Cisco 1811 Site to Site Metro E and WAN Internet Configuration

johnmconnors
Level 1

I am assisting a customer with configuring their Cisco 1811 for internet and site to site communication over a Metro Ethernet circuit - basically it is a layer 2 connection at each site that connects them together.

Each site has its own separate class C address range 192.168.1.0, 192.168.2.0 and 192.168.3.0.  I set an interface address on each side whereby the last octet corresponds with the network it is assigned to, so the FE/0 address for the 192.168.1.0 network is 172.16.1.1, the interface address for the 192.168.2.1 network is 172.16.1.2 and the interface address for the 192.168.3.1 network is 172.16.1.3.

I have route statements configured on each side to route traffic accordingly depending on the location.  For example, from network 192.168.1.0 to get to the 192.168.2.0 network I have added a static route that shows up in the routing table as "S    192.168.2.0/24 [1/0] via 172.16.1.2"

Everything works great until I try to configure and connect the WAN port for internet traffic.  I tried to set it as the default route, but it keeps taking precedence for all of the traffic, and even the internal traffic that I have static routes configured for does not work.

Can somebody assist me with what I am trying to accomplish?  I need to know the proper way to configure the WAN internet connection so it is just used for internet traffic and not the site to site traffic.

3 Replies

Jon Marshall
Hall of Fame

Tom

Can you post the router config ?

Jon

Below is the relevant configuration.  I added the default route as a last resort to try to get things working so that is my last attempt and most likely a partial cause of the error.

I must admit I am a bit rusty on my Cisco configs and, unfortunately or not, I have had to refer to Cisco Configuration Professional to help.

Essentially, I don't need any inspection at this point in the site to site communication (FastEthernet0); I may later, as I have an opportunity to monitor and tweak the traffic.  I don't need any NAT translation on this interface because it is essentially just an extended internal network.

I want to direct all traffic that is not designated to go to either of the remote sites (essentially it should just be internet traffic) to go out the FastEthernet1 interface. At this time I just need to allow port 3389 through this interface to redirect to an internal server for RDP connections.


!
class-map type inspect match-all sdm-cls--2
 match access-group name IncomingCox
class-map type inspect match-any Internet
 match protocol http
 match protocol https
class-map type inspect match-all sdm-cls--1
 match class-map Internet
 match access-group name InternetOut
class-map type inspect match-any RDP
 match protocol user-RDP
class-map type inspect match-all sdm-cls-sdm-policy-sdm-cls--2-1
 match class-map RDP
 match access-group name RDP
!
!
policy-map type inspect sdm-policy-sdm-cls--1
 class type inspect sdm-cls--1
  pass
 class class-default
policy-map type inspect sdm-policy-sdm-cls--2
 class type inspect sdm-cls-sdm-policy-sdm-cls--2-1
  pass
 class type inspect sdm-cls--2
  drop log
 class class-default
!
zone security CoxInternet
zone security InternalLAN
zone-pair security sdm-zp-InternalLAN-CoxInternet source InternalLAN destination CoxInternet
 service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-CoxInternet-InternalLAN source CoxInternet destination InternalLAN
 service-policy type inspect sdm-policy-sdm-cls--2
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ETH-WAN$
 ip address 2*.***.***.*** 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security CoxInternet
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.200 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip virtual-reassembly
 zone-member security InternalLAN
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip route 192.168.2.0 255.255.255.0 172.16.1.2 permanent
ip route 192.168.3.0 255.255.255.0 172.16.1.3 permanent
ip route 0.0.0.0 0.0.0.0 FastEthernet0 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet1 overload
!
ip access-list extended IncomingCox
 remark CCP_ACL Category=128
 deny   ip any any
ip access-list extended InternetOut
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended RDP
 remark CCP_ACL Category=128
 permit ip any host 24.248.222.221
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.10
no cdp run
!
!

Here is a link to a diagram that I hope explains the basic configuration I am attempting to achieve.

http://www.personaljohn.com/images/diagram.pdf

With the current config, everything works fine until I plug the WAN Internet connection into the FastEthernet1 port.
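The fragment below is an added example, not the poster's configuration and not anything from the thread's replies. It shows how the routing and NAT pieces are normally laid out on IOS for the design the original post describes: the two /24 static routes carry site-to-site traffic over FastEthernet0, and a default route out FastEthernet1 carries everything else. Three things are worth comparing with the config posted above: its default route points out FastEthernet0, the Metro E side, rather than the Internet side; Vlan1 carries no `ip nat inside`, so the overload rule has no inside interface to translate from; and FastEthernet0 belongs to no security zone while Vlan1 is in InternalLAN, and the zone-based firewall drops traffic between a zone member and a non-member interface. The public address 203.0.113.10, the ISP next hop 203.0.113.1 and the RDP server 192.168.1.50 are placeholders (the real ones are not on the page); the zone-pair policies are left exactly as posted.

```cisco
! Added example, not the poster's config. Addresses marked PLACEHOLDER are assumed.
!
! Metro Ethernet side. Joining the same zone as Vlan1 makes site-to-site traffic
! intra-zone, which the zone-based firewall passes without a policy (no inspection,
! matching the poster's stated intent for this link).
interface FastEthernet0
 description Metro-E to remote sites
 ip address 172.16.1.1 255.255.255.0
 zone-member security InternalLAN
!
! Internet side: NAT outside and the CoxInternet zone, as in the posted config.
! PLACEHOLDER public address.
interface FastEthernet1
 description Internet (Cox)
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 zone-member security CoxInternet
!
! LAN. "ip nat inside" is required here, otherwise the overload rule below
! translates nothing.
interface Vlan1
 ip address 192.168.1.200 255.255.255.0
 ip nat inside
 zone-member security InternalLAN
!
! Specific /24 routes toward the Metro-E next hops. Longest-prefix match means
! these always win over 0.0.0.0/0 for 192.168.2.0/24 and 192.168.3.0/24.
ip route 192.168.2.0 255.255.255.0 172.16.1.2
ip route 192.168.3.0 255.255.255.0 172.16.1.3
!
! Default route: everything that matches no more specific route leaves via the
! Internet interface. PLACEHOLDER ISP next hop.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! PAT applies only to packets entering an "inside" interface and leaving the
! "outside" one, so site-to-site traffic over FastEthernet0 is never translated.
access-list 1 remark LAN hosts allowed to use PAT
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet1 overload
!
! Port forward: inbound TCP/3389 on the FastEthernet1 address is translated to
! the internal RDP host. PLACEHOLDER server address.
ip nat inside source static tcp 192.168.1.50 3389 interface FastEthernet1 3389
```

To confirm the route selection on the box, `show ip route 192.168.2.1` should report the /24 entry via 172.16.1.2, while `show ip route 0.0.0.0` (or any address outside the three LANs) should show the default route through the Internet interface; `show ip nat translations` should list only Internet-bound flows, none toward 192.168.2.0/24 or 192.168.3.0/24. One caveat on the inbound side: the posted RDP access list permits `ip any` as the source, so once the static translation is in place the RDP server is reachable from any Internet address; restricting that ACL to the client addresses that actually need RDP limits the exposure of port 3389.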
