mun_84
asked on
cisco 877 route to wan over fastethernet
Hi Experts,
We have been using the router for an ADSL connection and it is all working well; however, we now have fiber internet in place and I need to route all my connections to the FE 1.
Currently I have vlan 1 192.168.0.10 and local ip data
vlan 2: 192.168.100.1 Wireless (Dot 1 Radio) (Fe0)
vlan 3: 192.168.200.1 Phone Lan (Fe2)
Vlan 4: external IP xxx.xxx.2x6.x34 /30 (Fe1)
Vlan 5: VPN backhaul 10.10.10.2/30 (Fe3)
I would like to route to the WAN via FE1. Please advise if this is possible. See my config below; I have Advanced IP Services already. Let me know what changes are needed.
Current configuration : 7291 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname pfcisco
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-22.T1.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$u72h$7LBDWXc1cupMYDu5conB81
!
no aaa new-model
clock timezone WST 8
!
crypto pki trustpoint TP-self-signed-223618724
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-223618724
revocation-check none
rsakeypair TP-self-signed-223618724
!
!
crypto pki certificate chain TP-self-signed-223618724
certificate self-signed 01
quit
dot11 association mac-list 700
dot11 syslog
!
dot11 ssid pfwifi
vlan 2
authentication open
authentication key-management wpa
wpa-psk ascii 7 08731F1A58495505130200
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1
!
ip dhcp pool Wireless
network 192.168.100.0 255.255.255.0
domain-name pfeng.local
dns-server 192.168.0.1 203.153.224.42
default-router 192.168.100.1
!
!
ip cef
no ip bootp server
ip domain name pfeng.local
ip name-server 192.168.0.1
ip name-server xxx.xxx.xx.xxx
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username xxxxxxx privilege 15
!
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip flow ingress
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
description Fibre
switchport access vlan 4
!
interface FastEthernet2
switchport access vlan 3
!
interface FastEthernet3
description VPN Backhaul to Broome
switchport access vlan 5
duplex full
speed 10
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
encryption vlan 2 mode ciphers tkip
!
ssid pfwifi
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel least-congested 2412 2442 2462
station-role root
no cdp enable
!
interface Dot11Radio0.1
description Wireless vlan2
encapsulation dot1Q 2
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.10 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Vlan2
no ip address
!
interface Vlan3
ip address 192.168.200.1 255.255.255.0
!
interface Vlan4
ip address xxx.xxx.2x6.x34 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface Vlan5
ip address 10.10.10.2 255.255.255.252
!
interface Dialer0
ip address xxx.xx.xxx.xxx 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname pfeng3
ppp chap password 7 1407140E02033A2A373B6B6D
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.166 255.255.255.255 FastEthernet1
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.0.1 443 interface Dialer0 443
ip nat inside source static tcp 192.168.0.1 1723 interface Dialer0 1723
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.166 3389 interface Dialer0 3389
ip nat inside source list 2 interface FastEthernet1 overload
ip nat inside source list 3 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.170 9000 interface Dialer0 9000
ip nat inside source static tcp 192.168.0.170 18004 interface Dialer0 18004
ip nat inside source static tcp 192.168.0.1 25 interface Dialer0 25
ip nat inside source static tcp 192.168.0.170 8080 interface FastEthernet1 8080
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 3 remark SDM_ACL Category=130
access-list 3 remark Wireless Lan
access-list 3 permit 192.168.100.0 0.0.0.255
access-list 101 permit tcp any any eq 3389
access-list 101 permit ip any any
access-list 102 permit ip any any
access-list 102 remark Wireless traffic
access-list 700 permit 0026.ff79.55e0 0000.0000.0000
access-list 700 permit 0023.146c.6c18 0000.0000.0000
access-list 700 permit 000e.35cf.2cdd 0000.0000.0000
access-list 700 permit dc2b.6109.1d12 0000.0000.0000
access-list 700 permit dc2b.6138.47e7 0000.0000.0000
access-list 700 permit 74f0.6d4d.765d 0000.0000.0000
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
control-plane
!
banner exec ^CSuccessful Login! Save Settings before making any changes.^C
banner login ^C
Authorised Users only! Please Contact Administrator.^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
password 7 14071408051729247578
login
transport input telnet ssh
transport output none
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 203.161.12.165 prefer
end
Thanks in advance.
ASKER
Will try in 2-3 hrs and let you guys know.
ASKER
How about the access list? Will that need to be deleted and redone?
The interface FE1 should have an "ip nat outside" on it.
ACL is fine.
ASKER
I can't apply ip nat outside on FE1.
ASKER
I managed to get it working; however, when I close Dialer 0 and shut it down I lose internet connectivity. Can you point to what is going on? Thanks.
ASKER
I tried RDP 3389 to my local desktop and it doesn't work either?
ASKER
How about this line here, do I need to change it?
ip nat inside source list 1 interface Dialer0 overload
ASKER
I don't think you can assign ip nat outside on FE3 as it is a switchport. If I don't make it a switchport I can't assign an IP address? This is an 877W router, by the way.
Once you remove the "ip nat outside" from the dialer intf, this line would not carry anything... So it doesn't really matter if it is there or not.
ASKER
Not really. I just did that and now I lost connectivity to the router!
ASKER
I figured it out. Instead of using interface FastEthernet 1 you have to use the VLAN that the NAT outside is on.
ip nat inside source list 1 interface vlan 4 overload
ip nat inside source static tcp 192.168.0.166 3389 interface vlan 4 3389
ip nat inside source list 2 interface vlan 4 overload
ip nat inside source list 3 interface vlan 4 overload
Thanks Sumandan for getting me halfway there!
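A small lint for the mistake this thread resolves, as an added example that is not part of the original posts: it flags `ip nat inside source` rules bound to a layer-2 switchport or to an interface without `ip nat outside`. The function names and the 203.0.113.2 placeholder address are assumptions, and it assumes `!` separates interface blocks as in `show running-config` output.

```python
import re

# Constructed sample trimmed from the question's config; 203.0.113.2 is a placeholder.
SAMPLE = """\
interface FastEthernet1
 switchport access vlan 4
!
interface Vlan4
 ip address 203.0.113.2 255.255.255.252
 ip nat inside
!
interface Dialer0
 ip nat outside
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface FastEthernet1 overload
ip nat inside source static tcp 192.168.0.170 8080 interface FastEthernet1 8080
"""

# Accepts both "Vlan4" and "vlan 4"; a trailing port number is not part of the name.
RULE = re.compile(r"^ip nat inside source .*\binterface ([A-Za-z-]+) ?([\d/.]+)", re.I)

def parse_interfaces(config):
    """Map lower-cased interface name -> list of its subcommands."""
    blocks = {}
    for block in re.split(r"^![ \t]*$", config, flags=re.M):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if lines and lines[0].lower().startswith("interface "):
            blocks[lines[0].split()[1].lower()] = lines[1:]
    return blocks

def check_nat(config):
    """Return (rule, finding) pairs for NAT rules bound to an unusable interface."""
    blocks, findings = parse_interfaces(config), []
    for line in map(str.strip, config.splitlines()):
        m = RULE.match(line)
        if not m:
            continue
        name = (m.group(1) + m.group(2)).lower()
        cmds = blocks.get(name)
        if cmds is None:
            findings.append((line, f"{name}: interface not defined"))
            continue
        vlan = next((c.split()[-1] for c in cmds
                     if c.startswith("switchport access vlan")), None)
        if vlan:  # layer-2 port: NAT has to be bound to its SVI instead
            state = "has" if "ip nat outside" in blocks.get("vlan" + vlan, []) else "lacks"
            findings.append((line, f"{name}: switchport; use Vlan{vlan}, which {state} 'ip nat outside'"))
        elif "ip nat outside" not in cmds:
            findings.append((line, f"{name}: missing 'ip nat outside'"))
    return findings

if __name__ == "__main__":
    for rule, finding in check_nat(SAMPLE):
        print(f"{finding}\n    {rule}")
```

On the sample it reports both FastEthernet1 rules and notes that Vlan4 is still marked `ip nat inside`; a mistyped interface name such as `valn 4` is reported as not defined.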
Sure thing... But as a practice, a router is used to route traffic out over an L3 WAN interface, with an IP address on its outside interface. There are quite a few policies/commands that may not apply on a VLAN interface as compared to a routed interface. But since your requirements are pretty straightforward and simple, you could use the VLAN (mostly a switching scenario) to achieve what you needed.
ASKER
Well, I get what you mean; however, on an 877 you don't have FE as layer 3 unless you make it a switchport. I get what you mean and will use it in my Cisco knowledge. Thanks again.
Sorry guys, but I'm just reading what's actually been done here, and it appears that my solution was what was actually done!?
ASKER
Yeah, and so I rewarded you accordingly. Sumandan appeared more helpful as he was quick with the responses.