  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 287

Cisco 1720 router config for multiple internet connections

Here is my question,

I have a cisco 1720 router with this config:

Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  unassigned      NO  unset  up                    down
FastEthernet0              unassigned      NO  unset  up                    down
FastEthernet1              unassigned      YES unset  initializing          down
FastEthernet2              unassigned      YES unset  initializing          down
FastEthernet3              unassigned      YES unset  initializing          down
FastEthernet4              unassigned      YES unset  initializing          down
Vlan1                      unassigned      YES unset  up                    down

I have not set up the router yet. My question is:

Can I have a cable internet connection and a T1 connection configured on the same router?

We want to be able to route certain traffic to the T1 (like Citrix connections) and all other traffic through the cable modem connection.

How do I set up the router to do this??

Asked by: danman265

1 Solution
Scotty_cisco commented:
This is going to be a policy-based routing configuration. You will use source and destination IP addresses (specifying them with ACLs if you want) and the path to follow. I need more detail to write the config, but you will want to look into the route-map command and how it works with policy-based routing.

If you want to give me some more specific details I can provide additional help.

Thanks
Scott Bertsch
danman265 (Author) commented:
I have 1 T1 connection going to my 501 pix then to the switch.

Inside IP is 192.168.0.0
Outside IP is 71.16.75.210

Now I want to add the cable modem to the mix.

Cable IP is 78.54.16.25

Do I keep the same inside route?

I have a 1720 router. I just updated the firmware and memory to support additional WICs.
Now how do I set up my router so all traffic to and from Citrix sessions, which is IP 71.16.75.213-218, stays on the T1 and all internet and email traffic goes through the cable modem?

I'm not sure how to set up the router at this point.
danman265 (Author) commented:
Here is the current config

T1 (adtran) -----> pix501 -----> switch

What I want to do is add a cisco 1720 and add an additional cable modem ISP.

My 1720 has a 4esw WIC, 1-enet, 1 on-board FastE0.

How do I configure the router to allow traffic to be inbound from the T1, then outbound via either T1 or cable depending on the type of traffic?

I need a sample config setup from the beginning. My router has not been configured yet.

thanks
Scotty_cisco commented:
So the router is going between the adtran and the pix501?

Will the pix be doing the NAT or will the 1720? And which interface will the pix be plugged into?
danman265 (Author) commented:
I was thinking about putting the router after the pix

adtran  -----> pix -----> router  ----> switch
                                      |
                                  cable ISP

or should I have the router between adtran and pix?

or should I remove the pix and use the router as the firewall?

Whatever way is better and easier.

adtran to interface e0

cable to interface fa0

use the 4esw WIC to LAN switch.
Scotty_cisco commented:
OK, but policy-based routing can only happen on the input of an interface, not output, so it would go on the interface that you think would be handling inbound traffic out to the internet. Have you looked into the route-map commands and how they work?

This is not an easy config to handle. I have done this a number of times with my experience and it is even harder to explain this way.... If you can give me specific information I could maybe take a shot at a config. This is going to mean what hosts you want to go out the cable and what types of traffic, basically everything to build an ACL based on this traffic.

Thanks
Scott
danman265 (Author) commented:
ok..

So would you say put the router between the pix and adtran?

The T1 IP is static 71.16.74.146 255.255.255.240

internal IP 192.168.0.0

Cable modem static IP address is 78.54.16.25, not sure what to do with this.

So can we put the T1 into the WIC 1enet,

put the cable modem in the onboard FE0,

then have the 4esw WIC to the LAN?

As far as policy: http, email outbound through the cable;

all other traffic through the T1, Citrix sessions (71.16.75.210 through 218).

Does that help??
Scotty_cisco commented:
No, I would leave the router where you had it, because if the PIX is doing the network address translation then by the time the packet got to the router it would have a different address.

Couple of questions:

Do you have multiple IP addresses on the cable and the T1?

If not, you can NAT on both the pix and the 1720.

How many ports are you going to use on the LAN side of the 1720?

What is the source IP and dest IP of what you want to go over the cable, and what is it for what you want to go over the T1?

Thanks
Scott
danman265 (Author) commented:
Here is the pix config where you can get an idea how it's set up.

: Written by enable_15 at 01:59:39.996 EST Thu Jan 12 2006
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password WrFqxM/WbjMo02ox encrypted
passwd hPGDIXby294ZeGjH encrypted
hostname stockcad.local
domain-name stockcad.local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit tcp any host 71.16.74.146 eq 4501
access-list inbound permit tcp any host 71.16.74.146 eq 4502
access-list inbound permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list inbound permit tcp any host 71.16.74.146 eq smtp
access-list inbound permit tcp any host 71.16.74.146 eq www
access-list inbound permit tcp any host 71.16.74.146 eq 1923
access-list inbound permit tcp any host 71.16.74.146 eq citrix-ica
access-list inbound permit tcp any host 71.16.74.146 eq 3443
access-list inbound permit tcp any host 71.16.74.146 eq https
access-list inbound permit icmp any any echo
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside_cryptomap_60 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside_cryptomap_60 permit ip host 71.16.74.146 172.16.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 71.16.74.146 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.5.15 255.255.255.255 inside
pdm location 172.16.5.99 255.255.255.255 inside
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 192.168.0.3 255.255.255.255 inside
pdm location 192.168.0.6 255.255.255.255 inside
pdm location 192.168.0.8 255.255.255.255 inside
pdm location 192.168.0.35 255.255.255.255 inside
pdm location 64.4.43.7 255.255.255.255 outside
pdm location 64.4.44.7 255.255.255.255 outside
pdm location 64.4.45.7 255.255.255.255 outside
pdm location 64.4.52.7 255.255.255.255 outside
pdm location 64.4.53.7 255.255.255.255 outside
pdm location 172.16.0.0 255.255.0.0 outside
pdm location 192.168.0.5 255.255.255.255 inside
pdm location 71.16.75.208 255.255.255.240 outside
pdm location 172.16.5.15 255.255.255.255 outside
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 172.16.5.5 255.255.255.255 outside
pdm location 172.16.0.0 255.255.255.255 inside
pdm location 172.16.5.9 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 172.16.0.0 255.255.255.255 outside
pdm location 172.16.5.9 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp 71.16.74.146 4502 192.168.0.35 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 71.16.74.146 1923 192.168.0.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 71.16.74.146 https 192.168.0.5 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 71.16.74.146 www 192.168.0.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 71.16.74.146 3443 192.168.0.0 3443 netmask 255.255.255.255 0 0
static (inside,outside) tcp 71.16.74.146 smtp 192.168.0.5 smtp netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 71.16.74.145 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
url-server (outside) vendor websense host 172.16.5.15 timeout 30 protocol TCP version 1
filter url except 0.0.0.0 0.0.0.0 64.4.43.7 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 64.4.44.7 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 64.4.45.7 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 64.4.52.7 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 64.4.53.7 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 172.16.5.9 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 172.16.5.100 255.255.255.255
filter url except 172.16.5.95 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url except 192.168.0.2 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url except 0.0.0.0 0.0.0.0 67.19.150.213 255.255.255.255
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 71.16.75.208 255.255.255.240 outside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set stronger esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 71.16.75.210
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 71.16.75.210 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
url-block url-mempool 1500
url-block url-size 4
url-block block 128
terminal width 80
Cryptochecksum:fafd63e836c6c1982c8f4c8a63faf4f7
stockcad.local#
Scotty_cisco commented:
OK, so yeah, you could not separate traffic if you put it on the outside of the pix; it needs to go before the pix to make the routing decisions.

I need to find you a PBR config; let me see if I have one I can modify and send.

Thanks
Scott
danman265 (Author) commented:
Ok, thanks for your help.  This is harder than we expected, I think.

danman265 (Author) commented:
Any luck with this configuration?
Scotty_cisco commented:
!
! the policy is attached to the interface the traffic enters on
interface FastEthernet0/x
 ip address 10.192.1.4 255.255.255.0
 no ip redirects
 ip nat outside
 ip policy route-map somename
 speed 100
 full-duplex
!
! traffic matching ACL 102 is steered to the cable next hop
access-list 102 permit ip (source) (destination)
!
route-map somename permit 20
 match ip address 102
 set ip next-hop 192.168.1.x (Next hop router) Cable
!

This is a basic representation; anything not in ACL 102 will get routed per the routing table.

Thanks
Scott

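As an added example (not from the thread, and not IOS code), a small Python model of the decision Scott's route-map template makes: an IOS-style wildcard-mask ACL is evaluated on the packet as it enters the LAN-side interface, a permit sends it to the cable next hop, and a deny or no match leaves it to the routing table (the T1 default). The T1 gateway is the PIX's "route outside" gateway from the thread; the Citrix range 71.16.75.208/28, the web/mail ports and the cable gateway placeholder are assumptions.

```python
import ipaddress

# Added model of the route-map/ACL decision from the thread, not IOS code.
# Next hops: the T1 gateway is the PIX's "route outside" gateway from the
# thread; the cable gateway is not given, so it is a labelled placeholder.
T1_NEXT_HOP = "71.16.74.145"
CABLE_NEXT_HOP = "CABLE-GATEWAY-PLACEHOLDER"

def in_wildcard(addr, base, wildcard):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)

# Entries of "access-list 102": (action, proto, src, src_wc, dst, dst_wc, dport).
# Assumed values: the Citrix farm 71.16.75.208/28 stays on the T1 (deny = not
# policy-routed, so it follows the routing table); web and mail go to cable.
ACL_102 = [
    ("deny",   "tcp", "192.168.0.0", "0.0.0.255", "71.16.75.208", "0.0.0.15", None),
    ("permit", "tcp", "192.168.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", 80),
    ("permit", "tcp", "192.168.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", 443),
    ("permit", "tcp", "192.168.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", 25),
]

def acl_permits(acl, pkt):
    """First matching entry wins; no match at all is the implicit deny."""
    for action, proto, src, src_wc, dst, dst_wc, dport in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (in_wildcard(pkt["src"], src, src_wc)
                and in_wildcard(pkt["dst"], dst, dst_wc)):
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        return action == "permit"
    return False

def next_hop(pkt):
    """'route-map somename permit 20': match ip address 102 / set ip next-hop.
    Evaluated on the interface the packet enters (the LAN side), so the
    source is still the internal host, not the PIX's NAT address."""
    if acl_permits(ACL_102, pkt):
        return CABLE_NEXT_HOP
    return T1_NEXT_HOP  # everything else follows the normal routing table
```

Feeding it a packet whose source has already been NATed to 71.16.74.146 returns the T1 hop because no ACL entry matches, which is Scott's reason for placing the router before the PIX.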