[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 619
  • Last Modified:

Cisco 2620 needs to act as a bridge

I have a big dilemna my fellow experts...

I have recently bought a new Symantec Security Gateway 5420.. Beautiful peice of hardware...  
here is my setup now

T1 to Cisco 2620  static IP by sprint..  FastEthernet is setup to use a private address 192.168.1.x and had my public IP on it as a secondary.. hmmm... anyways
Serial 0/0 has IP by Sprint
I have many IP address that i use NAT setup on the cisco.. well my new gateway is going to do this now but anyways..
what i need to accomplish is have my  cisco all my public IP's through it.

My gateway has 2 main NIC's one internal one external...  external needs to have a public IP ..

Heres the dilemna i get ahold of Cisco   listen to this this guy after two hours on the phone with him makes it so i have no internet and no telnet access for Cisco to get into remotely..

im screwed at the moment..
points will only go up..
From what symantec says is i need to get the Cisco to have my main public IP address as its FastE 0/0 and bride it so i can have public IP's internally and finally setup a proper DMZ..


Help is much appreciated ill be near the PC so ill try to respond to any ?'s quickily
0
nyck6623
Asked:
nyck6623
  • 12
  • 7
  • 2
  • +1
2 Solutions
 
nyck6623Author Commented:
O ya we tried to bridge the router but i believe the problem is that the guy did not do anything with the serial port?
0
 
Don JohnstonInstructorCommented:
Not sure I understand what you're trying to accomplish.

Maybe a diagram?

-Don
0
 
nyck6623Author Commented:
Internet comes in to my Cisco 2620 to my CSU/DSU port serial address is 144.232.x.x  

i have many IP addresses i use 204.96.176.x lets say ...  this was assigned to my FastE 0/0 port as a secondary

and my private IP for the lan 192.168.1.1  

this is where im having trouble... i bought the new firewall and the External interface on it needs to communicate to the interent through the router ...

Symantec says i  need to bridge the router so i can have my public addresses useable behind the Cisco..

So here it is

Internet ---->  144.232.x.x serial Cisco 2620 faste 204.96.176.x and 192.168.1.1  --->to LAN

i need this

Internet ---->  144.232.x.x serial Cisco 2620 faste 204.96.176.14  ------>  204.96.176.13 external on the firewall   > LAN 192.168.1.x
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
nyck6623Author Commented:
your a Cisco instructor huh?

You gotta be much better than Cisco (OutSOURCED SUPPORT)!!!

Thanks for any help

Nyck
0
 
nyck6623Author Commented:
one more thing all my clients will now use the Firewall as its gateway now.. the cisco no longer deals with the LAN
0
 
Don JohnstonInstructorCommented:
You could bridge (as was recommended) the two interfaces.

int s0
 no ip address
 bridge-group 1
int f0
 no ip address
 bridge-group 1
bridge 1 protocol ieee

That would give you:

Internet----- serial 0[Cisco 2620] fastE0 --------- 144.232.x.x external [firewall]internal-----LAN

Is this what you're trying to do?

Don (not a Cisco employee) Johnston
0
 
nyck6623Author Commented:
that is the idea yes .. now the thing is i have 144.232.x.x on my serial port do you know why i also had the 204.96.176.14 on my faste 0
im not exactly sure at the moment why both are needed.. the 144 address is my CSU DSU line coming in and the 204 address is coming out ..

so you think that is still needed though?

also i have these address as well that need to be able to communicate through the router

204.96.176.8,9,10,11,12,13,15
and
63.10.153.160-191
0
 
Don JohnstonInstructorCommented:
It's not a router anymore. It's a bridge. :-)

No IP addresses are needed on the Cisco. If you need to manage either the 2620 or the CSU/DSU, then that complicates things... a lot. Unless you have some additional 144.232.x.x addresses to spare.

As for the other addresses, can they exist on the internal side of the firewall?

