Matt_Kennedy
asked on
Cisco 2800 router config to route all traffic to internal firewall
Hello,
I am trying to set up a Cisco 2800 router as an Internet access router only. There is an internal firewall that will be doing all the NAT, DHCP, firewall, etc. The Cisco 2800 at 192.168.3.250 is just there to bond 2 T1 lines together and route all traffic to the internal firewall at 192.168.3.1.
I have started with a config but want to make sure everything is correct. Please let me know what I have to change to make it a pass-through router for Internet access. The config is below:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname AttRouter
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret 5 $1$vpHB$0R9J90kjSIcmSSQvVUaK31
enable password 7 08061C4A1A143B1419
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
no ip bootp server
multilink bundle-name authenticated
!
!
!
!
!
username root password 7 0257174F2C071B247B4F10
archive
log config
hidekeys
!
!
!
!
!
interface Multilink1
ip address 10.154.49.250 255.255.255.252
no peer neighbor-route
no keepalive
no cdp enable
ppp chap hostname 1stService
ppp multilink
ppp multilink group 1
ppp multilink fragment disable
!
interface GigabitEthernet0/0
ip address 192.168.3.250 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
no ip address
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
no fair-queue
no cdp enable
ppp chap hostname 1stService
ppp multilink
ppp multilink group 1
!
interface Serial0/1/0
no ip address
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
no cdp enable
ppp chap hostname 1stService
ppp multilink
ppp multilink group 1
!
interface Serial0/2/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Serial0/3/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.3.250
!
!
no ip http server
no ip http secure-server
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
!
!
control-plane
!
banner motd ^C hello ^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
password 7 00550012235A1F03382055
login authentication local_auth
transport input telnet
!
scheduler allocate 20000 1000
!
end
thank you
ASKER
Garry-G,
Thank you for your reply.
If this route sends traffic to the firewall
ip route 0.0.0.0 0.0.0.0 192.168.3.1
How would the router affect VPN connections on the firewall?
Also,
I'm not sure what you mean by this statement:
I'm sort of missing routes for the other networks behind the multilink connection though ... I assume there are one or multiple subnets behind it, or? If so, add routes for them too, e.g.
ip route 192.168.200.0 255.255.255.0 10.154.49.249
There is only one subnet behind the router on the LAN, however there are 3 VPN tunnels the firewall connects to outside the LAN.
Is that what you are referring to?
thank you
Maybe you could clarify your network setup ... is the 2-channel multilink connection your Internet uplink? What's your LAN interface/IPs? e.g.
Internet====Cisco2800---Firewall---LAN
(add info about internal IPs that aren't clear from just the Cisco config alone)
P.S. - is the 192.168.3.x a "sanitized" version of the config, that on the live system is the public IP network of both the router and the external firewall interface?
ASKER
yes,
The Internet connection comes over the 2-channel multilink into the Cisco 2800. From there all traffic should be directed to the GigabitEthernet port, which is connected to the LAN side of the firewall. From the firewall the traffic is sent to the LAN.
Now I have a statement in the firewall directing 0.0.0.0 traffic out to the Cisco 2800.
Currently there is a statement in the Cisco 2800 that directs all outbound traffic to the multilink: 0.0.0.0 0.0.0.0 multilink
So, my question is how does the traffic coming into the Cisco 2800 know to send everything over the GigabitEthernet port to get to the firewall?
ASKER
If your question is whether or not the config posted is actual or not, then, yes, they are not the actual addresses.
ASKER
Just to clarify, the LAN subnet is 192.168.3.X
the WAN address is 10.154.49.249
Does this mean the ip route will have to go to 192.168.3.X to get to the firewall, which is on the LAN?
The "LAN-LAN" or the LAN between router and firewall, with the actual "LAN" (where servers/users reside) behind the firewall on a different RFC network?
Internet=====Cisco2800----Firewall----[Servers|Users-Machines|Printers|whatever]
Is 192.168.3.1 a replacement for some other IP x.y.z.1, which is from a non-RFC1918 range (that is, public IPs)
ASKER
Sorry for not clarifying,
The Cisco 2800 and the firewall are in the same building. The Cisco 2800 is just there to bond the T1 lines coming into the building and then pass all traffic to the firewall. So, the LAN between the Cisco 2800 and the firewall is the LAN-LAN.
so what's on the other side of the firewall if the 192.168.3.1 is on the internal network?
ASKER
The network is laid out like this:
VPN site 1 ----\
                |             multilink                  CAT5e                  switch
VPN site 2 ---- INTERNET ================ Cisco 2800 ---------- firewall ---------+---- node
                |                                                                 +---- node
VPN site 3 ----/                                                                  +---- node
                                                                                  +---- node
The multilink is at 10.154.49.249
The Cisco gigabit is at 192.168.3.251
The firewall is at 192.168.3.1
The traffic flows from the vpn sites over the internet to the cisco 2800 over the multilink interface out the gigabit interface to the firewall LAN interface and so to a switch (also on the LAN) and out to the nodes on the LAN. The firewall does not have a direct connection to the internet. It will be passing all traffic out to the Cisco 2800 gigabit interface (LAN side) and out through the multilink (WAN side) and back out into the Internet.
I hope this is clearer.
So my question is: does a route need to be added to the Cisco to point all traffic to the firewall like ip route 0.0.0.0 0.0.0.0 192.168.3.1 and then do I need a route on the firewall to point all traffic to the cisco 2800 LAN interface like 0.0.0.0 0.0.0.0 192.168.3.251 ?
Again, the default route goes towards the Internet from the router (GW 10.154.49.249), not towards the firewall. Otherwise you couldn't reach the Internet and with it the VPN sites. The "connected" route ("show ip route connect") for the 192.168.3.0/24 network already takes care of the traffic to the firewall and inside network. The firewall's default route stays like it is now (assuming it's pointing towards 192.168.3.250, not .251, at least according to the router config listed above).
I'm sort of missing routes for the other networks behind the multilink connection though ... I assume there are one or multiple subnets behind it, or? If so, add routes for them too, e.g.
Also the setup seems a bit unusual - but I may just not know enough of your network configuration ... if the multilink connection is Internet uplink, it ought to be the other way around, sending the default route towards the Internet, and all internal networks to the firewall ...
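The routing point made in this thread (the default route must point at the provider side of the multilink /30, while the connected 192.168.3.0/24 route already carries traffic to the firewall, and the firewall's default points at the router's LAN address) can be checked mechanically. The script below is an added example, not part of the original thread or the asker's config. It parses the "interface ... ip address" and "ip route" lines of a cut-down copy of the posted config into a routing table, resolves destinations with longest-prefix match and recursive next-hop lookup the way IOS does, and traces two flows (LAN to Internet, Internet to firewall) against both the posted default route and a corrected one. The firewall's table (connected 192.168.3.0/24 plus a default to 192.168.3.250) and the Internet/VPN-site address 203.0.113.10 are assumptions constructed for the example.

```python
"""Trace packets through the AttRouter / firewall pair from the thread.

Added example, not from the original thread.  Parses a cut-down copy of
the posted IOS config, builds routing tables, and forwards sample packets
with longest-prefix match plus recursive next-hop resolution.
"""
import ipaddress
import re

Addr, Net = ipaddress.IPv4Address, ipaddress.IPv4Network

# Cut down from the config posted in the question (only lines the parser reads).
POSTED_CONFIG = """\
interface Multilink1
 ip address 10.154.49.250 255.255.255.252
interface GigabitEthernet0/0
 ip address 192.168.3.250 255.255.255.0
interface GigabitEthernet0/1
 no ip address
 shutdown
ip route 0.0.0.0 0.0.0.0 192.168.3.250
"""
# Same config with the default route pointed at the provider side of the /30.
FIXED_CONFIG = POSTED_CONFIG.replace("0.0.0.0 0.0.0.0 192.168.3.250",
                                     "0.0.0.0 0.0.0.0 10.154.49.249")

# Assumed firewall table: connected LAN plus a default to the router's LAN address.
FIREWALL_ROUTES = [(Net("192.168.3.0/24"), None, "lan"),
                   (Net("0.0.0.0/0"), Addr("192.168.3.250"), None)]


def parse_ios(config):
    """Return (routes, own_addrs).  routes: [(prefix, next_hop, iface)];
    connected routes have next_hop None, static routes have iface None.
    Only handles 'ip route' with an address next hop, as in the posted config."""
    routes, own, iface = [], set(), None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            i = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            routes.append((i.network, None, iface))
            own.add(i.ip)
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            routes.append((Net(f"{m.group(1)}/{m.group(2)}"), Addr(m.group(3)), None))
    return routes, own


def lookup(routes, dst):
    """Longest-prefix match; None when nothing matches."""
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def resolve(routes, own, dst):
    """Return (egress_iface, next_hop), or a string saying why forwarding fails."""
    route = lookup(routes, dst)
    if route is None:
        return "no route"
    prefix, nh, iface = route
    if nh is None:
        return iface, dst                       # connected: ARP for dst itself
    if nh in own:
        return f"next hop {nh} is this device's own address"
    via = lookup(routes, nh)                    # recursive lookup of the next hop
    if via is None or via[1] is not None:
        return f"next hop {nh} is not on a connected subnet"
    return via[2], nh


def topology(router_config):
    routes, own = parse_ios(router_config)
    return {"AttRouter": (routes, own),
            "firewall": (FIREWALL_ROUTES, {Addr("192.168.3.1")})}


def trace(devices, start, dst):
    """Hop device to device until the packet is delivered locally, leaves for
    an address outside the model (the provider), or cannot be forwarded."""
    dst, hops, dev = Addr(dst), [], start
    for _ in range(len(devices) + 1):
        routes, own = devices[dev]
        if dst in own:
            hops.append((dev, "local", "delivered"))
            return hops
        step = resolve(routes, own, dst)
        if isinstance(step, str):
            hops.append((dev, "DROP", step))
            return hops
        iface, nh = step
        hops.append((dev, iface, str(nh)))
        dev = next((d for d, (_, a) in devices.items() if nh in a), None)
        if dev is None:
            return hops                         # handed off to the provider
    hops.append((dev, "DROP", "forwarding loop"))
    return hops


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("corrected", FIXED_CONFIG)):
        devs = topology(cfg)
        print(label, "LAN -> Internet:", trace(devs, "firewall", "203.0.113.10"))
        print(label, "Internet -> firewall:", trace(devs, "AttRouter", "192.168.3.1"))
```

With the posted config the LAN-to-Internet trace stops at AttRouter because the default route's next hop is the router's own Gi0/0 address; with the corrected default it leaves Multilink1 toward 10.154.49.249. The Internet-to-firewall trace is identical in both cases, which is the point of the answer above: the connected route for 192.168.3.0/24 handles that direction, so no static route toward the firewall is needed. Two caveats a practitioner would add when touching this config: a uRPF-checked serial interface with "allow-default" will pass traffic only if a default route actually exists in the table, so correcting the route also affects those checks; and the management plane visible in the same config (telnet on the vty lines, the reversible type 7 passwords, the "public" SNMP community) is worth tightening at the same time, since the router sits on the Internet side of the firewall.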