03-12-2012 02:31 PM - edited 03-04-2019 03:38 PM
Dear All
I have just had an EFM (Ethernet First Mile) circuit installed to replace an ADSL broadband line and would really appreciate some help to reconfigure the router, a Cisco 1800, to use the EFM.
The current ADSL is handled by a Vigor 2800 router which is connected to FastEthernet0 on the Cisco 1800. The current WAN addresses are configured on the Vigor and there is also a routed block of addresses of which 3 are in use: 84.xxx.xxx.41 is set as the IP of the Vigor, 84.xxx.xxx.42 is FastEthernet0 on the 1800 and 84.xxx.xxx.43 is assigned to a PIX firewall.
To use the EFM, the 1800 router needs to be connected by Ethernet to a RAD LA-210 NTE unit.
The ISP has supplied new IP addresses for the WAN and Routed Block as follows:
WAN: 123.xxx.7.30/31
ISP end: 123.xxx.7.30
My end: 123.xxx.7.31
Mask: 255.255.255.252
Routed Block: 123.xxx.5.240/29
Usable IP addresses: 123.xxx.5.241 - 123.xxx.5.246
Mask: 255.255.255.248
I've had a go, but I've so far been unable to reconfigure the 1800 to use the EFM instead of the Vigor ADSL. The current (edited) configuration is copied below; I'd be grateful if anyone could tell me what I need to change or add to use the new WAN and Routed Block addresses. Thanks in advance.
!CURRENT (EDITED) CONFIG FOR VIGOR ADSL
!
!
! currently connected to Vigor ADSL
interface FastEthernet0
ip address 84.xxx.xxx.42 255.255.255.248
ip access-group 101 in
ip nat outside
ip inspect WebsenseFilter out
ip virtual-reassembly
duplex auto
speed auto
crypto map VPNMAP
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
! currently connected to network switch
interface FastEthernet2
!
interface FastEthernet3
duplex full
speed 10
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
shutdown
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
shutdown
!
interface FastEthernet9
!
interface Vlan1
ip address 192.168.46.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
! next hop is an address on the Vigor ADSL router
ip route 0.0.0.0 0.0.0.0 84.xxx.xxx.41
ip route 192.168.50.0 255.255.255.0 192.168.46.252
ip route 192.168.55.0 255.255.255.0 192.168.46.250
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map Nat-Map interface FastEthernet0 overload
ip nat inside source static tcp 192.168.46.5 25 84.xxx.xxx.42 25 extendable
ip nat inside source static tcp 192.168.46.1 443 84.xxx.xxx.42 443 extendable
ip nat inside source static tcp 192.168.46.5 1723 84.xxx.xxx.42 1723 extendable
ip nat inside source static tcp 192.168.46.1 3389 84.xxx.xxx.42 3389 extendable
!
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit icmp any any
access-list 101 permit udp any eq ntp any
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit tcp any any established
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit tcp any any eq 3389
access-list 101 deny ip any any
access-list 110 deny ip 192.168.46.0 0.0.0.255 192.168.47.0 0.0.0.255
access-list 110 deny ip 192.168.46.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 110 deny ip 192.168.46.0 0.0.0.255 192.168.49.0 0.0.0.255
access-list 110 deny ip 192.168.46.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 110 deny ip 192.168.46.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 110 deny ip 192.168.46.0 0.0.0.255 10.0.110.0 0.0.0.255
access-list 110 permit ip 192.168.46.0 0.0.0.255 any
access-list 150 permit ip 192.168.46.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 150 permit ip 192.168.50.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 151 permit ip 192.168.46.0 0.0.0.255 192.168.47.0 0.0.0.255
access-list 152 permit ip 192.168.46.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 153 permit ip 192.168.46.0 0.0.0.255 192.168.49.0 0.0.0.255
access-list 156 permit ip 192.168.46.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 157 permit ip 192.168.46.0 0.0.0.255 192.168.53.0 0.0.0.255
access-list 159 permit ip 192.168.46.0 0.0.0.255 10.0.110.0 0.0.0.255
!
!
!
route-map Nat-Map permit 10
match ip address 110
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
password xxxxxxxxx
login local
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
03-13-2012 03:18 AM
Looking at your current config, the following changes should do the trick.
interface FastEthernet0
 ip address 123.xxx.7.31 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip inspect WebsenseFilter out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPNMAP
!
! Default route via the ISP end of the WAN link
ip route 0.0.0.0 0.0.0.0 123.xxx.7.30
!
ip nat inside source static tcp 192.168.46.5 25 123.xxx.7.31 25 extendable
ip nat inside source static tcp 192.168.46.1 443 123.xxx.7.31 443 extendable
ip nat inside source static tcp 192.168.46.5 1723 123.xxx.7.31 1723 extendable
ip nat inside source static tcp 192.168.46.1 3389 123.xxx.7.31 3389 extendable
03-13-2012 03:48 AM
Hi Dean, thanks for this. What happens with the routed block addresses in this scenario? If an external user connects to 123.xxx.5.242 for example, how does this get routed to the correct location? I need to assign one of these addresses to general incoming traffic (OWA, remote site links etc) and another address to route to a PIX firewall handling connections from Cisco VPN client.