Solved

Cisco 1811 Router

Posted on 2010-08-25
14
531 Views
Last Modified: 2012-05-10
Hello,

I have a Cisco 1811-k9 router.  I have two VLANs to access the Internet.  

Vlan 1: ip dhcp excluded-address 192.168.x.x 192.168.x.x accessing 91.x.x.18

Which contains our mail server.


Vlan 2: ip dhcp excluded-address 10.2.x.x 10.2.x.x accessing 91.x.x.18


I would like VLAN 2 to be able to access 91.x.x.20 (which we own also) so that our computers can access the mail server in vlan 1.

What commands would I have to run to get this to work?  Can you have two External IP addresses on one interface FastEthernet1??

Thanks
0
Question by:jaymehall66
14 Comments
 
LVL 4

Expert Comment

by:RunningGag
ID: 33526271
"Can you have two External IP addresses on one interface FastEthernet1??"

Yes.

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfipadr.html#wp1001012


Is 91.x.x.20 connected to your network?
0
 

Author Comment

by:jaymehall66
ID: 33526304
No - I want 91.x.x.20 to only be utilized by the 10.2.x.x network (which is a linksys router connected directly to the Cisco 1811 to give Internet access to our clients wirelessly without being on our network.)

What commands do I have to run to get 10.2.x.x to access 91.x.x.20 for Internet access without affecting my Enterprise Network's access to the Internet?

Thanks

0
 
LVL 4

Expert Comment

by:RunningGag
ID: 33526502
So you want the 10.2.x.x network to use the 91.x.x.20 address to access the Internet, while having the rest of your network use 90.x.x.18?  But you also want 10.2.x.x to be able to access your mail server located in VLAN2 which is in the 192.168.x.x network?
0
 

Author Comment

by:jaymehall66
ID: 33526540
Once the 10.2.x.x is out on the Internet on 91.x.x.20, our iPhone users can use the mail server's external Internet address.  Right now I have a laptop on 10.2.x.x accessing the Internet on 91.x.x.18, but due to routing I cannot access the mail server's external address - which is 91.x.x.30.


Thanks
0
 
LVL 2

Expert Comment

by:nblancpain
ID: 33529528
You can do policy based routing to route to either 91.x.x.18 or 91.x.x.20 depending on the ip source address of the client (10.2 or 192.168).
You should try something like :

int fa 0
 ip policy route-map TOTO
 ip route-cache policy

!PBR
route-map TOTO permit 10
 match ip address ACLX
 set ip next-hop 91.x.x.18
 !default = only if there is no route for dest
 set ip default next-hop 91.x.x.18
!no match : normal routing
route-map TOTO deny 20

ip access-list ext ACLX
 permit  ip 10.2.0.0 0.0.0.255
0
 

Author Comment

by:jaymehall66
ID: 33532966
So I ran the commands above and got the following:

router(config)#ip access-list ext ACLX
router(config-ext-nacl)#permit ip 10.2.2.0 0.0.0.255
% Incomplete command.

I am still not able to reach my company's external website address (91.x.x.70) from the 10.2.x.x network.

Here is my running config:  

!
!
!
interface FastEthernet0
 description $ETH-LAN$
 ip address x.x.x.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache policy
 ip policy route-map TOTO
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ETH-WAN$
 ip address 91.x.x.18 255.255.255.252
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 speed 10
 full-duplex
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
 switchport access vlan 5
!
interface FastEthernet6
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 switchport access vlan 2
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$
 ip address 91.x.x.x 255.255.255.224
 ip flow ingress
 ip flow egress
 ip tcp adjust-mss 1452
!
interface Vlan5
 ip address 10.2.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! I WANT TO REMOVE THIS
interface Vlan2
 ip address 65.x.x.x 255.255.255.0
!
interface Async1
 no ip address
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 91.x.x.x
ip route 192.168.x.x 255.255.255.0 10.2.x.x
!
ip access-list extended ACLX
!
access-list 10 permit 91.x.x.0 0.0.0.255
access-list 10 permit 10.2.x.0 0.0.0.255
access-list 10 permit 192.168.x.0 0.0.0.255
no cdp run
!
!
!
route-map TOTO permit 10
 set ip next-hop 64.251.69.74
!
route-map TOTO deny 20
!
!
0
 
LVL 2

Accepted Solution

by:
nblancpain earned 500 total points
ID: 33533156
You must specify the destination:

ip access-list ext ACLX
 permit ip 10.2.2.0 0.0.0.255 any
0
 
LVL 2

Expert Comment

by:nblancpain
ID: 33533181
Not sure, might be the other side :

permit ip any 10.2.2.0 0.0.0.255

Try both
0
 
LVL 2

Expert Comment

by:nblancpain
ID: 33533187
Seems your 10.2 is a /16; the mask must be 0.0.255.255
0
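Added example, not part of the thread or any participant's post: a small Python checker for the `permit ip ...` entries quoted above. It reports an entry that lacks a destination operand (the form that produced "% Incomplete command") and shows which source addresses each wildcard mask actually covers. The function names and the test addresses are assumptions made for this illustration; only the plain `permit|deny ip SRC DST` form used in the thread is handled.

```python
import ipaddress

ALL = 0xFFFFFFFF

def parse_operand(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (addr, wildcard, rest) or None."""
    try:
        if tokens[:1] == ["any"]:
            return 0, ALL, tokens[1:]
        if tokens[:1] == ["host"] and len(tokens) >= 2:
            return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
        if len(tokens) >= 2:
            addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
            return addr, wild, tokens[2:]
    except ValueError:
        pass
    return None

def check_ace(line):
    """Return (status, notes, src, dst) for a 'permit|deny ip SRC DST' entry."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        return "unsupported", [], None, None
    src = parse_operand(tokens[2:])
    dst = parse_operand(src[2]) if src else None
    if src is None or dst is None:
        missing = "source" if src is None else "destination"
        return "incomplete", [missing + " operand missing"], src, dst
    notes = []
    for name, (addr, wild, _) in (("source", src), ("destination", dst)):
        if addr & wild:  # address has bits set that the wildcard ignores
            eff = ipaddress.IPv4Address(addr & ~wild & ALL)
            notes.append(f"{name} effectively {eff} {ipaddress.IPv4Address(wild)}")
    return "ok", notes, src, dst

def source_matches(line, ip):
    """True if the entry is complete and its source operand matches ip."""
    status, _, src, _ = check_ace(line)
    if status != "ok":
        return False
    addr, wild, _ = src
    care = ~wild & ALL  # bits that must match exactly
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

# Entries as quoted in the thread
THREAD_ENTRIES = ["permit ip 10.2.2.0 0.0.0.255", "permit ip 10.2.2.0 0.0.0.255 any",
                  "permit ip 10.2.2.0 0.0.255.255 any", "permit ip any 10.2.2.0 0.0.255.255"]

if __name__ == "__main__":
    for entry in THREAD_ENTRIES:
        print(entry, "->", check_ace(entry)[:2])
```

In an extended ACL the first operand is the source, so the `any 10.2.2.0 ...` form matches every source address and restricts only the destination.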
 

Author Comment

by:jaymehall66
ID: 33533316
I tried

ip access-list ext ACLX
 permit ip 10.2.2.0 0.0.255.255 any

ip access-list ext ACLX
 permit ip any 10.2.2.0 0.0.255.255

I can browse the Internet fine - but I am still getting the 91.x.x.18 as my external address.  I think I need the 91.x.x.20 address - so that I am able to browse to 91.x.x.70 (Our Mail Server's Internet Address) which is hosted through the 91.x.x.18 address.

This is how I see it working
Laptop (192.168.x.x) --> Linksys WRT54G (10.2.x.x) --> Port 5 cisco 1811 (10.2.x.x - DHCP RANGE) --> (91.x.x.20) Internet


Mail Server (192.x.x.x) --> Firewall --> Port 1 Cisco 1811 --> (91.x.x.70) Internet


I want the laptop to be able to access the External IP address of the mail server.  What am I doing wrong?


0
 
LVL 2

Expert Comment

by:nblancpain
ID: 33533421
ahhh, ok
I was on something totally different.
remove the policy routing and just add :

int vlan 1
 ip nat outside

The mail server is on interface fa 2, correct ?
0
 

Author Comment

by:jaymehall66
ID: 33533654
What does that command do?

I do not want to interrupt my Enterprise Access to the Internet - they use 91.x.x.18 on FA 1.

 
0
 
LVL 2

Expert Comment

by:nblancpain
ID: 33541466
It will NAT toward this network.
If you are unsure... don't change anything, contact your integrator and ask for help.
0
 

Author Closing Comment

by:jaymehall66
ID: 33560734
After 2 hours with a Cisco Engineer we completed the process of the NAT.
0
