LlewellynIT
asked on
How to "bridge" a DSL modem with Cisco 2811 so it is "behind" the firewall
We currently have a Cisco 2811 that has two internet connections available to it. One is a T1 connection that is bridged with one of the Cisco 2811 interfaces, and is the default internet route. We also have a DSL modem, but this is currently not bridged with the Cisco 2811 and has traffic sent to it via a static route-map for one of our VLANs. To my understanding this means the DSL is not behind our 2811 firewall. How can I "bridge" our DSL modem so that it is configured to a physical interface on the Cisco 2811 and having its traffic inspected by the firewall?
ASKER
Forgive me for being vague, allow me to explain it in more detail.
We have a Cisco 2811 with two VLANs configured on it : VLAN 2 and VLAN 3. For this example lets say their IP ranges are 192.168.2.x and 192.168.3.x for VLAN 2 and 3 respectively. Our T1 comes into the building and connects to our T1 modem, and this connects to our 2811 via a Cat5 cable. The public IPs of the T1 are then configured on one of the FastEthernet interfaces and the public IP is the default route on the router.
On our secondary VLAN, the 2811 is set as the gateway, but the DSL is not integrated whatsoever with the router. There is a secondary static route that bounces VLAN 2 traffic to the internal IP of the DSL modem : 192.168.2.5.
So with this setup, the 2811 defaults VLAN 3 traffic out to the T1. It then manually routes the VLAN 2 traffic to the DSL. If I understand correctly this means the 2811 isn't firewalling the DSL which I'd like to rectify.
We have a Cisco 2811 with two VLANs configured on it : VLAN 2 and VLAN 3. For this example lets say their IP ranges are 192.168.2.x and 192.168.3.x for VLAN 2 and 3 respectively. Our T1 comes into the building and connects to our T1 modem, and this connects to our 2811 via a Cat5 cable. The public IPs of the T1 are then configured on one of the FastEthernet interfaces and the public IP is the default route on the router.
On our secondary VLAN, the 2811 is set as the gateway, but the DSL is not integrated whatsoever with the router. There is a secondary static route that bounces VLAN 2 traffic to the internal IP of the DSL modem : 192.168.2.5.
So with this setup, the 2811 defaults VLAN 3 traffic out to the T1. It then manually routes the VLAN 2 traffic to the DSL. If I understand correctly this means the 2811 isn't firewalling the DSL which I'd like to rectify.
Er...
The Cisco 2811 is a router, not a switch, so you generally do not configure VLANs on it.
Can you post the configuration? That should clarify things.
The Cisco 2811 is a router, not a switch, so you generally do not configure VLANs on it.
Can you post the configuration? That should clarify things.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Asavener:
I am learning this now, that a 2811 Router is not the best to configure VLANs on due to it's immensely slow inter-VLAN routing. I am in the process of trying to migrate the Layer 3 function to a Layer 3 switch.
Our configuration is as such:
Cisco 2811 configured with 2 VLANs, with static routes sending one VLAN traffic to the T1, and the other VLAN traffic to the DSL. The static route map for the T1 uses our public IP from our ISP, while the static route map for the DSL is routed by the DSL's internal IP. Is this even a problem or am I just assuming there is a problem here?
JFrady:
I was under the impression the 2811 utilized a "CBAC" firewall. You are correct that we are utilizing the NAT/ACL to control traffic flow, but I see some "ip inspect" statements in here that lead me to believe it has a firewall doing something.
We have 2 FastEthernet route ports, and a 4 port switch module on the 2811. And yes we connect the 2811 to our "core switch" with a .Q trunk port.
This question was posted under the assumption that my Cisco 2811 is inspecting the traffic coming in on the T1 while the DSL was getting ignored, and this was causing a security issue. If that is not true however, then I'm probably okay leaving everything as is because the DSL has it's own firewall denying everything and the T1 has ACL's from the 2811.
I am learning this now, that a 2811 Router is not the best to configure VLANs on due to it's immensely slow inter-VLAN routing. I am in the process of trying to migrate the Layer 3 function to a Layer 3 switch.
