exciting... talked to 4 different countries.. mate
They say I cannot bridge the router to do what I need

The serial is exactly how you say, Penn and Don.. it is done through subnetting and such on Sprint's end... my addresses come in 144/30..   and are resolved to 204/24 accordingly

I hope some of you guys can come up with a solution or an advisory on what I need to do to accomplish this through any other methods

Again, I need to allow my firewall's external address to communicate through my T1 via my router or any other method..


sl-magna2-1#sh run
Building configuration...

Current configuration : 3589 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sl-magna2-1
!
!
ip subnet-zero
!
!
ip name-server 204.117.214.10
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.11
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.115
ip dhcp excluded-address 192.168.1.150
ip dhcp excluded-address 192.168.1.1 192.168.1.25
ip dhcp excluded-address 192.168.1.150 192.168.1.255
!
ip dhcp pool cisco
   network 192.168.1.0 255.255.255.0
   dns-server 204.117.214.10 199.2.252.10
   default-router 192.168.1.1
   lease 3
!
!
!
!
interface FastEthernet0/0
 ip address 204.96.176.14 255.255.255.248 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 144.232.199.106 255.255.255.252
 ip nat outside
 no ip mroute-cache
 no fair-queue
!
ip nat inside source list 11 interface Serial0/0 overload
ip nat inside source static 192.168.1.208 63.170.153.170
ip nat inside source static 192.168.1.207 63.170.153.169
ip nat inside source static 192.168.1.206 63.170.153.168
ip nat inside source static 192.168.1.205 63.170.153.167
ip nat inside source static 192.168.1.204 63.170.153.166
ip nat inside source static 192.168.1.203 63.170.153.165
ip nat inside source static 192.168.1.202 63.170.153.164
ip nat inside source static 192.168.1.201 63.170.153.163
ip nat inside source static 192.168.1.200 63.170.153.162
ip nat inside source static 192.168.1.34 204.96.176.15
ip nat inside source static 192.168.1.101 204.96.176.8
ip nat inside source static 192.168.1.11 204.96.176.9
ip nat inside source static 192.168.1.13 204.96.176.10
ip nat inside source static 192.168.1.100 204.96.176.12
ip nat inside source static 192.168.1.18 204.96.176.11
ip nat inside source static 192.168.1.198 63.170.153.160
ip nat inside source static 192.168.1.199 63.170.153.161
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 63.170.153.0 255.255.255.248 204.96.176.13
ip route 192.168.1.0 255.255.255.248 204.96.176.13
ip route 204.96.176.0 255.255.255.248 204.96.176.13
ip http server
ip pim bidir-enable
!
logging 192.168.1.163
access-list 11 deny   192.168.1.105
access-list 11 deny   192.168.1.104
access-list 11 deny   192.168.1.101
access-list 11 deny   192.168.1.100
access-list 11 deny   192.168.1.75
access-list 11 deny   192.168.1.81
access-list 11 deny   192.168.1.34
access-list 11 deny   192.168.1.11
access-list 11 deny   192.168.1.13
access-list 11 deny   192.168.3.27
access-list 11 deny   192.168.1.201
access-list 11 deny   192.168.1.200
access-list 11 deny   192.168.1.203
access-list 11 deny   192.168.1.202
access-list 11 deny   192.168.1.205
access-list 11 deny   192.168.1.204
access-list 11 deny   192.168.1.207
access-list 11 deny   192.168.1.206
access-list 11 deny   192.168.1.208
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 11 permit 192.168.3.0 0.0.0.255
access-list 101 permit ip host 192.168.1.13 any
access-list 101 permit ip host 192.168.1.11 any
access-list 101 permit ip host 192.168.1.12 any
access-list 101 permit ip any host 192.168.1.1
access-list 101 permit ip any host 144.232.199.106
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq domain
access-list 101 permit ip any host 207.26.131.137
access-list 101 deny   tcp any any log
access-list 101 deny   udp any any log
access-list 101 deny   ip any any log
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 
!
no scheduler allocate
end

As you can see, no more bridging, and some routes have been added
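As an added illustration (not part of the thread), the following Python script does a longest-prefix-match lookup over the routing table in this sh run; the three statics pointing at the firewall at 204.96.176.13 are exactly the route-based design PennGwyn describes. The connected networks are assumed from the interface addresses rather than parsed, and the script also checks that every next-hop IP lands on a connected network and shows that the 192.168.1.0/29 static sends the first eight LAN addresses to the firewall rather than out FastEthernet0/0.

```python
import ipaddress

# Routing table reconstructed from the sh run above: the four static routes
# plus the connected networks IOS derives from the interface addresses
# (assumed here as listed, since this script does not parse interface config).
ROUTES = [
    ("0.0.0.0/0",          "Serial0/0"),        # ip route 0.0.0.0 0.0.0.0 Serial0/0
    ("63.170.153.0/29",    "204.96.176.13"),    # static via the firewall's address
    ("192.168.1.0/29",     "204.96.176.13"),
    ("204.96.176.0/29",    "204.96.176.13"),
    ("204.96.176.8/29",    "FastEthernet0/0"),  # connected (secondary .14/29)
    ("192.168.1.0/24",     "FastEthernet0/0"),  # connected (primary .1/24)
    ("144.232.199.104/30", "Serial0/0"),        # connected (serial .106/30)
]

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (prefix, next_hop) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None

def unresolved_next_hops(routes=ROUTES):
    """Prefixes whose next-hop IP does not land on a connected (interface) route.
    One level of recursion only; IOS itself resolves deeper through other statics."""
    bad = []
    for prefix, next_hop in routes:
        if is_ip(next_hop):
            hit = lookup(next_hop, routes)
            if hit is None or is_ip(hit[1]):
                bad.append(prefix)
    return bad

if __name__ == "__main__":
    for dst in ("204.96.176.5", "204.96.176.9", "192.168.1.5",
                "192.168.1.50", "63.170.153.165", "8.8.8.8"):
        print(f"{dst:16} -> {lookup(dst)}")
    print("unresolved next hops:", unresolved_next_hops())
```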
Author Comment by nyck6623 (LVL 4), ID: 12228646
Sorry, got it working with Cisco... bridged it and allowed my IPs through

Thanks for the help
Expert Comment by MVITECH (LVL 3), ID: 14492614
Could you please post your working config so others reading this post could learn.

I am in the same situation you were in.

Thanks