How to "bridge" a DSL modem with Cisco 2811 so it is "behind" the firewall

LlewellynIT
We currently have a Cisco 2811 that has two internet connections available to it. One is a T1 connection that is bridged with one of the Cisco 2811 interfaces, and is the default internet route. We also have a DSL modem, but this is currently not bridged with the Cisco 2811 and has traffic sent to it via a static route-map for one of our VLANs. To my understanding this means the DSL is not behind our 2811 firewall. How can I "bridge" our DSL modem so that it is configured to a physical interface on the Cisco 2811 and having its traffic inspected by the firewall?
Can you explain a little further about what your current setup is, and what you're trying to accomplish?

Here's my understanding:  You have a 2811 (two FastEthernet ports and a T1 WIC).  The T1 has an Internet connection configured on it.  How are the FastEthernet ports configured?  When you say the T1 is "bridged", what exactly do you mean?  Is it running as "ip unnumbered" with one of the FastEthernet interfaces assigned to it?

Author

Commented:
Forgive me for being vague, allow me to explain it in more detail.

We have a Cisco 2811 with two VLANs configured on it: VLAN 2 and VLAN 3. For this example let's say their IP ranges are 192.168.2.x and 192.168.3.x for VLAN 2 and 3 respectively. Our T1 comes into the building and connects to our T1 modem, and this connects to our 2811 via a Cat5 cable. The public IPs of the T1 are then configured on one of the FastEthernet interfaces and the public IP is the default route on the router.

On our secondary VLAN, the 2811 is set as the gateway, but the DSL is not integrated whatsoever with the router. There is a secondary static route that bounces VLAN 2 traffic to the internal IP of the DSL modem: 192.168.2.5.

So with this setup, the 2811 defaults VLAN 3 traffic out to the T1. It then manually routes the VLAN 2 traffic to the DSL. If I understand correctly this means the 2811 isn't firewalling the DSL which I'd like to rectify.
Er...

The Cisco 2811 is a router, not a switch, so you generally do not configure VLANs on it.

Can you post the configuration?  That should clarify things.
Commented:
The 2811 wouldn't be firewalling the traffic either way as it is a router.  The only thing it might be doing is providing Network Address Translation (NAT) and offering access lists (ACLs).  To do what I think you are trying to do you would need 4 Ethernet interfaces on the 2811.

@asavener - I think they have a .1Q trunk to the 2811 and are routing that way.

If the DSL is being utilized, something is providing NAT.  What device is it that is connecting the DSL?  It has to be more than a modem only.

Author

Commented:
Asavener:
I am learning this now, that a 2811 router is not the best to configure VLANs on due to its immensely slow inter-VLAN routing. I am in the process of trying to migrate the Layer 3 function to a Layer 3 switch.
Our configuration is as such:
Cisco 2811 configured with 2 VLANs, with static routes sending one VLAN traffic to the T1, and the other VLAN traffic to the DSL. The static route map for the T1 uses our public IP from our ISP, while the static route map for the DSL is routed by the DSL's internal IP. Is this even a problem or am I just assuming there is a problem here?

JFrady:
I was under the impression the 2811 utilized a "CBAC" firewall. You are correct that we are utilizing the NAT/ACL to control traffic flow, but I see some "ip inspect" statements in here that lead me to believe it has a firewall doing something.

We have 2 FastEthernet routed ports, and a 4 port switch module on the 2811. And yes, we connect the 2811 to our "core switch" with a .1Q trunk port.

This question was posted under the assumption that my Cisco 2811 is inspecting the traffic coming in on the T1 while the DSL was getting ignored, and this was causing a security issue. If that is not true however, then I'm probably okay leaving everything as is because the DSL has its own firewall denying everything and the T1 has ACLs from the 2811.
"The 2811 wouldn't be firewalling the traffic either way as it is a router."

This is false.  The 2811 with the appropriate image is perfectly capable of functioning as a firewall in addition to a router.
"Cisco 2811 configured with 2 VLANs, with static routes sending one VLAN traffic to the T1, and the other VLAN traffic to the DSL. The static route map for the T1 uses our public IP from our ISP, while the static route map for the DSL is routed by the DSL's internal IP. Is this even a problem or am I just assuming there is a problem here?"

I'm still not understanding how the 2811 is configured.  Now you have route maps configured?

Please post the configuration.

Commented:
Yes - the 2811 can be a firewall with the right option pack.

If posting the configuration please mask the external IP addresses.

If the 2811 is doing the inter-VLAN routing it might be possible that traffic is flowing through the firewall module.  Depends on the config though.

Back to the original question.  If you have an additional ethernet port on the 2811 you could plug the ethernet from the dsl modem into it and use it to route.

Otherwise you could do a setup similar to what you already have: connect the DSL modem (which must be more than a modem, given the way it is currently being used) to a VLAN on the switch and trunk it up to the router via a .1Q trunk.

Author

Commented:
Below is the running config. I changed all public/private IPs. Please don't laugh; this is a combination of what was left by the previous administrator + "tweaks" from Cisco TAC to get certain things working. Obviously no telling what it looks like to a pro... I think you can gauge where I'm at in my learning process by my questions.

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Rock-R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
!
no aaa new-model
!
resource policy
!
clock timezone EST -4
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW who
ip inspect name SDM_LOW wins
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW streamworks
!
ip flow-cache timeout active 1
ip ips notify SDEE
ip ips name sdm_ips_rule
no ip bootp server
ip domain name llehomes.com
!
!
!
crypto pki trustpoint Equifax_Secure_CA
 revocation-check none
!
crypto pki trustpoint NetworkSolutions_CA
 revocation-check none
!
crypto pki trustpoint trps1_server
 revocation-check none
!
crypto pki trustpoint TP-self-signed-59056035
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-59056035
 revocation-check none
 rsakeypair TP-self-signed-59056035
!

archive
 log config
  hidekeys
!
!
class-map match-all servers
 match access-group 3
!
!
policy-map servers
 class servers
  bandwidth 400
policy-map shaping
 class class-default
  shape average 1500000
  service-policy servers
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$FW_OUTSIDE$$ETH-LAN$
 bandwidth 1500
 ip address xxx.xx.xxx.106 255.255.255.248 secondary
 ip address xxx.xx.xxx.107 255.255.255.248 secondary
 ip address xxx.xx.xxx.109 255.255.255.248 secondary
 ip address xxx.xx.xxx.108 255.255.255.248
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 service-policy output shaping
!
interface FastEthernet0/1
 description $FW_INSIDE$$ETH-LAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0/0
 description Trunk
 switchport mode trunk
 duplex full
 speed 100
!
interface FastEthernet0/0/1
 switchport access vlan 10
 duplex full
 speed 100
!
interface FastEthernet0/0/2
 switchport access vlan 2
 duplex full
 speed 100
!
interface FastEthernet0/0/3
 description VLAN2 Switch Port
 switchport access vlan 2
 duplex full
 speed 100
!
interface Serial0/1/0
 description $FW_INSIDE$
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 encapsulation ppp
 service-module t1 clock source internal
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan2
 description $FW_INSIDE$
 bandwidth 10000
 ip address 192.168.2.1 255.255.255.0
 ip access-group 198 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 ip policy route-map INTERNET
!
interface Vlan3
 description $FW_INSIDE$
 ip address 192.168.3.1 255.255.255.0
 ip access-group 100 in
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
!
interface Vlan10
 description $FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xx.xxx.105
ip route 192.168.10.0 255.255.255.0 Serial0/1/0
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.3.68 9996
ip flow-top-talkers
 top 50
 sort-by bytes
 cache-timeout 100
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 150 interface Vlan2 overload
ip nat inside source static tcp 192.168.3.64 10543 interface FastEthernet0/0 10543
ip nat inside source static udp 192.168.3.64 10543 interface FastEthernet0/0 10543
ip nat inside source static tcp 192.168.3.2 3389 xxx.xx.xxx.106 55534 extendable
ip nat inside source static tcp 192.168.3.76 3389 xxx.xx.xxx.106 55535 extendable
ip nat inside source static tcp 192.168.3.157 3389 xxx.xx.xxx.106 55536 extendable
ip nat inside source static tcp 192.168.3.131 3389 xxx.xx.xxx.106 55537 extendable
ip nat inside source static tcp 192.168.3.158 3389 xxx.xx.xxx.106 55538 extendable
ip nat inside source static tcp 192.168.3.155 3389 xxx.xx.xxx.106 55539 extendable
ip nat inside source static tcp 192.168.3.143 3389 xxx.xx.xxx.106 55540 extendable
ip nat inside source static tcp 192.168.10.10 80 xxx.xx.xxx.107 80 extendable
ip nat inside source static tcp 192.168.10.11 4899 xxx.xx.xxx.107 4899 extendable
ip nat inside source static tcp 192.168.3.76 25 xxx.xx.xxx.108 25 extendable
ip nat inside source static tcp 192.168.3.76 80 xxx.xx.xxx.108 80 extendable
ip nat inside source static tcp 192.168.3.76 110 xxx.xx.xxx.108 110 extendable
ip nat inside source static tcp 192.168.3.76 143 xxx.xx.xxx.108 143 extendable
ip nat inside source static tcp 192.168.3.76 389 xxx.xx.xxx.108 389 extendable
ip nat inside source static tcp 192.168.3.76 443 xxx.xx.xxx.108 443 extendable
ip nat inside source static tcp 192.168.3.76 993 xxx.xx.xxx.108 993 extendable
ip nat inside source static tcp 192.168.3.76 2552 xxx.xx.xxx.108 2552 extendable
ip nat inside source static tcp 192.168.3.76 9251 xxx.xx.xxx.108 9251 extendable
ip nat inside source static tcp 192.168.3.6 80 xxx.xx.xxx.109 80 extendable
ip nat inside source static tcp 192.168.3.6 443 xxx.xx.xxx.109 443 extendable
!
no logging trap
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.20.1.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 2 deny   any
access-list 3 permit 192.168.3.2
access-list 3 permit 192.168.3.76
access-list 3 permit 192.168.3.66
access-list 3 permit 192.168.3.64
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 192.168.3.68 eq domain any
access-list 100 permit udp host 192.168.3.64 eq domain any
access-list 100 remark Exchange 2007 Email Server
access-list 100 permit tcp host 192.168.3.76 eq smtp any
access-list 100 remark LLESRV01 SMTP
access-list 100 permit tcp host 192.168.3.64 eq smtp any
access-list 100 remark Deny email
access-list 100 deny   tcp any eq smtp any
access-list 100 deny   ip 192.168.10.0 0.0.0.255 any
access-list 100 deny   ip 10.0.1.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 deny   ip xxx.xx.xxx.104 0.0.0.7 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=1
access-list 102 deny   ip xxx.xx.xxx.104 0.0.0.7 any
access-list 102 deny   ip 10.0.1.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark SDM_ACL Category=1
access-list 103 remark Trend Micro IOS Content Filtering
access-list 103 permit ip host 216.99.133.100 host xxx.xx.xxx.106
access-list 103 remark Google Message Security
access-list 103 permit tcp 64.18.0.0 0.0.255.255 host xxx.xx.xxx.108 eq smtp
access-list 103 remark MX Force > Exchange 2007
access-list 103 permit tcp host 207.210.234.37 host xxx.xx.xxx.108 eq 2552
access-list 103 remark MX Force > Exchange 2007
access-list 103 permit tcp host 207.200.28.37 host xxx.xx.xxx.108 eq 2552
access-list 103 remark Sharepoint HTTP
access-list 103 permit tcp any host xxx.xx.xxx.109 eq www
access-list 103 remark Sharepoint HTTPS
access-list 103 permit tcp any host xxx.xx.xxx.109 eq 443
access-list 103 remark Exchange IMAP
access-list 103 permit tcp any host xxx.xx.xxx.108 eq 143
access-list 103 remark Exchange IMAP SSL
access-list 103 permit tcp any host xxx.xx.xxx.108 eq 993
access-list 103 remark Exchange HTTP
access-list 103 permit tcp any host xxx.xx.xxx.108 eq www
access-list 103 remark Exchange HTTPS
access-list 103 permit tcp any host xxx.xx.xxx.108 eq 443
access-list 103 remark PW Reset HTTPS
access-list 103 permit tcp any host xxx.xx.xxx.108 eq 9251
access-list 103 remark Metropark Rita Box
access-list 103 permit tcp any host xxx.xx.xxx.107 eq 4899
access-list 103 remark NBX Voicemail
access-list 103 permit tcp any host xxx.xx.xxx.107 eq www
access-list 103 permit tcp any host xxx.xx.xxx.106 eq 46524
access-list 103 permit udp any host xxx.xx.xxx.106 eq 10543
access-list 103 permit tcp any host xxx.xx.xxx.106 eq 10543
access-list 103 permit tcp any host xxx.xx.xxx.106 eq 4125
access-list 103 deny   ip 192.168.10.0 0.0.0.255 any
access-list 103 deny   ip 192.168.3.0 0.0.0.255 any
access-list 103 deny   ip 10.0.1.0 0.0.0.255 any
access-list 103 permit icmp any host xxx.xx.xxx.106 echo-reply
access-list 103 permit icmp any host xxx.xx.xxx.106 time-exceeded
access-list 103 permit icmp any host xxx.xx.xxx.106 unreachable
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.10.0 0.0.0.255 any
access-list 104 permit ip 192.168.3.0 0.0.0.255 any
access-list 104 permit ip 10.0.1.0 0.0.0.255 any
access-list 104 deny   ip any any
access-list 144 permit ip host 192.168.2.69 host 192.168.3.3
access-list 144 permit ip host 192.168.3.3 host 192.168.2.69
access-list 144 permit ip host 192.168.2.69 host xxx.xx.xxx.109
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
access-list 198 remark SDM_ACL Category=17
access-list 198 remark Mt Vernon HP
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.70
access-list 198 remark Conf Hall Copier
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.126
access-list 198 remark CopyRoom Copier
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.71
access-list 198 remark MRIS Copier
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.101
access-list 198 remark LLESRV00
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.68
access-list 198 remark LLESRV01
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.64
access-list 198 remark NBX Voicemail
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.10.10
access-list 198 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 198 permit ip 192.168.2.0 0.0.0.255 any
access-list 198 permit udp any eq bootpc any
access-list 198 permit udp any eq bootps any
access-list 199 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 199 deny   ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 199 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
route-map INTERNET permit 10
 description
 match ip address 199
 set ip next-hop 192.168.2.5 xx.xxx.xx.xxx     (public DSL IP = xxx)
!
!
!
control-plane
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 104 in
 login
 transport input telnet ssh
line vty 5 15
 access-class 104 in
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
First, I suspect that your poor inter-vlan routing is due to these commands:  no ip route-cache cef.

That basically turns off fast switching.  Turning off fast switching is sometimes necessary, but you should only do it if it fixes a particular problem.

As for adding the second Internet connection, you can do so by connecting FastEthernet0/1 to the DSL modem.

The rest of the configuration depends on your goals.  If you simply want some traffic on ISP1 and some traffic on ISP2, you can configure a route map that will determine where the traffic should go.  If you want the router to fail over in the event of one of the connections failing, then you have to set up SLA monitoring.

Here is an article on how to configure policy-based routing with multiple tracking option:  http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtpbrtrk.html

Author

Commented:
I just added "ip route-cache cef" to both VLAN 2 and 3.

To connect the DSL as a modem, I'm guessing I need to change some settings on it as it is currently set up? What adjustments need to be made? This is what I'm mainly confused about, I think.

Would I then define FastEthernet0/1's interface with the public IP of the DSL, similar to the way the T1 looks defined? I'd also adjust our route-map to point to the public IP.

Or would I set FE0/1 to the internal LAN IP of the DSL and leave the route-map as is?

Author

Commented:
And yes my goal is to simply have internet traffic on VLAN 3 flow through the T1 (as it is) and VLAN 2 flow to the DSL. It already works that way but I'm confused as to why I am using the private IP of the DSL and the public IP of the T1.
The DSL "modem" is probably configured as a firewall/NAT device.  It is usually possible to configure them to be in "bridge mode" so that your router can have the public IP assigned to it, but many ISPs tell you that it is unsupported.
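As an added illustration (not a configuration from anyone in this thread), here is what the relevant pieces of the posted config could look like once the DSL device is in bridge mode and terminated on FastEthernet0/1, so that VLAN 2's Internet traffic is NATed and CBAC-inspected on the way out the same way the T1 path on FastEthernet0/0 is. DSL_PUBLIC_IP, DSL_GATEWAY_IP, the /29 mask and access-list number 105 are placeholders I assumed; the ISP supplies the real values.

```cisco
! Added example, not from the thread. Placeholders: DSL_PUBLIC_IP, DSL_GATEWAY_IP, ACL 105.
! Second outside interface: mirrors the FW_OUTSIDE treatment already on FastEthernet0/0.
interface FastEthernet0/1
 description DSL (outside, bridged modem)
 ip address DSL_PUBLIC_IP 255.255.255.248
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
! Inbound ACL for the DSL side. Nothing is published on this address, so only the
! ICMP control messages are allowed in; CBAC (ip inspect SDM_LOW out) opens the
! return holes for sessions that VLAN 2 hosts started. Everything else is logged.
access-list 105 remark DSL outside - default deny, CBAC opens return traffic
access-list 105 permit icmp any host DSL_PUBLIC_IP echo-reply
access-list 105 permit icmp any host DSL_PUBLIC_IP time-exceeded
access-list 105 permit icmp any host DSL_PUBLIC_IP unreachable
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any log
!
! VLAN 2 is now translated to the DSL public address instead of being overloaded
! onto the Vlan2 SVI (the posted "ip nat inside source list 150 interface Vlan2").
no ip nat inside source list 150 interface Vlan2 overload
ip nat inside source list 150 interface FastEthernet0/1 overload
!
! The policy route still matches access-list 199 on Vlan2, but the next hop is the
! ISP gateway reachable through FastEthernet0/1, not the modem's LAN address 192.168.2.5.
route-map INTERNET permit 10
 match ip address 199
 set ip next-hop DSL_GATEWAY_IP
```

With this in place, a VLAN 2 session leaves through an interface that carries `ip nat outside` and `ip inspect SDM_LOW out`, so `show ip inspect sessions` should list it alongside the T1 sessions; if it does not, the traffic is still leaving through the Vlan2 SVI.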

Author

Commented:
I'll log in to the modem and look around for bridging options. If I turn this on, will it "break" the existing connection without any modification to the 2811? The custom route map looks like it has both the internal IP defined and the external IP as the next hop.
You should really work with your ISP to configure the bridge mode.

Author

Commented:
OK thanks, it's clear now that the 2811 won't need much modified to bridge the DSL.
