Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1439
  • Last Modified:

Cisco 2800 router config to route all traffic to internal firewall

Hello,
I am trying to setup a Cisco 2800 route as an internet access router only.  There is an internal firewall that will be doing all the NAT, DHCP, firewall, etc.  The Cisco 2800 at 192.168.3.250 is just there is bond 2 T1 lines together and route all traffic to internal firewall at 192.168.3.1.
I have started with a config but want to make sure everything is correct.  Please let me know what I have to change to make it a pass through router for internet access.  The config is below:



version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname AttRouter
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret 5 $1$vpHB$0R9J90kjSIcmSSQvVUaK31
enable password 7 08061C4A1A143B1419
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
no ip bootp server
multilink bundle-name authenticated
!
!
!
!
!
username root password 7 0257174F2C071B247B4F10
archive
 log config
  hidekeys
!
!
!
!
!
interface Multilink1
 ip address 10.154.49.250 255.255.255.252
 no peer neighbor-route
 no keepalive
 no cdp enable
 ppp chap hostname 1stService
 ppp multilink
 ppp multilink group 1
 ppp multilink fragment disable
!
interface GigabitEthernet0/0
 ip address 192.168.3.250 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 no ip address
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no fair-queue
 no cdp enable
 ppp chap hostname 1stService
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1/0
 no ip address
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no cdp enable
 ppp chap hostname 1stService
 ppp multilink
 ppp multilink group 1
!
interface Serial0/2/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
!
interface Serial0/3/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.3.250
!
!
no ip http server
no ip http secure-server
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
!
!
control-plane
!
banner motd ^C hello ^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 password 7 00550012235A1F03382055
 login authentication local_auth
 transport input telnet
!
scheduler allocate 20000 1000
!
end


thank you
0
Matt_Kennedy
Asked:
Matt_Kennedy
  • 7
  • 6
1 Solution
 
Garry GlendownConsulting and Network/Security SpecialistCommented:
The "ip route" command is wrong, you used the router as the gateway, not the firewall. Change to

ip route 0.0.0.0 0.0.0.0 192.168.3.1

Open in new window


I'm sort of missing routes for the other networks behind the multilink connection though ... I assume there are one or multiple subnets behind it, or? If so, add routes for them to, as e.g.

ip route 192.168.200.0 255.255.255.0 10.154.49.249

Open in new window


Also the setup seems a bit unusual - but I may just not know enough of your network configuration ... if the multilink connection is Internet uplink, it ought to be the other way around, sending the default route towards the Internet, and all internal networks to the firewall ...
0
 
Matt_KennedyAuthor Commented:
Garry-G,

Thank you for your reply.  

If this route sends traffic to the firewall
ip route 0.0.0.0 0.0.0.0 192.168.3.1
How would the router affect VPN connections on the firewall?

Also,
I'm not sure what you mean by this statement:
I'm sort of missing routes for the other networks behind the multilink connection though ... I assume there are one or multiple subnets behind it, or? If so, add routes for them to, as e.g.
ip route 192.168.200.0 255.255.255.0 10.154.49.249


There is only one subnet behind the router on the LAN, however there are 3 VPN tunnels the firewall connects to outside the LAN.
Is that what you are referring to?
thank you
0
 
Garry GlendownConsulting and Network/Security SpecialistCommented:
Maybe you could clarify your network setup ... is the 2-channel multilink connection your Internet uplink? What's your LAN interface/IPs? e.g.

Internet====Cisco2800---Firewall---LAN

(add info about internal IPs that aren't clear from just the Cisco config alone)
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
Garry GlendownConsulting and Network/Security SpecialistCommented:
P.S. - is the 192.168.3.x a "sanitized" version of the config, that on the live system is the public IP network of both the router and the external firewall interface?
0
 
Matt_KennedyAuthor Commented:
yes,

The internet connection comes over the 2 channel multilink into the Cisco 2800 . From there all traffic should be directed to the GigabitEthernet port which is connect to the LAN side of the firewall.  From the firewall the traffic is sent to the LAN.
Now I have a statement in the firewall directing 0.0.0.0 traffic out to the Cisco 2800.
Currently there is a statement in the Cisco 2800 that directs all outbound traffic to the multilink  0.0.0.0 0.0.0.0.0 multilink
So, my question is how does the traffic coming into the Cisco 2800 know the send everything over the gigabitethernet port to get to the firewall?
0
 
