04-23-2010 01:53 AM - edited 03-04-2019 08:15 AM
Hi all,
I would like to set up a Cisco 2811 as a bridge and pass my public address through to my ASA firewall. At the moment I have the outside interface ATM0/3/0 in bridge-group 1 and BVI1 holds my public address. My inside interface Fa0/0 is configured with a 10.3.10.1/16 address, with the outside interface of my firewall on 10.3.10.2/16.
I was hoping to achieve this with the following configuration (I have changed the IP addresses):
-------------------------------------------------------------------------
!
interface FastEthernet0/0
 no ip address 10.3.10.1 255.255.0.0
 no ip nat inside
 switchport access vlan 1
!
interface vlan 1
 bridge-group 1
!
interface BVI1
 no ip address 1.2.123.108 255.255.248.0
 no ip nat outside
!
no bridge 1 route ip
-------------------------------------------------------------------------
I was then going to configure the outside interface of my firewall with the 1.2.123.108 255.255.248.0 address.
Would I then need to remove the default route 1.2.120.1 from the router and put it on the firewall?
What do I do about access-list 1?
Can anyone advise me as to any additional configuration I'll need to make this work?
My current router config is as follows:
-------------------------------------------------------------------------
bridge irb
!
!
!
interface FastEthernet0/0
description Connection to Firewall
ip address 10.3.10.1 255.255.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/3/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
bridge-group 1
pvc 0/101
encapsulation aal5snap
!
!
interface BVI1
ip address 1.2.123.108 255.255.248.0
ip nat outside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.2.120.1
!
!
ip http server
ip http access-class 25
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface BVI1 overload
!
access-list 1 permit 10.3.0.0 0.0.255.255
access-list 25 permit 10.10.10.0 0.0.0.7
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
login local
line aux 0
line vty 0 4
access-class 25 in
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 25 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end
Router#
-----------------------------------------------------------------------------------------
Any help would be greatly appreciated.
Thanks
Regards
Egg
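As an added example (not part of the thread and not the poster's config), here is one way to turn the posted 2811 config into a pure transparent bridge between ATM0/3/0 and FastEthernet0/0 and move the public address and default route to the ASA. The L3/NAT pieces are removed first because IOS refuses to delete a NAT rule that still has active translations, and the BVI must go before `bridge irb` can. The ASA side assumes the outside interface is Ethernet0/0 and that the ASA runs pre-8.3 software with the old `nat`/`global` syntax; the LAN behind the ASA is assumed to be `nameif inside`. Nothing here was taken from the original page except the addresses the poster gave.

```ios
! ===== 2811: tear down L3/NAT, then bridge Fa0/0 into group 1 =====
clear ip nat translation *
configure terminal
 ! NAT rule and its ACL are no longer needed once the router stops routing;
 ! access-list 1 was only referenced by this overload rule.
 no ip nat inside source list 1 interface BVI1 overload
 no access-list 1
 ! The default route moves to the ASA.
 no ip route 0.0.0.0 0.0.0.0 1.2.120.1
 !
 interface FastEthernet0/0
  description Connection to Firewall (bridged)
  no ip nat inside
  no ip virtual-reassembly
  no ip address
  bridge-group 1
 !
 ! ATM0/3/0 is already in bridge-group 1 over pvc 0/101 (aal5snap): unchanged.
 !
 no interface BVI1
 no bridge 1 route ip
 no bridge irb
 bridge 1 protocol ieee
end
!
! Verify: both interfaces listed in the group, the ASA outside MAC learned on
! Fa0/0 and the provider gateway MAC learned on ATM0/3/0.
show bridge 1 group
show bridge 1
!
! ===== ASA 5510 (assumption: outside = Ethernet0/0, 8.2-style NAT) =====
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.2.123.108 255.255.248.0
!
route outside 0.0.0.0 0.0.0.0 1.2.120.1
! The router's overload PAT is replaced by PAT to the ASA outside address
! (add only if the ASA does not already PAT to its outside interface):
global (outside) 1 interface
nat (inside) 1 10.3.0.0 255.255.0.0
```

Two things to check before doing this remotely: once BVI1 is gone the 2811 has no IP address at all, so the `ip http server` and the vty lines with `access-class 25` are reachable only from the console, and the ASA outside interface now sits directly on the provider segment, so its outside ACL and any `ssh`/`http` management statements should be reviewed for that address rather than 10.3.10.2.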
04-26-2010 01:57 AM
Hi All,
I really would appreciate some help here.
The problem:
I need to pass my public IP address of 1.2.123.108 255.255.248.0, which is currently on a 2811 router (see the config in my first post above), through to my ASA 5510 firewall and just have the router as a transparent bridge with no IP addresses.
Any advice would be much appreciated as I'm not that confident that my solution is going to work (see further below).
My current router config: identical to the one in my first post above.
My solution would be:
--------------------------------------------------------------------------
!
interface FastEthernet0/0
 no ip address 10.3.10.1 255.255.0.0
 no ip nat inside
 switchport access vlan 1
!
interface vlan 1
 bridge-group 1
!
interface BVI1
 no ip address 1.2.123.108 255.255.248.0
 no ip nat outside
!
no bridge 1 route ip
-------------------------------------------------------------------------
I was then going to configure the outside interface of my firewall with the 1.2.123.108 255.255.248.0 address.
Would I then need to remove the default route 1.2.120.1 from the router and put it on the firewall?
What do I do about access-list 1?
Can anyone advise me as to any additional configuration I'll need to make this work?
04-26-2010 03:09 AM
Is the reason you are needing to do this due to that being the only public address you have available to use? If not, I would suggest the use of another available public address in that range and proxy ARP. If so, you might be able to utilize static NAT mapping at the port level to support specific protocols as opposed to bridging. Based on the supplied config, the ATM is the public from your provider, right? Just wanted to make sure that is clear.
Tyler West, CCNP
CWI, Inc.
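As an added example of the "static NAT mapping at the port level" alternative mentioned in the reply above (not code from the thread or from Cisco), this keeps the 2811 exactly as posted, with BVI1 holding 1.2.123.108 and the overload PAT in place, and forwards only specific ports to the ASA outside address 10.3.10.2. The services chosen (HTTPS to the ASA and IPsec IKE/NAT-T) are illustrative assumptions; substitute whatever actually needs to be reachable. Static port mappings and the `interface BVI1 overload` rule coexist on the same interface.

```ios
! Per-port forwards from the single public address to the ASA outside (10.3.10.2).
! Only these ports are exposed; everything else from the Internet is still dropped
! by the absence of a translation.
configure terminal
 ip nat inside source static tcp 10.3.10.2 443  interface BVI1 443
 ip nat inside source static udp 10.3.10.2 500  interface BVI1 500
 ip nat inside source static udp 10.3.10.2 4500 interface BVI1 4500
end
!
! Verify: static entries appear as "tcp 1.2.123.108:443 10.3.10.2:443 --- ---"
! alongside the dynamic overload translations.
show ip nat translations
show ip nat statistics
```

The trade-off against bridging: the ASA's outside address stays private, so anything on the ASA that must announce its own address (an IPsec peer identity or certificate, for example) has to be told 1.2.123.108 explicitly, and protocols that cannot be port-forwarded (raw ESP without NAT-T) will not work through this router.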
04-27-2010 12:57 AM
Hi Tyler,
Yes, just one IP address at the moment. I have a leased line on order, but in the meantime I have to make do with what I've got, and I need the public address from my provider, presently on the ATM, shifted over to the ASA. I've been told this is quite a common setup, but I can't seem to find any documentation on it. Any pointers would be much appreciated.