swcrook

asked on

Routing and Default Route / Cisco 2821

Hello experts.

I am hoping this is an easy question to write out, so if I am unclear on the scenario please let me know what other information I can provide to help with a solution.

I am working with a Cisco 2821 on which I want to enable one of the Gig ports to use an external routable IP. We currently have a firewall solution, which the default route of the 2821 points to. We can currently use routable IPs on the firewall device, and we also have everything on the LAN side connecting to the firewall device (FD).

Currently, the 2821 uses both Gig ports to route separate internal subnets to the FD, but I want to convert one to actually use a routable IP address. There is a 2 x T multilink and a 3 x T multilink (MPLS) PPP terminating on this 2821.

Given this setup, I have tried to assign a routable IP to the G0/1 port, but I am unable to see it from the outside. I believe this is because the routable IP is using the default route of the FD instead of the next hop, which would be the ISP's and not the internal hop of the FD. I can assign this same routable IP to the FD's interface and it works perfectly.

Can someone help me understand what I need to do with the route table and ACLs to allow what I need to happen? Thanks a bunch!
Heiko Bialozyt:

Assuming you mean public (non-private) IP addresses by "routable IPs" and you are using RFC1918 (private) addresses internally, then you have to set up NAT from external to internal on your router. Every private address has to be translated while going through this device.
To enable transport from outside to a private inside address you need static translation for addresses and sometimes also for ports.
swcrook (asker):
Hello Heiko, and thanks for the info. Yes, I am aware that I would require NATting, except for the moment I just want to be able to ping the address I have set up on this port (public). Here is somewhat of a visual of the setup:
Cisco 2821:
Incoming  ---> MPLS Network, 3 T1's.
Incoming ---> 2 Multilink PPP T1's
Default Route = 10.10.10.1 ---> only route on this 2821
10.10.10.1 = Firewall Device
Firewall Device:
Internal Network ---> 10.10.0.0
External Network ---> 68.x.x.x Default Route
Numerous NATting, routing and firewall policies. This device can also have routable 68.x.x.x IPs going to it, and this works.
Scenario:
I want to use a routable 68.x.x.x address on the 2821 and NOT on the Firewall Device. This 68.x.x.x /29 block is different from the /29 block on the firewall device. The 2821 will route all traffic to the 10.10.10.1 address, correct? However, I think this is the problem, because the 10.10.10.1 device has a default route of 68.x.x.x /29 for the first block.

So, do I need to add a route to the 2821 to allow traffic to go to the second 68.x.x.x /29's external gateway instead of first going to the 10.10.10.1 hop? If not, would I need to simply add a route on the 10.10.10.1 with the second block's default gateway?

Thanks!

ASKER CERTIFIED SOLUTION
Heiko Bialozyt
swcrook (asker):
On the first scenario, you say "then static translations for each address you want to use". On the 2821, when I add a static NAT translation rule for the "from interface" to the "to interface" going outside to in, how does the 2821 determine to translate on the proper interface? Do I need to add ip nat inside and outside commands to the interfaces, and when I do that, will it affect the other MPLS interfaces at all? I assume no?
On the second scenario, I think this will work best for me, but is it only possible to have a secondary address, or can I have a third, fourth, etc., on one interface? I believe I understand what this scenario will achieve, but can I have more than 2 addresses?
Thanks for the help!

swcrook (asker):

Scenario 1 (S1):
Right now, the 2821 has two Gig ports. The G0/0 already has 10.10.10.1 and the other will have an external IP of 68.xxx /29?

Scenario 2 (S2): If I have a free G0/1 port, wouldn't it be better to use this port for the NAT translated IP that will be on the 10.10.10.0 subnet, or do I still need to add the secondary address to the G0/0 port?
Hi swcrook,

For scenario 1)
On 2821 routers you have interface commands to specify inside and outside interfaces.
If you want to translate packets while going through int g0/0, then you have to specify

interface g0/0
 ip nat outside

interface g0/1
 ip nat inside

If you have multiple outside interfaces, specify "ip nat outside" there also and you will see translations on both interfaces.
Then set up static translations like

ip nat inside source static 10.1.2.3 68.x.y.z

You only have to define how to translate from inside to outside. The IOS will automatically translate also from outside to inside.

For scenario 2)
In this case you don't have to change the 2821; all translations are made by the FD, so you don't need additional interfaces or anything else on the 2821.
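As an added example (not part of the thread and not Heiko's own configuration), here is a complete 2821 configuration for the two scenarios above. All addresses are assumptions: the RFC 5737 documentation block 192.0.2.0/29 stands in for the second 68.x.x.x /29, with 192.0.2.4 as the provider gateway and 192.0.2.5 on the router (the ".104 / .105" pair mentioned later in the thread); 10.10.0.0/16 is the LAN behind the FD at 10.10.10.1; the inside hosts 10.10.0.50 and 10.10.0.60, the loopback address, the routes and the inbound ACL OUTSIDE-IN are likewise mine, since the visible replies only cover the NAT commands.

```cisco
! Added example, not the thread's own config. Addresses are assumptions:
! 192.0.2.0/29 (RFC 5737 documentation space) stands in for the second
! public /29; 192.0.2.4 is the ISP gateway, 192.0.2.5 is the 2821's own
! address; 10.10.0.0/16 is the LAN behind the firewall device (FD) at
! 10.10.10.1.
!
!===================== Scenario 1: NAT done on the 2821 =====================
!
! Loopback kept OUT of both public /29s so it cannot overlap G0/1
! (IOS rejects an address whose subnet overlaps another interface).
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
interface GigabitEthernet0/0
 description Inside - toward FD and 10.10.0.0/16
 ip address 10.10.10.2 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Outside - second public /29 from the ISP
 ip address 192.0.2.5 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! The MPLS / PPP multilinks are left untouched: with neither "ip nat inside"
! nor "ip nat outside" on them, NAT never examines their traffic.
!
! One-to-one static translation (inside local -> inside global). IOS derives
! the reverse (outside -> inside) mapping from the same line.
ip nat inside source static 10.10.0.50 192.0.2.6
! Port-level translation when only one service must be reachable.
ip nat inside source static tcp 10.10.0.60 443 192.0.2.7 443
!
! Routing: a default route to the FD would send replies for 192.0.2.5 (and
! for the translated hosts) back to 10.10.10.1 instead of to the ISP. Here
! the default points at the ISP gateway and the LAN is reached through the
! FD by a specific route.
ip route 0.0.0.0 0.0.0.0 192.0.2.4
ip route 10.10.0.0 255.255.0.0 10.10.10.1
!
! Inbound filter on the outside interface. IOS evaluates this ACL before the
! outside-to-inside translation, so it matches the public (global) addresses.
ip access-list extended OUTSIDE-IN
 permit icmp any host 192.0.2.5 echo
 permit icmp any host 192.0.2.6 echo
 permit tcp any host 192.0.2.6 eq 22
 permit tcp any host 192.0.2.7 eq 443
 ! Stateless allow for replies to connections the inside hosts open
 ! themselves; weak (flag check only), use "ip inspect" for a real stateful
 ! filter.
 permit tcp any 192.0.2.0 0.0.0.7 established
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
!
!============ Scenario 2: FD keeps NAT, 2821 only adds addresses ============
!
! The FD maps a public address to an address owned by the 2821; the 2821
! just needs to own it. IOS allows several "secondary" lines, so a third or
! fourth address is simply another line (each in its own, non-overlapping
! subnet).
interface GigabitEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 ip address 10.10.20.1 255.255.255.0 secondary
 ip address 10.10.30.1 255.255.255.0 secondary
!
! Verification (exec mode):
! show ip nat translations
! show ip nat statistics
! show ip route
```

After applying scenario 1, `show ip nat translations` should list the two static entries before any traffic flows, and a ping from outside to 192.0.2.6 should appear as a hit on the OUTSIDE-IN line for that host. Scenario 2 needs the matching static translation on the FD, which is outside this example.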
swcrook (asker):
Ok, I think I have this working partly, except I am running into a snag. On the 2821, interface Loopback0 is set to an address on the second 68.xxx /29 block. So, when I try to assign the G0/1 interface as the gateway .105 (.104 is the access provider's gateway), the router responds that Loopback0 overlaps with .104.

If I flip-flop the blocks, meaning Loopback0 is set to an IP in the first block and the interface on G0/0 is now 68.x.x.105, it works... so I know the block is functioning. The thing is, I need a loopback obviously, but I am unsure how to solve this dilemma. Any ideas? Do I have to have the loopback set to an external IP in one of the blocks?

I sure am getting an education :)
Thanks for the help.
swcrook (asker):
Ignore my last email. I have the loopback issue resolved. I will update this ticket as I am able to verify that everything is working. Thanks!