• Status: Solved
  • Priority: Medium
  • Security: Public

Routing and Default Route / Cisco 2821

Hello experts.

I am hoping this is an easy question to write out, so if I am unclear on the scenario please let me know what other information I can provide to help with a solution.

I am working with a Cisco 2821 on which I want to enable one of the Gig ports to use an external routable IP. We currently have a firewall solution which the default route of the 2821 points to. We can currently use routable IPs on the firewall device, and we also have everything on the LAN side connecting to the firewall device (FD).

Currently, the 2821 uses both Gig ports to route separate internal subnets to the FD, but I want to convert one to actually use a routable IP address. There is a 2 x T multilink and a 3 x T multilink (MPLS) PPP terminating on this 2821.

Given this setup, I have tried to assign a routable IP to the G0/1 port but I am unable to see it from the outside. I believe this is because the routable IP is using the default route of the FD instead of the next hop which would be the ISP's and not the internal hop of the FD. I can assign this same routable IP to the FD's interface and it works perfectly.

Can someone help me understand what I need to do with the route table and ACLs to allow what I need to happen? Thanks a bunch!
1 Solution
Assuming you mean public (non-private) IP addresses by writing "routable IPs", and you're using RFC 1918 (private) addresses internally, then you have to set up NAT from the external to the internal side on your router. Every private address has to be translated while going through this device.
To enable transport from outside to a private inside address you need static translation for addresses and sometimes also for ports.
swcrookAuthor Commented:
Hello Heiko, and thanks for the info. Yes, I am aware that I would require NAT, except that for the moment I just want to be able to ping the address I have set up on this port (public). Here is somewhat of a visual of the setup:
Cisco 2821:
Incoming  ---> MPLS Network, 3 T1's.
Incoming ---> 2 Multilink PPP T1's
Default Route = ---> only route on this 2821 = Firewall Device
Firewall Device:
Internal Network --->
External Network ---> 68.x.x.x Default Route
Numerous NAT, routing and firewall policies. This device can also have routable 68.x.x.x IPs going to it, and this works.
I want to use a routable 68.x.x.x address on the 2821 and NOT on the Firewall Device. This 68.x.x.x /29 block is different from the /29 block on the firewall device. The 2821 will route all traffic to the address, correct? However, I think this is the problem because the device has a default route of 68.x.x.x /29 for the first block.

So, do I need to add a route to the 2821 to allow traffic to go to the second 68.x.x.x /29's external gateway instead of first going to the hop? If not, would I need to simply add a route to the with the second block's default gateway?

Your firewall device is configured for NAT. That's why you can use private addresses behind it.
To use 68.xx addresses behind the FD you have two possible solutions.

1. You add a static route for your 68.xx /29 subnet on your device pointing to your 2821 (10.10.10.x interface). On the 2821 you then set up static translations for each address you want to use.

2. You define static NAT on the FD for each device (address) of the second 68.xx /29 block you want to use, to a different IP of the 10.10.10.x subnet. For all addresses that should be handled by the 2821 you add secondary addresses on the 2821. For example: if you translate to you have to add as secondary address on the 2821.

Everything else is normal routing proc
swcrookAuthor Commented:
On the first scenario, you say "then static translations for each address you want to use". On the 2821, when I add a static NAT translation rule for the "from interface" to the "to interface" going outside to in, how does the 2821 determine to translate on the proper interface? Do I need to add ip nat inside and outside commands to the interfaces, and when I do that, will it affect the other MPLS interfaces at all? I assume no?
On the second scenario, I think this will work best for me, but is it only possible to have a secondary address or can I have a third, fourth, etc., on one interface? I believe I understand what this scenario will achieve, but can I have more than 2 addresses?
Thanks for the help!

swcrookAuthor Commented:
Scenario 1 (S1):
Right now, the 2821 has two Gig ports. The G0/0 already has and the other will have an external IP of 68.xxx /29?

Scenario 2 (S2): If I have a free G0/1 port wouldn't it be better to use this port for the NAT translated IP that will be on the subnet or do I still need to add the secondary address to the G0/0 port?
Hi swcrook,

For scenario 1)
On 2821 routers you have interface commands to specify inside and outside interfaces.
If you want to translate packets while going through int g0/0 then you have to specify

interface g0/0
 ip nat outside

interface g0/1
 ip nat inside

If you have multiple outside interfaces, specify "ip nat outside" there too and you will see translations on both interfaces.
Then set up static translations like

ip nat inside source static ip 68.x.y.z

You only have to define how to translate from inside to outside; the IOS will automatically translate from outside to inside as well.

For scenario 2)
In this case you don't have to change the 2821; all translations are made by the FD. So you don't need additional interfaces or anything else on the 2821.
swcrookAuthor Commented:
Ok, I think I have this working partly, except I am running into a snag. On the 2821, the interface Loopback0 is set to an address on the second 68.xxx /29 block. So, when I try to assign the G0/1 interface as the gateway .105 (.104 is the access provider's gateway), the router responds that Loopback0 overlaps with .104.

If I change the blocks to flip-flop, meaning the Loopback0 is set to an IP in the first block and the interface on G0/0 is now 68.x.x.105, it works... so I know the block is functioning. The thing is, I need a loopback obviously, but I am unsure how to solve this dilemma. Any ideas? Do I have to have the loopback set to an external IP in one of the blocks?

I sure am getting an education :)
Thanks for the help.
swcrookAuthor Commented:
Ignore my last email. I have the loopback issue resolved. I will update this ticket as I am able to verify that everything is working. Thanks!
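An added illustration, not part of the thread, of the two decisions behind the symptoms discussed above: the longest-prefix-match lookup that the poster suspects sends replies from the new public address toward the FD's default route instead of the ISP gateway, and the address-overlap check behind the "Loopback0 overlaps with .104" refusal. All addresses are constructed placeholders from the RFC 5737 documentation ranges standing in for the poster's 68.x.x.x blocks and 10.10.10.x link; the error string is modelled on the message quoted in the thread.

```python
import ipaddress

# Constructed stand-ins for the thread's addresses: 192.0.2.104/29 plays the
# second 68.x.x.x /29 (.104 = provider gateway, .105 = the 2821's G0/1),
# 10.10.10.254 plays the firewall device (FD) on the 10.10.10.x link.
FD_HOP = "10.10.10.254"

# (prefix, next hop or "connected <interface>"): the 2821's table as the
# question describes it, a default route to the FD being the only route.
ROUTES_DEFAULT_ONLY = [("0.0.0.0/0", FD_HOP)]
# Same table once G0/1 carries 192.0.2.105/29: the /29 becomes connected.
ROUTES_WITH_G01 = ROUTES_DEFAULT_ONLY + [("192.0.2.104/29", "connected G0/1")]


def next_hop(routes, dst):
    """Longest-prefix match, the rule IOS uses to choose among routes."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def overlap_error(assignments, ifname, new_cidr):
    """Mimic IOS refusing an address that shares a subnet with another
    interface; returns the error text, or None if the address is accepted."""
    new_net = ipaddress.ip_interface(new_cidr).network
    for other, cidr in assignments.items():
        if other != ifname and ipaddress.ip_interface(cidr).network.overlaps(new_net):
            return f"% {new_net.network_address} overlaps with {other}"
    return None


if __name__ == "__main__":
    # An echo reply to an Internet host is routed to the FD, not out G0/1.
    print(next_hop(ROUTES_WITH_G01, "203.0.113.7"))
    # Only destinations inside the /29 itself are reached via G0/1.
    print(next_hop(ROUTES_WITH_G01, "192.0.2.110"))
    # Loopback0 already holds an address inside the second /29 ...
    ifs = {"Loopback0": "192.0.2.106/32"}
    print(overlap_error(ifs, "GigabitEthernet0/1", "192.0.2.105/29"))
    # ... moving it out of that block clears the refusal.
    ifs["Loopback0"] = "198.51.100.1/32"
    print(overlap_error(ifs, "GigabitEthernet0/1", "192.0.2.105/29"))
```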
Question has a verified solution.