Our configuration is as such:
Cisco 2811 configured with 2 VLANs, with static routes sending one VLAN traffic to the T1, and the other VLAN traffic to the DSL. The static route map for the T1 uses our public IP from our ISP, while the static route map for the DSL is routed by the DSL's internal IP. Is this even a problem or am I just assuming there is a problem here?
JFrady:
I was under the impression the 2811 utilized a "CBAC" firewall. You are correct that we are utilizing the NAT/ACL to control traffic flow, but I see some "ip inspect" statements in here that lead me to believe it has a firewall doing something.
We have 2 FastEthernet route ports, and a 4 port switch module on the 2811. And yes we connect the 2811 to our "core switch" with a .Q trunk port.
This question was posted under the assumption that my Cisco 2811 is inspecting the traffic coming in on the T1 while the DSL was getting ignored, and this was causing a security issue. If that is not true however, then I'm probably okay leaving everything as is because the DSL has it's own firewall denying everything and the T1 has ACL's from the 2811.
"The 2811 wouldn't be firewalling the traffic either way as it is a router."
This is false. The 2811 with the appropriate image is perfectly capable of functioning as a firewall in addition to a router.
This is false. The 2811 with the appropriate image is perfectly capable of functioning as a firewall in addition to a router.
"Cisco 2811 configured with 2 VLANs, with static routes sending one VLAN traffic to the T1, and the other VLAN traffic to the DSL. The static route map for the T1 uses our public IP from our ISP, while the static route map for the DSL is routed by the DSL's internal IP. Is this even a problem or am I just assuming there is a problem here?"
I'm still not understanding how the 2811 is configured. Now you have route maps configured?
Please post the configuration.
I'm still not understanding how the 2811 is configured. Now you have route maps configured?
Please post the configuration.
yes - the 2811 can be a firewall with the right option pack.
If posting the configuration please mask the external IP addresses.
If the 2811 is doing the inter-VLAN routing it might be possible that traffic is flowing through the firewall module. Depends on the config though.
Back to the original question. If you have an additional ethernet port on the 2811 you could plug the ethernet from the dsl modem into it and use it to route.
Otherwise you could do a setup similar to what you already have: connect the dsl modem (which it must be more than a modem in the way it is currently being used) to a VLAN on the switch and trunk it up to the router via a .1Q trunk.
If posting the configuration please mask the external IP addresses.
If the 2811 is doing the inter-VLAN routing it might be possible that traffic is flowing through the firewall module. Depends on the config though.
Back to the original question. If you have an additional ethernet port on the 2811 you could plug the ethernet from the dsl modem into it and use it to route.
Otherwise you could do a setup similar to what you already have: connect the dsl modem (which it must be more than a modem in the way it is currently being used) to a VLAN on the switch and trunk it up to the router via a .1Q trunk.
ASKER
Below is the running config. I changed all public/private IPs. Please don't laugh, this is a combination of what was left by the previous administrator + "tweaks" from Cisco TAC to get certain things working. Obviously no telling what it looks like to a pro...I think you can gauge where I'm at in my learning process by my questions.
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Rock-R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
!
no aaa new-model
!
resource policy
!
clock timezone EST -4
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW who
ip inspect name SDM_LOW wins
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW streamworks
!
ip flow-cache timeout active 1
ip ips notify SDEE
ip ips name sdm_ips_rule
no ip bootp server
ip domain name llehomes.com
!
!
!
crypto pki trustpoint Equifax_Secure_CA
revocation-check none
!
crypto pki trustpoint NetworkSolutions_CA
revocation-check none
!
crypto pki trustpoint trps1_server
revocation-check none
!
crypto pki trustpoint TP-self-signed-59056035
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-59056035
!
archive
log config
hidekeys
!
!
class-map match-all servers
match access-group 3
!
