
Changing subnet mask on networks and configuring routing on ISR running Cisco IOS 12.4

In a test lab I have the following:

SITE A: Cisco ISR 2811
  IP: 192.168.1.250/24  
  LAN: 192.168.1.0/24
  VPN Pool: 192.168.4.0/24
 
SITE B: Cisco PIX 506e
  IP: 192.168.3.250/24  
  LAN: 192.168.3.0/24
  VPN Pool: 192.168.6.0/24

SITE C: Cisco PIX 501
  IP: 192.168.2.250/24
  LAN: 192.168.2.0/24
  VPN Pool: 192.168.5.0/24

The ISR is brand new and is not yet configured for routing; it is acting as a hub and the PIXes as spokes. There are IPsec tunnels between the PIXes and the ISR. Users that access any of the three devices using Cisco VPN Client software lease an IP address from the VPN Pool associated with the device they are connecting to.

What I would like to do is configure routing on the ISR in as simple a fashion as possible.

Would changing the subnet mask from /24 to say /21, using classless routing, help to simplify the routing configuration on the ISR? Would I need to enable OSPF or RIPv2? If so, how would the routes be configured?

ip route 192.168.1.0/21 192.168.1.250/21?

Yes, I am hapless at routing because I am a newb.

Thank you,

Keatscon
 
knightrider2k2 commented:
No, do not change the subnet. /24 is good in your situation.
What are the IP addresses for the tunnels between the PIX and ISR?
 
keatscon (Author) commented:
KnightRider2k2,

  SITE A: Cisco ISR 2811
  LAN IP: 192.168.1.250/24
  LAN: 192.168.1.0/24
         WAN IP: A.B.C.D
  VPN Pool: 192.168.4.0/24

 crypto map CMAP_1 1 ipsec-isakmp
   description Tunnel to E.F.G.H
   set peer E.F.G.H
   set transform-set ESP-3DES_ESP-MD5-HMAC
   match address 130

 crypto map CMAP_2 2 ipsec-isakmp
   description Tunnel to I.J.K.L
   set peer I.J.K.L
   set transform-set ESP-3DES_ESP-MD5-HMAC
   match address 110

SITE B: Cisco PIX 506e
  LAN IP: 192.168.3.250/24  
  LAN: 192.168.3.0/24
        WAN IP: E.F.G.H
  VPN Pool: 192.168.6.0/24

SITE C: Cisco PIX 501
  LAN IP: 192.168.2.250/24
  LAN: 192.168.2.0/24
        WAN IP: I.J.K.L
  VPN Pool: 192.168.5.0/24


Thank you,

Keatscon
 
Jim_Coyne commented:
Overall you look good, but if you really wanted it to be nice use the following subnets:

192.168.0.0/24 (instead of 192.168.1.0)
192.168.1.0/24 (instead of 192.168.2.0)
192.168.2.0/24 (instead of 192.168.3.0)
192.168.3.0/24 (instead of 192.168.4.0)

then the entire network can be described as 192.168.0.0/22

Jim_Coyne commented:

ISR needs these routes now:

ip route 192.168.0.0 255.255.255.0 x.x.x.x (where x.x.x.x is the next hop)
ip route 192.168.1.0 255.255.255.0 x.x.x.x
ip route 192.168.2.0 255.255.255.0 x.x.x.x
ip route 192.168.3.0 255.255.255.0 x.x.x.x

but if you change ISR only needs:

ip route 192.168.0.0 255.255.252.0 x.x.x.x
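Added example (mine, not code from the thread or from Cisco) that checks the arithmetic behind the question's "192.168.1.0/21" line, Jim_Coyne's renumbering suggestion and the route lists above: whether a set of /24s can be summarised into one exact supernet, what the smallest prefix covering them is when they cannot, and the IOS 'ip route' lines each case needs. The next hop passed to static_routes() is a placeholder, not a value from the thread.

```python
"""Added example, not from the original thread: checks whether the thread's
/24 networks can be summarised into one supernet, as Jim_Coyne's renumbering
suggestion relies on, and emits the matching IOS 'ip route' lines.  The
next-hop address passed to static_routes() is a placeholder, not a value
from the thread."""
import ipaddress
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network

# The /24s as the poster has them, and as Jim_Coyne proposes renumbering them.
ORIGINAL = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]
RENUMBERED = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]


def is_valid_network(text: str) -> bool:
    """True only if the address sits on the boundary its prefix length implies.
    '192.168.1.0/21' fails: under a /21 mask the host bits of .1.0 are set,
    so the network that prefix actually names is 192.168.0.0/21."""
    try:
        ipaddress.ip_network(text)  # strict=True by default
        return True
    except ValueError:
        return False


def collapse(nets: List[str]) -> List[IPv4Net]:
    """Merge adjacent, aligned prefixes into the fewest exact supernets."""
    parsed = [ipaddress.ip_network(n) for n in nets]
    return list(ipaddress.collapse_addresses(parsed))


def exact_supernet(nets: List[str]) -> Optional[IPv4Net]:
    """The one prefix covering exactly these networks, or None if no single
    prefix does so without also pulling in address space that is not listed."""
    merged = collapse(nets)
    return merged[0] if len(merged) == 1 else None


def smallest_covering(nets: List[str]) -> IPv4Net:
    """Smallest prefix that contains every network, over-covering if needed."""
    parsed = [ipaddress.ip_network(n) for n in nets]
    cover = parsed[0]
    while not all(n.subnet_of(cover) for n in parsed):
        cover = cover.supernet()
    return cover


def static_routes(nets: List[str], next_hop: str) -> List[str]:
    """One 'ip route' line per collapsed prefix, in IOS dotted-mask form."""
    return [f"ip route {n.network_address} {n.netmask} {next_hop}"
            for n in collapse(nets)]


if __name__ == "__main__":
    print("192.168.1.0/21 is a valid network:", is_valid_network("192.168.1.0/21"))
    for label, nets in (("original", ORIGINAL), ("renumbered", RENUMBERED)):
        exact = exact_supernet(nets)
        cover = smallest_covering(nets)
        print(f"{label}: exact summary={exact}, smallest cover={cover} "
              f"({cover.num_addresses // 256} x /24 for {len(nets)} in use)")
        for line in static_routes(nets, "x.x.x.x"):
            print("  ", line)
```

With the addressing as posted, the four /24s only collapse to three prefixes (192.168.1.0/24, 192.168.2.0/23, 192.168.4.0/24) and the smallest single cover is 192.168.0.0/21, which spans eight /24s for four in use; after renumbering to .0 through .3 they collapse to exactly 192.168.0.0/22, whose four /24 members are 192.168.0.0, .1.0, .2.0 and .3.0.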
 
keatscon (Author) commented:
Jim,

    I am a little confused, I have three subnets that I use for VPN clients that connect to the PIXes and ISR.  Would I need to configure routes for a subnet that handles VPN Clients at SITE B on the ISR?

   e.g., A VPN Client leases IP 192.168.6.2 on the PIX at Site B. She wants to access a server (192.168.1.5) located at Site A, where the ISR is located.

  Would I then enter on the ISR:

   ip route 192.168.6.0 255.255.255.0 192.168.1.1 to dump the traffic on the subnet where the target server resides?
 
Thank you,

Keatscon
 
keatscon (Author) commented:
Jim,

   So I would change the subnet mask for my networks to 255.255.252.0?

   e.g., For a host on the 192.168.1.0 subnet would be 192.168.1.60 255.255.252.0
           and I would only need the following route on the ISR:
 
            ip route 192.168.0.0 255.255.252.0?

     I would also need the 'ip classless' command on the ISR, yes?

Thank you,

Keatscon
 
Jim_Coyne commented:
So I would change the subnet mask for my networks to 255.255.252.0?

>> no, all subnets stay 255.255.255.0 (but your entire network could be described as the 192.168.0.0/22 network). 192.168.0.0/22 includes 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24 and 192.168.4.0/24

For a host on the 192.168.1.0 subnet would be 192.168.1.60 255.255.252.0
           and I would only need the following route on the ISR:

>> no, I am sorry. I was confused.  ip route 192.168.0.0 255.255.252.0 x.x.x.x would be for a router that needs to access all these sites. A business partner's network, for example.

I would also need the 'ip classless' command on the ISR, yes?
>> Yes, ip classless is needed, but it is on by default on 12.x IOS. In general "ip classless" is the standard, so I wouldn't expect to see classful routing in a network.
 
 
keatscon (Author) commented:
Jim,

    If I have a user on the 192.168.3.0/24 subnet that is accessing servers on the 192.168.1.0/24 subnet I would need the following:

    ip route 192.168.3.0 255.255.255.0 192.168.1.0?

    And for my VPN users that connect to the ISR and access servers on the 192.168.1.0/24 subnet I would need:

    ip route 192.168.4.0 255.255.255.0 192.168.1.0?  

And finally for users on the 192.168.1.0/24 subnet wanting to get to the Internet I would have:

    ip route 192.168.1.0 255.255.255.0 Ethernet0/1?

      OR

   ip route 192.168.1.0 255.255.255.0 A.B.C.D (ISP's router)

Or Am I confusing the role of routing with the role of ACLs?

Thank you,

Keatscon
 
Jim_Coyne commented:
You're on the right track: the clients get a default gateway of the local router (a route, more or less), and the ISR router gets a route to the ISP.

   ip route 0.0.0.0 0.0.0.0 Ethernet0/1
   ip route 0.0.0.0 0.0.0.0 A.B.C.D

Either of these will work if the ISP is on that interface (e0/1). This is known as a default route, it basically says if you can't match any other routes, send the traffic here. To the ISP (Internet) in this case. This is similar to the default gateway you give a host.

For the remote networks (.3 in this example) the router gets a route like this:

  ip route 192.168.1.0 255.255.255.0 192.168.3.1

The way to read this is the 192.168.1.0/24 network is available via the 192.168.3.1 ip address. Notice the first number is the network number and not an IP and the second number is the IP of the router that knows how to get to that network.

Once routing is set up, you can limit certain kinds of traffic with ACLs. For example, let's say I want to allow HTTP on port 80 to the Internet but I don't want to allow any other traffic. I would first write an access-list:

ip access-list extended ALLOWHTTP
permit tcp any eq 80 any

This says allow any host using port 80 to communicate with any host, what you don't see is an implied deny everything at the end which blocks all other traffic. Now that I have the access-list written I need to apply it to an interface.

int e0/1
ip access-group ALLOWHTTP out

If you really want to get fancy you could use CBAC, but that is harder to explain. See this link:

http://www.cisco.com/warp/public/110/32.html

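Added example (mine, not code from the thread or from Cisco) modelling the two mechanisms in the reply above: longest-prefix routing with a default route, and an extended ACL with its implicit deny at the end. Interface names, the ISP next hop (203.0.113.1) and the sample packets are constructed for illustration; only the 192.168.x.0/24 networks come from the thread. One caveat worth checking before pasting the ACL as written: applied "out" on the ISP-facing interface, the list sees the LAN clients' requests, whose destination port is 80 and whose source port is ephemeral, so "permit tcp any eq 80 any" (source port 80) will not match them, while "permit tcp any any eq 80" (destination port 80) will. That reading of the ACL is mine, not something the thread states; the model below evaluates both forms against a constructed client request so you can see the difference.

```python
"""Added example, not code from the original thread: a small model of the two
things Jim_Coyne's reply describes, longest-prefix routing with a default
route and an extended ACL with its implicit deny.  Interface names, the ISP
next hop (203.0.113.1) and the sample packets are constructed for
illustration; only the 192.168.x.0/24 networks come from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str  # next-hop address or exit interface, as written in 'ip route'


def parse_ip_route(line: str) -> Route:
    """Parse 'ip route <network> <mask> <next-hop|interface>'."""
    _, _, network, mask, via = line.split()
    return Route(ipaddress.ip_network(f"{network}/{mask}"), via)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match.  0.0.0.0/0 (the default route) has the shortest
    prefix, so it is chosen only when no more specific route contains dst."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


# Hub routing table (constructed).  Remote LANs are reached through the IPsec
# peers over the Internet, so their next hop is the ISP router as well; the
# crypto map, not the route, decides that those packets get encrypted.
ISR_ROUTES = [parse_ip_route(line) for line in [
    "ip route 192.168.1.0 255.255.255.0 FastEthernet0/0",
    "ip route 192.168.2.0 255.255.255.0 203.0.113.1",
    "ip route 192.168.3.0 255.255.255.0 203.0.113.1",
    "ip route 0.0.0.0 0.0.0.0 203.0.113.1",
]]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_ace(line: str) -> Tuple:
    """Parse 'permit|deny <proto> <src> [eq P] <dst> [eq P]' where an
    address is 'any' or 'host A.B.C.D' (the forms used in the thread)."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take_endpoint():
        addr = rest.pop(0)
        if addr == "host":
            addr = rest.pop(0)
        port = None
        if rest and rest[0] == "eq":
            rest.pop(0)
            port = int(rest.pop(0))
        return addr, port

    src, sport = take_endpoint()
    dst, dport = take_endpoint()
    return action, proto, src, sport, dst, dport


def ace_matches(ace: Tuple, pkt: Packet) -> bool:
    _, proto, src, sport, dst, dport = ace
    return (proto in ("ip", pkt.proto)
            and src in ("any", pkt.src) and dst in ("any", pkt.dst)
            and sport in (None, pkt.sport) and dport in (None, pkt.dport))


def acl_permits(acl: List[str], pkt: Packet) -> bool:
    """First matching entry decides; anything unmatched hits the implicit
    'deny ip any any' at the end of every IOS access list."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace[0] == "permit"
    return False


# Applied 'out' on the ISP-facing interface, the ACL sees the LAN client's
# request: destination port 80, ephemeral source port.
ACL_AS_POSTED = ["permit tcp any eq 80 any"]      # matches source port 80
ACL_OUTBOUND_HTTP = ["permit tcp any any eq 80"]  # matches destination port 80
CLIENT_REQUEST = Packet("tcp", "192.168.1.60", 51000, "203.0.113.10", 80)

if __name__ == "__main__":
    for dst in ("192.168.1.5", "192.168.3.7", "192.168.6.2", "8.8.8.8"):
        r = lookup(ISR_ROUTES, dst)
        print(f"{dst:<14} -> {r.prefix} via {r.via}")
    print("ACL as posted permits client request: ", acl_permits(ACL_AS_POSTED, CLIENT_REQUEST))
    print("dst-port-80 ACL permits client request:", acl_permits(ACL_OUTBOUND_HTTP, CLIENT_REQUEST))
```

Note that 192.168.6.2, the site B VPN pool address from the earlier question, falls through to the default route in this table because no route for 192.168.6.0/24 exists; in a crypto-map design that still sends it out the WAN interface, where the crypto ACL decides whether it is encrypted. The outbound ACL does not filter replies coming back in on e0/1; stateful handling of the return direction is what CBAC (mentioned above) adds.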
