Configure Cisco 1921 with /29 ext and /27 int

So its been a long time since I have had to setup a cisco router, and I need a little advice.

Details:

Installing Ethernet fiber connection - ISP will drop a fiber connection and extend to my router which is a Cisco 1921. They have provided me with a /29 to connect my WAN int to their router, and a /27 to assign to my LAN int, which will be connected to a firewall. I will need to have all of the /27 ip's forwarded to my firewall, and the firewall will do all the NATing, to my private scope. below is the config I started and need assistance finishing it up. I have bolded the text that I'm not sure is correct. Also my circuit is not yet installed so I can not test at this moment.

Please do not respond by guessing - I am looking for responses from Cisco guys that can do this in their sleep.

Current configuration : 3298 bytes
!
! Last configuration change at 14:13:12 UTC Fri Oct 4 2013 by cisco
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CC_EDGE_ROUTER
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
ip cef
!
!
!
!
ip domain name XXXXXXXXXX.COM
no ipv6 cef
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1142544723
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1142544723
 revocation-check none
 rsakeypair TP-self-signed-1142544723
!
!
crypto pki certificate chain TP-self-signed-1142544723
 self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31313432 35343437 3233301E 170D3133 30343236 30333138
  35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31343235
  34343732 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CD2F A181D3F4 A6AF36AF EDF517DF 7569D879 E22DB3D2 5BE18B2C A12F53BC
  63AE4403 766D26E7 6B14D1AC 61E35B3C 2E1765FD 85B972FE 72CE6323 C538AF05
  D663CE7B E1B078C0 B18482A9 B29E06F3 E122FF4C A58805B7 D5ED06CB D125E8F3
  87CC5D82 F5DDAB83 742F3707 629F013D 8902F89C 5E82CCD4 AA77DB1F A80F9411
  C33B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 147AF4B6 EA69992D A01AA16B 2710BB86 4B192827 0A301D06
  03551D0E 04160414 7AF4B6EA 69992DA0 1AA16B27 10BB864B 1928270A 300D0609
  2A864886 F70D0101 05050003 8181002A 768B953D B29C52E5 08E51A7D D971CC54
  1094CCCE 03646F60 7654CE1F C6A347A9 126F60AB 293103D5 1AAAA4DB 7738CEAE
  D3D1BB4C BD254BB8 614CF52B 4A26AB84 0A9B193C BF235EC0 D854DA38 8FD1E422
  178671F2 59E722CA 6012B875 21C62C63 B5CE1A47 50F54266 77F62AC3 54C2B3AD
  73EDB644 317F972E 80C4B092 EA4211
        quit
license udi pid CISCO1921/K9 sn FGL171724JH
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-WAN$COMCAST-EXT-0/0$
 ip address 50.200.X.X 255.255.255.248
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $ETH-LAN$COMCAST-INT-0/1$
 ip address 50.204.X.X 255.255.255.224
ip nat outside
 ip virtual-reassembly in

 duplex auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 50.204.X.X
!
!
!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 2
 no activation-character
  transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

CC_EDGE_ROUTER#
LVL 3
TheonWAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Don JohnstonInstructorCommented:
If your firewall is doing NAT, then you do not want the "ip nat outside" on the g0/1 interface.  The virtual reassembly is a DOS attach preventative measure.

The default route (what I can see) look okay. It should be pointing the providers router.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
TheonWAuthor Commented:
I thought that the NAT should be removed, also on the route, ISp assigned me a /27 so if the ip they assigned me is 50.204.99.64/27 my first usable is .65 which would be assigned to int 0/1 - .64 should be default route, the /29 should not even come into paly since it is only PTP.

My firewall will by 66-97

CORRECT?
0
Don JohnstonInstructorCommented:
so if the ip they assigned me is 50.204.99.64/27 my first usable is .65 which would be assigned to int 0/1 - .64 should be default route,

I don't follow you here. The "default route" on the router will be 0.0.0.0/0 with a next hop address being the providers router.  On your firewall, you will also have a default route but the next hop address will be whatever address you assign to the g0/0 interface of the router.
0
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

TheonWAuthor Commented:
right I understand that, so let me expand a little.
IP range 50.204.99.64/27
IP Address of 0/1 50.204.99.65/27
ip default route 0.0.0.0 0.0.0.0 50.204.99.64

on my firewall I already have that set with a default route pointing to 50.204.99.65

I just need to confirm the cisco info is correct
0
Don JohnstonInstructorCommented:
ip default router 0.0.0.0 0.0.0.0 50.204.99.64

No. The next hop address must be the IP address of the next router towards the internet.  In your example, the next hop address is a network address and it's for the local network.
0
TheonWAuthor Commented:
.64 will be on the isp router and would be my next hop, the /29 net is not visible so it would not be the next hop.

do I need to turn on routing on the cisco?
0
Don JohnstonInstructorCommented:
.64 will be on the isp router and would be my next hop, the /29 net is not visible so it would not be the next hop.
I totally don't get what you're saying. But if you're saying the 50.204.X.64 is the ISP's router then that's good.

the /29 net is not visible so it would not be the next hop.
If you're connected to a network, it's visible.

do I need to turn on routing on the cisco?
"ip routing" has been on by default in Cisco routers for a while now. So unless it was disabled, you shouldn't need to turn it on.
0
TheonWAuthor Commented:
what I meant was that you do not use the ip's in the routes. However, I should still be able to ping the /29 ip's from the cisco.

Anyway, I have made the changes to the config file and will test on the 16th once the circuit is turned up.

Thanks for your help.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking Hardware-Other

From novice to tech pro — start learning today.