Cisco 881 SHDSL Router to Snapgear Firewall

CESExchange
CESExchange used Ask the Experts™
on
Hi Experts,

I ask for your assistance configuring our Cisco 881 and a Snapgear SG580 Firewall...

This is what we have...

Internet---Cisco881(SHDSL)----Snapgear SG580(Firewall)----LAN

We have the Cisco 881 router NAT'ting to the Firewall, although I want the Firewall to handle NAT.  At the moment, double NAT'ting is going on.

The network config looks something like this...

INTERNET--- WAN IP (59.167.X.X) CISCO 881-- LAN IP (10.10.10.2) ---- Snapgear SG580 (192.168.10.1) --- LAN (192.168.0.0/20)

Can you please suggest how we can configure the CISCO 881 to not NAT, and bind the WAN IP from Interface FE4 to the VLAN 1, then I'll have the Snapgear handle NAT, VPN and the Access Rules...
I'd like to ensure VPN passthrough is enabled too on the 881.
Or feel free to suggest anything else...

I've attached the config of the CISCO 881...

Thank you in advance for your help, much appreciated :)

Cisco 881 Config
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Just to be sure: You don't want the Cisco 881 to perform NAT Operations?
Then you will be needing one Global IP Address on the Firewall to perform NAT.
Why is it that you don't want Cisco 881 to NAT.
Also, generally it is recommended to have firewall connecting the global the local network and not the router.

Author

Commented:
Thank you for your reply...

I was hoping to use the Snapgear FW (which will be replaced with an ASA 5505 shortly) to perform all NAT'ing for simplicity of management.

We also have an ADSL connection, whereby the ADSL modem is configured in bridge mode, and the SNapgear handles the authentication and NAT.

Cheers
Istvan KalmarHead of IT Security Division
Top Expert 2010
Commented:
Hi,

you need:

no ip nat inside source list NAT interface fast 4 overload
ip nat inside source static ip 10.10.10.1  x.x.x.x
What I am saying is that you connect the Snapgear FW to the internet directly. Configure outside port of firewall as 59.167.x.x. Place the router if you need, in place of the firewall, and configure it accordingly. The inside IP address of the Firewall could be 10.x.x.x and that of router attached to the firewall be 10.x.x.y. The other port of the router can have IP Address of your public network.

Author

Commented:
Thanks for your help everyone, both solutions aboved worked perfectly.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial