
integrate configuration of two devices into one

itadmincanada
Level 1

I have two Cisco routers, a newer 2811 connecting to an older 2600, in the following setup:

 

internet ----- fibre modem --- 2600  ----  2811 ---- internal network

 

The 2600 is being used as a router/firewall on the Internet; it has an IP address connecting to the fibre modem, responds to requests on our class C network (198.161.82.0/24) and allows us to pass requests into the 2811, which then forwards them to the required internal servers.

 

I would like to take the configuration of the 2600 router, integrate it into the 2811, and remove the 2600 from the mix.

I am not an expert with regards to configuring Cisco devices.

 

Partial configurations below:

 

2600 Router

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption

boot-start-marker
boot-end-marker

logging buffered 64000 debugging
logging console informational
clock timezone MST -7
clock summer-time MDT recurring
aaa new-model

aaa authentication login default local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef

ip inspect max-incomplete low 150
ip inspect max-incomplete high 250
ip inspect one-minute low 150
ip inspect one-minute high 250
ip inspect tcp idle-time 600
ip inspect name cbac ftp
ip inspect name cbac http
ip inspect name cbac tcp
ip inspect name cbac udp
ip audit po max-events 100
ip reflexive-list timeout 1800

 

interface FastEthernet0/0
ip address 198.161.82.1 255.255.255.0
speed auto
full-duplex

 

interface FastEthernet0/1
ip address 64.141.118.202 255.255.255.252
speed auto
full-duplex

no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 64.141.118.201

ip access-list extended EXT_IN
remark DENY REQUESTS FROM INVALID HOSTS ON EXTERNAL INTERFACE
deny ip host 0.0.0.0 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.0.16.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
remark DENY COMMON WINDOWS NETWORK PORTS
deny tcp any any eq 88
deny udp any any eq 88
deny tcp any any eq 121
deny tcp any any eq 135
deny udp any any eq netbios-ns
deny tcp any any eq 139
deny tcp any any eq 389
deny udp any any eq 389
deny tcp any any eq 445
deny tcp any any eq 1026
remark ALLOW ANYTHING FROM PETROBONDOLO2
permit ip 192.168.0.0 0.0.0.255 any log
remark ALLOW ANYTHING FROM BETACANADA
permit ip 198.161.82.0 0.0.1.255 any log
remark ALLOW ANYTHING FROM PETROBONDOLO
permit ip 192.168.2.0 0.0.0.255 any log
remark ALLOW BOOTPC TO GET DHCP INFORMATION
permit udp any eq bootps any eq bootpc log
remark ALLOW NTP FROM TIME SERVERS
permit udp host 128.100.100.128 any eq ntp
permit udp host 209.87.233.53 any eq ntp
remark PERMIT THE USEFUL ICMP MESSAGES
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any traceroute
permit icmp any any unreachable
deny ip any any log
logging history size 250
logging history informational

access-list 1 deny 98.100.131.115 log
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 99 permit 64.141.43.0 0.0.0.248
access-list 99 permit 192.168.1.0 0.0.0.255 log
access-list 99 deny any log
ntp clock-period 17208305
ntp server 128.100.100.128
ntp server 209.87.233.53

 

2811 Router

version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.156-3.M1.bin
boot-end-marker

logging buffered 51200 warnings

no aaa new-model
clock timezone MST -7 0
clock summer-time MDT recurring

no ip source-route

no ip domain lookup
ip name-server 10.56.241.99
ip name-server 10.56.241.98
ip inspect max-incomplete low 150
ip inspect max-incomplete high 250
ip inspect one-minute low 150
ip inspect one-minute high 250
ip inspect tcp idle-time 900
ip inspect name VLAN1_CB1 ftp audit-trail on
ip inspect name GI01_CB1 http
ip inspect name GI01_CB1 smtp
ip inspect name GI01_CB1 tcp
ip inspect name GI01_CB1 udp
ip inspect name GI01_CB1 h323
ip inspect name GI01_CB1 realaudio
ip inspect name GI01_CB1 vdolive
ip inspect name GI01_CB2 ftp audit-trail on
ip reflexive-list timeout 1800
ip cef
no ipv6 cef

multilink bundle-name authenticated


redundancy

interface Embedded-Service-Engine0/0
no ip address
shutdown

interface GigabitEthernet0/0
description FIBRE
no ip address
shutdown
duplex auto
speed auto

interface GigabitEthernet0/1
description SWITCH
ip address 10.56.241.2 255.255.255.0
ip accounting output-packets
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto

interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto

interface GigabitEthernet0/0/0
description INTERNET
no ip address

interface GigabitEthernet0/0/1
description FW-B
no ip address

interface GigabitEthernet0/0/2
description FW-A
no ip address

interface GigabitEthernet0/0/3
no ip address
shutdown

interface Vlan1
ip address 198.161.82.21 255.255.254.0 secondary
ip address 198.161.82.4 255.255.254.0
ip access-group VLAN1_IN in
ip access-group VLAN1_OUT out
ip nat outside
ip inspect VLAN1_CB1 in
ip inspect VLAN1_CB1 out
ip virtual-reassembly in
rate-limit input access-group 150 248000 372000 496000 conform-action set-prec-transmit 3 exceed-action set-prec-transmit 0
rate-limit input access-group 151 248000 372000 496000 conform-action set-prec-transmit 7 exceed-action set-prec-transmit 3
rate-limit input access-group 152 248000 372000 496000 conform-action set-prec-transmit 7 exceed-action set-prec-transmit 3
rate-limit input access-group 153 248000 372000 496000 conform-action set-prec-transmit 7 exceed-action set-prec-transmit 3
rate-limit input 248000 372000 496000 conform-action set-prec-transmit 4 exceed-action set-prec-transmit 1

router eigrp 10
network 10.0.0.0
redistribute static
passive-interface Vlan1
no eigrp log-neighbor-changes

ip forward-protocol nd

no ip http server
no ip http secure-server

ip nat translation timeout 60
ip nat translation tcp-timeout 60
ip nat translation udp-timeout 30
ip nat pool Internet 198.161.82.3 198.161.82.4 netmask 255.255.255.0
ip nat inside source list 101 pool Internet overload
ip nat inside source static 10.56.241.13 198.161.82.2
ip nat inside source static 10.56.241.230 198.161.82.10
ip nat inside source static 10.56.241.12 198.161.82.12
ip nat inside source static 10.56.241.9 198.161.82.21
ip nat inside source static tcp 10.56.241.190 80 198.161.82.75 80 extendable
ip nat inside source static 10.56.241.16 198.161.82.82
ip nat inside source static tcp 10.56.241.16 80 198.161.82.83 80 extendable
ip nat inside source static 10.56.241.97 198.161.82.97
ip route 0.0.0.0 0.0.0.0 198.161.82.1

ip access-list extended VLAN1_IN
deny ip host 0.0.0.0 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.0.16.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
deny ip host 83.204.35.241 any
deny ip 112.160.0.0 0.31.255.255 any
deny ip 211.44.226.0 0.0.255.255 any
deny ip 103.60.164.0 0.0.3.255 any
deny ip 46.20.6.0 0.0.0.255 any
deny ip 185.141.34.0 0.0.0.255 any
permit ip host 198.161.82.3 host 198.161.82.4 log
permit ip host 198.161.82.4 host 198.161.82.4 log
remark ALLOW ACCESS  SMTP AND DNS
permit tcp any host 198.161.82.2 eq smtp
permit tcp any host 198.161.82.2 eq domain
permit udp any host 198.161.82.2 eq domain
permit tcp any eq ident host 198.161.82.2
permit tcp any eq 123 host 198.161.82.2 eq 123
permit udp any eq ntp host 198.161.82.2 eq ntp
remark ALLOW ACCESS for DNS
permit tcp any host 198.161.82.12 eq domain
permit udp any host 198.161.82.12 eq domain
permit tcp any eq ident host 198.161.82.12
permit tcp any eq 123 host 198.161.82.12 eq 123
permit udp any eq ntp host 198.161.82.12 eq ntp
remark ALLOW ACCESS FOR FTP
permit tcp any host 198.161.82.21 eq ftp-data
permit tcp any host 198.161.82.21 eq ftp
remark ALLOW ANY TO WEB SERVERS
permit tcp any host 198.161.82.82 eq www
permit tcp any host 198.161.82.83 eq www
remark ALLOW SSH 
permit tcp any host 198.161.82.97 eq smtp
permit tcp any host 198.161.82.97 eq 443
remark ALLOW ACCESS
permit tcp any host 198.161.82.10 eq www
permit tcp any host 198.161.82.10 eq 443
remark PERMIT THE USEFUL ICMP MESSAGES
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any unreachable
evaluate tcptraffic
evaluate udptraffic
evaluate icmptraffic
deny ip any any

permit tcp 104.129.206.0 0.0.1.255 host 198.161.82.10 eq 22
permit tcp 165.225.0.0 0.0.1.255 host 198.161.82.10 eq 22
ip access-list extended VLAN1_OUT
permit tcp any any reflect tcptraffic timeout 300
permit udp any any reflect udptraffic timeout 300
permit icmp any any reflect icmptraffic timeout 300
permit gre any any
permit esp any any

route-map Internet permit 1
match ip address 101
match interface Vlan1

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps envmon
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps syslog
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 5 permit 10.56.241.0 0.0.0.255
access-list 101 permit ip 10.56.0.0 0.0.255.255 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 150 permit tcp any eq ftp-data any
access-list 150 permit tcp any eq ftp any
access-list 151 permit tcp any 10.56.241.0 0.0.0.255
access-list 152 permit tcp any 10.56.242.0 0.0.0.255
access-list 153 permit tcp any 10.56.243.0 0.0.0.255
access-list 154 permit tcp any eq www any
access-list 154 permit tcp any eq 443 any
access-list 155 permit tcp any eq ftp any

 

When I add the 64.141.x.x IP address to the 2811's GigabitEthernet0/0 port and modify the default route to go out through this port, I can ping from the router, but no traffic passes from the internal network, and I cannot get traffic from the Internet to the 198.161.82.0/24 addresses.

 

Any assistance would be appreciated.

1 Reply

alan_schneider
Level 1

You have to configure inside source NAT on that interface and clean up the configured static NAT.

You might also want to remove the VLAN1_IN and VLAN1_OUT access-lists and get connectivity working first, then configure the ACLs.
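The reply's advice written out as a concrete configuration. This is an added example, not something posted in the thread; it merges the WAN side of the two configs above onto the 2811 and assumes that the ISP keeps routing 198.161.82.0/24 to 64.141.118.202 (which is how the 2600 must already be reached) and that the fibre modem is cabled to GigabitEthernet0/0. The names WAN_IN and WAN_OUT are new; the per-site block ranges from VLAN1_IN (83.204.35.241 and the others) can be pasted back after the bogon lines. Following the reply, the interface and route stanzas can be applied first and the two access-groups added once inside hosts can reach the Internet.

```cisco
! Added example, not from the thread: the WAN side of the 2811 once the 2600 is
! gone. Assumes the ISP keeps routing 198.161.82.0/24 to 64.141.118.202 and the
! fibre modem is cabled to GigabitEthernet0/0. WAN_IN/WAN_OUT are new names.
!
! 1. Gig0/0 takes the 2600's WAN address. "ip nat outside", the filters and the
!    FTP inspection move here from Vlan1, which no longer faces the Internet.
interface GigabitEthernet0/0
 description FIBRE (was 2600 FastEthernet0/1)
 ip address 64.141.118.202 255.255.255.252
 ip access-group WAN_IN in
 ip access-group WAN_OUT out
 ip nat outside
 ip inspect VLAN1_CB1 in
 ip inspect VLAN1_CB1 out
 ip virtual-reassembly in
 no shutdown
!
interface Vlan1
 no ip access-group VLAN1_IN in
 no ip access-group VLAN1_OUT out
 no ip inspect VLAN1_CB1 in
 no ip inspect VLAN1_CB1 out
 no ip nat outside
 no ip address 198.161.82.21 255.255.254.0 secondary
 no ip address 198.161.82.4 255.255.254.0
 shutdown
!
! 2. Default route now points at the ISP. The public /24 is black-holed on Null0:
!    packets for a 198.161.82.x address with no NAT entry are dropped instead of
!    looping back to the ISP via the default route. Static and pool translations
!    are applied before the routing lookup, so the existing "ip nat inside
!    source ..." lines keep working unchanged. Note "redistribute static" under
!    router eigrp 10 will also advertise the Null0 route; filter it if unwanted.
no ip route 0.0.0.0 0.0.0.0 198.161.82.1
ip route 0.0.0.0 0.0.0.0 64.141.118.201
ip route 198.161.82.0 255.255.255.0 Null0
!
! 3. One inbound filter replaces EXT_IN and VLAN1_IN. Order matters: the two
!    SSH permits sat after "deny ip any any" in VLAN1_IN and never matched.
!    The 2600's permits for 192.168.x.x and 198.161.82.x sources are dropped
!    (from the Internet those are spoofed), and the 172.16/12 wildcard is
!    corrected: 0.0.16.255 only covered 172.16.0.0/24 and 172.16.16.0/24.
ip access-list extended WAN_IN
 remark DENY BOGON AND SPOOFED SOURCES
 deny ip host 0.0.0.0 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 198.161.82.0 0.0.0.255 any log
 deny ip 224.0.0.0 15.255.255.255 any log
 deny ip 255.0.0.0 0.255.255.255 any log
 remark RETURN TRAFFIC FOR SESSIONS OPENED FROM INSIDE
 evaluate tcptraffic
 evaluate udptraffic
 evaluate icmptraffic
 remark PUBLISHED SERVICES (public addresses; static NAT maps them inside)
 permit tcp any host 198.161.82.2 eq smtp
 permit tcp any host 198.161.82.2 eq domain
 permit udp any host 198.161.82.2 eq domain
 permit tcp any host 198.161.82.12 eq domain
 permit udp any host 198.161.82.12 eq domain
 permit tcp any host 198.161.82.21 eq ftp
 permit tcp any host 198.161.82.82 eq www
 permit tcp any host 198.161.82.83 eq www
 permit tcp any host 198.161.82.97 eq smtp
 permit tcp any host 198.161.82.97 eq 443
 permit tcp any host 198.161.82.10 eq www
 permit tcp any host 198.161.82.10 eq 443
 permit tcp 104.129.206.0 0.0.1.255 host 198.161.82.10 eq 22
 permit tcp 165.225.0.0 0.0.1.255 host 198.161.82.10 eq 22
 remark NTP REPLIES TO THE ROUTER (router-originated traffic creates no
 remark reflexive entry, so the 2600's explicit permits are still needed)
 permit udp host 128.100.100.128 eq ntp host 64.141.118.202 eq ntp
 permit udp host 209.87.233.53 eq ntp host 64.141.118.202 eq ntp
 remark USEFUL ICMP
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 deny ip any any log
!
ip access-list extended WAN_OUT
 permit tcp any any reflect tcptraffic timeout 300
 permit udp any any reflect udptraffic timeout 300
 permit icmp any any reflect icmptraffic timeout 300
 permit gre any any
 permit esp any any
!
ntp server 128.100.100.128
ntp server 209.87.233.53
!
! Verify after moving the modem cable:
!   show ip nat translations | include 198.161.82.2
!   show ip access-lists WAN_IN        (hit counts should climb on the permits)
```

Two points worth checking against the posted configs before applying this: the inbound ACL matches on the public (pre-NAT) destination addresses, which is why the permits reference 198.161.82.x rather than the 10.56.241.x hosts, and the Null0 route is what stops unmapped addresses in the /24 from bouncing between the router and the ISP until their TTL expires.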
