• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 920
  • Last Modified:

Help with cisco 1841 router config

Hi I am changing my ISP I am going with a 3 meg fiber network, all terminals will be coming into my main office and connecting directly to my switches so no subnetting. I bought a cisco 1841 router to use with my new isp two fe interfaces.  I have received my router WAN and router Lan with 5 usable ip address which I need to point to server inside my lan my current private ip's 192.168.10.1-256. I want to keep this the same. I need to point a static to a citrix nfuse box a future email server and to a video confrencing device. A have a configuartoin that does not seem to work my wan inferface is not correct, I need a little help I will show my current config any detailed advice is appreciated.
thanks

information  from isp:
router wan
IP: [ 24.56.160.50]
subnet Mask: [255.255.255.252]
default GW: [24.56.160.49]

Router LAN
CIDR Allocation: [ 24.56.160.216/29]
Suggested Router IP: [24.56.160.217 ]
Subnet Mask: [ 255.255.255.248 ]
Avail IP's if using suggested router IP: [24.56.160.218-222]
Pri DNS: 24.56.133.69
sec DNS                 .70

CURRENT CONFIG:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cmhcrouter
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$GKTc$FYMaCHw4CFwM6FlHcCUO51
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.99
!
ip dhcp pool sdm-pool1
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
!
!
no ip bootp server
ip domain name cmha.ts1
ip name-server 24.56.133.69
ip name-server 24.56.133.70
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto pki trustpoint TP-self-signed-3472870003
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3472870003
revocation-check none
rsakeypair TP-self-signed-3472870003
!
!
crypto pki certificate chain TP-self-signed-3472870003
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343732 38373030 3033301E 170D3037 30393234 31363434
35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34373238
37303030 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D6BF ABC661DA 99E4BB1C 22A005DC F3FF6D9C 013ADF03 F8FC8D8D 63FFE8CC
84D8A0C0 439A6848 1AE8F94B 7D8ACD97 65850CBB 037E2935 83994A67 527C5D13
406D6BAC B8F0FD16 74032A9B 6285FAD1 D60C115F 6CEA6A6B FAE5D1A3 7362204A
32705935 054B3DA2 A7C30E77 56B2E76D 829D9585 981FBCE8 0C516CF2 BB9CB679
9A210203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13636D68 63726F75 7465722E 636D6861 2E747331 301F0603
551D2304 18301680 14D37AD3 E3BF1E2C AAB3F916 459F2543 0CA6A208 06301D06
03551D0E 04160414 D37AD3E3 BF1E2CAA B3F91645 9F25430C A6A20806 300D0609
2A864886 F70D0101 04050003 81810037 71AE67F5 7866FB3D 6654CB53 4C56A7A5
CF46C7F8 99F76768 08B5254A 3CB602B1 7FF62F5A AB6EC975 BB4E59B3 F129F9FD
AAFB7699 124D918E 357DC94B 8DD3DCF2 B328ABA0 ADD5DADE E8739384 7BCADFC1
7B6AF816 C4A9A926 F3633E2D A69E1688 394EE72D 45FBBA46 95B34EA8 CEDAEB39
CD9B0370 B1625FA1 97FF16AC 1515AD
quit
username djw privilege 15 secret 5 $1$fF06$tANxj.Jwj.KLfpXkuXlXp/
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$
ip address 24.56.160.50 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
speed auto
full-duplex
no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.56.160.49
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static 192.168.10.1 24.56.160.217
ip nat inside source static 192.168.10.6 24.56.160.218
ip nat inside source static 192.168.10.5 24.56.160.219
ip nat inside source static 192.168.10.20 24.56.160.220
ip nat inside source static 192.168.10.21 24.56.160.221
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
end

0
dwoodfie74
Asked:
dwoodfie74
  • 3
  • 3
1 Solution
 
avilovCommented:
you need to deny all those IP in the access list first

something like

access-list 1 deny 192.168.10.21 0.0.0.0
access-list 1 deny 192.168.10.20 0.0.0.0
access-list 1 deny 192.168.10.1 0.0.0.0
access-list 1 deny 192.168.10.6 0.0.0.0
access-list 1 deny 192.168.10.5 0.0.0.0
access-list 1 permit 192.168.10.0 0.0.0.255
0
 
llyquidCommented:
avilov is correct,  but I prefer to use route-maps to do PAT....  try the following

ip access-l ext InternetNAT
 deny ip host 192.168.10.1 any
 deny ip host 192.168.10.5 any
 deny ip host 192.168.10.6 any
 deny ip host 192.168.10.20 any
 deny ip host 192.168.10.21 any
 permit ip 192.168.10.0 0.0.0.255

