Solved

Cisco router - 2 interfaces on same subnet?

Posted on 2009-02-18
2,566 Views
Last Modified: 2012-05-06
At our "primary" location, our company uses access-control lists on our perimeter Cisco router to reduce all incoming traffic to just the ports required for our DMZ servers.  Inside that we use a SonicWall UTM appliance for IPS, anti-virus, etc.  (PLEASE don't get hung up on the "why" of this approach)

At a remote location, we would like to use the same approach.  However, we are prohibited from configuring the perimeter Cisco router that was provided by our ISP.  So we currently have their Cisco 2600 series router (no access-list restrictions in place at all), then the SonicWall.  Our hope is to place another Cisco 2600 series router (with access lists) between the current Cisco and the SonicWall.  Our concerns center on the routing: how to get that Cisco to pass traffic when both interfaces are within the same subnet.

The current perimeter Cisco has a public IP of x.x.x.17 (255.255.255.240)

The SonicWall interface has a public IP of x.x.x.18 (same subnet)

The SonicWall uses NAT to convert the remainder of our public addresses (.19 through .30, though only .28 through .30 are currently used) to our private addresses.

How would the Cisco "middleman" be configured to properly pass traffic between the current Cisco and the SonicWall ?
Question by: DBrecht

8 Comments
 
Expert Comment by: ciscoguy69 (LVL 3)
ID: 23674186
The router man in the middle is not viable. Can you use the SonicWall UTM to do the port access along with the NAT? The other option would be to set up the router with the old subnet on one side and a new one on the other and use it to do the NAT instead of the SonicWall UTM.
 
Expert Comment by: JFrederick29 (LVL 43)
ID: 23674205
Will the ISP make changes to their 2600 at your request?  If so, you could use a /30 (public or private) between their 2600 and your "outside" interface of the 2600.  You could then use the x.x.x.16/28 on your 2600 "inside" interface.  You could break up your public block even for the /30 between your router and theirs.  They would need to add a route to the public block via your 2600 outside interface and your 2600 would have a default route pointing to their 2600 inside interface.

If they will not make changes to their router, you can use the public block on the outside and a private subnet to match on the inside connected to the Sonicwall.  You could do a 1-1 static NAT for each public IP in the pool.  The sonicwall would NAT the private IP to the real IP of the server.

Mapping like this:

192.168.254.19 - x.x.x.19
192.168.254.20 - x.x.x.20
192.168.254.21 - x.x.x.21
etc...
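The "ISP will not change their router" design JFrederick29 describes, written out as an added example (this is not configuration from the thread). It assumes 203.0.113.16/28 stands in for the real x.x.x.16/28 public block, 192.168.254.16/28 is the private mirror of it on the SonicWall side, FastEthernet0/0 faces the ISP router, FastEthernet0/1 faces the SonicWall, the ACL and inspection names are arbitrary, and the DMZ ports (SMTP to .28, HTTPS to .29 and .30) are illustrative:

```cisco
! Added example, not from the thread. Assumptions: 203.0.113.16/28 stands in
! for the real public /28, 192.168.254.16/28 is its private mirror on the
! SonicWall side, Fa0/0 faces the ISP router, Fa0/1 faces the SonicWall,
! and the DMZ ports are illustrative.
!
! Stateful inspection (CBAC): sessions that enter via the inside interface
! get matching return openings through OUTSIDE-IN.
ip inspect name SPIout tcp
ip inspect name SPIout udp
ip inspect name SPIout icmp
!
! Public side. The router takes the unused .19; the SonicWall keeps its
! public identity (.18) through the static mapping below.
interface FastEthernet0/0
 ip address 203.0.113.19 255.255.255.240
 ip nat outside
 ip access-group OUTSIDE-IN in
 no cdp enable
!
! Private side. The SonicWall's WAN interface moves to 192.168.254.18/28
! with 192.168.254.17 as its default gateway, and its NAT policies now map
! 192.168.254.28-.30 (instead of the public .28-.30) to the servers.
interface FastEthernet0/1
 ip address 192.168.254.17 255.255.255.240
 ip nat inside
 ip inspect SPIout in
 no cdp enable
!
! One-to-one static NAT: private .N <-> public .N. IOS answers ARP on Fa0/0
! for these inside-global addresses by default, so the ISP router still
! sees them as directly connected hosts and needs no route changes.
ip nat inside source static 192.168.254.18 203.0.113.18
ip nat inside source static 192.168.254.28 203.0.113.28
ip nat inside source static 192.168.254.29 203.0.113.29
ip nat inside source static 192.168.254.30 203.0.113.30
!
! Inbound filter on the public side. An inbound ACL is evaluated before the
! outside-to-inside translation, so it names the public addresses.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.28 eq smtp
 permit tcp any host 203.0.113.29 eq 443
 permit tcp any host 203.0.113.30 eq 443
 deny   ip any any log
!
ip route 0.0.0.0 0.0.0.0 203.0.113.17
```

Because inspection runs on the inside interface, outbound sessions from the SonicWall (which is now hidden behind its own static mapping) get their return traffic through OUTSIDE-IN without any `established` or wide-open permits; everything unsolicited from the Internet other than the three published services is dropped and logged.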
 
Expert Comment by: asdlkf (LVL 11)
ID: 23677106
uh...

you're both overlooking the obvious

you don't want to "route" traffic, you want to "switch" traffic.

if what you want is:

ISP --- [isp's 2600] ---[your device with acl's] -- to DMZ or LAN


then you don't need to 'route'. You can use IP-less inspection (your device won't have 'routing'). It'll just have an in and an out and ACLs and zones.

Look into PIX devices.
 
Expert Comment by: Mysidia (LVL 23)
ID: 23677169
Assuming you cannot have the ISP change config of their router (to use a /30 and route a _different_ subnet to your router for use on your LAN)

If you want two interfaces on the same subnet, to forward traffic for that subnet between the two, you cannot use a router.

You must use a bridge.

Since you want to use access lists to control traffic, it must be a bridge with Layer 2 access list or transparent firewall capabilities.

To use a Cisco router for this, an IOS firewall + Layer 2 inspection + CBAC, also known as "Transparent Firewall", would work.

http://www.cisco.com/web/go/iosfirewall/index.html

Certain switches (with the right feature sets) also have Layer 2 ACL capability; in that case, you don't use any routing on the switch, the ISP 2600 goes in one port, the SonicWall and DMZ devices go in different ports, and you apply ACLs to L2 ports.


An alternative would be to use one-to-one NAT on your 2600 middleman, so the internal subnets aren't really the same, so your router middleman can actually route.
 
Expert Comment by: Mysidia (LVL 23)
ID: 23677176
*When I say a 'Cisco router' would work, I mean that, with the right L2 features, it can work if you turn off routing and set up the router to perform bridging instead, subject to your L2 ACLs.
 
Expert Comment by: asdlkf (LVL 11)
ID: 23677182
or... use a pix... which is what Mysidia is describing... out of the box.

A PIX is a device that runs IOS that performs stateful packet inspection (FORMERLY called CBAC, now known as the IOS Firewall) out of the box. It can be made to do NAT, but is by default a transparent gateway.
 
Expert Comment by: ciscoguy69 (LVL 3)
ID: 23677569
Basically, you cannot route between two interfaces on the same router on the same subnet. You could attempt to break up the subnets as JFrederick29 mentioned, or do static NAT to a different subnet on the inside of the man-in-the-middle router (on the outside of the SonicWall) such as I mentioned earlier. Other than that, you would have to do something like a transparent firewall (mode) such as a PIX or ASA. Cisco switches only support inbound access lists on L2 ports. If you are looking to add hardware such as a PIX, you could also use an IPS to block hosts or ports without having to have an L3 interface.
 

Accepted Solution by: DBrecht (earned 0 total points)
ID: 25609017
OK... our security guru finally solved this!

His short explanation is: Use bridging (layer 2), IP routing (layer 3), and stateful packet inspection (CBAC)

The nuts and bolts are:



! Layer 2 bridging with IP routing + stateful inspection (CBAC) configuration on a Cisco 2621 series router
!
! CBAC inspection rule: track TCP, UDP and ICMP sessions, with application-layer
! inspection for SMTP and FTP; while a session is open, its return traffic is
! allowed back in through the opposite interface
ip inspect name SPIout tcp
ip inspect name SPIout udp
ip inspect name SPIout icmp
ip inspect name SPIout smtp
ip inspect name SPIout ftp
!
! Integrated routing and bridging: lets a BVI carry an IP address on behalf of
! the bridge group
bridge irb
!
! Both physical interfaces are members of bridge-group 1 and carry no IP
! address, so frames between the ISP router (.17) and the SonicWall (.18)
! are bridged rather than routed
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 no cdp enable
 bridge-group 1
!
! Inspection is applied to traffic entering this interface
interface FastEthernet0/1
 no ip address
 ip inspect SPIout in
 duplex auto
 speed auto
 no cdp enable
 bridge-group 1
!
! Management address for the bridge itself, in the same /28 as both neighbours
interface BVI1
 ip address xx.xxx.xxx.19 255.255.255.240
!
! IEEE spanning tree on the bridge group; IP addressed to the BVI is routed,
! everything else is bridged
bridge 1 protocol ieee
bridge 1 route ip
!
end

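The accepted solution bridges the two interfaces and inspects traffic, but as posted it carries no access list, which was the original goal (reduce inbound traffic to the DMZ ports). The following is an added example, not the poster's configuration, showing the same IRB + CBAC design with the inbound filter and a management restriction added. It assumes FastEthernet0/0 faces the ISP router and FastEthernet0/1 the SonicWall, 203.0.113.16/28 stands in for the real public /28 (.17 ISP router, .18 SonicWall, .19 BVI as in the accepted solution), the ACL names are arbitrary, the published services (SMTP to .28, HTTPS to .29 and .30) are illustrative, and the IOS image carries the firewall feature set with transparent firewall support:

```cisco
! Added example, not the thread's config. Assumptions: Fa0/0 faces the ISP
! router, Fa0/1 faces the SonicWall, 203.0.113.16/28 stands in for the real
! public /28, ACL names and DMZ ports are illustrative, and the image has
! the IOS firewall feature set (transparent firewall).
!
ip inspect name SPIout tcp
ip inspect name SPIout udp
ip inspect name SPIout icmp
ip inspect name SPIout smtp
ip inspect name SPIout ftp
!
bridge irb
!
! ISP side: bridge-group member with no IP address. In transparent mode an
! IP ACL on a bridged interface is enforced on bridged IP traffic too, so
! this is where unsolicited inbound traffic is cut down to the DMZ ports.
interface FastEthernet0/0
 no ip address
 ip access-group OUTSIDE-IN in
 no cdp enable
 bridge-group 1
!
! SonicWall side: inspecting what enters here (sessions initiated from
! inside) opens the matching return traffic through OUTSIDE-IN.
interface FastEthernet0/1
 no ip address
 ip inspect SPIout in
 no cdp enable
 bridge-group 1
!
! Management address for the bridge; the ISP router (.17) and the SonicWall
! (.18) stay on the same /28 with no addressing changes on either side.
interface BVI1
 ip address 203.0.113.19 255.255.255.240
!
ip route 0.0.0.0 0.0.0.0 203.0.113.17
!
! Only the published DMZ services come in from the Internet. ARP is not IP
! and is bridged regardless, so the SonicWall and the ISP router can still
! resolve each other across the bridge.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.28 eq smtp
 permit tcp any host 203.0.113.29 eq 443
 permit tcp any host 203.0.113.30 eq 443
 deny   ip any any log
!
! Management of the bridge itself only over SSH and only from the
! SonicWall's public-side address (assumed to be where admins NAT out from).
ip access-list standard MGMT
 permit 203.0.113.18
line vty 0 4
 access-class MGMT in
 transport input ssh
!
bridge 1 protocol ieee
bridge 1 route ip
```

Two checks worth running once this is in place: `show ip inspect sessions` while a host inside browses out, to confirm CBAC is creating return openings (if the list stays empty, the inspect rule is on the wrong interface or direction), and `show access-lists OUTSIDE-IN` to watch the `deny ip any any log` counter climb while the three permits are the only other entries matching.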