-Don
0
 
PennGwynCommented:
Secondary addresses solve legacy problems THAT YOU DON'T HAVE.  Get rid of it.

Continue to use the 144.x.x.x address on the outside of the Cisco, and the private on the inside.  Assign a compatible private to the outside of the firewall.  Add a *route* on the Cisco, telling it that your 204.x.x.x block is reachable via the private address assigned to the firewall; leave the default pointing to the Internet for all other traffic.  Now you can assign your public addresses as you see fit inside the firewall.

0
 
nyck6623Author Commented:
that was how me and cisco set it up sort of Penn

We had ip routes set up allowing the public address to go through the private in side address but this was very slow

since it was going through two subnets .. Symantec said the firewall is going to handle everything from NAT to routing....

Don
 
can I  bridge the network serial 144.   and faste 204.  and

Or can i just trash the 144. and use my 204. addresses since i have several
0
 
nyck6623Author Commented:
also Don

If you need to manage either the 2620 or the CSU/DSU, then that complicates things... a lot

What do you mean by this
0
 
nyck6623Author Commented:
What would be the command config the bridge ip address

As for the other addresses, can they exist on the internal side of the firewall?
only through NAT in my cisco

Not needed any more Firewall will do this
0
 
Don JohnstonInstructorCommented:
Since bridges are layer 2 devices, they don't have IP addresses. There is a way around it... IRB (Integrated Routing and Bridging).

-Don
0
 
Don JohnstonInstructorCommented:
" What would be the command config the bridge ip address"

Huh?

"As for the other addresses, can they exist on the internal side of the firewall?
only through NAT in my cisco"

Not knowing the specifics of the firewall, but I would think so.

-Don
0
 
nyck6623Author Commented:
i apologize for the grammar...

What would be the command to configure the bridged ip address on the Cisco 2620

I was commenting on what you said <<<As for the other addresses, can they exist on the internal side of the firewall>>>>

I use IP Nat in the router linking my public 204 addresses to private 192.168.x.x addresses,...
The date way will now handle all NAT
0
 
Don JohnstonInstructorCommented:
"What would be the command to configure the bridged ip address on the Cisco 2620"

bridge irb
interface BVI1
 ip address 144.232.x.x 255.255.x.x

-Don

0
 
nyck6623Author Commented:
man my spelling is horrible right now. sorry..

So this will get me rolling correct...

Once i bridge this i can allow my public ip's through the router?
0
 
Don JohnstonInstructorCommented:
You know, it just ocurred to me what the serial link goes to... Or doesn't.

You don't have control over the other end of the serial link, correct?

If that's the case, then the scenario I've outlined won't work.

I'll think about this some more...

-Don
0
 
PennGwynCommented:
> We had ip routes set up allowing the public address to go through the private in side address but this was very slow
> since it was going through two subnets ..

So?  ONE router hop.  If it was unbearably slow, I'd look for a better explanation than "going through two subnets".  It's not like you have other devices on the segment between the router and firewall, right?

> can I  bridge the network serial 144.   and faste 204.  and

A bridge joins two collision domains within a single segment/subnet.  Different addressing means they're two subnets, and somebody needs to do some routing.

> Or can i just trash the 144. and use my 204. addresses since i have several

The 144 address is where your ISP is going to deliver 204 traffic to, assuming there's something there that will know how to route the traffic to its destination.  Trash it, and you get nada.

0
 
nyck6623Author Commented:
Here is my sh run
This is a working configuration for internet without the firewall
i spent 4 hours with cisco on the phone today .. exciting ... talked to 4 different countries.. mate
They say i cannot bridge the router to do what i need

The serial is exactly how you say Penn and don.. it is done through subnetting and such on sprints end... my addresses come in 144/30..   and are resolved to 204 /24 accordingly

i hope some of you guys can come up with a solution or an advisory on what i need to to do accomplish this through any other methods

Again i need to allow my firewalls external address to communicate through my T1 via my router or any other method..


sl-magna2-1#sh run
Building configuration...

