Cisco 2900 series router query

Hello,

So, just wondering: if I plug a WAN directly into the 2911's GE0/0 and then connect GE0/1 to the switch, will the Cisco 2911 pass traffic from int GE0/0 to GE0/1 (by default, but after enabling GE0/0 & GE0/1 with a 'no shutdown' command on both interfaces)?!
DamianIT inc asked:
Andy Bartkiewicz (Network Analyst) commented:
I don't know about the NBN box specifically but if you are trying to plug your router directly into a DSL phone line then yes, you need a HWIC. If the DSL line plugs into a box that gives you an ethernet jack to plug into then no, you can just use the gig port on your router.
DamianIT inc (Author) commented:
Hi Andy,

No, the NBN box does not have a copper phone line connector (it can provide VoIP), it's an ethernet port that does not need any dialer or authentication, as far as I know, it's a WAN.
Andy Bartkiewicz (Network Analyst) commented:
Okay, in that case I would think you can just use the GE port on the router
DamianIT inc (Author) commented:
So if I enable GE0/0 and GE0/1, will the flow of traffic coming in on GE0/0 automatically flow onto GE0/1?!

And then is the IP address of GE0/0 meant to be the WAN Public IP address?

And does the IP address of GE0/1 then need to be my internal LAN IP address?
Mustafa Al Housami (Network and Security Consultant/CCIE #48377) commented:
By default, traffic flows between interfaces depending on the routing table. Routing table depends on the interface state and on IP addresses on interfaces. For example, if you configure the IP addresses on both interfaces and enable them using the no shutdown command, traffic will flow automatically between these two interfaces. However, in most cases, the internal IP subnet will be a private range and unknown by the ISP; you will have to configure Network Address Translation in this case.
Therefore, if you are using this router as an internet gateway, you have to configure the following:
- On GE0/0, configure the public IP address and enable the interface
- Add a default route to the provider IP address (which will be in the same subnet as your IP address)
- On GE0/1, configure your LAN IP address
- Configure NAT between the LAN interface and the WAN interface.

DamianIT inc (Author) commented:
Hi Mustafa,

Thanks for the helpful advice.

So, when you mentioned "Configure NAT between interfaces", do you mean 'Configure NAT on each interface'?! Because if you meant between, I am not experienced with a co-joined or merged type scenario....


For example, I currently have: (changed some numbers in the IP for privacy)

* * *
interface GigabitEthernet0/0
description Physical WAN
ip address 210.211.195.222 255.255.255.252
ip nat outside
load-interval 30
no ip directed-broadcast
no ip redirects
no ip proxy-arp
no ip mask-reply
no cdp enable
no mop enabled
no shutdown
ip route 0.0.0.0 0.0.0.0 210.211.195.221

ip nat inside source list 11 interface GigabitEthernet0/0 overload
access-list 11 permit 192.168.1.1 0.0.0.255

!
no ip nat service sip udp port 5060


* * *

And then I presume the IP address on GE0/1 would be 192.168.1.1 255.255.255.0


Regards,

Damian
Mustafa Al Housami (Network and Security Consultant/CCIE #48377) commented:
Hi Damian,
Just correct the ACL to include 192.168.1.0 0.0.0.255 instead of 192.168.1.1, and add ip nat inside under the G0/1 interface.
DamianIT inc (Author) commented:
Hello Mustafa,

My next opportunity to try this will most likely be Sunday when I am on site with the router; I will report the results back here.

Much appreciated, thank you.
DamianIT inc (Author) commented:
PS. If I need to open TCP port 3389 on the public side to allow access to 192.168.1.2:3389 on the internal side, would it be appropriate to add this under Ge0/0?

ip nat inside source static tcp 210.211.195.222 3389
access-list 101 permit tcp any host 192.168.1.2 eq 3389
Mustafa Al Housami (Network and Security Consultant/CCIE #48377) commented:
In static ACL, you need to enter both IP addresses (inside, outside) in the static NAT entry, and no ACL will be used. Your command will be as follows:
ip nat inside source static tcp 192.168.1.2 3389 interface GigabitEthernet0/0 3389
P.S: If you don't have a firewall in this network, make sure to configure an ACL on the outside interface and CBAC on the inside interface.
Hope this helps.
DamianIT inc (Author) commented:
Thanks Mustafa.

The only other firewall after the point of this Router is at the server, so I was hoping to provide a level of defense before the traffic hits the server so that the server firewall isn't dealing with the traffic.
DamianIT inc (Author) commented:
Hello Mustafa,

Just to update, I added "ip nat inside source static tcp 192.168.1.2 3389 GigabitEthernet0/0 3389" and the port I needed opened. But I think Windows Firewall is on, so I am not entirely sure whether the Cisco is allowing everything through and that traffic is being thwarted by Windows Firewall. I had limited time on location, so I had to leave; however, I have access to the Cisco remotely now.

So, I'm curious to understand whether or not I have opened everything or just 3389 inwards to 192.168.1.2
Mustafa Al Housami (Network and Security Consultant/CCIE #48377) commented:
Hi Damian,
You only opened 3389.
Post your config to see if anything else is opened.

Best regards
DamianIT inc (Author) commented:
Hi Mustafa,

I have edited the public IP addresses for added privacy, but here is the current running-config...


!
! Last configuration change at 10:15:57 UTC Sun Dec 24 2017
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
ip domain name router.com
ip name-server 10.153.11.99
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3557635225
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3557635225
 revocation-check none
 rsakeypair TP-self-signed-3557635225
!
!
crypto pki certificate chain TP-self-signed-3557635225
 certificate self-signed 01
  300D0609 2A864886 F70D0101 05050030..
  31312F30 2........CE1933BC
  E50DA539 0B17598B DC3B6265 8945D2
        quit
license udi pid CISCO2911/K9 sn FGL163811BR
!
!
username damian privilege 15 password 0 password
!
redundancy
!
!
!
!
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Physical_WAN_via_NBN$ETH-WAN$
 ip address 210.211.195.222 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/1
 description Physical_LAN$ETH-LAN$
 ip address 10.153.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source list 11 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.153.11.99 3389 interface GigabitEthernet0/0 3389
ip route 0.0.0.0 0.0.0.0 210.211.195.221
!
access-list 11 permit 10.153.11.0 0.0.0.255
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Mustafa Al Housami (Network and Security Consultant/CCIE #48377) commented:
As for NAT, only tcp 3389 is opened, but it is better to implement a basic firewall by using inspection with CBAC and an ACL.
To implement a basic firewall on this router, please add the following commands:
ip inspect name cbac tcp router-traffic
ip inspect name cbac udp router-traffic
ip inspect name cbac icmp router-traffic
access-list 101 permit tcp any host 210.211.195.222 eq 3389
int g0/0
ip inspect cbac out
ip access-group 101 in
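A small config audit in the spirit of the checks raised in this thread, added here as an example (it is not from the thread, nor a Cisco tool): it parses an IOS-style running-config excerpt and flags the points discussed above, namely an outside NAT interface with no inbound access-group, a standard ACL whose address is a host rather than the network address for its wildcard, and every static port forward. The excerpt (using the thread's already-altered addresses), the function names and the finding texts are constructed for this example.

```python
import re
from ipaddress import ip_network

# Constructed excerpt modelled on the running-config posted above (the thread's
# already-altered addresses), with the LAN ACL written the wrong way on purpose.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 210.211.195.222 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 ip address 10.153.11.1 255.255.255.0
 ip nat inside
ip nat inside source list 11 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.153.11.99 3389 interface GigabitEthernet0/0 3389
access-list 11 permit 10.153.11.1 0.0.0.255
"""

def parse_interfaces(cfg):
    """Map each 'interface X' header to its indented sub-commands."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].append(line.strip())
        else:
            cur = None  # any global command ends the stanza
    return ifaces

def audit(cfg):
    """Return findings for the NAT and ACL points raised in the thread."""
    findings, ifaces = [], parse_interfaces(cfg)
    if not any("ip nat inside" in sub for sub in ifaces.values()):
        findings.append("no 'ip nat inside' interface: overload NAT cannot translate LAN traffic")
    for name, sub in ifaces.items():
        # An outside interface without an inbound ACL relies on NAT alone to block traffic.
        if "ip nat outside" in sub and not any(
                l.startswith("ip access-group ") and l.endswith(" in") for l in sub):
            findings.append(f"{name}: 'ip nat outside' but no inbound access-group")
    # Standard ACL entries: the address must be the network address for its wildcard.
    quad = r"(\d+\.\d+\.\d+\.\d+)"
    for acl, addr, wild in re.findall(rf"^access-list (\d+) permit {quad} {quad}$", cfg, re.M):
        mask = ".".join(str(255 - int(o)) for o in wild.split("."))
        try:
            ip_network(f"{addr}/{mask}", strict=True)
        except ValueError:
            findings.append(f"access-list {acl}: {addr} has host bits set for wildcard {wild}")
    # Every static port forward is an exposure worth listing explicitly.
    for inside, port, oif, oport in re.findall(
            r"^ip nat inside source static tcp (\S+) (\d+) interface (\S+) (\d+)$", cfg, re.M):
        findings.append(f"{oif} tcp/{oport} is forwarded to {inside}:{port}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the missing inbound ACL on GigabitEthernet0/0, the host-address ACL entry, and the 3389 forward; fixing the ACL and applying an access-group on g0/0 leaves only the port-forward entry, which is the intended exposure.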
DamianIT inc (Author) commented:
Ok, so if I understand correctly, these CBAC commands are to be added at the 'configure terminal' level, and not in either of the interfaces?!

Except these, which are intended to be implemented on G0/1:
ip inspect cbac out
ip access-group 101 in
Mustafa Al Housami (Network and Security Consultant/CCIE #48377) commented:
Correct, but apply them on the external interface (g0/0).
DamianIT inc (Author) commented:
Ok.

And if applying these remotely, I assume I could sever the connection... so should I be careful as to which line to add last, to avoid locking myself out?
Mustafa Al Housami (Network and Security Consultant/CCIE #48377) commented:
Usually, you should be careful with ACL usage. Since it only includes a permit entry, then no worries if you add other lines. If you are planning to manage the router from the outside interface, you should permit telnet and/or ssh on acl 101.
HTH
DamianIT inc (Author) commented:
I am using SSH now, but maybe it is safer to do this locally when I am in front of the machine next time.


Thank you so much for your help.