Cisco 2610 t1 configuration

MisterArtLP
Hello,

I have a Cisco 2610 with a WIC 1DSU T1 card and I want to use it for a data T1.

I've been given the following network information by my ISP:

Default Gateway: 67.153.47.65
IP Addresses: 67.153.47.66 - 67.153.47.70
Subnet Mask: 255.255.255.248
Primary DNS Server: 65.106.1.196
Secondary DNS Server: 65.106.7.196

XO WAN : 67.155.32.133
Customer WAN : 67.155.32.134


IOS Info:
IOS (tm) C2600 Software (C2600-I-M), Version 12.0(5)T1,  RELEASE SOFTWARE (fc1)

Here is as far as I got in configuring the router. Can someone please help with the rest?

I would like the router's IP to be 67.153.47.66, as it will be outside my firewall.

Please help.
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco2600
!
enable secret 5 $1$rM/213123LoYqXhkXtfvHO1
enable password 7 06040A1232E0B2116081200
!
!
!
!
!
ip subnet-zero
no ip routing
ip name-server 65.106.1.196
ip name-server 65.106.7.196
!
!
!
process-max-time 200
!
interface Ethernet0/0
 ip address ???
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 full-duplex
!
interface Serial0/0
 description AireSpring T1
 ip address 67.153.47.66 255.255.255.248
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
!
ip nat pool pool1 67.153.47.66 67.153.47.66 netmask 255.255.255.248
ip nat inside source list 1 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 67.153.47.65
 
!         
 
!
line con 0
 transport input none
line aux 0
 
!
scheduler allocate 20000 1000
end

Where are you going to connect the ethernet interface to?  Directly to the firewall?

Author

Commented:
Although I could, I was thinking of just having a small switch outside the firewall with both the router and firewall on it. I'll probably assign 67.153.47.67 to the firewall and give it the default gw of 67.153.47.66 (the cisco router).
Because your T1 has the address of 67.153.47.66 and your ISP is going to have .65, you need to assign a new network to your ethernet/firewall configuration.  A router passes traffic between two networks.  By this configuration your T1 is connected to network 67.153.47.64 / 29 (address 47.65 - 70), so your ethernet needs to be connected to another network.  This could be a private network address, 192.168.1.0 / 24.

Configuration something like this:

interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 full-duplex
 SPEED 100
!
interface Serial0/0
 description AireSpring T1
 ip address 67.153.47.66 255.255.255.248
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
! (Not sure, but you might need a clocking command here; talk with ISP)
!
ip nat pool pool1 67.153.47.66 67.153.47.66 netmask 255.255.255.248
! Would change to use entire pool for now, or can leave if you think you want static assignment for a device
ip nat inside source list 1 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 67.153.47.65
! ip route (need IP of your internal network) via firewall

Would also add

Some may or may not work
 

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no ip bootp server       
no ip redirects
no ip directed-broadcast
no ip unreachables
no ip proxy-arp
no ip mask-reply
no ip http server
no ip http secure-server
no ip source-route
no service finger
no service pad

you need to add
ip access-list extended vty_access
 permit ip (internal network) 0.0.0.255 (for 24 bit mask) any
 deny   ip any any log-input

line vty 0 4
  exec-timeout 15 0
  login
  Password xxxx
 ! access-class must name the list defined above
 access-class vty_access in

line con 0
  exec-timeout 15 0
  login
  Password xxxx

Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Hi,

Your router sees the T1 card correctly?
I would like to see sh diag

Author

Commented:
Yes. The T1 card shows up. Here's the diagnostic:

voss-cisco2600#sh diag
Slot 0:
        C2610 1E Mainboard port adapter, 2 ports
        Port adapter is analyzed 
        Port adapter insertion time unknown
        EEPROM contents at hardware discovery:
        Hardware revision 2.2           Board revision B0
        Serial number     2115241832    Part number    73-2839-12
        Test history      0x0           RMA number     00-00-00
        EEPROM format version 1
        EEPROM contents (hex):
          0x20: 01 91 02 02 7E 14 07 68 49 0B 17 0C 00 00 00 00
          0x30: 58 50 35 06 00 00 00 00 00 00 00 00 00 00 00 00
 
        WIC Slot 0:
        FT1 WAN daughter card
        Hardware revision 1.3           Board revision C0
        Serial number     18106413      Part number    800-03279-03
        Test history      0x0           RMA number     00-00-00
        Connector type    Wan Module
        EEPROM format version 2
        EEPROM contents (hex):
          0x20: 02 11 01 03 01 14 48 2D 50 0C CF 03 00 00 00 00
          0x30: 60 00 00 00 00 01 27 01 FF FF FF FF FF FF FF FF


Author

Commented:
The reason I'm having a hard time getting my hands around this configuration is because in the past, the public IP my ISP has given us has always been assigned to the Ethernet port--not the serial port. This means it was routing between a WAN IP on serial0/0 and one IP on our provisioned "public IP space" on the ethernet0/0 port.

Although it's possible for me to deploy as carlson777 suggests (with a private IP on the Ethernet port), I'm wondering how common this type of deployment is for regular internet T1's from companies such as XO, Qwest, etc...

thanks

-marco
I would agree with you that the ethernet should have the public IP and you should have a point to point IP for the serial.  From the specs you gave you cannot do that.  I would ask the vendor for a point to point IP for the serial.  I thought that this is the way you had requested.  What they gave you does not make sense and is most likely a mistake.

Author

Commented:
Carlson777,

Thanks for your feedback.  After speaking with the carrier they gave me some updated information shown below. So, I've applied the serial/ethernet IPs to the sample config you provided, but had questions about what to do with the rest (such as the ACLs and any other routing required). Please take a look at the code.

Carrier Serial IP (customer's WAN gateway):
67.155.32.133/14 or 255.254.0.0


Customer Serial IP (customer router's WAN IP):
67.155.32.134 /14 or 255.254.0.0

Primary DNS Server: 65.106.1.196  Secondary DNS Server: 65.106.7.196

Router LAN IP (gateway IP for other computers on the network):
12.228.107.1    Default Gateway: 67.153.47.65


Customer LAN IP range (range of public IPs assigned for customer network):
67.153.47.66 - 67.153.47.70  /29  or  255.255.255.248




interface Ethernet0/0
 ip address 67.153.47.66 255.255.255.248
 description AireSpring T1
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 full-duplex
 SPEED 100
!
interface Serial0/0
 description XO WAN
 ip address 67.155.32.134 255.254.0.0
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
! (Not sure, but you might need a clocking command here; talk with ISP)
!
ip nat pool pool1 67.153.47.66 67.153.47.66 netmask 255.255.255.248
! Would change to use entire pool for now, or can leave if you think you want static assignment for a device
ip nat inside source list 1 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 67.155.32.133
 
 
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no ip bootp server       
no ip redirects
no ip directed-broadcast
no ip unreachables
no ip proxy-arp
no ip mask-reply
no ip http server
no ip http secure-server
no ip source-route
no service finger
no service pad
 
you need to add
ip access-list extended vty_access
 permit ip (internal network) 0.0.0.255 (for 24 bit mask) any
 deny   ip any any log-input
 
line vty 0 4
  exec-timeout 15 0
  login
  Password xxxx
 ! access-class must name the list defined above
 access-class vty_access in
 
line con 0
  exec-timeout 15 0
  login
  Password xxxx


Robert Sutton Jr, Senior Network Manager

Commented:
Shouldn't this:
ip route 0.0.0.0 0.0.0.0 67.155.32.133

Be this:
ip route 0.0.0.0 0.0.0.0 67.153.47.65  ?
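
An added example, not part of any post in this thread: a Python check of which connected network a default route's next hop falls in, using the interface addresses and masks from the configurations posted above. The Ethernet0/0 address in the first-draft plan is constructed (the original had "ip address ???"), and the function and variable names are this example's own.

```python
import ipaddress

def check_plan(interfaces, next_hop):
    """Return (problems, egress): overlapping connected subnets, and the
    interface(s) on which the default route's next hop is an on-link neighbour."""
    ifs = {n: ipaddress.ip_interface(f"{a}/{m}") for n, (a, m) in interfaces.items()}
    problems, names = [], sorted(ifs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifs[a].network.overlaps(ifs[b].network):
                problems.append(f"{a} and {b} overlap: {ifs[a].network}, {ifs[b].network}")
    nh = ipaddress.ip_address(next_hop)
    # The next hop must sit inside a connected subnet and must not be the router itself.
    egress = [n for n in names if nh in ifs[n].network and nh != ifs[n].ip]
    if not egress:
        problems.append(f"next hop {nh} is not on any connected network")
    return problems, egress

# Revised plan: values taken from the "ip address" lines posted in the thread.
REVISED = {"Ethernet0/0": ("67.153.47.66", "255.255.255.248"),
           "Serial0/0": ("67.155.32.134", "255.254.0.0")}
# First draft: Serial0/0 held the /29 address; the Ethernet0/0 address below is
# constructed to model a LAN port placed in the same /29.
FIRST_DRAFT = {"Serial0/0": ("67.153.47.66", "255.255.255.248"),
               "Ethernet0/0": ("67.153.47.68", "255.255.255.248")}

if __name__ == "__main__":
    for label, plan, nh in (("revised, next hop 67.155.32.133", REVISED, "67.155.32.133"),
                            ("revised, next hop 67.153.47.65", REVISED, "67.153.47.65"),
                            ("first draft, next hop 67.153.47.65", FIRST_DRAFT, "67.153.47.65")):
        print(label, check_plan(plan, nh))
```

With the revised addressing, 67.155.32.133 is on-link through Serial0/0, while 67.153.47.65 falls inside the /29 configured on Ethernet0/0.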
No, the route is correct if the ISP router is
Carrier Serial IP (customer's WAN gateway):
67.155.32.133/14 or 255.254.0.0
Assumption that access-list 1 is correctly done.
Would add something on
line Aux 0
  exec-timeout 15 0
  login
  Password xxxx

Also add access-list to serial interface
interface s0/0
ip access-group Internet_In in

Only allow ports you want users to access out and only established connections in.  This helps prevent your network from doing some bad things and outside networks attacking you.

ip access-list extended Internet_In
 permit tcp 67.153.47.64 0.0.0.7 any eq www
 permit tcp 67.153.47.64 0.0.0.7 any eq 443
 permit tcp 67.153.47.64 0.0.0.7 any eq ftp
 permit tcp 67.153.47.64 0.0.0.7 any eq 22
 permit tcp any 67.153.47.64 0.0.0.7 established
 permit tcp 67.153.47.64 0.0.0.7 host 65.106.1.196 eq domain
 permit udp 67.153.47.64 0.0.0.7 host 65.106.1.196 eq domain
 permit tcp 67.153.47.64 0.0.0.7 host 65.106.7.196 eq domain
 permit udp 67.153.47.64 0.0.0.7 host 65.106.7.196 eq domain
 permit udp any 67.153.47.64 0.0.0.7 gt 1023
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
etc.
This depends on how secure you want to be, what you all need to access over the internet, and how comfortable you are when working with TCP and UDP ports.
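
An added example, not part of the post above and not Cisco code: a small Python first-match evaluator for the Internet_In entries as posted, run over constructed packets arriving inbound on Serial0/0. It models only the keywords this list uses (any, host, wildcard masks, eq, gt, established, ICMP message names); the 192.0.2.10 peer, the 67.153.47.67 LAN host and the sample ports are assumptions.

```python
import ipaddress
# Internet_In as posted in the thread, where it is applied "in" on Serial0/0.
ACL = """permit tcp 67.153.47.64 0.0.0.7 any eq www
permit tcp 67.153.47.64 0.0.0.7 any eq 443
permit tcp 67.153.47.64 0.0.0.7 any eq ftp
permit tcp 67.153.47.64 0.0.0.7 any eq 22
permit tcp any 67.153.47.64 0.0.0.7 established
permit tcp 67.153.47.64 0.0.0.7 host 65.106.1.196 eq domain
permit udp 67.153.47.64 0.0.0.7 host 65.106.1.196 eq domain
permit tcp 67.153.47.64 0.0.0.7 host 65.106.7.196 eq domain
permit udp 67.153.47.64 0.0.0.7 host 65.106.7.196 eq domain
permit udp any 67.153.47.64 0.0.0.7 gt 1023
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute""".splitlines()
PORTS = {"www": 80, "ftp": 21, "domain": 53}     # IOS port keywords used above
ip = lambda a: int(ipaddress.ip_address(a))

def addr(tok):   # consume 'any' | 'host A' | 'A wildcard' -> (base, wildcard)
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    return (ip(tok.pop(0)), 0) if t == "host" else (ip(t), ip(tok.pop(0)))

def matches(line, p):
    tok = line.split()[1:]                       # drop permit/deny
    proto, src, dst = tok.pop(0), addr(tok), addr(tok)
    ok = proto == p["proto"] and all((ip(a) | w) == (b | w)   # wildcard bits: don't care
                                     for (b, w), a in ((src, p["src"]), (dst, p["dst"])))
    if not ok or not tok:
        return ok
    if tok[0] == "established":                  # IOS: ACK or RST bit set
        return bool({"ACK", "RST"} & p.get("flags", set()))
    if tok[0] in ("eq", "gt"):                   # destination-port test
        port = PORTS.get(tok[1]) or int(tok[1])
        return p["dport"] == port if tok[0] == "eq" else p["dport"] > port
    return p.get("icmp") == tok[0]               # ICMP message name

def evaluate(p):  # first match wins; no match = implicit "deny ip any any"
    return next(((l.split()[0], n) for n, l in enumerate(ACL, 1) if matches(l, p)), ("deny", None))

# Constructed packets as seen arriving on Serial0/0 (192.0.2.10 is a documentation address).
SAMPLES = {
    "reply to LAN-initiated HTTPS": dict(proto="tcp", src="192.0.2.10", dst="67.153.47.67", dport=40001, flags={"ACK"}),
    "unsolicited SYN to LAN port 80": dict(proto="tcp", src="192.0.2.10", dst="67.153.47.67", dport=80, flags={"SYN"}),
    "DNS reply from resolver": dict(proto="udp", src="65.106.1.196", dst="67.153.47.67", dport=40002),
    "unsolicited UDP to port 5060": dict(proto="udp", src="192.0.2.10", dst="67.153.47.67", dport=5060),
}
print({name: evaluate(pkt) for name, pkt in SAMPLES.items()})
```

In this run the return traffic is admitted by entries 5 and 10; the entries whose source is 67.153.47.64 0.0.0.7 describe LAN-originated packets, which an inbound list on the WAN interface does not see from the LAN.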
