  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 380
  • Last Modified:

Cisco 3700 Multiple IP Ranges

Okay, here's the deal: We have 5 IP address ranges assigned to us by our telecom provider. We are trying to configure our Cisco 3700 series router so that we can use them. Currently, the router routes 4 of the IP ranges to a single address that is located on our PIX firewall, which then translates traffic from the WAN IPs to LAN equivalents. For example, if 192.168.1.10 was our WAN IP (provided by the telecom), it would translate it to 10.20.35.10 (the address on the local server). With the first range we originally received from the telecom we are able to assign an address to a server (i.e. 192.168.0.11) and it would route through the router without a problem. Ranges 2-5, though, must have the firewall translate. I'm not 100% sure why it was set up that way, but we'd like to set it up so that the firewall acts solely as a firewall (rather than running NAT from 192.168.x.x to 10.20.x.x) and the router does its thing and allows us to assign a WAN IP from any of the ranges to a server, plug it in the network, and have it work.

I hope all of that made sense. If anyone wants me to expand on anything, or try to explain why things were done a certain way originally, please let me know. Here's a copy of the config file. I've changed the WAN IPs to generic 192 ranges. The IPs for the two PONs (the boxes that the fiber goes into from our telecom, which then provide us with an ethernet cable -- basically they're routers/media converters) have been modified to be 1.2.3.1 and 1.2.3.2. The IP range which works without the firewall is the 192.168.0.x range. Ranges 192.168.1.x-192.168.4.x require the firewall to translate.

version 12.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname INT-CKE-1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no network-clock-participate slot 1
no network-clock-participate slot 2
no network-clock-participate slot 3
no network-clock-participate slot 4
no network-clock-participate wic 0
no network-clock-participate wic 1
no network-clock-participate wic 2
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
ip tcp selective-ack
ip tcp mss 1460
!
!
ip cef
!
!
!
!
!
interface FastEthernet0/0
 description PON 1
 ip address 1.2.3.1 255.255.255.252
 ip access-group 2010 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 description PON 2
 ip address 1.2.3.2 255.255.255.252
 ip access-group 2010 in
 no ip redirects
 no ip unreachables
 no ip mroute-cache
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet1/0
 description DMZ
 ip address 192.168.0.1 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.3.1
ip route 0.0.0.0 0.0.0.0 1.2.3.2 5
ip route 192.168.1.0 255.255.255.0 192.168.0.14 permanent
ip route 192.168.2.0 255.255.255.224 192.168.0.14 permanent
ip route 192.168.3.0 255.255.255.0 192.168.0.14 permanent
ip route 192.168.4.0 255.255.255.0 192.168.0.14 permanent
!
!
access-list 2010 remark Specifically block ICMP fragments
access-list 2010 deny   icmp any any fragments
access-list 2010 remark Permit inbound ping.
access-list 2010 permit icmp any any echo
access-list 2010 remark Permit inbound ping response.
access-list 2010 permit icmp any any echo-reply
access-list 2010 remark Permit Path MTU to function.
access-list 2010 permit icmp any any packet-too-big
access-list 2010 remark Permit time exceeded messages for traceroute and loops.
access-list 2010 permit icmp any any time-exceeded
access-list 2010 remark And explicitly block all other ICMP packets
access-list 2010 deny   icmp any any
access-list 2010 remark Permit everything else (or add additional ACLs here).
access-list 2010 remark RESERVED ADDRESSES, SHOULD NOT BE ROUTED
access-list 2010 deny   ip host 0.0.0.0 any
access-list 2010 deny   ip 127.0.0.0 0.255.255.255 any
access-list 2010 deny   ip 10.0.0.0 0.255.255.255 any
access-list 2010 deny   ip 192.168.0.0 0.0.255.255 any
access-list 2010 deny   ip 172.16.0.0 0.15.255.255 any
access-list 2010 deny   ip 169.254.0.0 0.0.255.255 any
access-list 2010 deny   ip 224.0.0.0 31.255.255.255 any
access-list 2010 permit ip any any
no cdp run

!
line con 0
 password 7 xxxxxxxxxxxxxxxxxxxxxxx
 login
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxxxxxx
 login
 transport preferred all
 transport input all
 transport output all
!
!
end
Asked by: phoenix706

1 Solution
phoenix706 (Author) commented:
By the way: the second PON is designed for redundancy. If the main PON fails (1.2.3.1), traffic should be routed through the second one (1.2.3.2). I'm assuming that's what the "ip route 0.0.0.0 0.0.0.0 1.2.3.2 5" is for. I'm not very knowledgeable with regards to Cisco, so I'm not 100% sure...
 
mikecr commented:
Since you already have a route on the router to look back inside of your network with the next hop being your firewall, you will need to create no-NAT statements on your PIX so that it won't NAT anything coming in destined for those IP address ranges. You would then need to either have VLANs for each of the networks set up inside on your local LAN, or create VLANs on the DMZ of the PIX to accommodate those different ranges. This would be the only way to plug and go as you request.
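To make the posted config and mikecr's point concrete, here is an added Python model (written for this page, not code from the router, the thread or Cisco) of what the 3700 does with a packet arriving on a PON interface: evaluate access-list 2010 top-down with first match wins, then pick the longest-matching route. That is exactly why a 192.168.0.x host is reached directly on the connected DMZ subnet while the 192.168.1.x-192.168.4.x ranges are handed to the PIX at 192.168.0.14, which in turn is why the PIX must stop translating them if hosts in those ranges are to be plugged in as-is. The ACL and route lines are copied from the config above; the sample packets are constructed, and the 1.2.3.x next hops are the author's placeholders used only as labels.

```python
"""Model of the posted 3700's forwarding decision: inbound ACL 2010, then
longest-prefix-match routing.  Added illustration, not the router's own code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Copy of the access-list 2010 lines from the posted config (remarks dropped;
# they are comments in IOS and do not affect matching).
ACL_TEXT = """
access-list 2010 deny   icmp any any fragments
access-list 2010 permit icmp any any echo
access-list 2010 permit icmp any any echo-reply
access-list 2010 permit icmp any any packet-too-big
access-list 2010 permit icmp any any time-exceeded
access-list 2010 deny   icmp any any
access-list 2010 deny   ip host 0.0.0.0 any
access-list 2010 deny   ip 127.0.0.0 0.255.255.255 any
access-list 2010 deny   ip 10.0.0.0 0.255.255.255 any
access-list 2010 deny   ip 192.168.0.0 0.0.255.255 any
access-list 2010 deny   ip 172.16.0.0 0.15.255.255 any
access-list 2010 deny   ip 169.254.0.0 0.0.255.255 any
access-list 2010 deny   ip 224.0.0.0 31.255.255.255 any
access-list 2010 permit ip any any
"""

# Static routes from the posted config plus the connected DMZ subnet, as
# (prefix, next hop, administrative distance).  Connected is 0, a static
# route is 1 unless the config says otherwise (the backup default uses 5).
ROUTES = [
    ("192.168.0.0/27", "connected FastEthernet1/0", 0),
    ("0.0.0.0/0", "1.2.3.1", 1),
    ("0.0.0.0/0", "1.2.3.2", 5),
    ("192.168.1.0/24", "192.168.0.14", 1),
    ("192.168.2.0/27", "192.168.0.14", 1),
    ("192.168.3.0/24", "192.168.0.14", 1),
    ("192.168.4.0/24", "192.168.0.14", 1),
]

@dataclass
class Packet:                      # constructed sample packet, not a capture
    src: str
    dst: str
    proto: str = "tcp"             # tcp / udp / icmp
    icmp_type: Optional[str] = None
    fragment: bool = False         # True for a non-initial fragment (no L4 header)

def _wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to an ipaddress network."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, bin(mask).count("1")), strict=False)

def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2

def parse_acl(text):
    """Turn 'access-list 2010 ...' lines into (action, proto, src, dst, qualifier)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", "2010"] or t[2] == "remark":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        entries.append((t[2], t[3], src, dst, t[i] if i < len(t) else None))
    return entries

def acl_decision(entries, pkt):
    """First matching entry wins; IOS appends an implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, snet, dnet, qual in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src not in snet or dst not in dnet:
            continue
        if qual == "fragments":
            if not pkt.fragment:           # matches non-initial fragments only
                continue
        elif qual is not None:
            # an ICMP type qualifier needs the L4 header, so it cannot match
            # a non-initial fragment
            if pkt.fragment or pkt.icmp_type != qual:
                continue
        return action
    return "deny"

def route_lookup(routes, dst):
    """Longest prefix wins; on equal length the lowest administrative distance."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh, ad) for p, nh, ad in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: (m[0].prefixlen, -m[2]))[1]

def forward(routes, entries, pkt):
    """What the router does with a packet arriving on FastEthernet0/0 or 0/1."""
    if acl_decision(entries, pkt) == "deny":
        return "dropped by acl 2010"
    return "forward via " + route_lookup(routes, pkt.dst)

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for pkt in (Packet("203.0.113.5", "192.168.0.11"),
                Packet("203.0.113.5", "192.168.3.20"),
                Packet("10.1.1.1", "192.168.0.11")):
        print(pkt.src, "->", pkt.dst, ":", forward(ROUTES, acl, pkt))
```

Running it shows the two paths the question describes: traffic to 192.168.0.11 leaves on the DMZ interface directly, traffic to 192.168.3.20 is forwarded to 192.168.0.14 (the PIX), and a packet with an RFC 1918 source is dropped by the bogon entries before any routing happens. One detail worth noticing from the route table as posted is that the 192.168.2.0 route carries a 255.255.255.224 mask, so only 192.168.2.0-192.168.2.31 are sent to the firewall; a higher 192.168.2.x address would fall through to the default route.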
