  • Status: Solved
  • Priority: Medium
  • Security: Public

Cisco 1811 Router

Hello,

I have a Cisco 1811-k9 router.  I have two VLANs to access the Internet.

Vlan 1: ip dhcp excluded-address 192.168.x.x 192.168.x.x accessing 91.x.x.18

Which contains our mail server.


Vlan 2: ip dhcp excluded-address 10.2.x.x 10.2.x.x accessing 91.x.x.18


I would like VLAN 2 to be able to access 91.x.x.20 (which we own also) so that our computers can access the mail server in vlan 1.

What commands would I have to run to get this to work?  Can you have two External IP addresses on one interface FastEthernet1??

Thanks
0
jaymehall66
1 Solution
 
RunningGag Commented:
"Can you have two External IP addresses on one interface FastEthernet1??"

Yes.

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfipadr.html#wp1001012


Is 91.x.x.20 connected to your network?
0
 
jaymehall66 Author Commented:
No - I want 91.x.x.20 to only be utilized by the 10.2.x.x network (which is a Linksys router connected directly to the Cisco 1811 to give Internet access to our clients wirelessly without being on our network.)

What commands do I have to run to get 10.2.x.x to access 91.x.x.20 for Internet access without affecting my Enterprise Network's access to the Internet?

Thanks

0
 
RunningGag Commented:
So you want the 10.2.x.x network to use the 91.x.x.20 address to access the Internet, while having the rest of your network use 90.x.x.18?  But you also want 10.2.x.x to be able to access your mail server located in VLAN2 which is in the 192.168.x.x network?
0
 
jaymehall66 Author Commented:
Once the 10.2.x.x is out on the Internet on 91.x.x.20 - Then our iPhone users can use the mail server's external Internet address.  Right now I have a laptop on 10.2.x.x accessing the Internet on 91.x.x.18, but due to routing I cannot access the mail server's external address - which is 91.x.x.30.


Thanks
0
 
nblancpain Commented:
You can do policy based routing to route to either 91.x.x.18 or 91.x.x.20 depending on the IP source address of the client (10.2 or 192.168).
You should try something like:

int fa 0
 ip policy route-map TOTO
 ip route-cache policy

route-map TOTO permit 10      ! PBR
 match ip address ACLX
 ! use one of the two set commands below
 set ip next-hop 91.x.x.18
 set ip default next-hop 91.x.x.18      !default = only if there is no route for dest
route-map TOTO deny 20            !no match : normal routing

ip access-list ext ACLX
 permit  ip 10.2.0.0 0.0.0.255
0
 
jaymehall66 Author Commented:
So I ran the commands above and got the following:

router(config)#ip access-list ext ACLX
router(config-ext-nacl)#permit ip 10.2.2.0 0.0.0.255
% Incomplete command.

I am still not able to reach my company's external website address (91.x.x.70) from the 10.2.x.x network.

Here is my running config:  

!
!
!
interface FastEthernet0
 description $ETH-LAN$
 ip address x.x.x.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache policy
 ip policy route-map TOTO
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ETH-WAN$
 ip address 91.x.x.18 255.255.255.252
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 speed 10
 full-duplex
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
 switchport access vlan 5
!
interface FastEthernet6
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 switchport access vlan 2
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$
 ip address 91.x.x.x 255.255.255.224
 ip flow ingress
 ip flow egress
 ip tcp adjust-mss 1452
!
interface Vlan5
 ip address 10.2.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ! (I WANT TO REMOVE THIS)
 ip address 65.x.x.x 255.255.255.0
!
interface Async1
 no ip address
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 91.x.x.x
ip route 192.168.x.x 255.255.255.0 10.2.x.x
!
ip access-list extended ACLX
!
access-list 10 permit 91.x.x.0 0.0.0.255
access-list 10 permit 10.2.x.0 0.0.0.255
access-list 10 permit 192.168.x.0 0.0.0.255
no cdp run
!
!
!
route-map TOTO permit 10
 set ip next-hop 64.251.69.74
!
route-map TOTO deny 20
!
!
0
 
nblancpain Commented:
You must specify the destination:

ip access-list ext ACLX
 permit ip 10.2.2.0 0.0.0.255 any
0
 
nblancpain Commented:
Not sure, might be the other side:

permit ip any 10.2.2.0 0.0.0.255

Try both
0
 
nblancpain Commented:
Seems your 10.2 is a /16; the mask must be 0.0.255.255
0
 
jaymehall66 Author Commented:
I tried

ip access-list ext ACLX
 permit ip 10.2.2.0 0.0.255.255 any

ip access-list ext ACLX
 permit ip any 10.2.2.0 0.0.255.255

I can browse the Internet fine - but I am still getting the 91.x.x.18 as my external address.  I think I need the 91.x.x.20 address - so that I am able to browse to 91.x.x.70 (Our Mail Server's Internet Address) which is hosted through the 91.x.x.18 address.

This is how I see it working
Laptop (192.168.x.x) --> Linksys WRT54G (10.2.x.x) --> Port 5 cisco 1811 (10.2.x.x - DHCP RANGE) --> (91.x.x.20) Internet


Mail Server (192.x.x.x) --> Firewall --> Port 1 Cisco 1811 --> (91.x.x.70) Internet


I want the laptop to be able to access the External IP address of the mail server.  What am I doing wrong?


0
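An added example, not part of the thread: a small Python model of how IOS evaluates the extended ACL entries tried in the comments above when a route-map uses them to select client traffic. It shows why the entry without a destination is rejected and how the wildcard mask and the source/destination order decide the match. The client address 10.2.5.20 and the destination 203.0.113.10 are constructed samples, and the parser is an assumption-level sketch that handles only `permit|deny ip` entries.

```python
import ipaddress

INCOMPLETE = "% Incomplete command."  # message IOS printed in the thread

def parse_spec(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    if not tokens:
        raise ValueError(INCOMPLETE)
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if not tokens:  # 'host' without an address, or an address without a wildcard
        raise ValueError(INCOMPLETE)
    if head == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(head)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_entry(line):
    """Parse 'permit|deny ip SRC DST' into (action, src_spec, dst_spec)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError("unsupported entry: " + line)
    rest = tokens[2:]
    src = parse_spec(rest)
    dst = parse_spec(rest)  # an extended ACL needs a destination as well
    return tokens[0], src, dst

def spec_matches(spec, address):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bit 1 means "ignore this bit"
    return (int(ipaddress.IPv4Address(address)) & care) == (base & care)

def acl_permits(entries, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in entries:
        action, s, d = parse_entry(line)
        if spec_matches(s, src) and spec_matches(d, dst):
            return action == "permit"
    return False

if __name__ == "__main__":
    client, target = "10.2.5.20", "203.0.113.10"  # constructed sample packet
    for entry in ("permit ip 10.2.2.0 0.0.0.255",
                  "permit ip 10.2.2.0 0.0.0.255 any",
                  "permit ip any 10.2.2.0 0.0.255.255",
                  "permit ip 10.2.2.0 0.0.255.255 any"):
        try:
            print(entry, "->", acl_permits([entry], client, target))
        except ValueError as err:
            print(entry, "->", err)
```

Only the last entry selects outbound traffic from a client anywhere in 10.2.0.0/16; the /24 wildcard misses clients outside 10.2.2.x, and the reversed entry matches on the destination instead of the source.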
 
nblancpain Commented:
Ahhh, OK.
I was on something totally different.
Remove the policy routing and just add:

int vlan 1
 ip nat outside

The mail server is on interface fa 2, correct?
0
 
jaymehall66 Author Commented:
What does that command do?

I do not want to interrupt my Enterprise Access to the Internet - they use 91.x.x.18 on FA 1.

 
0
 
nblancpain Commented:
It will NAT toward this network.
If you are unsure... don't change anything, contact your integrator and ask for help.
0
 
jaymehall66 Author Commented:
After 2 hours with a Cisco Engineer we completed the process of the NAT.
0
Question has a verified solution.
