Solved

Router Config Cisco 1721 for two WAN, Firewall and VPN

Posted on 2004-10-31
Last Modified: 2008-01-09
Need a hand with a router config.

Have a Cisco 1721 router with 2 Ethernet WIC's in it.  

Need a config for Internet connection through both WIC's connecting to standard Broadband (2 separate ISP's)
One has 1 Static IP, the Other has 3 Static IP's.

I need a config to allow NAT/PAT from inside to outside.  Must use WIC1 for the main route and WIC2 as a failover if WIC1 is disconnected or fails.

The router has the firewall component and we would like to use it.  The only incoming traffic we have is SMTP mail and WWW web traffic.

The router also has the VPN component and we would like to use it for roadwarrior clients using a vpn-client.

Any help would be much appreciated.
Question by:dgratton1085

    Accepted Solution

    by:
    You'll have to give us some information regarding your skill level and what you need specific help with.
    We might need to break this into multiple questions..
    1st get it up and running with basic NAT and connectivity
    2nd add the failover to the 2nd ISP - not a trivial task
    3rd add the firewall feature components and inbound nat for mail and web
    4th add the VPN endpoint component.

    What IP addresses are you going to use for the inside LAN?
    Do you want the router to be a DHCP server?
    Are you familiar with the command line? Have you tried using the SDM web GUI? The web gui has wizards that can help walk you through most of your requirements.


    Author Comment

    by:dgratton1085
    Skill Level:  This would be the first router I configured but I have a strong grasp on the concepts and should be able to work through this quickly.  Just too many things for the first time out!

    Here are the IP ranges (not real for security sake)
    ISP1 - 24.5.5.5, 24.5.5.6, 24.5.5.7/22
    ISP2 - 208.4.4.2/30
    LAN - 192.168.0.0/22

    1.  NAT seems easy enough except for the idea of the pools.  Not sure what I am wanting to define here.
    2.  Fail-over....whatever the idea is here....route with diff metric?  Multiple default-gateway?
    3.  Want a best practices firewall solution in place.
    4.  VPN needs to be setup.

    Do not need the router to be a DHCP server.  I am familiar with command line.  The SDM is useful but doesn't seem to give me a) control over certain areas b) Failover??  c) VPN roadwarrior style...all seems to be site-to-site or other.

    Darren

    I will provide any info you need...would love to get this up and running.

    Expert Comment

    by:lrmoore
    Here's a basic config to get going with ISP1 only (just to start, don't panic)
    Suggestion: Pick a more discrete LAN subnet. Do you really need 1000+ hosts on this LAN subnet? Don't try to "supernet" a class C network, rather "sub"net a Class B if you want more than 250 hosts on one single subnet. Think long and hard about this requirement. Personal opinion only here - if you have more clients than a single class C subnet will hold, then the 1700 is not the product you need to be using...
    The reason for not using the most common subnets in use throughout the world (i.e. 192.168.0.x, 192.168.1.x, 10.0.0.x, 10.10.10.x) is for future compatibility with VPN clients (one of your stated requirements). If you have a client with a broadband connection and their local LAN is 192.168.0.x, and your corporate LAN is also 192.168.0.x, then you have problems communicating with the client.
    Having said all that, let's use this as an example very basic config:

    !
    Interface Ethernet 0   <== first WIC1E
      description ISP1
      ip address 24.5.5.5 255.255.252.0
      ip nat outside
      no shut  <== you must always do this to enable the interface first time around only...
    !
    Interface Ethernet 1   <== 2nd WIC1E
      description ISP2
      ip address 208.4.4.2 255.255.255.252
      ip nat outside
      no shut
    !
    Interface FastEthernet 0
      description Local LAN
      ip address 192.168.233.1 255.255.255.0
      ip nat inside
      no shut
    !
    ip route 0.0.0.0 0.0.0.0 24.5.5.1  
    ip route 0.0.0.0 0.0.0.0 208.4.4.1 100  <== higher cost "100" will only take this route if Interface Eth0 is down
    !
    ip nat inside source route-map NAT-ISP1 interface Ethernet0 overload
    ip nat inside source route-map NAT-ISP2 interface Ethernet1 overload <== alternate if ISP1 is down
    ip nat inside source static 192.168.233.12 24.5.5.6   <== email server
      alternative using just port redirect:
       ip nat inside source static tcp 192.168.233.12 25 24.5.5.6 25
    ip nat inside source static 192.168.233.14 24.5.5.7   <== WWW server
     alternative using just port redirect:
       ip nat inside source static tcp 192.168.233.14 80 24.5.5.6 80
    ip nat inside source static tcp 192.168.233.12 25 208.4.4.2 25  <== alternate IP for email if ISP1 is down (will explain MX DNS if you need it)
    !
    ! <== one route-map per ISP: "match interface" ties each translation to the interface
    !     the packet actually leaves on, so traffic that fails over to ISP2 is not sent out
    !     carrying the ISP1 address (one route-map shared by both NAT statements cannot do this)
    route-map NAT-ISP1 permit 10
      match ip address 110
      match interface Ethernet0
    !
    route-map NAT-ISP2 permit 10
      match ip address 110
      match interface Ethernet1
    !
    access-list 110 deny ip 192.168.233.0 0.0.0.255 192.168.123.0 0.0.0.255  <== this will be for the roadwarrior vpn later
    access-list 110 permit ip 192.168.233.0 0.0.0.255 any

    !
    end

    This config should get you going with inside users being able to access the Internet.
    Confirm that, and we can go the the next step.

    All further config entries will simply be added to this starting point.
    Next steps will be to layer on:
    1. Firewall feature set with inbound rules so that email and www access is permitted.
    2. VPN for road-warriors

    Author Comment

    by:dgratton1085
    I would love to confirm that...but it will have to be after work hours.  Production network.

    Anyway we can continue with some of the ideas??

    I have made some changes to the config.  Please check!  Just changed some of the orders.  Also wanted to know where 192.168.233.12 and 192.168.233.14 come into play.  Are these reserved IP's in our subnet that you are using for NAT?  Please note that the internal IP scheme is 192.168.0.0 255.255.252.0  We have other routes on the inside.  I will put them in the config so you can see.


    !
    Interface Ethernet 0   <== first WIC1E
      description ISP1
      ip address 24.5.5.5 255.255.252.0
      ip nat outside
      no shut  <== you must always do this to enable the interface first time around only...
    !
    Interface Ethernet 1   <== 2nd WIC1E
      description ISP2
      ip address 208.4.4.2 255.255.255.252
      ip nat outside
      no shut
    !
    Interface FastEthernet 0
      description Local LAN
      ip address 192.168.3.1 255.255.252.0
      ip nat inside
      no shut
    !
    ip route 192.168.60.0 255.255.255.0 192.168.0.2
    ip route 192.168.61.0 255.255.255.0 192.168.0.2
    ip route 192.168.62.0 255.255.255.0 192.168.0.2
    ip route 192.168.63.0 255.255.255.0 192.168.0.2
    ip route 192.168.64.0 255.255.255.0 192.168.0.2
    ip route 192.168.65.0 255.255.255.0 192.168.0.2
    ip route 192.168.66.0 255.255.255.0 192.168.0.2
    ip route 192.168.67.0 255.255.255.0 192.168.0.2
    ip route 192.168.68.0 255.255.255.0 192.168.0.2
    ip route 192.168.69.0 255.255.255.0 192.168.0.2
    ip route 192.168.70.0 255.255.255.0 192.168.0.2
    ip route 192.168.71.0 255.255.255.0 192.168.0.2
    ip route 0.0.0.0 0.0.0.0 208.4.4.1
    ip route 0.0.0.0 0.0.0.0 24.5.5.1  100 <== higher cost "100" will only take this route if Interface Eth0 is down
    !
    ip nat inside source route-map ROUTE-NAT interface Ethernet1 overload
    ip nat inside source route-map ROUTE-NAT interface Ethernet0 overload <== alternate if ISP2 is down
    ip nat inside source static 192.168.233.12 24.5.5.6   <== email server
      alternative using just port redirect:
       ip nat inside source static tcp 192.168.233.12 25 24.5.5.6 25
    ip nat inside source static 192.168.233.14 24.5.5.7   <== WWW server
     alternative using just port redirect:
       ip nat inside source static tcp 192.168.233.14 80 24.5.5.6 80
    ip nat inside source static tcp 192.168.233.12 25 208.4.4.2 25  <== alternate IP for email if ISP1 is down (will explain MX DNS if you need it)
    !
    route-map ROUTE-NAT permit 10
      match ip address 110
    !
    access-list 110 deny ip 192.168.233.0 0.0.0.255 192.168.123.0 0.0.0.255  <== this will be for the roadwarrior vpn later
    access-list 110 permit ip 192.168.233.0 0.0.0.255 any

    !
    end

    Expert Comment

    by:lrmoore
    What kind of router is 192.168.0.2 ? Why not use a dynamic routing protocol like RIPv2, or OSPF instead of multiple static routes?

    >192.168.233.12 and 192.168.233.14
    These are representative IP addresses for the EMAIL server and WWW server. Replace with the appropriate IPs.
    Be sure to edit out my comments that are denoted by "<=="

    See if this makes more sense..

    GIVEN for illustration purposes only:
    Email server = 192.168.1.100
    WWW server = 192.168.1.101

    VPN for roadwarriors included:
    !
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group vpngroup
    key cisco123
    !<== change these DNS/WINS IP's to fit your network:
    dns 192.168.2.100
    wins 192.168.2.200
    !
    domain yourdomain.com
    pool ippool
    !
    ip local pool ippool 192.168.123.100 192.168.123.200
    !
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
    set transform-set myset
    !
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    ip subnet-zero
    !
    Interface Ethernet 0
      description ISP1
      ip address 24.5.5.5 255.255.252.0
      ip nat outside
      crypto map clientmap
      no shut  
    !
    Interface Ethernet 1  
      description ISP2
      ip address 208.4.4.2 255.255.255.252
      ip nat outside
      crypto map clientmap
      no shut
    !
    Interface FastEthernet 0
      description Local LAN
      ip address 192.168.3.1 255.255.252.0
      ip nat inside
      no shut
    !
    ip classless
    !
    ip route 192.168.60.0 255.255.255.0 192.168.0.2
    ip route 192.168.61.0 255.255.255.0 192.168.0.2
    ip route 192.168.62.0 255.255.255.0 192.168.0.2
    ip route 192.168.63.0 255.255.255.0 192.168.0.2
    ip route 192.168.64.0 255.255.255.0 192.168.0.2
    ip route 192.168.65.0 255.255.255.0 192.168.0.2
    ip route 192.168.66.0 255.255.255.0 192.168.0.2
    ip route 192.168.67.0 255.255.255.0 192.168.0.2
    ip route 192.168.68.0 255.255.255.0 192.168.0.2
    ip route 192.168.69.0 255.255.255.0 192.168.0.2
    ip route 192.168.70.0 255.255.255.0 192.168.0.2
    ip route 192.168.71.0 255.255.255.0 192.168.0.2
    !
    ip route 0.0.0.0 0.0.0.0 24.5.5.1  
    ip route 0.0.0.0 0.0.0.0 208.4.4.1 100
    !
    ip nat inside source route-map NAT-ISP1 interface Ethernet0 overload
    ip nat inside source route-map NAT-ISP2 interface Ethernet1 overload
      ip nat inside source static tcp 192.168.1.100 25 24.5.5.6 25
      ip nat inside source static tcp 192.168.1.101 80 24.5.5.6 80

    !
    ! <== one route-map per ISP: "match interface" ties each translation to the interface
    !     the packet actually leaves on, so traffic that fails over to ISP2 is not sent out
    !     carrying the ISP1 address (one route-map shared by both NAT statements cannot do this)
    route-map NAT-ISP1 permit 10
      match ip address 110
      match interface Ethernet0
    !
    route-map NAT-ISP2 permit 10
      match ip address 110
      match interface Ethernet1
    !
    ! <== exempt traffic from your local IP subnet to the road warrior ip pool
    access-list 110 deny ip 192.168.0.0 0.0.3.255 192.168.123.0 0.0.0.255
    ! <== allow all other traffic to use NAT
    access-list 110 permit ip 192.168.0.0 0.0.255.255 any
    !
    end


    Author Comment

    by:dgratton1085
    router 192.168.0.2 is part of a managed infrastructure to provide VPN service across leased lines to other branch offices. We can't touch it. If we can still use RIP or OSPF fine, but I don't think we can.  The only LAN ip's we use at the main office are from 192.168.0.X --> 192.168.3.X  this router will actually have a 192.168.3.1 inside address.  You can tell the other IP's we use by the routes to the branch offices.

    Can you explain a little about the VPN setup/entries in the config.  I will be using the safenet softremote client to connect to this device.

    Basically I understand most of what you have placed in the config.  I just want to make sure I know what is going on so I can support this after.

    Cheers,

    darren

    Expert Comment

    by:lrmoore
    >I will be using the safenet softremote client to connect to this device.
    You might want to re-think that. The Cisco IPSEC VPN client is free and works better.
    I can't guarantee that it works with the Safenet client.

    Here's the reference doc that explains everything for the VPN:
      http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml


    Author Comment

    by:dgratton1085
    Are there any Firewall effects in this config?  Usually I look for INSPECT functions.

    Expert Comment

    by:lrmoore
    Not yet. We have not yet layered on the firewall with the INSPECT...
    I'd like some confirmation that what we have so far works. The more complex you make the initial config, the more difficult it is to troubleshoot later.

    Here's a basic firewall config that can simply be added to the config above:

    !
    ip inspect name firewall tcp
    ip inspect name firewall udp
    ip inspect name firewall ftp
    ip inspect name firewall cuseeme
    ip inspect name firewall h323
    ip inspect name firewall netshow
    ip inspect name firewall realaudio
    ip inspect name firewall rtsp
    ip inspect name firewall smtp
    ip inspect name firewall sqlnet
    ip inspect name firewall streamworks
    ip inspect name firewall tftp
    ip inspect name firewall vdolive
    ip audit notify log
    ip audit po max-events 100
    !
    Interface ethernet 0
     ip access-group 100 in
     ip inspect firewall out
    !
    Interface ethernet 1
      ip access-group 100 in
      ip inspect firewall out
    !
    interface FastEthernet0
     ip access-group 102 in
    !
    access-list 100 permit tcp any host 24.5.5.6 eq 25
    access-list 100 permit tcp any host 24.5.5.6 eq 80
    ! <== the crypto map on Ethernet 0/1 terminates the road-warrior tunnels on those
    !     addresses, so IKE (udp 500) and ESP must also be permitted in on both outside
    !     interfaces or this access-list blocks the VPN clients; udp 4500 (non500-isakmp)
    !     is for clients sitting behind NAT
    access-list 100 permit udp any host 24.5.5.5 eq isakmp
    access-list 100 permit udp any host 24.5.5.5 eq non500-isakmp
    access-list 100 permit esp any host 24.5.5.5
    access-list 100 permit udp any host 208.4.4.2 eq isakmp
    access-list 100 permit udp any host 208.4.4.2 eq non500-isakmp
    access-list 100 permit esp any host 208.4.4.2
    access-list 102 permit ip any any
    !
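A check worth running before the inbound access-list goes live, written here as an added example (it is not from the thread, from either poster, or from Cisco): a small Python audit that parses IOS snippets like the ones posted and reports the three consistency problems this thread is about. It confirms that every service exposed by an inbound static NAT has a matching permit in access-list 100, that every outside interface carrying the crypto map is reachable for IKE (udp/500) and ESP, and that the road-warrior pool is exempted from NAT by access-list 110. The function names, the `PORT_NAMES` subset and the two sample config fragments are my own constructions; the samples only mirror the addresses the thread uses.

```python
"""Audit IOS NAT / firewall / VPN snippets for the inconsistencies discussed above.
Added example; the sample configs below are constructed, not taken from a real router."""
import ipaddress
import re

# IOS port keywords used in the snippets (constructed subset of the IOS keyword table)
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "smtp": 25, "www": 80}


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def wc_net(net, wildcard):
    """IOS network/wildcard pair (192.168.0.0 0.0.3.255) -> ip_network 192.168.0.0/22."""
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{net}/{prefix}", strict=False)


def parse(config):
    facts = {"ifaces": {}, "exposed": set(), "permits": set(), "esp": set(),
             "pools": [], "nat_deny": [], "acl100": False}
    iface = None
    for raw in config.splitlines():
        line = raw.split("<==")[0].strip()        # drop the thread's margin comments
        if not line or line.startswith("!"):      # "!" closes an interface block
            iface = None
            continue
        low, toks = line.lower(), line.split()
        if low.startswith("interface"):
            iface = " ".join(toks[1:])
            facts["ifaces"][iface] = {"ip": None, "crypto": False}
        elif low.startswith("ip address") and iface:
            facts["ifaces"][iface]["ip"] = toks[2]
        elif low.startswith("crypto map") and iface:   # crypto map applied to an interface
            facts["ifaces"][iface]["crypto"] = True
        if low.startswith("access-list 100"):
            facts["acl100"] = True
        m = re.match(r"ip nat inside source static (tcp|udp) \S+ \S+ (\S+) (\S+)$", line)
        if m:   # port-redirect NAT: (proto, outside ip, outside port) is reachable from the Internet
            facts["exposed"].add((m[1], m[2], _port(m[3])))
        m = re.match(r"access-list 100 permit (tcp|udp) any host (\S+) eq (\S+)$", line)
        if m:
            facts["permits"].add((m[1], m[2], _port(m[3])))
        m = re.match(r"access-list 100 permit esp any host (\S+)$", line)
        if m:
            facts["esp"].add(m[1])
        m = re.match(r"ip local pool \S+ (\S+) (\S+)$", line)
        if m:
            facts["pools"].append((m[1], m[2]))
        m = re.match(r"access-list 110 deny ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m:   # destination side of the NAT-exempt deny
            facts["nat_deny"].append(wc_net(m[3], m[4]))
    return facts


def audit(config):
    """Return a list of human-readable findings; an empty list means the checks pass."""
    f = parse(config)
    findings = []
    if f["acl100"]:   # only meaningful once an inbound filter exists
        for proto, ip, port in sorted(f["exposed"]):
            if (proto, ip, port) not in f["permits"]:
                findings.append(f"static NAT exposes {proto}/{port} on {ip} but access-list 100 has no permit for it")
        for name, data in f["ifaces"].items():
            ip = data["ip"]
            if data["crypto"] and ip:
                if ("udp", ip, 500) not in f["permits"]:
                    findings.append(f"{name} ({ip}) carries the crypto map but access-list 100 does not permit udp/500 (isakmp)")
                if ip not in f["esp"]:
                    findings.append(f"{name} ({ip}) carries the crypto map but access-list 100 does not permit esp")
    for start, end in f["pools"]:
        if not any(ipaddress.ip_address(start) in net for net in f["nat_deny"]):
            findings.append(f"VPN pool {start}-{end} is not exempted from NAT by access-list 110")
    return findings


# Constructed sample modelled on the final pieces of the thread: the firewall ACL as first
# posted permits only SMTP and HTTP, while both outside interfaces terminate the VPN.
SAMPLE_AS_POSTED = """
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
ip local pool ippool 192.168.123.100 192.168.123.200
!
Interface Ethernet 0
  ip address 24.5.5.5 255.255.252.0
  crypto map clientmap
  ip access-group 100 in
!
Interface Ethernet 1
  ip address 208.4.4.2 255.255.255.252
  crypto map clientmap
  ip access-group 100 in
!
ip nat inside source static tcp 192.168.1.100 25 24.5.5.6 25
ip nat inside source static tcp 192.168.1.101 80 24.5.5.6 80
access-list 110 deny ip 192.168.0.0 0.0.3.255 192.168.123.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit tcp any host 24.5.5.6 eq 25
access-list 100 permit tcp any host 24.5.5.6 eq 80
"""

# The same fragment with the IKE/ESP permits the road-warrior clients need.
SAMPLE_FIXED = SAMPLE_AS_POSTED + """
access-list 100 permit udp any host 24.5.5.5 eq isakmp
access-list 100 permit esp any host 24.5.5.5
access-list 100 permit udp any host 208.4.4.2 eq isakmp
access-list 100 permit esp any host 208.4.4.2
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_AS_POSTED), ("fixed", SAMPLE_FIXED)):
        print(label + ":", audit(cfg) or ["no findings"])
```

Feed it a real config by pasting the relevant lines into a string; because the parser drops everything after `<==`, the snippets can go in exactly as they appear in the thread.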

    Expert Comment

    by:lrmoore
    Do you need more information?
    Have you resolved this problem?
    Can you close this question?
    Thanks!