!
policy-map servers
class servers
bandwidth 400
policy-map shaping
class class-default
shape average 1500000
service-policy servers
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-
bandwidth 1500
ip address xxx.xx.xxx.106 255.255.255.248 secondary
ip address xxx.xx.xxx.107 255.255.255.248 secondary
ip address xxx.xx.xxx.109 255.255.255.248 secondary
ip address xxx.xx.xxx.108 255.255.255.248
ip access-group 103 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
service-policy output shaping
!
interface FastEthernet0/1
description $FW_INSIDE$$ETH-LAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/0/0
description Trunk
switchport mode trunk
duplex full
speed 100
!
interface FastEthernet0/0/1
switchport access vlan 10
duplex full
speed 100
!
interface FastEthernet0/0/2
switchport access vlan 2
duplex full
speed 100
!
interface FastEthernet0/0/3
description VLAN2 Switch Port
switchport access vlan 2
duplex full
speed 100
!
interface Serial0/1/0
description $FW_INSIDE$
ip address 10.0.1.1 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
encapsulation ppp
service-module t1 clock source internal
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan2
description $FW_INSIDE$
bandwidth 10000
ip address 192.168.2.1 255.255.255.0
ip access-group 198 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
no ip route-cache cef
ip policy route-map INTERNET
!
interface Vlan3
description $FW_INSIDE$
ip address 192.168.3.1 255.255.255.0
ip access-group 100 in
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
no ip route-cache cef
!
interface Vlan10
description $FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xx.xxx.105
ip route 192.168.10.0 255.255.255.0 Serial0/1/0
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.3.68 9996
ip flow-top-talkers
top 50
sort-by bytes
cache-timeout 100
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 150 interface Vlan2 overload
ip nat inside source static tcp 192.168.3.64 10543 interface FastEthernet0/0 105
43
ip nat inside source static udp 192.168.3.64 10543 interface FastEthernet0/0 105
43
ip nat inside source static tcp 192.168.3.2 3389 xxx.xx.xxx.106 55534 extendable
ip nat inside source static tcp 192.168.3.76 3389 xxx.xx.xxx.106 55535 extendable
ip nat inside source static tcp 192.168.3.157 3389 xxx.xx.xxx.106 55536 extendable
ip nat inside source static tcp 192.168.3.131 3389 xxx.xx.xxx.106 55537 extendable
ip nat inside source static tcp 192.168.3.158 3389 xxx.xx.xxx.106 55538 extendable
ip nat inside source static tcp 192.168.3.155 3389 xxx.xx.xxx.106 55539 extendable
ip nat inside source static tcp 192.168.3.143 3389 xxx.xx.xxx.106 55540 extendable
ip nat inside source static tcp 192.168.10.10 80 xxx.xx.xxx.107 80 extendable
ip nat inside source static tcp 192.168.10.11 4899 xxx.xx.xxx.107 4899 extendable
ip nat inside source static tcp 192.168.3.76 25 xxx.xx.xxx.108 25 extendable
ip nat inside source static tcp 192.168.3.76 80 xxx.xx.xxx.108 80 extendable
ip nat inside source static tcp 192.168.3.76 110 xxx.xx.xxx.108 110 extendable
ip nat inside source static tcp 192.168.3.76 143 xxx.xx.xxx.108 143 extendable
ip nat inside source static tcp 192.168.3.76 389 xxx.xx.xxx.108 389 extendable
ip nat inside source static tcp 192.168.3.76 443 xxx.xx.xxx.108 443 extendable
ip nat inside source static tcp 192.168.3.76 993 xxx.xx.xxx.108 993 extendable
ip nat inside source static tcp 192.168.3.76 2552 xxx.xx.xxx.108 2552 extendable
ip nat inside source static tcp 192.168.3.76 9251 xxx.xx.xxx.108 9251 extendable
ip nat inside source static tcp 192.168.3.6 80 xxx.xx.xxx.109 80 extendable
ip nat inside source static tcp 192.168.3.6 443 xxx.xx.xxx.109 443 extendable
!
