Solved

Cisco 1841 Router Configuration Segment Network

Posted on 2011-03-11
Last Modified: 2012-05-11
I have a few Cisco 1841 routers with T1 serial CSU/DSU WIC cards. These routers were used for our old T1 lines, etc. I want to try to use them on our network to segment out two portions of the network. Can I do this without purchasing new cards for them? For example, I want to set up a separate segmented network using a different IP scheme (i.e., 10.10.10.0/24) which will connect to another network internally (192.168.0.0/22). Any help would be appreciated.
Question by:andrishelp
 
LVL 50

Expert Comment

by:Don Johnston
Sure. The 1841s have two 10/100 ports that can be used to connect Ethernet LANs together.
 

Author Comment

by:andrishelp
Understood. I have configured Eth0/0 as 10.10.10.1 and Eth0/1 as 192.168.1.61. I have then tried to put a default route into the config from 0.0.0.0 to Ethernet0/0 192.168.0.1, which is the next router it should hop to, and it won't get past the 10.10.10.0 network.
 
LVL 8

Expert Comment

by:ZombieAutopsy
Are these routing through a firewall? If so, what kind?
 

Author Comment

by:andrishelp
No firewall. This is just segmenting two parts of our network. I have a department that I want to set up with the 10.10.10.0 subnet that needs to connect to the 192.168.0.0/22 network and then, if needed, out to the internet from that network.
 
LVL 50

Expert Comment

by:Don Johnston
Please post the config of the router.
 

Author Comment

by:andrishelp
Sorry. I should have thought of that.


!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip domain name yourdomain.com
!
username lyon privilege 15 secret 5 $1$2CeA$5pQHesvSOR.v3HmA6tEfd.
!
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address 192.168.1.61 255.255.252.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
end


 
LVL 2

Expert Comment

by:_valkyrie_
Packets are getting past, as long as your configuration looks like:

interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.1.61 255.255.252.0

ip route 0.0.0.0 0.0.0.0 192.168.0.1



Note: No ACLs are used.

And devices under 10.10.10.0 should use 10.10.10.1 as their gateway. But the return packets don't know where to go! Your 192.168.0.0/22 network is sending 10.10.10.0/24 traffic to their gateway which is 192.168.0.1 and it does not know where that network is.

Your router with IP 192.168.0.1 also needs a route:

ip route 10.10.10.0 255.255.255.0 192.168.1.61

 

Author Comment

by:andrishelp
OK. That makes a lot of sense. Let me try that. Thanks much.
 

Author Comment

by:andrishelp
I think I am still missing something. I got the route added to our router to the internet. I can ping devices into the secondary network but not out to the internet. I think that route I got added won't let any access out from there. It is going to direct a request back to my internal router. If I traceroute to the internet public address, I get 10.10.10.1 > 192.168.0.1 > then nothing...
 
LVL 2

Expert Comment

by:_valkyrie_
Assuming you're using NAT on 192.168.0.1, you need to add that subnet to the ACL for NAT. Without seeing the config from 192.168.0.1, I can't give you specifics, but here is how I would do it:


Existing example:

ip nat inside source route-map rm-block-vpn-on-nat interface Vlan2 overload

ip access-list extended acl-block-vpn
! Insert deny statements for VPN IPs here
 permit ip 192.168.0.0 0.0.8.255 any

route-map rm-block-vpn-on-nat permit 1
 match ip address acl-block-vpn



Would change to:
ip nat inside source route-map rm-block-vpn-on-nat interface Vlan2 overload

ip access-list extended acl-block-vpn
! Insert deny statements for VPN IPs here
 permit ip 192.168.0.0 0.0.8.255 any
 permit ip 10.10.10.0 0.0.0.255 any

route-map rm-block-vpn-on-nat permit 1
 match ip address acl-block-vpn



Again, this is a generalized example to point you in the direction. If you need help with your specific config, post what you can on 192.168.0.1.
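
The two fixes discussed in this thread (a return route for 10.10.10.0/24 on 192.168.0.1, then that subnet in its NAT ACL) can be checked against a small model of the topology. This is an added example, not part of the original posts; the host addresses 10.10.10.50, 192.168.2.20 and 198.51.100.7, the "outside" label and the 0.0.3.255 wildcard used for the /22 are constructed assumptions.

```python
import ipaddress as ip

def acl_permits(acl, src):
    """IOS wildcard match: bits set in the wildcard are ignored; first hit wins."""
    s = int(ip.IPv4Address(src))
    for base, wildcard in acl:
        b, w = int(ip.IPv4Address(base)), int(ip.IPv4Address(wildcard))
        if (s | w) == (b | w):
            return True
    return False  # implicit deny: this source is not translated

def next_hop(routes, dst):
    """Longest-prefix match over a {cidr: next_hop} table."""
    nets = [ip.ip_network(n) for n in routes if ip.ip_address(dst) in ip.ip_network(n)]
    return routes[str(max(nets, key=lambda n: n.prefixlen))]

# Constructed model of the 1841 from the posted config.
R1841 = {"10.10.10.0/24": "connected", "192.168.0.0/22": "connected",
         "0.0.0.0/0": "192.168.0.1"}
# Constructed NAT ACLs for the edge router, before and after the suggested change.
ACL_BEFORE = [("192.168.0.0", "0.0.3.255")]
ACL_AFTER = ACL_BEFORE + [("10.10.10.0", "0.0.0.255")]

def edge_routes(with_return_route):
    """Routing table of 192.168.0.1; 'outside' stands for the ISP link (assumed)."""
    routes = {"192.168.0.0/22": "connected", "0.0.0.0/0": "outside"}
    if with_return_route:
        routes["10.10.10.0/24"] = "192.168.1.61"
    return routes

def trace(src, dst, edge, nat_acl):
    """Follow a flow from the 10.10.10.0/24 segment and report where it breaks."""
    lost = "reply lost: edge has no route to " + src
    if next_hop(R1841, dst) == "connected":
        # A 192.168.0.0/22 host replies via its gateway, the edge router.
        return "ok" if next_hop(edge, src) == "192.168.1.61" else lost
    # Internet-bound: 1841 -> edge -> outside; the source must be translated.
    if not acl_permits(nat_acl, src):
        return "not translated: " + src + " missing from NAT ACL"
    # Translated replies arrive at the edge, which must route them back inward.
    return "ok" if next_hop(edge, src) == "192.168.1.61" else lost

if __name__ == "__main__":
    print(trace("10.10.10.50", "192.168.2.20", edge_routes(False), ACL_BEFORE))
    print(trace("10.10.10.50", "198.51.100.7", edge_routes(True), ACL_BEFORE))
    print(trace("10.10.10.50", "198.51.100.7", edge_routes(True), ACL_AFTER))
```

In this model a wildcard of 0.0.8.255 on 192.168.0.0 does not match 192.168.1.61, while 0.0.3.255 covers the whole /22, so it is worth confirming the wildcard in the real NAT ACL when the change is requested.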
 
LVL 2

Expert Comment

by:_valkyrie_
Vlan2 should be your outside interface (I pulled some of this from an old config file of mine).
 

Author Comment

by:andrishelp
I will look at this. My challenge with this is that Qwest manages our other router to get to the outside and I have to have them put in the new configs. It is kind of a hassle because you have to submit a ticket to them to do it. I will let you know what happens.
 
LVL 2

Accepted Solution

by:_valkyrie_ (earned 500 total points)
Ah, then just ask them to add 10.10.10.0/24 to the NAT rule. They should be able to handle it from there easily.