Router Config Cisco 1721 for two WAN, Firewall and VPN

Posted on 2004-10-31
Last Modified: 2008-01-09
Need a hand with a router config.

Have a Cisco 1721 router with 2 Ethernet WICs in it.

Need a config for Internet connection through both WICs connecting to standard broadband (2 separate ISPs).
One has 1 static IP, the other has 3 static IPs.

I need a config to allow NAT/PAT from inside to outside.  Must use WIC1 for the main route and WIC2 as a failover if WIC1 is disconnected or fails.

The router has the firewall component and we would like to use it.  The only incoming traffic we have is SMTP mail and WWW web traffic.

The router also has the VPN component and we would like to use it for road-warrior clients using a VPN client.

Any help would be much appreciated.
Question by:dgratton1085
LVL 79

Accepted Solution

by:
lrmoore earned 1500 total points
ID: 12457306
You'll have to give us some information regarding your skill level and what you need specific help with.
We might need to break this into multiple questions:
1st get it up and running with basic NAT and connectivity
2nd add the failover to the 2nd ISP - not a trivial task
3rd add the firewall feature components and inbound NAT for mail and web
4th add the VPN endpoint component.

What IP addresses are you going to use for the inside LAN?
Do you want the router to be a DHCP server?
Are you familiar with the command line? Have you tried using the SDM web GUI? The web GUI has wizards that can help walk you through most of your requirements.


Author Comment

by:dgratton1085
ID: 12463696
Skill Level:  This would be the first router I have configured, but I have a strong grasp on the concepts and should be able to work through this quickly.  Just too many things for the first time out!

Here are the IP ranges (not real, for security's sake):
ISP1 - 24.5.5.5, 24.5.5.6, 24.5.5.7/22
ISP2 - 208.4.4.2/30
LAN - 192.168.0.0/22

1.  NAT seems easy enough except for the idea of the pools.  Not sure what I am wanting to define here.
2.  Failover....whatever the idea is here....route with a different metric?  Multiple default gateways?
3.  Want a best-practices firewall solution in place.
4.  VPN needs to be set up.

Do not need the router to be a DHCP server.  I am familiar with the command line.  The SDM is useful but doesn't seem to give me a) control over certain areas, b) failover?, c) VPN road-warrior style...it all seems to be site-to-site or other.

Darren

I will provide any info you need...would love to get this up and running.
LVL 79

Expert Comment

by:lrmoore
ID: 12464108
Here's a basic config to get going with ISP1 only (just to start, don't panic).
Suggestion: Pick a more discrete LAN subnet. Do you really need 1000+ hosts on this LAN subnet? Don't try to "supernet" a class C network; rather, "sub"net a class B if you want more than 250 hosts on one single subnet. Think long and hard about this requirement. Personal opinion only here: if you have more clients than a single class C subnet will hold, then the 1700 is not the product you need to be using...
The reason for not using the most common subnets in use throughout the world (i.e. 192.168.0.x, 192.168.1.x, 10.0.0.x, 10.10.10.x) is for future compatibility with VPN clients (one of your stated requirements). If you have a client with a broadband connection and their local LAN is 192.168.0.x, and your corporate LAN is also 192.168.0.x, then you have problems communicating with the client.
Having said all that, let's use this as an example very basic config:

!
Interface Ethernet 0   <== first WIC1E
  description ISP1
  ip address 24.5.5.5 255.255.252.0
  ip nat outside
  no shut  <== you must always do this to enable the interface first time around only...
!
Interface Ethernet 1   <== 2nd WIC1E
  description ISP2
  ip address 208.4.4.2 255.255.255.252
  ip nat outside
  no shut
!
Interface FastEthernet 0
  description Local LAN
  ip address 192.168.233.1 255.255.255.0
  ip nat inside
  no shut
!
ip route 0.0.0.0 0.0.0.0 24.5.5.1  
ip route 0.0.0.0 0.0.0.0 208.4.4.1 100  <== higher cost "100" will only take this route if Interface Eth0 is down
!
ip nat inside source route-map ROUTE-NAT interface Ethernet0 overload
ip nat inside source route-map ROUTE-NAT interface Ethernet1 overload <== alternate if ISP1 is down
ip nat inside source static 192.168.233.12 24.5.5.6   <== email server
  alternative using just port redirect:
   ip nat inside source static tcp 192.168.233.12 25 24.5.5.6 25
ip nat inside source static 192.168.233.14 24.5.5.7   <== WWW server
 alternative using just port redirect:
   ip nat inside source static tcp 192.168.233.14 80 24.5.5.7 80
ip nat inside source static tcp 192.168.233.12 25 208.4.4.2 25  <== alternate IP for email if ISP1 is down (will explain MX DNS if you need it)
!
route-map ROUTE-NAT permit 10
  match ip address 110
!
access-list 110 deny ip 192.168.233.0 0.0.0.255 192.168.123.0 0.0.0.255  <== this will be for the road-warrior VPN later
access-list 110 permit ip 192.168.233.0 0.0.0.255 any

!
end

This config should get you going with inside users being able to access the Internet.
Confirm that, and we can go the the next step.

All further config entries will simply be added to this starting point.
Next steps will be to layer on:
1. Firewall feature set with inbound rules so that email and www access is permitted.
2. VPN for road-warriors
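A caveat on the failover in the config above: a floating static route is only withdrawn when Ethernet0 goes line-protocol down. Behind a broadband modem the Ethernet interface normally stays up while the ISP itself is unreachable, so nothing fails over. The following is an added example, not part of lrmoore's config or anything else in this thread, showing the two changes a practitioner would make: a primary default route tied to a reachability probe of ISP1's gateway, and one NAT route-map per ISP that matches the egress interface, so the translation address always corresponds to the interface the packet actually leaves on. Addresses are the thread's placeholders; the probe and tracking commands assume an IOS image with IP SLA and object tracking (the 12.3(14)T-era `ip sla monitor` / `track ... rtr` syntax), which the thread does not confirm for this 1721.

```cisco
! Added example: tracked primary default route plus per-ISP NAT route-maps.
! Assumes IP SLA / object tracking support in the image (not confirmed in thread).
!
! 1. Probe ISP1's gateway from Ethernet0 every 10 s.  24.5.5.1 is on the
!    connected subnet, so the probe can only ever leave via Ethernet0 and
!    never "succeeds" by accident over the backup path.
ip sla monitor 1
 type echo protocol ipIcmpEcho 24.5.5.1 source-interface Ethernet0
 threshold 1000
 timeout 1000
 frequency 10
ip sla monitor schedule 1 life forever start-time now
!
! 2. Track object follows the probe; the primary default route is tied to it
!    and is pulled from the routing table while the probe fails.
track 1 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 24.5.5.1 track 1
! Floating route: administrative distance 100, installed only while the
! tracked route is absent.
ip route 0.0.0.0 0.0.0.0 208.4.4.1 100
!
! 3. One route-map per ISP.  "match interface" binds each translation to its
!    egress interface, so a packet leaving Ethernet1 is never stamped with
!    ISP1's address (and vice versa).
ip nat inside source route-map NAT-ISP1 interface Ethernet0 overload
ip nat inside source route-map NAT-ISP2 interface Ethernet1 overload
!
route-map NAT-ISP1 permit 10
 match ip address 110
 match interface Ethernet0
!
route-map NAT-ISP2 permit 10
 match ip address 110
 match interface Ethernet1
!
! 4. NAT exemption for LAN -> road-warrior pool (192.168.123.0/24, from the
!    thread), then translate everything else from the 192.168.0.0/22 LAN.
access-list 110 deny   ip 192.168.0.0 0.0.3.255 192.168.123.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.3.255 any
```

Check the state with `show track 1` and `show ip route 0.0.0.0` while the ISP1 gateway is reachable and again with its cable pulled. After a failover, translations that were built on Ethernet0 keep their old outside address until they age out; `clear ip nat translation *` (exec mode) flushes them so established flows re-translate on the surviving path. When ISP1 returns, the tracked route comes back and the same clear is needed to move traffic off ISP2.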
Author Comment

by:dgratton1085
ID: 12464846
I would love to confirm that...but it will have to be after work hours.  Production network.

Any way we can continue with some of the ideas?

I have made some changes to the config.  Please check!  Just changed some of the orders.  Also wanted to know where 192.168.233.12 and 192.168.233.14 come into play.  Are these reserved IPs in our subnet that you are using for NAT?  Please note that the internal IP scheme is 192.168.0.0 255.255.252.0.  We have other routes on the inside.  I will put them in the config so you can see.


!
Interface Ethernet 0   <== first WIC1E
  description ISP1
  ip address 24.5.5.5 255.255.252.0
  ip nat outside
  no shut  <== you must always do this to enable the interface first time around only...
!
Interface Ethernet 1   <== 2nd WIC1E
  description ISP2
  ip address 208.4.4.2 255.255.255.252
  ip nat outside
  no shut
!
Interface FastEthernet 0
  description Local LAN
  ip address 192.168.3.1 255.255.252.0
  ip nat inside
  no shut
!
ip route 192.168.60.0 255.255.255.0 192.168.0.2
ip route 192.168.61.0 255.255.255.0 192.168.0.2
ip route 192.168.62.0 255.255.255.0 192.168.0.2
ip route 192.168.63.0 255.255.255.0 192.168.0.2
ip route 192.168.64.0 255.255.255.0 192.168.0.2
ip route 192.168.65.0 255.255.255.0 192.168.0.2
ip route 192.168.66.0 255.255.255.0 192.168.0.2
ip route 192.168.67.0 255.255.255.0 192.168.0.2
ip route 192.168.68.0 255.255.255.0 192.168.0.2
ip route 192.168.69.0 255.255.255.0 192.168.0.2
ip route 192.168.70.0 255.255.255.0 192.168.0.2
ip route 192.168.71.0 255.255.255.0 192.168.0.2
ip route 0.0.0.0 0.0.0.0 208.4.4.1
ip route 0.0.0.0 0.0.0.0 24.5.5.1  100 <== higher cost "100" will only take this route if Interface Eth1 is down
!
ip nat inside source route-map ROUTE-NAT interface Ethernet1 overload
ip nat inside source route-map ROUTE-NAT interface Ethernet0 overload <== alternate if ISP2 is down
ip nat inside source static 192.168.233.12 24.5.5.6   <== email server
  alternative using just port redirect:
   ip nat inside source static tcp 192.168.233.12 25 24.5.5.6 25
ip nat inside source static 192.168.233.14 24.5.5.7   <== WWW server
 alternative using just port redirect:
   ip nat inside source static tcp 192.168.233.14 80 24.5.5.7 80
ip nat inside source static tcp 192.168.233.12 25 208.4.4.2 25  <== alternate IP for email if ISP1 is down (will explain MX DNS if you need it)
!
route-map ROUTE-NAT permit 10
  match ip address 110
!
access-list 110 deny ip 192.168.233.0 0.0.0.255 192.168.123.0 0.0.0.255  <== this will be for the road-warrior VPN later
access-list 110 permit ip 192.168.233.0 0.0.0.255 any

!
end
LVL 79

Expert Comment

by:lrmoore
ID: 12465592
What kind of router is 192.168.0.2 ? Why not use a dynamic routing protocol like RIPv2, or OSPF instead of multiple static routes?

>192.168.233.12 and 192.168.233.14
These are representative IP addresses for the EMAIL server and WWW server. Replace with the appropriate IPs.
Be sure to edit out my comments that are denoted by "<==".

See if this makes more sense..

GIVEN for illustration purposes only:
Email server = 192.168.1.100
WWW server = 192.168.1.101

VPN for roadwarriors included:
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpngroup
key cisco123
!<== change these DNS/WINS IP's to fit your network:
dns 192.168.2.100
wins 192.168.2.200
!
domain yourdomain.com
pool ippool
!
ip local pool ippool 192.168.123.100 192.168.123.200
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
ip subnet-zero
!
Interface Ethernet 0
  description ISP1
  ip address 24.5.5.5 255.255.252.0
  ip nat outside
  crypto map clientmap
  no shut  
!
Interface Ethernet 1  
  description ISP2
  ip address 208.4.4.2 255.255.255.252
  ip nat outside
  crypto map clientmap
  no shut
!
Interface FastEthernet 0
  description Local LAN
  ip address 192.168.3.1 255.255.252.0
  ip nat inside
  no shut
!
ip classless
!
ip route 192.168.60.0 255.255.255.0 192.168.0.2
ip route 192.168.61.0 255.255.255.0 192.168.0.2
ip route 192.168.62.0 255.255.255.0 192.168.0.2
ip route 192.168.63.0 255.255.255.0 192.168.0.2
ip route 192.168.64.0 255.255.255.0 192.168.0.2
ip route 192.168.65.0 255.255.255.0 192.168.0.2
ip route 192.168.66.0 255.255.255.0 192.168.0.2
ip route 192.168.67.0 255.255.255.0 192.168.0.2
ip route 192.168.68.0 255.255.255.0 192.168.0.2
ip route 192.168.69.0 255.255.255.0 192.168.0.2
ip route 192.168.70.0 255.255.255.0 192.168.0.2
ip route 192.168.71.0 255.255.255.0 192.168.0.2
!
ip route 0.0.0.0 0.0.0.0 24.5.5.1  
ip route 0.0.0.0 0.0.0.0 208.4.4.1 100
!
ip nat inside source route-map ROUTE-NAT interface Ethernet1 overload
ip nat inside source route-map ROUTE-NAT interface Ethernet0 overload
  ip nat inside source static tcp 192.168.1.100 25 24.5.5.6 25
  ip nat inside source static tcp 192.168.1.101 80 24.5.5.6 80

!
route-map ROUTE-NAT permit 10
  match ip address 110
!
! <== exempt traffic from your local IP subnet to the road warrior ip pool
access-list 110 deny ip 192.168.0.0 0.0.3.255 192.168.123.0 0.0.0.255
! <== allow all other traffic to use NAT
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
!
end

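The fragment above has the ISAKMP and IPsec side of an IOS Easy VPN server but none of the AAA glue that lets the router look up the group policy and challenge the user (XAUTH). Without `crypto map ... isakmp authorization list` the pool, DNS and domain under `crypto isakmp client configuration group` are never pushed to the client, and without `client authentication list` there is no per-user login at all, so anyone holding the shared group key is in. This added example is mine, not lrmoore's config or Cisco's text; it shows the complete server-side set using the thread's addresses. The list names, the sample username, the `<...>` secrets and the split-tunnel ACL are illustrative assumptions.

```cisco
! Added example: AAA and crypto-map lines an IOS Easy VPN server needs on top
! of the ISAKMP/IPsec fragment in the thread.  Names and <secrets> are
! placeholders; the split-tunnel ACL is an assumption about what clients need.
!
aaa new-model
! Once aaa new-model is on, console and vty logins use the "default" list;
! point it at the local database (and have a local user) or you lock yourself out.
aaa authentication login default local
! XAUTH login list and group-authorization list referenced by the crypto map.
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
! Local XAUTH user; prefer RADIUS/TACACS+ in production so passwords are not
! stored on the router.
username darren secret <user-password>
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
! Group pre-shared key: long and random, not a dictionary word such as cisco123.
crypto isakmp client configuration group vpngroup
 key <long-random-group-key>
 dns 192.168.2.100
 wins 192.168.2.200
 domain yourdomain.com
 pool ippool
 acl SPLIT-TUNNEL
!
ip local pool ippool 192.168.123.100 192.168.123.200
!
! Split tunnel: only the head-office LAN is sent through the tunnel.  Add the
! branch subnets behind 192.168.0.2 here if road warriors must reach them.
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.0.0 0.0.3.255 any
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
! The next two lines are what the original fragment lacks.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 crypto map clientmap
!
interface Ethernet1
 crypto map clientmap
```

The NAT exemption already in the thread (`access-list 110 deny ip ... 192.168.123.0 0.0.0.255`) must stay, otherwise replies to the VPN pool are translated before they reach the tunnel. After a client connects, `show crypto isakmp sa` should show the peer in QM_IDLE and `show crypto ipsec sa` should show the pool address as the remote identity with packet counters climbing in both directions.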

Author Comment

by:dgratton1085
ID: 12465864
Router 192.168.0.2 is part of a managed infrastructure to provide VPN service across leased lines to other branch offices. We can't touch it. If we can still use RIP or OSPF, fine, but I don't think we can.  The only LAN IPs we use at the main office are from 192.168.0.X --> 192.168.3.X; this router will actually have a 192.168.3.1 inside address.  You can tell the other IPs we use by the routes to the branch offices.

Can you explain a little about the VPN setup/entries in the config? I will be using the SafeNet SoftRemote client to connect to this device.

Basically I understand most of what you have placed in the config.  I just want to make sure I know what is going on so I can support this after.

Cheers,

Darren
LVL 79

Expert Comment

by:lrmoore
ID: 12466437
>I will be using the safenet softremote client to connect to this device.
You might want to re-think that. The Cisco IPSEC VPN client is free and works better.
I can't guarantee that it works with the Safenet client.

Here's the reference doc that explains everything for the VPN:
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml


Author Comment

by:dgratton1085
ID: 12466484
Are there any firewall effects in this config? Usually I look for INSPECT functions.
LVL 79

Expert Comment

by:lrmoore
ID: 12466744
Not yet. We have not yet layered on the firewall with the INSPECT...
I'd like some confirmation that what we have so far works. The more complex you make the initial config, the more difficult it is to troubleshoot later.

Here's a basic firewall config that can simply be added to the config above:

!
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall ftp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall smtp
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tftp
ip inspect name firewall vdolive
ip audit notify log
ip audit po max-events 100
!
Interface ethernet 0
 ip access-group 100 in
 ip inspect firewall out
!
Interface ethernet 1
  ip access-group 100 in
  ip inspect firewall out
!
interface FastEthernet0
 ip access-group 102 in
!
access-list 100 permit tcp any host 24.5.5.6 eq 25
access-list 100 permit tcp any host 24.5.5.6 eq 80
access-list 102 permit ip any any
!
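Two things to check before pasting the firewall above onto the configs earlier in the thread. First, access list 100 admits only SMTP and HTTP to 24.5.5.6; its implicit deny also drops IKE (UDP 500), NAT-T (UDP 4500) and ESP, so the moment it is applied the road-warrior VPN from the earlier post can no longer connect. Second, the CBAC `smtp` inspector restricts an outbound mail session to the basic SMTP command set; if the inside mail server's deliveries to remote servers start failing on EHLO or STARTTLS after this is applied, use the `esmtp` inspector where the IOS image offers it. The following is an added example, not the thread's own config, of the inbound list a practitioner would put on both outside interfaces instead of list 100: the published services, IPsec to either public address, the ICMP types path-MTU discovery depends on, anti-spoofing, and an explicit logged deny. Addresses are the thread's placeholders and the list name is mine.

```cisco
! Added example: inbound ACL for both outside interfaces that admits the
! published services and the road-warrior VPN.  List name is mine; addresses
! are the thread's placeholders.
!
ip access-list extended OUTSIDE-IN
 remark -- anti-spoof: private and loopback space never arrives from the Internet --
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 remark -- published services; must match the static NAT entries --
 permit tcp any host 24.5.5.6 eq 25
 permit tcp any host 24.5.5.6 eq 80
 remark -- IPsec road warriors, terminating on either public address --
 permit udp any host 24.5.5.5 eq isakmp
 permit udp any host 24.5.5.5 eq non500-isakmp
 permit esp any host 24.5.5.5
 permit udp any host 208.4.4.2 eq isakmp
 permit udp any host 208.4.4.2 eq non500-isakmp
 permit esp any host 208.4.4.2
 remark -- ICMP for path-MTU discovery and traceroute; no inbound echo-request --
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 remark -- everything else is dropped and logged.  CBAC inserts its dynamic
 remark -- return-traffic entries ahead of this list for sessions it inspected.
 deny   ip any any log
!
interface Ethernet0
 ip access-group OUTSIDE-IN in
 ip inspect firewall out
!
interface Ethernet1
 ip access-group OUTSIDE-IN in
 ip inspect firewall out
```

Return traffic for outbound sessions (web browsing, DNS replies, the mail server's own outbound deliveries) never needs a permit here: `ip inspect firewall out` on the outside interfaces watches those sessions leave and opens the matching holes in the inbound list for their lifetime. Watch `show ip inspect sessions` to confirm that, and `show access-lists OUTSIDE-IN` for the deny counters; on a busy broadband link the logged deny can generate a lot of syslog on a 1721, so drop the `log` keyword on that line once the rule set is proven.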
LVL 79

Expert Comment

by:lrmoore
ID: 13688774
Do you need more information?
Have you resolved this problem?
Can you close this question?
Thanks!