no logging trap
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.20.1.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 2 deny any
access-list 3 permit 192.168.3.2
access-list 3 permit 192.168.3.76
access-list 3 permit 192.168.3.66
access-list 3 permit 192.168.3.64
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 192.168.3.68 eq domain any
access-list 100 permit udp host 192.168.3.64 eq domain any
access-list 100 remark Exchange 2007 Email Server
access-list 100 permit tcp host 192.168.3.76 eq smtp any
access-list 100 remark LLESRV01 SMTP
access-list 100 permit tcp host 192.168.3.64 eq smtp any
access-list 100 remark Deny email
access-list 100 deny tcp any eq smtp any
access-list 100 deny ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip 10.0.1.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.10.0 0.0.0.255 any
access-list 101 deny ip xxx.xx.xxx.104 0.0.0.7 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip xxx.xx.xxx.104 0.0.0.7 any
access-list 102 deny ip 10.0.1.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark SDM_ACL Category=1
access-list 103 remark Trend Micro IOS Content Filtering
access-list 103 permit ip host 216.99.133.100 host xxx.xx.xxx.106
access-list 103 remark Google Message Security
access-list 103 permit tcp 64.18.0.0 0.0.255.255 host xxx.xx.xxx.108 eq smtp
access-list 103 remark MX Force > Exchange 2007
access-list 103 permit tcp host 207.210.234.37 host xxx.xx.xxx.108 eq 2552
access-list 103 remark MX Force > Exchange 2007
access-list 103 permit tcp host 207.200.28.37 host xxx.xx.xxx.108 eq 2552
access-list 103 remark Sharepoint HTTP
access-list 103 permit tcp any host xxx.xx.xxx.109 eq www
access-list 103 remark Sharepoint HTTPS
access-list 103 permit tcp any host xxx.xx.xxx.109 eq 443
access-list 103 remark Exchange IMAP
access-list 103 permit tcp any host xxx.xx.xxx.108 eq 143
access-list 103 remark Exchange IMAP SSL
access-list 103 permit tcp any host xxx.xx.xxx.108 eq 993
access-list 103 remark Exchange HTTP
access-list 103 permit tcp any host xxx.xx.xxx.108 eq www
access-list 103 remark Exchange HTTPS
access-list 103 permit tcp any host xxx.xx.xxx.108 eq 443
access-list 103 remark PW Reset HTTPS
access-list 103 permit tcp any host xxx.xx.xxx.108 eq 9251
access-list 103 remark Metropark Rita Box
access-list 103 permit tcp any host xxx.xx.xxx.107 eq 4899
access-list 103 remark NBX Voicemail
access-list 103 permit tcp any host xxx.xx.xxx.107 eq www
access-list 103 permit tcp any host xxx.xx.xxx.106 eq 46524
access-list 103 permit udp any host xxx.xx.xxx.106 eq 10543
access-list 103 permit tcp any host xxx.xx.xxx.106 eq 10543
access-list 103 permit tcp any host xxx.xx.xxx.106 eq 4125
access-list 103 deny ip 192.168.10.0 0.0.0.255 any
access-list 103 deny ip 192.168.3.0 0.0.0.255 any
access-list 103 deny ip 10.0.1.0 0.0.0.255 any
access-list 103 permit icmp any host xxx.xx.xxx.106 echo-reply
access-list 103 permit icmp any host xxx.xx.xxx.106 time-exceeded
access-list 103 permit icmp any host xxx.xx.xxx.106 unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.10.0 0.0.0.255 any
access-list 104 permit ip 192.168.3.0 0.0.0.255 any
access-list 104 permit ip 10.0.1.0 0.0.0.255 any
access-list 104 deny ip any any
access-list 144 permit ip host 192.168.2.69 host 192.168.3.3
access-list 144 permit ip host 192.168.3.3 host 192.168.2.69
access-list 144 permit ip host 192.168.2.69 host xxx.xx.xxx.109
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
access-list 198 remark SDM_ACL Category=17
access-list 198 remark Mt Vernon HP
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.70
access-list 198 remark Conf Hall Copier
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.126
access-list 198 remark CopyRoom Copier
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.71
access-list 198 remark MRIS Copier
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.101
access-list 198 remark LLESRV00
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.68
access-list 198 remark LLESRV01
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.64
access-list 198 remark NBX Voicemail
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.10.10
access-list 198 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 198 permit ip 192.168.2.0 0.0.0.255 any
access-list 198 permit udp any eq bootpc any
access-list 198 permit udp any eq bootps any
access-list 199 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 199 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 199 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
route-map INTERNET permit 10
description
match ip address 199
set ip next-hop 192.168.2.5 xx.xxx.xx.xxx (public DSL IP = xxx)
!
