Solved

Cisco 1841 Router Configuration Segment Network

Posted on 2011-03-11
Last Modified: 2012-05-11
I have a few Cisco 1841 routers with T1 serial CSU/DSU WIC cards. These routers were used for our old T1 lines, etc. I want to try and use them on our network to segment out two portions of the network. Can I do this without purchasing new cards for them? For example, I want to set up a separate segmented network using a different IP scheme (i.e., 10.10.10.0/24) which will connect to another network internally (192.168.0.0/22). Any help would be appreciated.
Question by:andrishelp
13 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 35112955
Sure. The 1841s have two 10/100 ports that can be used to connect Ethernet LANs together.
0
 

Author Comment

by:andrishelp
ID: 35112980
Understood. I have configured Eth0/0 as 10.10.10.1 and Eth0/1 as 192.168.1.61. I then have tried to put a default route into the config from 0.0.0.0 to Ethernet0/0 192.168.0.1 which is the next router it should hop to and it won't get past the 10.10.10.0 network.
0
 
LVL 8

Expert Comment

by:ZombieAutopsy
ID: 35113014
Are these routing through a firewall? If so what kind?
0
 

Author Comment

by:andrishelp
ID: 35113026
No firewall. This is just segmenting two parts of our network. I have a department that I want to set up with the 10.10.10.0 subnet that needs to connect to the 192.168.0.0/22 network and then if needed out to the internet from that network.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 35113071
Please post the config of the router.
0
 

Author Comment

by:andrishelp
ID: 35113155
Sorry. I should have thought of that.


!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip domain name yourdomain.com
!
username lyon privilege 15 secret 5 $1$2CeA$5pQHesvSOR.v3HmA6tEfd.
!
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address 192.168.1.61 255.255.252.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm 
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
end

0
 
LVL 2

Expert Comment

by:_valkyrie_
ID: 35113204
Packets are getting past, as long as your configuration looks like:

interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.1.61 255.255.252.0

ip route 0.0.0.0 0.0.0.0 192.168.0.1


Note: No ACLs are used.

And devices under 10.10.10.0 should use 10.10.10.1 as their gateway. But the return packets don't know where to go! Your 192.168.0.0/22 network is sending 10.10.10.0/24 traffic to their gateway which is 192.168.0.1 and it does not know where that network is.

Your router with IP 192.168.0.1 also needs a route:

ip route 10.10.10.0 255.255.255.0 192.168.1.61

0
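
The missing return route described in the answer above, as an added example that is not part of the original thread: a longest-prefix-match lookup over the 1841's posted routes and a constructed table for 192.168.0.1 (its config is not on the page, so its entries and the `upstream` placeholder are assumptions).

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: next hop of the most specific route covering dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

# The 1841's table as posted in the thread: two connected networks plus the default.
R1841 = [
    ("10.10.10.0/24", "connected Fa0/0"),
    ("192.168.0.0/22", "connected Fa0/1"),
    ("0.0.0.0/0", "192.168.0.1"),
]
# Constructed table for 192.168.0.1 (its config is not on the page);
# "upstream" is a placeholder for wherever its default route points.
GATEWAY_BEFORE = [("192.168.0.0/22", "connected LAN"), ("0.0.0.0/0", "upstream")]
GATEWAY_AFTER = GATEWAY_BEFORE + [("10.10.10.0/24", "192.168.1.61")]

OWNER = {"192.168.0.1": "gateway", "192.168.1.61": "r1841"}  # next-hop IP -> router

def reply_path(gateway_table, dst, first_hop="192.168.0.1"):
    """Hops a reply takes from a 192.168.0.0/22 host that uses first_hop as gateway."""
    tables = {"gateway": gateway_table, "r1841": R1841}
    path, hop = [], first_hop
    while hop in OWNER and len(path) < 8:  # hop cap guards against routing loops
        path.append(hop)
        hop = lookup(tables[OWNER[hop]], dst)
    path.append(hop)
    return path

if __name__ == "__main__":
    # 10.10.10.50 is a constructed client address on the new segment.
    print(reply_path(GATEWAY_BEFORE, "10.10.10.50"))
    print(reply_path(GATEWAY_AFTER, "10.10.10.50"))
```

Without the static route the reply follows the gateway's default and never reaches the 1841; with it the reply is handed to 192.168.1.61 and delivered out Fa0/0.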
 

Author Comment

by:andrishelp
ID: 35113238
ok. That makes a lot of sense. Let me try that. Thanks much.
0
 

Author Comment

by:andrishelp
ID: 35128475
I think I am still missing something. I got the route added to our router to the internet. I can ping devices into the secondary network but not out to the internet. I think that route I got added won't let any access out from there. It is going to direct a request back to my internal router. If I traceroute to the internet public address, I get 10.10.10.1 > 192.168.0.1 > then nothing...
0
 
LVL 2

Expert Comment

by:_valkyrie_
ID: 35128545
Assuming you're using NAT on 192.168.0.1, you need to add that subnet to the ACL for NAT. Without seeing the config from 192.168.0.1, I can't give you specifics but here is how I would do it:


Existing example:

ip nat inside source route-map rm-block-vpn-on-nat interface Vlan2 overload

ip access-list extended acl-block-vpn
! Insert deny statements for VPN IPs here
 permit ip 192.168.0.0 0.0.8.255 any

route-map rm-block-vpn-on-nat permit 1
 match ip address acl-block-vpn


Would change to:
ip nat inside source route-map rm-block-vpn-on-nat interface Vlan2 overload

ip access-list extended acl-block-vpn
! Insert deny statements for VPN IPs here
 permit ip 192.168.0.0 0.0.8.255 any
 permit ip 10.10.10.0 0.0.0.255 any

route-map rm-block-vpn-on-nat permit 1
 match ip address acl-block-vpn


Again, this is a generalized example to point you in the direction. If you need help with your specific config, post what you can on 192.168.0.1.
0
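
A check of which source addresses the NAT ACL in the answer above selects, as an added example that is not part of the original thread: it applies Cisco wildcard-mask matching to the posted entries, modelling only the source field of each `permit ip ... any` line (the sample host addresses are constructed). It also shows that the `0.0.8.255` wildcard from the generalized example covers 192.168.0.x and 192.168.8.x rather than the whole 192.168.0.0/22 discussed in this thread, whose wildcard is `0.0.3.255`.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco ACL match: bits set in the wildcard are ignored, the rest must equal base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def acl_permits(acl, src):
    """First-match evaluation of (action, base, wildcard) entries, implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False

def wildcard_for(prefix):
    """Wildcard mask equivalent to a CIDR prefix (the inverse of its netmask)."""
    return str(ipaddress.ip_network(prefix).hostmask)

# Source entries of acl-block-vpn as posted, before and after the suggested change.
ACL_BEFORE = [("permit", "192.168.0.0", "0.0.8.255")]
ACL_AFTER = ACL_BEFORE + [("permit", "10.10.10.0", "0.0.0.255")]

# The same ACL with the /22 wildcard computed from the prefix (an assumption about
# what the real gateway should carry; its config is not on the page).
ACL_SLASH22 = [
    ("permit", "192.168.0.0", wildcard_for("192.168.0.0/22")),
    ("permit", "10.10.10.0", wildcard_for("10.10.10.0/24")),
]

if __name__ == "__main__":
    for src in ("10.10.10.50", "192.168.0.20", "192.168.1.61", "192.168.8.5"):
        print(src, acl_permits(ACL_BEFORE, src), acl_permits(ACL_AFTER, src),
              acl_permits(ACL_SLASH22, src))
```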
 
LVL 2

Expert Comment

by:_valkyrie_
ID: 35128552
Vlan2 should be your outside interface (I pulled some of this from an old config file of mine).
0
 

Author Comment

by:andrishelp
ID: 35128783
I will look at this. My challenge with this is that Qwest manages our other router to get to the outside and I have to have them put in the new configs. It is kind of a hassle because you have to submit a ticket to them to do it. I will let you know what happens.
0
 
LVL 2

Accepted Solution

by:
_valkyrie_ earned 500 total points
ID: 35128799
Ah, then just ask them to add 10.10.10.0/24 to the NAT rule. They should be able to handle it from there easily.
0
