Reconfigure from adsl to efm

nigel.mcpeake · ‎03-12-2012

Dear All

I have just had an EFM (ethernet first mile) circuit installed to replace an adsl broadband line and would really appreciate some help to reconfigure the router, a Cisco 1800, to use the EFM.

The current adsl is handled by a Vigor 2800 router which is connected to FastEthernet0 on the Cisco 1800. The current WAN addresses are configured on the Vigor and there is also a routed block of addresses of which 3 are in use: 84.xxx.xxx.41 is set as the IP of the Vigor, 84.xxx.xxx.42 is FastEthernet0 on the 1800 and 84.xxx.xxx.43 is assigned to a PIX firewall.

To use the EFM, the 1800 router needs to be connected by ethernet to a RAD LA-210 NTE unit.

The ISP has supplied new IP addresses for the WAN and Routed Block as follows:

WAN: 123.xxx.7.30/31

ISP end: 123.xxx.7.30

My end: 123.xxx.7.31

Mask: 255.255.255.252

Routed Block: 123.xxx.5.240/29

Usable IP addresses: 123.xxx.5.241 - 123.xxx.5.246

Mask: 255.255.255.248

I've had a go, but I've so far been unable to reconfigure the 1800 to use the EFM instead of the Vigor adsl. The current (edited) configuration is copied below, I'd be grateful if anyone could tell me what I need to change or add to use the new WAN and Routed Block addresses. Thanks in advance.

!CURRENT (EDITED) CONFIG FOR VIGOR ADSL

!

interface FastEthernet0 <<currently connected to Vigor adsl>>

ip address 84.xxx.xxx.42 255.255.255.248

ip access-group 101 in

ip nat outside

ip inspect WebsenseFilter out

ip virtual-reassembly

duplex auto

speed auto

crypto map VPNMAP

!

interface FastEthernet1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet2 <<currently connected to network switch>>

!

interface FastEthernet3

duplex full

speed 10

!

interface FastEthernet4

shutdown

!

interface FastEthernet5

shutdown

!

interface FastEthernet6

shutdown

!

interface FastEthernet7

shutdown

!

interface FastEthernet8

shutdown

!

interface FastEthernet9

!

interface Vlan1

ip address 192.168.46.254 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Async1

no ip address

encapsulation slip

!

ip route 0.0.0.0 0.0.0.0 84.xxx.xxx.41 <<this is an address on Vigor adsl>>

ip route 192.168.50.0 255.255.255.0 192.168.46.252

ip route 192.168.55.0 255.255.255.0 192.168.46.250

!

no ip http server

no ip http secure-server

ip nat inside source route-map Nat-Map interface FastEthernet0 overload

ip nat inside source static tcp 192.168.46.5 25 84.xxx.xxx.42 25 extendable

ip nat inside source static tcp 192.168.46.1 443 84.xxx.xxx.42 443 extendable

ip nat inside source static tcp 192.168.46.5 1723 84.xxx.xxx.42 1723 extendable

ip nat inside source static tcp 192.168.46.1 3389 84.xxx.xxx.42 3389 extendable

!

access-list 101 permit tcp any any eq 22

access-list 101 permit tcp any any eq smtp

access-list 101 permit tcp any any eq 1723

access-list 101 permit gre any any

access-list 101 permit icmp any any

access-list 101 permit udp any eq ntp any

access-list 101 permit udp any eq domain any gt 1023

access-list 101 permit tcp any any established

access-list 101 permit esp any any

access-list 101 permit udp any any eq isakmp

access-list 101 permit udp any any eq non500-isakmp

access-list 101 permit tcp any any eq 3389

access-list 101 deny ip any any

access-list 110 deny ip 192.168.46.0 0.0.0.255 192.168.47.0 0.0.0.255

access-list 110 deny ip 192.168.46.0 0.0.0.255 192.168.48.0 0.0.0.255

access-list 110 deny ip 192.168.46.0 0.0.0.255 192.168.49.0 0.0.0.255

access-list 110 deny ip 192.168.46.0 0.0.0.255 192.168.51.0 0.0.0.255

access-list 110 deny ip 192.168.46.0 0.0.0.255 192.168.52.0 0.0.0.255

access-list 110 deny ip 192.168.46.0 0.0.0.255 10.0.110.0 0.0.0.255

access-list 110 permit ip 192.168.46.0 0.0.0.255 any

access-list 150 permit ip 192.168.46.0 0.0.0.255 192.168.48.0 0.0.0.255

access-list 150 permit ip 192.168.50.0 0.0.0.255 192.168.48.0 0.0.0.255

access-list 151 permit ip 192.168.46.0 0.0.0.255 192.168.47.0 0.0.0.255

access-list 152 permit ip 192.168.46.0 0.0.0.255 192.168.51.0 0.0.0.255

access-list 153 permit ip 192.168.46.0 0.0.0.255 192.168.49.0 0.0.0.255

access-list 156 permit ip 192.168.46.0 0.0.0.255 192.168.52.0 0.0.0.255

access-list 157 permit ip 192.168.46.0 0.0.0.255 192.168.53.0 0.0.0.255

access-list 159 permit ip 192.168.46.0 0.0.0.255 10.0.110.0 0.0.0.255

!

route-map Nat-Map permit 10

match ip address 110

!

control-plane

!

line con 0

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

line vty 0 4

password xxxxxxxxx

login local

!

webvpn context Default_context

ssl authenticate verify all

!

no inservice

!

end

Dean Watson · ‎03-13-2012

Looking at your current config, the following changes should do the trick.

interface FastEthernet0

ip address 123.xxx.7.31 255.255.255.252

ip access-group 101 in

ip nat outside

ip inspect WebsenseFilter out

ip virtual-reassembly

duplex auto

speed auto

crypto map VPNMAP

!

ip route 0.0.0.0 0.0.0.0 123.xxx.7.31

!

ip nat inside source static tcp 192.168.46.5 25 123.xxx.7.31 25 extendable

ip nat inside source static tcp 192.168.46.1 443 123.xxx.7.31 443 extendable

ip nat inside source static tcp 192.168.46.5 1723 123.xxx.7.31 1723 extendable

ip nat inside source static tcp 192.168.46.1 3389 123.xxx.7.31 3389 extendable

nigel.mcpeake · ‎03-13-2012

Hi Dean, thanks for this. What happens with the routed block addresses in this scenario? If an external user connects to 123.xxx.5.242 for example, how does this get routed to the correct location? I need to assign one of these addresses to general incoming traffic (OWA, remote site links etc) and another address to route to a PIX firewall handling connections from Cisco VPN client.