nyck6623
asked on
Cisco 2620 needs to act as a bridge
I have a big dilemma, my fellow experts...
I have recently bought a new Symantec Security Gateway 5420.. Beautiful piece of hardware...
Here is my setup now:
T1 to Cisco 2620, static IP by Sprint.. FastEthernet is set up to use a private address 192.168.1.x and had my public IP on it as a secondary.. hmmm... anyways
Serial 0/0 has IP by Sprint
I have many IP addresses that I use NAT for on the Cisco.. well, my new gateway is going to do this now, but anyways..
What I need to accomplish is to have my Cisco pass all my public IPs through it.
My gateway has 2 main NICs, one internal, one external... the external needs to have a public IP ..
Here's the dilemma: I get ahold of Cisco, listen to this, this guy after two hours on the phone with him makes it so I have no internet and no telnet access for Cisco to get into remotely..
I'm screwed at the moment..
Points will only go up..
From what Symantec says, I need to get the Cisco to have my main public IP address as its FastE 0/0 and bridge it so I can have public IPs internally and finally set up a proper DMZ..
Help is much appreciated; I'll be near the PC so I'll try to respond to any ?'s quickly.
Not sure I understand what you're trying to accomplish.
Maybe a diagram?
-Don
ASKER
Internet comes in to my Cisco 2620 on my CSU/DSU port; the serial address is 144.232.x.x
I have many IP addresses I use, 204.96.176.x let's say ... this was assigned to my FastE 0/0 port as a secondary
and my private IP for the LAN, 192.168.1.1
This is where I'm having trouble... I bought the new firewall and the external interface on it needs to communicate to the internet through the router ...
Symantec says I need to bridge the router so I can have my public addresses usable behind the Cisco..
So here it is:
Internet ----> 144.232.x.x serial Cisco 2620 faste 204.96.176.x and 192.168.1.1 ---> to LAN
I need this:
Internet ----> 144.232.x.x serial Cisco 2620 faste 204.96.176.14 ------> 204.96.176.13 external on the firewall > LAN 192.168.1.x
ASKER
You're a Cisco instructor, huh?
You gotta be much better than Cisco (OutSOURCED SUPPORT)!!!
Thanks for any help
Nyck
ASKER
One more thing: all my clients will now use the firewall as their gateway.. the Cisco no longer deals with the LAN.
ASKER CERTIFIED SOLUTION
ASKER
That is the idea, yes .. now the thing is I have 144.232.x.x on my serial port; do you know why I also had the 204.96.176.14 on my FastE 0?
I'm not exactly sure at the moment why both are needed.. the 144 address is my CSU/DSU line coming in and the 204 address is coming out ..
So you think that is still needed though?
Also I have these addresses as well that need to be able to communicate through the router:
204.96.176.8, 9, 10, 11, 12, 13, 15
and
63.10.153.160-191
It's not a router anymore. It's a bridge. :-)
No IP addresses are needed on the Cisco. If you need to manage either the 2620 or the CSU/DSU, then that complicates things... a lot. Unless you have some additional 144.232.x.x addresses to spare.
As for the other addresses, can they exist on the internal side of the firewall?
-Don
SOLUTION
ASKER
That was how me and Cisco set it up, sort of, Penn.
We had IP routes set up allowing the public address to go through the private inside address, but this was very slow
since it was going through two subnets .. Symantec said the firewall is going to handle everything from NAT to routing....
Don,
can I bridge the network serial 144. and FastE 204.? and
Or can I just trash the 144. and use my 204. addresses since I have several?
ASKER
Also, Don:
"If you need to manage either the 2620 or the CSU/DSU, then that complicates things... a lot"
What do you mean by this?
ASKER
What would be the command to config the bridge IP address?
"As for the other addresses, can they exist on the internal side of the firewall?"
Only through NAT in my Cisco.
Not needed anymore; the firewall will do this.
Since bridges are layer 2 devices, they don't have IP addresses. There is a way around it... IRB (Integrated Routing and Bridging).
-Don
" What would be the command config the bridge ip address"
Huh?
"As for the other addresses, can they exist on the internal side of the firewall?
only through NAT in my cisco"
Not knowing the specifics of the firewall, but I would think so.
-Don
ASKER
I apologize for the grammar...
What would be the command to configure the bridged IP address on the Cisco 2620?
I was commenting on what you said <<<As for the other addresses, can they exist on the internal side of the firewall>>>>
I use IP NAT in the router linking my public 204 addresses to private 192.168.x.x addresses,...
The gateway will now handle all NAT.
"What would be the command to configure the bridged ip address on the Cisco 2620"
bridge irb
interface BVI1
ip address 144.232.x.x 255.255.x.x
-Don
ASKER
Man, my spelling is horrible right now. Sorry..
So this will get me rolling, correct...
Once I bridge this I can allow my public IPs through the router?
You know, it just occurred to me what the serial link goes to... Or doesn't.
You don't have control over the other end of the serial link, correct?
If that's the case, then the scenario I've outlined won't work.
I'll think about this some more...
-Don
> We had ip routes set up allowing the public address to go through the private in side address but this was very slow
> since it was going through two subnets ..
So? ONE router hop. If it was unbearably slow, I'd look for a better explanation than "going through two subnets". It's not like you have other devices on the segment between the router and firewall, right?
> can I bridge the network serial 144. and faste 204. and
A bridge joins two collision domains within a single segment/subnet. Different addressing means they're two subnets, and somebody needs to do some routing.
> Or can i just trash the 144. and use my 204. addresses since i have several
The 144 address is where your ISP is going to deliver 204 traffic to, assuming there's something there that will know how to route the traffic to its destination. Trash it, and you get nada.
ASKER
Here is my sh run.
This is a working configuration for internet without the firewall.
I spent 4 hours with Cisco on the phone today .. exciting ... talked to 4 different countries.. mate
They say I cannot bridge the router to do what I need.
The serial is exactly how you say, Penn and Don.. it is done through subnetting and such on Sprint's end... my addresses come in 144/30.. and are resolved to 204/24 accordingly
I hope some of you guys can come up with a solution or an advisory on what I need to do to accomplish this through any other methods
Again, I need to allow my firewall's external address to communicate through my T1 via my router or any other method..
sl-magna2-1#sh run
Building configuration...
Current configuration : 3589 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sl-magna2-1
!
!
ip subnet-zero
!
!
ip name-server 204.117.214.10
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.11
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.115
ip dhcp excluded-address 192.168.1.150
ip dhcp excluded-address 192.168.1.1 192.168.1.25
ip dhcp excluded-address 192.168.1.150 192.168.1.255
!
ip dhcp pool cisco
network 192.168.1.0 255.255.255.0
dns-server 204.117.214.10 199.2.252.10
default-router 192.168.1.1
lease 3
!
!
!
!
interface FastEthernet0/0
ip address 204.96.176.14 255.255.255.248 secondary
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip mroute-cache
duplex auto
speed auto
!
interface Serial0/0
ip address 144.232.199.106 255.255.255.252
ip nat outside
no ip mroute-cache
no fair-queue
!
ip nat inside source list 11 interface Serial0/0 overload
ip nat inside source static 192.168.1.208 63.170.153.170
ip nat inside source static 192.168.1.207 63.170.153.169
ip nat inside source static 192.168.1.206 63.170.153.168
ip nat inside source static 192.168.1.205 63.170.153.167
ip nat inside source static 192.168.1.204 63.170.153.166
ip nat inside source static 192.168.1.203 63.170.153.165
ip nat inside source static 192.168.1.202 63.170.153.164
ip nat inside source static 192.168.1.201 63.170.153.163
ip nat inside source static 192.168.1.200 63.170.153.162
ip nat inside source static 192.168.1.34 204.96.176.15
ip nat inside source static 192.168.1.101 204.96.176.8
ip nat inside source static 192.168.1.11 204.96.176.9
ip nat inside source static 192.168.1.13 204.96.176.10
ip nat inside source static 192.168.1.100 204.96.176.12
ip nat inside source static 192.168.1.18 204.96.176.11
ip nat inside source static 192.168.1.198 63.170.153.160
ip nat inside source static 192.168.1.199 63.170.153.161
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 63.170.153.0 255.255.255.248 204.96.176.13
ip route 192.168.1.0 255.255.255.248 204.96.176.13
ip route 204.96.176.0 255.255.255.248 204.96.176.13
ip http server
ip pim bidir-enable
!
logging 192.168.1.163
access-list 11 deny 192.168.1.105
access-list 11 deny 192.168.1.104
access-list 11 deny 192.168.1.101
access-list 11 deny 192.168.1.100
access-list 11 deny 192.168.1.75
access-list 11 deny 192.168.1.81
access-list 11 deny 192.168.1.34
access-list 11 deny 192.168.1.11
access-list 11 deny 192.168.1.13
access-list 11 deny 192.168.3.27
access-list 11 deny 192.168.1.201
access-list 11 deny 192.168.1.200
access-list 11 deny 192.168.1.203
access-list 11 deny 192.168.1.202
access-list 11 deny 192.168.1.205
access-list 11 deny 192.168.1.204
access-list 11 deny 192.168.1.207
access-list 11 deny 192.168.1.206
access-list 11 deny 192.168.1.208
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 11 permit 192.168.3.0 0.0.0.255
access-list 101 permit ip host 192.168.1.13 any
access-list 101 permit ip host 192.168.1.11 any
access-list 101 permit ip host 192.168.1.12 any
access-list 101 permit ip any host 192.168.1.1
access-list 101 permit ip any host 144.232.199.106
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq domain
access-list 101 permit ip any host 207.26.131.137
access-list 101 deny tcp any any log
access-list 101 deny udp any any log
access-list 101 deny ip any any log
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
no scheduler allocate
end
As you can see, no more bridging, and some routes have been added.
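As an added example (not the asker's final configuration, which was never posted to the thread), this is how the sh run above would look if the 2620 simply keeps routing as Penn describes: the 204.96.176.8/29 block on FastEthernet0/0 becomes the handoff to the firewall's external address 204.96.176.13, NAT and DHCP move off the router, the second public block is routed to the firewall, and remote management is restricted so a support session cannot lock the owner out again. Assumptions: the 63.170.153 block is the 160-191 range the asker lists (a /27; the static NAT lines above show it as 63.170.153.x), management comes from the handoff subnet, and the vty password is a placeholder.

```cisco
! Added example for the Cisco 2620 (not the thread's posted config).
! The router stays a router: one hop from Serial0/0 to the firewall.
version 12.2
service password-encryption
hostname sl-magna2-1
!
ip subnet-zero
! No "ip dhcp pool" and no "ip nat inside source" lines any more: the
! Symantec gateway now does DHCP and NAT for the 192.168.1.0/24 LAN.
!
interface FastEthernet0/0
 description Handoff to SGS 5420 external interface 204.96.176.13
 ip address 204.96.176.14 255.255.255.248
 duplex auto
 speed auto
!
interface Serial0/0
 description Sprint T1 /30; ISP delivers the 204 and 63 blocks here
 ip address 144.232.199.106 255.255.255.252
 ip access-group 101 in
 no fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
! The second public block now lives behind the firewall (assumed /27)
ip route 63.170.153.160 255.255.255.224 204.96.176.13
no ip http server
!
! Inbound filter on the T1: drop private source addresses, then allow
! traffic only to the blocks this router is responsible for.
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 permit ip any 204.96.176.8 0.0.0.7
access-list 101 permit ip any 63.170.153.160 0.0.0.31
access-list 101 permit ip any host 144.232.199.106
access-list 101 deny   ip any any log
!
! Management: vty reachable only from the handoff subnet (assumption),
! with a password set so a support session cannot lock you out again.
access-list 10 permit 204.96.176.8 0.0.0.7
line con 0
 exec-timeout 10 0
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 password CHANGE-ME-PLACEHOLDER
 login
!
end
```

The firewall's external interface uses 204.96.176.14 as its default gateway; the 63.170.153.160/27 addresses can then be assigned directly behind the firewall, while the remaining 204.96.176.8/29 addresses stay on the handoff segment (usable as NAT addresses on the firewall's external side). Note that the posted config defines access-list 101 but never applies it to an interface, so its deny-and-log entries were not actually filtering anything.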
ASKER
Sorry, got it working with Cisco ... bridged it and allowed my IPs through.
thanks for the help
Could you please post your working config so others reading this post could learn.
I am in the same situation you were in.
Thanks