andrishelp
asked on
Cisco 1841 Router Configuration Segment Network
I have a few Cisco 1841 Routers with T1 Serial CSU/DSU Wic cards. These routers were used for our old T1 lines, etc. I want to try and use them on our network to segment out two portions of the network. Can I do this without purchasing new cards for them? For example, I want to set up a separate segmented network using a different IP scheme (ie. 10.10.10.0/24) which will connect to another network internally (192.168.0.0/22). Any help would be appreciated.
Don Johnston
Sure. The 1841's have two 10/100 ports that can be used to connect ethernet LANs together.
ASKER
Understood. I have configured Eth0/0 as 10.10.10.1 and Eth0/1 as 192.168.1.61. I then have tried to put a default route into the config from 0.0.0.0 to Ethernet0/0 192.168.0.1 which is the next router it should hop to and it won't get past the 10.10.10.0 network.
Are these routing through a firewall? If so what kind?
ASKER
No firewall. This is just segmenting two parts of our network. I have a department that I want to set up with the 10.10.10.0 subnet that needs to connect to the the 192.168.0.0/22 network and then if needed out to the internet from that network.
Please post the config of the router.
ASKER
Sorry. I should have thought of that.
!This is the running config of the router: 10.10.10.1
!-------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip domain name yourdomain.com
!
username lyon privilege 15 secret 5 $1$2CeA$5pQHesvSOR.v3HmA6t
!
!
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-LAN$
ip address 192.168.1.61 255.255.252.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
control-plane
!
banner login ^C
--------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
--------------------------
^C
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
end
!This is the running config of the router: 10.10.10.1
!-------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip domain name yourdomain.com
!
username lyon privilege 15 secret 5 $1$2CeA$5pQHesvSOR.v3HmA6t
!
!
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-LAN$
ip address 192.168.1.61 255.255.252.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
control-plane
!
banner login ^C
--------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
--------------------------
^C
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
end
Packets are getting past, as long as your configuration looks like:
Note: No ACLs are used.
And devices under 10.10.10.0 should use 10.10.10.1 as their gateway. But the return packets don't know where to go! Your 192.168.0.0/22 network is sending 10.10.10.0/24 traffic to their gateway which is 192.168.0.1 and it does not know where that network is.
Your router with IP 192.168.0.1 also needs a route:
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
interface FastEthernet0/1
ip address 192.168.1.61 255.255.252.0
ip route 0.0.0.0 0.0.0.0 192.168.0.1Note: No ACLs are used.
And devices under 10.10.10.0 should use 10.10.10.1 as their gateway. But the return packets don't know where to go! Your 192.168.0.0/22 network is sending 10.10.10.0/24 traffic to their gateway which is 192.168.0.1 and it does not know where that network is.
Your router with IP 192.168.0.1 also needs a route:
ip route 10.10.10.0 255.255.255.0 192.168.1.61ASKER
ok. That makes a lot of sense. Let me try that. Thanks much.
ASKER
I think I am still missing something. I got the route added to our router to the internet. I can ping devices into the secondary network but not out to the internet. I think that route I got added won't let any access out from there. It is going to direct a request back to my internal router. If I traceroute to the internet public address, I get 10.10.10.1 > 192.168.0.1 > then nothing...
Assuming you're using NAT on 192.168.0.1, you need to add that subnet to the ACL for NAT. Without seeing the config from 192.168.0.1, I can't give you specifics but here is how I would do it:
Existing example:
Would change to:
Again, this is a generalized example to point you in the direction. If you need help with your specific config, post what you can on 192.168.0.1.
Existing example:
ip nat inside source route-map rm-block-vpn-on-nat interface Vlan2 overload
ip access-list extended acl-block-vpn
! Insert deny statements for VPN IPs here
permit ip 192.168.0.0 0.0.8.255 any
route-map rm-block-vpn-on-nat permit 1
match ip address acl-block-vpnWould change to:
ip nat inside source route-map rm-block-vpn-on-nat interface Vlan2 overload
ip access-list extended acl-block-vpn
! Insert deny statements for VPN IPs here
permit ip 192.168.0.0 0.0.8.255 any
permit ip 10.10.10.0 0.0.0.255 any
route-map rm-block-vpn-on-nat permit 1
match ip address acl-block-vpnAgain, this is a generalized example to point you in the direction. If you need help with your specific config, post what you can on 192.168.0.1.
Vlan2 should be your outside interface (I pulled some this from an old config file of mine)
ASKER
I will look at this. My challenge with this is that Qwest manages our other router to get to the outside and I have to have them put in the new configs. It is kind of a hassle because you have to submit a ticket to them to do it. I will let you know what happens.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.