!
!
control-plane
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 104 in
login
transport input telnet ssh
line vty 5 15
access-class 104 in
login
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Rock-R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
!
no aaa new-model
!
resource policy
!
clock timezone EST -4
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW who
ip inspect name SDM_LOW wins
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW streamworks
!
ip flow-cache timeout active 1
ip ips notify SDEE
ip ips name sdm_ips_rule
no ip bootp server
ip domain name llehomes.com
!
!
!
crypto pki trustpoint Equifax_Secure_CA
revocation-check none
!
crypto pki trustpoint NetworkSolutions_CA
revocation-check none
!
crypto pki trustpoint trps1_server
revocation-check none
!
crypto pki trustpoint TP-self-signed-59056035
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-59056035
!
archive
log config
hidekeys
!
!
class-map match-all servers
match access-group 3
!
!
policy-map servers
class servers
bandwidth 400
policy-map shaping
class class-default
shape average 1500000
service-policy servers
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-
bandwidth 1500
ip address xxx.xx.xxx.106 255.255.255.248 secondary
ip address xxx.xx.xxx.107 255.255.255.248 secondary
ip address xxx.xx.xxx.109 255.255.255.248 secondary
ip address xxx.xx.xxx.108 255.255.255.248
ip access-group 103 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
service-policy output shaping
!
interface FastEthernet0/1
description $FW_INSIDE$$ETH-LAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/0/0
description Trunk
switchport mode trunk
duplex full
speed 100
!
interface FastEthernet0/0/1
switchport access vlan 10
duplex full
speed 100
!
interface FastEthernet0/0/2
switchport access vlan 2
duplex full
speed 100
!
interface FastEthernet0/0/3
description VLAN2 Switch Port
switchport access vlan 2
duplex full
speed 100
!
interface Serial0/1/0
description $FW_INSIDE$
ip address 10.0.1.1 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
encapsulation ppp
service-module t1 clock source internal
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan2
description $FW_INSIDE$
bandwidth 10000
ip address 192.168.2.1 255.255.255.0
ip access-group 198 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
no ip route-cache cef
ip policy route-map INTERNET
!
interface Vlan3
description $FW_INSIDE$
ip address 192.168.3.1 255.255.255.0
ip access-group 100 in
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
no ip route-cache cef
!
interface Vlan10
description $FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xx.xxx.105
ip route 192.168.10.0 255.255.255.0 Serial0/1/0
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.3.68 9996
ip flow-top-talkers
top 50
sort-by bytes
cache-timeout 100
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 150 interface Vlan2 overload
ip nat inside source static tcp 192.168.3.64 10543 interface FastEthernet0/0 105
43
ip nat inside source static udp 192.168.3.64 10543 interface FastEthernet0/0 105
43
ip nat inside source static tcp 192.168.3.2 3389 xxx.xx.xxx.106 55534 extendable
ip nat inside source static tcp 192.168.3.76 3389 xxx.xx.xxx.106 55535 extendable
ip nat inside source static tcp 192.168.3.157 3389 xxx.xx.xxx.106 55536 extendable
ip nat inside source static tcp 192.168.3.131 3389 xxx.xx.xxx.106 55537 extendable
ip nat inside source static tcp 192.168.3.158 3389 xxx.xx.xxx.106 55538 extendable
ip nat inside source static tcp 192.168.3.155 3389 xxx.xx.xxx.106 55539 extendable
ip nat inside source static tcp 192.168.3.143 3389 xxx.xx.xxx.106 55540 extendable
ip nat inside source static tcp 192.168.10.10 80 xxx.xx.xxx.107 80 extendable
ip nat inside source static tcp 192.168.10.11 4899 xxx.xx.xxx.107 4899 extendable
ip nat inside source static tcp 192.168.3.76 25 xxx.xx.xxx.108 25 extendable
