10-26-2010 02:39 PM - edited 03-04-2019 10:16 AM
So this is what I have....
isp ---> serial port 2801 ---> security gateway -----> core switch
I would like to make the 2801 transparent, can someone please tell me how to do this?
10-26-2010 11:31 PM
Hello!
What are you trying to achieve?
Here is a sample configuration for Transparent Bridging, but without knowing your objective, I don't know if any of this fits your scenario. You can check them to get an idea:
http://www.cisco.com/en/US/tech/tk331/tk660/technologies_tech_note09186a0080094471.shtml#ex1
Cheers,
Calin
10-27-2010 02:39 AM
Similar to Calin's question... What are you trying to achieve?
Cisco does have a hidden feature called L2TPv3 that allows you to make a routed interface appear like a L2 across a WAN circuit. Search for Layer 2 Tunneling Protocol version 3 on Cisco website.
I used this function with the Defense Logistics Agency, where the DHCP, mail and DNS server was at a hub site. So, without creating a new IP space on the remote router, I took a C2811 router with a L2 switch hanging off the other FA int. Placed the users on a VLAN and bridged the VLAN to the pseudo-wire code.
The WAN interface had OSPF running across the ISP and the other routed interface connected to a C2960-8 port 10/100 switch. The users were able to get a DHCP address, DNS resolution and email access without the need of local resources. The caveat meant that if the WAN went down there would be no connectivity for the local users. To get around that we placed helper addresses on ints so, if DHCP failed, a static address can be assigned locally. Still allow any local printers to communicate and some work could be achieved.
One other point, the only means of troubleshooting is to look at the mac-table on the hub side, because the remote side doesn't register the MAC in the ARP table. But you can look at the L2TP traffic to see if the tunnel is established. It's been a while but I think we did not have to stop IPSec across the WAN as the L2TP is already encrypted traffic.
God I miss that type of work! LOL
Is that similar to what you are trying to achieve?
Aqeel
10-27-2010 05:35 AM
You cannot do this type of bridging.
You will assign an IP address as given by ISP to "security gateway", and everything will work fine with normal routing.
10-27-2010 05:43 AM
Paolo,
I disagree, the ISP IP will be applied to the C2801 as indicated in his diagram. If not, your WAN won't even light up because the gateway is behind the router. The L2TPv3 works perfectly as the gateway would be connected to his hub site and look like it's inside the firewall.
Please explain how the ISP IP will be assigned to the Gateway without it being connected to the ISP? The diagram shows the C2801 first, then the Gateway. If the gateway is connected to the ISP, then you are right, disregard. But he still will require local resources.
I would put the router first, and then use the gateway to filter everything outbound. But again, I don't fully know what he is trying to accomplish.
10-27-2010 05:51 AM
I disagree, the ISP IP will be applied to the C2801 as indicated in his diagram. If not, your WAN won't even light up because the gateway is behind the router. The L2TPv3 works perfectly as the gateway would be connected to his hub site and look like it's inside the firewall.
That is not what the OP wants to do.
OP has a single router, not two. He has a single site, not two.
OP only wants to make the router "transparent", to give firewall a public IP address.
If ISP did not assign a LAN subnet (unlikely), OP can use static NAT instead.
However, OP cannot and should not do any type of bridging.
10-27-2010 06:30 AM
You're right transparent bridging is not needed. And again, it wasn't clear of what he was trying to do. My assumption is that he had a larger network than one site. From that standpoint a FW accomplishes hiding his inside network from the world. Or at least filters what comes in.
10-27-2010 06:31 AM
OK,
the security gateway is an Astaro appliance.
The Astaro can only accept Ethernet (RJ-45) (the ISP delivers a serial (T-1)), so I need to pass the internet through the 2801 and assign an outside IP address to the Astaro.
10-27-2010 06:40 AM
My thoughts exactly... I don't know too many FWs and Gateway devices that can transform serial bits. Usually, that is the job of a router.
So, unless your router's outside interface can NAT to your inside Gateway and then send the traffic back out the same interface that it came in on without creating a loop, I think you will need a few IP addresses.
1-IP for the router to ISP
and
1-IP for the FW int.
You can either get a bigger mask, so both int's would look like the same subnet. From there the Gateway will do the filter and the router would do the traffic passing.
Aqeel
10-27-2010 07:00 AM
aquell.karim
If with "mr. know it all" you are referring to me, please be advised that it is disrespectful to use monikers for people that we don't know and are not friends with. Besides, the one you have chosen is not particularly funny, and very out of place within a professional discussion.
So I kindly ask you to either edit your post, or chances are it will be removed by administrators.
10-27-2010 07:59 AM
Your assumption would be wrong as I never mentioned your name. My recommendation to you would be confirm who my message was addressed to before making a recommendation to Cisco Forum administrators.
And right now I feel threatened by your statements.
10-27-2010 08:08 AM
aqueel.karim,
Mine is a logical assumption, since I am the only person responding in this thread besides you. Denying the evidence is offending the intelligence of the reader.
You should not feel threatened by the fair post review process done by administrators, that I have now started due to your unfriendly attitude.