cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6255
Views
0
Helpful
7
Replies

878 - Bridging a Dialer interface to an Ethernet port?

Marklarius
Level 1
Level 1

Hi,

One of our branch offices is connected via an SDSL connection to a Cisco 878, which in turn NAT's a FortiGate 110-C behind it. Obviously, this creates a double-NAT network and is suboptimal.

What I'm trying to achieve is the ability to assign the single public address received from the ISP to the FortiGate's WAN side. My problems are further exacerbated by FortiGate's lack of support for PPPOA dialing (which would simplify issues as I would just bridge the ATM interface).

Is this even possible?

7 Replies 7

DialerString_2
Level 3
Level 3

Question. Why not assign the public address to the Cisco 878?  Or maybe set the 878 as a "permeter" router for the Firewall and nat everything going out - either on the firewall or the 878 - preferrable the router.

I have multiple ADSL connections setup and the link below helped me. I even have some that are bridged - so if you need a scrap config let me know I can post one for you. I don't know how it would relate to the SDSL - never touched it.

http://www.cisco.com/en/US/tech/tk175/tk818/tech_configuration_examples_list.html

E.

Yeah, I'm definitely going to NAT everything but I'd prefer to manage the network from the FortiGate rather than the 878 (habits + ease of access for other admins).

Judging by the material in the link specified (and obviously some Google), it looks like what I need is a BVI containing Vlan1 and Dialer0. I'm just not sure how I proceed from there, with regard to assigning the public IP to the FG while still having the Cisco perform the dialing.

I'd definitely like to see a sample confguration, if possible.

Thanks!

Here you go, Mark. The configs are from three different setup - ADSL bridge w/o BVI,  Cable connection with BVI and a WIFI connection with multiple BVI connected to Vlan.  Hope this helps some..

DialerString

Hmm.

The cable-modem configuration seems most appropriate. Would the following work (I can't test at the moment)?

bridge irb

bridge 1 protocol ieee

bridge 1 ip routing

!

interface BVI1

no shut

ip address 10.0.0.254 255.255.255.0

!

interface atm0

no shut

no ip address

no ip directed-broadcast

no atm ilmi-keepalive

pvc 0/38

encapsulation aal5mux

!

interface Dialer0

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip virtual-reassembly

encapsulation ppp

dialer pool 1

no cdp enable

ppp authentication chap callin

ppp chap hostname XXX

ppp chap password 0 YYY

bridge-group 1

!

interface vlan1

no shut

bridge-group 1

no ip address

!

ip route 0.0.0.0 0.0.0.0 Dialer0

Hey Mark,

Don't think this is going to work. It still doesn't achieve the results your looking for. Also your atm interface would need to be connected to the di0 interface using the "dialer pool-member 1" command.  You'll have to use the Di0 interface to pull the ip from the provider which is set to negotiate the ip address. You would need to bridge to the Ethernet connection to the Dialer via a BVI  and somehow have the FW receive the ip address - which isn't going to happened dynamically.  How big is your block of addresses from the provider?

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

interface Dialer0

ip address negotiated

dialer pool 1

!

Is you provider giving you a single static address with a /32 or do you have block of addresses?  I have single static /32 from the isp that is mapped to the loopback interface as such:

I had major problems with my provider at one time.

Int loopback 1

Ip address 1.1.1.1 255.255.255.255

!

Int di0

Ip unnumbered interface loopback 1

**I you have let's say a block of 4 (/30) - you could PROBABLY do something as such:

Interface di0

Ip unnumbered interface e0

!

Int e0

Desc "interface connected to FW"

Ip address 39.255.255.1 255.255.255.252

The firewall interface would be 39.255.255.2 255.255.255.252 - and your Admins could access the FW via a public address.

Hi,

Very old thread indeed :)

Have you ever managed to solve that?

I am in similar boat. Have CISCO 887 with PPPoA configured. Got a block of /29 addresses. Now, All I am trying to do is assign one of them to the watchguard firewall. 

Will bridging the Dialer0 with VLAN1 do the trick?

Or would it have to be a Static one-to-one translation?

Thanks!

hi, heres a configuration that works to have fw with public ip and the cisco router doing only the ppoe authentication,

vlan X is trunked to the firewall and the public ip is used as gateway for the firewall, vlan Y is used as management which is optional 

 

Building configuration...

Current configuration : 2224 bytes
!
! Last configuration change at 09:10:07 UTC Wed Nov 7 2018 by rob
version 15.2
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname mainint
!
boot-start-marker
boot-end-marker
!
!
enable secret xxxxxxxxxxx
enable password xxxxxxxxxxxxx
!
no aaa new-model
no process cpu extended history
no process cpu autoprofile hog
wan mode dsl
!
!
!
!
!
!
ip domain name xxxxxxxxxx
ip cef
no ipv6 cef
!
!
!
!
!
username xxxxxxx password xxxxxxxxxxx
!
!
controller VDSL 0
operating mode vdsl2
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
no cdp enable
!
interface Ethernet0.11
encapsulation dot1Q 11
pppoe-client dial-pool-number 1
!
interface FastEthernet0
switchport trunk native vlan Y
switchport trunk allowed vlan X,Y
switchport mode trunk
no ip address
no cdp enable
spanning-tree portfast
!
interface FastEthernet1
no ip address
shutdown
no cdp enable
!
interface FastEthernet2
no ip address
shutdown
no cdp enable
!
interface FastEthernet3
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed 100
no cdp enable
!
interface Vlan1
no ip address
!
interface VlanY(management)
ip address 192.168.0.8 255.255.255.0  ( example can be any local ip )
!
interface VlanX
ip address x.x.x.x(pub ip) x.x.x.x(netmask)
!
interface Dialer1
ip unnumbered VlanX
encapsulation ppp
dialer pool 1
ppp authentication pap chap ms-chap callin
ppp chap hostname xxxxxxx
ppp chap password  xxxxxx
ppp pap sent-username xxxxxx password xxxxxx
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no service-routing capabilities-manager
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line vty 0 4
password xxxxxxxxxx
login local
transport input ssh
!
scheduler allocate 60000 1000
!
end

Review Cisco Networking for a $25 gift card