ip nat inside source static tcp 192.168.3.76 80 xxx.xx.xxx.108 80 extendable
ip nat inside source static tcp 192.168.3.76 110 xxx.xx.xxx.108 110 extendable
ip nat inside source static tcp 192.168.3.76 143 xxx.xx.xxx.108 143 extendable
ip nat inside source static tcp 192.168.3.76 389 xxx.xx.xxx.108 389 extendable
ip nat inside source static tcp 192.168.3.76 443 xxx.xx.xxx.108 443 extendable
ip nat inside source static tcp 192.168.3.76 993 xxx.xx.xxx.108 993 extendable
ip nat inside source static tcp 192.168.3.76 2552 xxx.xx.xxx.108 2552 extendable
ip nat inside source static tcp 192.168.3.76 9251 xxx.xx.xxx.108 9251 extendable
ip nat inside source static tcp 192.168.3.6 80 xxx.xx.xxx.109 80 extendable
ip nat inside source static tcp 192.168.3.6 443 xxx.xx.xxx.109 443 extendable
!
no logging trap
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.20.1.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 2 deny any
access-list 3 permit 192.168.3.2
access-list 3 permit 192.168.3.76
access-list 3 permit 192.168.3.66
access-list 3 permit 192.168.3.64
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 192.168.3.68 eq domain any
access-list 100 permit udp host 192.168.3.64 eq domain any
access-list 100 remark Exchange 2007 Email Server
access-list 100 permit tcp host 192.168.3.76 eq smtp any
access-list 100 remark LLESRV01 SMTP
access-list 100 permit tcp host 192.168.3.64 eq smtp any
access-list 100 remark Deny email
access-list 100 deny tcp any eq smtp any
access-list 100 deny ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip 10.0.1.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.10.0 0.0.0.255 any
access-list 101 deny ip xxx.xx.xxx.104 0.0.0.7 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip xxx.xx.xxx.104 0.0.0.7 any
access-list 102 deny ip 10.0.1.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark SDM_ACL Category=1
access-list 103 remark Trend Micro IOS Content Filtering
access-list 103 permit ip host 216.99.133.100 host xxx.xx.xxx.106
access-list 103 remark Google Message Security
access-list 103 permit tcp 64.18.0.0 0.0.255.255 host xxx.xx.xxx.108 eq smtp
access-list 103 remark MX Force > Exchange 2007
access-list 103 permit tcp host 207.210.234.37 host xxx.xx.xxx.108 eq 2552
access-list 103 remark MX Force > Exchange 2007
access-list 103 permit tcp host 207.200.28.37 host xxx.xx.xxx.108 eq 2552
access-list 103 remark Sharepoint HTTP
access-list 103 permit tcp any host xxx.xx.xxx.109 eq www
access-list 103 remark Sharepoint HTTPS
access-list 103 permit tcp any host xxx.xx.xxx.109 eq 443
access-list 103 remark Exchange IMAP
access-list 103 permit tcp any host xxx.xx.xxx.108 eq 143
access-list 103 remark Exchange IMAP SSL
access-list 103 permit tcp any host xxx.xx.xxx.108 eq 993
access-list 103 remark Exchange HTTP
access-list 103 permit tcp any host xxx.xx.xxx.108 eq www
access-list 103 remark Exchange HTTPS
access-list 103 permit tcp any host xxx.xx.xxx.108 eq 443
access-list 103 remark PW Reset HTTPS
access-list 103 permit tcp any host xxx.xx.xxx.108 eq 9251
access-list 103 remark Metropark Rita Box
access-list 103 permit tcp any host xxx.xx.xxx.107 eq 4899
access-list 103 remark NBX Voicemail
access-list 103 permit tcp any host xxx.xx.xxx.107 eq www
access-list 103 permit tcp any host xxx.xx.xxx.106 eq 46524
access-list 103 permit udp any host xxx.xx.xxx.106 eq 10543
access-list 103 permit tcp any host xxx.xx.xxx.106 eq 10543
access-list 103 permit tcp any host xxx.xx.xxx.106 eq 4125
access-list 103 deny ip 192.168.10.0 0.0.0.255 any
access-list 103 deny ip 192.168.3.0 0.0.0.255 any
access-list 103 deny ip 10.0.1.0 0.0.0.255 any
access-list 103 permit icmp any host xxx.xx.xxx.106 echo-reply
access-list 103 permit icmp any host xxx.xx.xxx.106 time-exceeded
access-list 103 permit icmp any host xxx.xx.xxx.106 unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.10.0 0.0.0.255 any