Matt_KennedyAuthor Commented:
If your question is whether or not the config posted is actual or not, then, yes, they are not the actual addresses.
0
 
Garry GlendownConsulting and Network/Security SpecialistCommented:
"From there all traffic should be directed to the GigabitEthernet port" - what you mean is all traffic addressed to your public IPs is supposed to be directed to the GigE port ... the default route still has to go from the internal LAN to the firewall to the router and out the ML-connection ... so:

ip route 0.0.0.0 0.0.0.0 10.154.49.249

is the right statement after all. If the "192.168.3.0/24" in reality is some public IP range, than everything is fine, your Firewall is most likely doing proxy arp and providing NAT between the internal LAN  behind the firewall and the outside.

As for VPN connection, they will be using the outside IP address of the firewall, which according to your info and the "anonymization" made in the config above is 192.168.3.1 ... the real IP ought to be reachable from the Internet, the router will not have any problem just handing the IPSEC (or whatever) packets through to the firewall ...
0
 
Matt_KennedyAuthor Commented:
Just to clarify  the LAN subnet is 192.168.3.X    
the WAN address is 10.154.49.249
Does this mean the ip route will have to go to 192.168.3.X to get to the firewall which is on the land?
0
 
Garry GlendownConsulting and Network/Security SpecialistCommented:
The "LAN-LAN" or the LAN between router and firewall, with the actual "LAN" (where servers/users reside) behind the firewall on a different RFC network?

Internet=====Cisco2800----Firewall----[Servers|Users-Machines|Printers|whatever]

Is 192.168.3.1 a replacement for some other IP x.y.z.1, which is from a non-RFC1918 range (that is, public IPs)
0
 
Matt_KennedyAuthor Commented:
Sorry for not clarifying,

The Cisco 2800 and the firewall are in the same building.  the Cisco 2800 is just there is bond the T1 lines coming into the building then pass all traffic to the firewall. So, the LAN between the Cisco 2800 and firewall is the LAN-LAN.
0
 
Garry GlendownConsulting and Network/Security SpecialistCommented:
so what's on the other side of the firewall if the 192.168.3.1 is on the internal network?
0
 
Matt_KennedyAuthor Commented:
The network is laid out like this:
                                                       |                                                                switch
VPN site 1----------------                       |   multilink                                             ----------- node
                                                       |    -----------                     CAT5e                ------------node
VPN site 2----------------      INTERNET |                 Cisco 2800 ------------- firewall  ------------node
                                                       |    -----------                                               ------------node
VPN site 3----------------                       |  

The multilink is at 10.154.49.249
The Cisco gigabait is at 192.168.3.251
The firewall is at 192.168.3.1

The traffic flows from the vpn sites over the internet to the cisco 2800 over the multilink interface out the gigabit interface to the firewall LAN interface and so to a switch (also on the LAN) and out to the nodes on the LAN.  The firewall does not have a direct connection to the internet.  It will be passing all traffic out to the Cisco 2800 gigabit interface (LAN side) and out through the multilink (WAN side) and back out into the Internet.
I hope this is clearer.
So my question is:  does a route need to be added to the Cisco to point all traffic to the firewall like ip route 0.0.0.0 0.0.0.0 192.168.3.1  and then do I need a route on the firewall to point all traffic to the cisco 2800 LAN interface like 0.0.0.0 0.0.0.0 192.168.3.251 ?
0
 
Garry GlendownConsulting and Network/Security SpecialistCommented:
Again, the default route goes towards the Internet from the router (GW 10.154.49.249), not towards the firewall. Otherwise you couldn't reach the Internet and with it the VPN sites. The "connected" route ("show ip route connect") for the 192.168.3.0/24 network already takes care of the traffic to the firewall and inside network. The firewall's default route stays like it is now (assuming it's pointing towards 192.168.3.250, not .251, at least according to the router config listed above).
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 7
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now