[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 855
  • Last Modified:

Cisco 1841 Router Configuration Segment Network

I have a few Cisco 1841 Routers with T1 Serial CSU/DSU Wic cards. These routers were used for our old T1 lines, etc. I want to try and use them on our network to segment out two portions of the network.  Can I do this without purchasing new cards for them? For example, I want to set up a separate segmented network using a different IP scheme (ie. 10.10.10.0/24) which will connect to another network internally (192.168.0.0/22). Any help would be appreciated.
0
andrishelp
Asked:
andrishelp
  • 6
  • 4
  • 2
  • +1
1 Solution
 
Don JohnstonInstructorCommented:
Sure. The 1841's have two 10/100 ports that can be used to connect ethernet LANs together.
0
 
andrishelpAuthor Commented:
Understood. I have configured Eth0/0 as 10.10.10.1 and Eth0/1 as 192.168.1.61. I then  have tried to put a default route into the config from 0.0.0.0 to Ethernet0/0 192.168.0.1 which is the next router it should hop to and it won't get past the 10.10.10.0 network.
0
 
ZombieAutopsyCommented:
Are these routing through a firewall? If so what kind?
0
Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

 
andrishelpAuthor Commented:
No firewall. This is just segmenting two parts of our network. I have a department that I want to set up with the 10.10.10.0 subnet that needs to connect to the the 192.168.0.0/22 network and then if needed out to the internet from that network.
0
 
Don JohnstonInstructorCommented:
Please post the config of the router.
0
 
andrishelpAuthor Commented:
Sorry. I should have thought of that.


!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip domain name yourdomain.com
!
username lyon privilege 15 secret 5 $1$2CeA$5pQHesvSOR.v3HmA6tEfd.
!
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address 192.168.1.61 255.255.252.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm 
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
end

0
 
_valkyrie_Commented:
Packets are getting past, as long as your configuration looks like:

interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.1.61 255.255.252.0

ip route 0.0.0.0 0.0.0.0 192.168.0.1

Open in new window


Note: No ACLs are used.

And devices under 10.10.10.0 should use 10.10.10.1 as their gateway. But the return packets don't know where to go! Your 192.168.0.0/22 network is sending 10.10.10.0/24 traffic to their gateway which is 192.168.0.1 and it does not know where that network is.

Your router with IP 192.168.0.1 also needs a route:

ip route 10.10.10.0 255.255.255.0 192.168.1.61

Open in new window

0
 
andrishelpAuthor Commented:
ok. That makes a lot of sense. Let me try that. Thanks much.
0
 
andrishelpAuthor Commented:
I think I am still missing something. I got the route added to our router to the internet. I can ping devices into the secondary network but not out to the internet. I think that route I got added won't let any access out from there. It is going to direct a request back to my internal router. If I traceroute to the internet public address, I get 10.10.10.1 > 192.168.0.1 > then nothing...
0
 
_valkyrie_Commented:
Assuming you're using NAT on 192.168.0.1, you need to add that subnet to the ACL for NAT. Without seeing the config from 192.168.0.1, I can't give you specifics but here is how I would do it:


Existing example:

ip nat inside source route-map rm-block-vpn-on-nat interface Vlan2 overload

ip access-list extended acl-block-vpn
! Insert deny statements for VPN IPs here
 permit ip 192.168.0.0 0.0.8.255 any

route-map rm-block-vpn-on-nat permit 1
 match ip address acl-block-vpn

Open in new window


Would change to:
ip nat inside source route-map rm-block-vpn-on-nat interface Vlan2 overload

ip access-list extended acl-block-vpn
! Insert deny statements for VPN IPs here
 permit ip 192.168.0.0 0.0.8.255 any
 permit ip 10.10.10.0 0.0.0.255 any

route-map rm-block-vpn-on-nat permit 1
 match ip address acl-block-vpn

Open in new window


Again, this is a generalized example to point you in the direction. If you need help with your specific config, post what you can on 192.168.0.1.
0
 
_valkyrie_Commented:
Vlan2 should be your outside interface (I pulled some this from an old config file of mine)
0
 
andrishelpAuthor Commented:
I will look at this. My challenge with this is that Qwest manages our other router to get to the outside and I have to have them put in the new configs. It is kind of a hassle because you have to submit a ticket to them to do it. I will let you know what happens.
0
 
_valkyrie_Commented:
Ah, then just ask them to add 10.10.10.0/24 to the NAT rule. They should be able to handle it from there easily.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 6
  • 4
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now