route-map InternetNAT permit 10
 match ip add InternetNAT

no ip nat inside source list 1 interface FastEthernet0/1 overload
no access-l 1

ip nat inside source route-map InternetNAT int F0/1 overload

0
 
dwoodfie74Author Commented:
How does this look: does my external interface fe0/1 info look right with the info given by the isp?
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cmhcrouter
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$GKTc$FYMaCHw4CFwM6FlHcCUO51
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.99
!
ip dhcp pool sdm-pool1
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
!
!
no ip bootp server
ip domain name cmha.ts1
ip name-server 24.56.133.69
ip name-server 24.56.133.70
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto pki trustpoint TP-self-signed-3472870003
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3472870003
revocation-check none
rsakeypair TP-self-signed-3472870003
!
!
crypto pki certificate chain TP-self-signed-3472870003
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343732 38373030 3033301E 170D3037 30393234 31363434
35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34373238
37303030 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D6BF ABC661DA 99E4BB1C 22A005DC F3FF6D9C 013ADF03 F8FC8D8D 63FFE8CC
84D8A0C0 439A6848 1AE8F94B 7D8ACD97 65850CBB 037E2935 83994A67 527C5D13
406D6BAC B8F0FD16 74032A9B 6285FAD1 D60C115F 6CEA6A6B FAE5D1A3 7362204A
32705935 054B3DA2 A7C30E77 56B2E76D 829D9585 981FBCE8 0C516CF2 BB9CB679
9A210203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13636D68 63726F75 7465722E 636D6861 2E747331 301F0603
551D2304 18301680 14D37AD3 E3BF1E2C AAB3F916 459F2543 0CA6A208 06301D06
03551D0E 04160414 D37AD3E3 BF1E2CAA B3F91645 9F25430C A6A20806 300D0609
2A864886 F70D0101 04050003 81810037 71AE67F5 7866FB3D 6654CB53 4C56A7A5
CF46C7F8 99F76768 08B5254A 3CB602B1 7FF62F5A AB6EC975 BB4E59B3 F129F9FD
AAFB7699 124D918E 357DC94B 8DD3DCF2 B328ABA0 ADD5DADE E8739384 7BCADFC1
7B6AF816 C4A9A926 F3633E2D A69E1688 394EE72D 45FBBA46 95B34EA8 CEDAEB39
CD9B0370 B1625FA1 97FF16AC 1515AD
quit
username djw privilege 15 secret 5 $1$fF06$tANxj.Jwj.KLfpXkuXlXp/
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$
ip address 24.56.160.50 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
speed auto
full-duplex
no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.56.160.49
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static 192.168.10.1 24.56.160.217
ip nat inside source static 192.168.10.6 24.56.160.218
ip nat inside source static 192.168.10.5 24.56.160.219
ip nat inside source static 192.168.10.20 24.56.160.220
ip nat inside source static 192.168.10.21 24.56.160.221
!
ip access-list extended InternetNAT
deny   ip host 192.168.10.1 any
deny   ip host 192.168.10.5 any
deny   ip host 192.168.10.20 any
deny   ip host 192.168.10.21 any
permit ip 192.168.10.0 0.0.0.255 any
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
end
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
llyquidCommented:
you still need to add the route-map:

route-map InternetNAT permit 10
 match ip add InternetNAT

and change this line:

ip nat inside source list 1 interface FastEthernet0/1 overload

to this line:

ip nat inside source route-map InternetNAT int F0/1 overload
0
 
dwoodfie74Author Commented:
ok how does this look:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cmhcrouter
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$GKTc$FYMaCHw4CFwM6FlHcCUO51
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.99
!
ip dhcp pool sdm-pool1
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
!
!
no ip bootp server
ip domain name cmha.ts1
ip name-server 24.56.133.69
ip name-server 24.56.133.70
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto pki trustpoint TP-self-signed-3472870003
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3472870003
revocation-check none
rsakeypair TP-self-signed-3472870003
!
!
crypto pki certificate chain TP-self-signed-3472870003
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343732 38373030 3033301E 170D3037 30393234 31363434
35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34373238
37303030 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D6BF ABC661DA 99E4BB1C 22A005DC F3FF6D9C 013ADF03 F8FC8D8D 63FFE8CC
84D8A0C0 439A6848 1AE8F94B 7D8ACD97 65850CBB 037E2935 83994A67 527C5D13
406D6BAC B8F0FD16 74032A9B 6285FAD1 D60C115F 6CEA6A6B FAE5D1A3 7362204A
32705935 054B3DA2 A7C30E77 56B2E76D 829D9585 981FBCE8 0C516CF2 BB9CB679
9A210203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13636D68 63726F75 7465722E 636D6861 2E747331 301F0603
551D2304 18301680 14D37AD3 E3BF1E2C AAB3F916 459F2543 0CA6A208 06301D06
03551D0E 04160414 D37AD3E3 BF1E2CAA B3F91645 9F25430C A6A20806 300D0609
2A864886 F70D0101 04050003 81810037 71AE67F5 7866FB3D 6654CB53 4C56A7A5
CF46C7F8 99F76768 08B5254A 3CB602B1 7FF62F5A AB6EC975 BB4E59B3 F129F9FD
AAFB7699 124D918E 357DC94B 8DD3DCF2 B328ABA0 ADD5DADE E8739384 7BCADFC1
7B6AF816 C4A9A926 F3633E2D A69E1688 394EE72D 45FBBA46 95B34EA8 CEDAEB39
CD9B0370 B1625FA1 97FF16AC 1515AD
quit
username djw privilege 15 secret 5 $1$fF06$tANxj.Jwj.KLfpXkuXlXp/
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$
ip address 24.56.160.50 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
speed auto
full-duplex
no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.56.160.49
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map InternetNAT interface FastEthernet0/1 overload
ip nat inside source static 192.168.10.1 24.56.160.217
ip nat inside source static 192.168.10.6 24.56.160.218
ip nat inside source static 192.168.10.5 24.56.160.219
ip nat inside source static 192.168.10.20 24.56.160.220
ip nat inside source static 192.168.10.21 24.56.160.221
!
ip access-list extended InternetNAT
deny   ip host 192.168.10.1 any
deny   ip host 192.168.10.5 any
deny   ip host 192.168.10.20 any
deny   ip host 192.168.10.21 any
permit ip 192.168.10.0 0.0.0.255 any
!
logging trap debugging
no cdp run
route-map InternetNAT permit 10
match ip address InternetNAT
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
end
0
 
llyquidCommented:
looks good,  is it working any better?
0
 
dwoodfie74Author Commented:
When I hook up my fe0/1 outside interface to my media converter my fe0/1 interface goes down the FDX, 100, and link lights all turn off and my status light on my media converter is orange any ideas?
0

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now