Current configuration : 3589 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sl-magna2-1
!
!
ip subnet-zero
!
!
ip name-server 204.117.214.10
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.11
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.115
ip dhcp excluded-address 192.168.1.150
ip dhcp excluded-address 192.168.1.1 192.168.1.25
ip dhcp excluded-address 192.168.1.150 192.168.1.255
!
ip dhcp pool cisco
   network 192.168.1.0 255.255.255.0
   dns-server 204.117.214.10 199.2.252.10
   default-router 192.168.1.1
   lease 3
!
!
!
!
interface FastEthernet0/0
 ip address 204.96.176.14 255.255.255.248 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 144.232.199.106 255.255.255.252
 ip nat outside
 no ip mroute-cache
 no fair-queue
!
ip nat inside source list 11 interface Serial0/0 overload
ip nat inside source static 192.168.1.208 63.170.153.170
ip nat inside source static 192.168.1.207 63.170.153.169
ip nat inside source static 192.168.1.206 63.170.153.168
ip nat inside source static 192.168.1.205 63.170.153.167
ip nat inside source static 192.168.1.204 63.170.153.166
ip nat inside source static 192.168.1.203 63.170.153.165
ip nat inside source static 192.168.1.202 63.170.153.164
ip nat inside source static 192.168.1.201 63.170.153.163
ip nat inside source static 192.168.1.200 63.170.153.162
ip nat inside source static 192.168.1.34 204.96.176.15
ip nat inside source static 192.168.1.101 204.96.176.8
ip nat inside source static 192.168.1.11 204.96.176.9
ip nat inside source static 192.168.1.13 204.96.176.10
ip nat inside source static 192.168.1.100 204.96.176.12
ip nat inside source static 192.168.1.18 204.96.176.11
ip nat inside source static 192.168.1.198 63.170.153.160
ip nat inside source static 192.168.1.199 63.170.153.161
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 63.170.153.0 255.255.255.248 204.96.176.13
ip route 192.168.1.0 255.255.255.248 204.96.176.13
ip route 204.96.176.0 255.255.255.248 204.96.176.13
ip http server
ip pim bidir-enable
!
logging 192.168.1.163
access-list 11 deny   192.168.1.105
access-list 11 deny   192.168.1.104
access-list 11 deny   192.168.1.101
access-list 11 deny   192.168.1.100
access-list 11 deny   192.168.1.75
access-list 11 deny   192.168.1.81
access-list 11 deny   192.168.1.34
access-list 11 deny   192.168.1.11
access-list 11 deny   192.168.1.13
access-list 11 deny   192.168.3.27
access-list 11 deny   192.168.1.201
access-list 11 deny   192.168.1.200
access-list 11 deny   192.168.1.203
access-list 11 deny   192.168.1.202
access-list 11 deny   192.168.1.205
access-list 11 deny   192.168.1.204
access-list 11 deny   192.168.1.207
access-list 11 deny   192.168.1.206
access-list 11 deny   192.168.1.208
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 11 permit 192.168.3.0 0.0.0.255
access-list 101 permit ip host 192.168.1.13 any
access-list 101 permit ip host 192.168.1.11 any
access-list 101 permit ip host 192.168.1.12 any
access-list 101 permit ip any host 192.168.1.1
access-list 101 permit ip any host 144.232.199.106
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq domain
access-list 101 permit ip any host 207.26.131.137
access-list 101 deny   tcp any any log
access-list 101 deny   udp any any log
access-list 101 deny   ip any any log
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 
!
no scheduler allocate
end

as you can see no more bridging and some routes have been added
0
 
nyck6623Author Commented:
sorry got it working with Cisco ... bridged it and allowed my IPs though

thanks for the help
0
 
MVITECHCommented:
Could you please post your working config so others reading this post could learn.

I am in the same situation you were in.

Thanks
0

Featured Post

Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

  • 12
  • 7
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now