
ISP connection

newIntern
Level 1

Hello,
I received the mission to explore the possibility of replacing the ISP's router (it's been crashing) with a Cisco 3925 (I know... absolute). The ISP router has a WAN interface and other LAN interfaces that I can connect to firewalls. The ISP makes a subnet (/29) available to us, which we use for firewalls and other equipment. The connection with the ISP via PPPoE is simple and I have already done it, but afterwards I realized that the other interfaces of the 3925 are also WAN; I have to keep the public IPs on the firewalls, and the other WAN interfaces cannot have an IP in the same range as the interface connected to the ISP. I'm out of ideas.

11 Replies

I tried to get what you want here but I could not; can you elaborate more?

Hello,

I attached a picture of what I wrote in the post.

Why do you use a router if you want the FW to use a public IP? That I cannot understand.
If you don't have a SW then
if the FW is using HA then you can configure the router as IRB

https://community.cisco.com/t5/network-management/two-firewall-to-one-router/m-p/4741011

balaji.bandi
Hall of Fame

What version of code is running on the router? You can use bridge mode to retain the public IP, extended to the LAN side.

Configure an access port or trunk port on the switch to extend the VLAN to the FW.

Does that work for you?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

Thanks for the reply.

Right now I cannot say the version of the software. I will check it on Monday.

I did not understand every aspect of your idea.

Was your idea based on the picture I attached in the post?

Thanks.

Was your idea based on the picture I attached in the post?

Yes, correct. If you would like to have a public IP on the FW, you need to configure bridge mode?

BB


Hello


@newIntern wrote:
The ISP makes a subnet (/29) available to us, which we use for firewalls and other equipment. The connection with the ISP via pppoe

I have to keep the public IPs on the firewalls and other WAN interfaces -cannot have an IP of the same range as the interface connected to the ISP. I'm out of ideas.


Looking at your diagram, you need to bridge the two interfaces on the WAN rtr; as such, the FWs will be able to retain their IP addressing.

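! Enable IRB first; "bridge 1 route ip" is only accepted once IRB is on
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! WAN-facing port, member of bridge group 1
int x/x
 description WAN
 no ip address
 bridge-group 1
!
! LAN-facing port (towards the firewalls), member of the same bridge group
int x/x
 description LAN
 no ip address
 bridge-group 1
!
! Routed interface for bridge group 1, holding the router's address in the /29
int bvi 1
 ip address x.x.x.1 255.255.255.248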

Just in case the rtr doesn't support IRB, you could use BDI

int x/x
 description WAN
 service instance 1 ethernet
  encapsulation dot1q 1
  bridge-domain 1
!
int x/x
 description LAN
 service instance 1 ethernet
  encapsulation dot1q 1
  bridge-domain 1
!
interface BDI1
 ip address x.x.x.1 255.255.255.248


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Ok thanks. I understood this config.

But how do I connect to the ISP? Should I use PPPoE on the interface facing the ISP? Can the BVI interface be configured with PPPoE? Or should I set an IP address that can talk to the ISP on the BVI interface?

Are there any other options that work?

Thanks a lot.

I spoke to my ISP and they only connect via PPPoE.

Let's do a summary:

- FW HA does not support PPPoE

- The router can do NAT, so you can do NAT for the public IP connected to the router to the FW outside interface

That is all you need; no need for any more PPPoE for the BVI of the router.

Thanks for the reply,

I understand that my questions seem meaningless, taking into account that it would be enough for the connection to the ISP to be PPPoE, the connection from the router to the firewalls to be in a private network range (e.g. 192.168.2.0/30), the router to be configured with NAT for the public IP, and the VPNs to be configured on the router as well.

But the problem is that they don't want to change the settings of the firewalls, which have many VPNs and other things that would only be possible with a public IP on their interface. And I don't have much to do about it.

That said, with my post I am trying to find a solution that meets what I was asked and that I tried to convey in the photo that I attached to the post.

Note: By the way, the firewalls are in HA so I put a switch there.

So my question remains and boils down to:

1 - I can do it by configuring a bridge on the 3925 router (it supports IRB, BVI, ...)

2 - Since the ISP only provides PPPoE, on which interface should I configure this: the BVI or the physical one that is facing the ISP? Is there anything else I should do?

Note: the solution must take into account the scheme of what I want, shown in the initial post.

Thank you very much.