access-list 104 permit ip 192.168.3.0 0.0.0.255 any
access-list 104 permit ip 10.0.1.0 0.0.0.255 any
access-list 104 deny ip any any
access-list 144 permit ip host 192.168.2.69 host 192.168.3.3
access-list 144 permit ip host 192.168.3.3 host 192.168.2.69
access-list 144 permit ip host 192.168.2.69 host xxx.xx.xxx.109
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
access-list 198 remark SDM_ACL Category=17
access-list 198 remark Mt Vernon HP
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.70
access-list 198 remark Conf Hall Copier
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.126
access-list 198 remark CopyRoom Copier
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.71
access-list 198 remark MRIS Copier
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.101
access-list 198 remark LLESRV00
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.68
access-list 198 remark LLESRV01
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.64
access-list 198 remark NBX Voicemail
access-list 198 permit ip 192.168.2.0 0.0.0.255 host 192.168.10.10
access-list 198 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 198 permit ip 192.168.2.0 0.0.0.255 any
access-list 198 permit udp any eq bootpc any
access-list 198 permit udp any eq bootps any
access-list 199 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 199 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 199 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
route-map INTERNET permit 10
description
match ip address 199
set ip next-hop 192.168.2.5 xx.xxx.xx.xxx (public DSL IP = xxx)
!
!
!
control-plane
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 104 in
login
transport input telnet ssh
line vty 5 15
access-class 104 in
login
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I just added "ip route-cache cef" to both VLAN 2 and 3.
To connect the DSL as a modem, I'm guessing I need to change some settings on it as it is currently set up? What adjustments need to be made? This is what I'm confused about mainly I think.
Would I then define FastEthernet0/1's interface with the public IP of the DSL, similar to the way the T1 looks defined? I'd also adjust our route-map to point to the public IP.
Or would I set FE0/1 to the internal LAN IP of the DSL and leave the route-map as is?
To connect the DSL as a modem, I'm guessing I need to change some settings on it as it is currently set up? What adjustments need to be made? This is what I'm confused about mainly I think.
Would I then define FastEthernet0/1's interface with the public IP of the DSL, similar to the way the T1 looks defined? I'd also adjust our route-map to point to the public IP.
Or would I set FE0/1 to the internal LAN IP of the DSL and leave the route-map as is?
ASKER
And yes my goal is to simply have internet traffic on VLAN 3 flow through the T1 (as it is) and VLAN 2 flow to the DSL. It already works that way but I'm confused as to why I am using the private IP of the DSL and the public IP of the T1.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I'll login to the modem and look around for bridging options. If I turn this on, will it "break" the existing connection without any modification to the 2811? The custom route map looks like it has both the internal IP defined and the external IP as the next hop.
You should really work with your ISP to configure the bridge mode.
ASKER
Ok thanks, its clear now that the 2811 won't need much modified to bridge the dsl.
Here's my understanding: You have a 2811 (two FastEthernet ports and a T1 WIC). The T1 has an Internet connection configured on it. How are the FastEthernet ports configured? When you say the T1 is "bridged", what exactly do you mean? Is it running as "ip unnumbered" with one of the FastEthernet interfaces assigned to it?