10-03-2018 09:53 AM - edited 03-05-2019 10:57 AM
Hello everyone, I'm trying to set up routing between a basic broadband modem and a Cisco 2811.
I have two sites which both comprise a GRE tunnel established between them using a pair of Cisco 2811 routers.
Each router is connected to a basic broadband modem through an Ethernet cable connection, but all devices, including the switch, the modem and the router, are all in one network; devices are on the same network on each end. For devices that need to use the tunnel, their gateway is pointed to the IP address of the Cisco routers.
I want to set up VLANs and different IP networks on the Cisco switches connected to the routers using router on a stick.
But to do this properly I need to set up routing between the Cisco routers and the broadband modems on each end. The purpose is to enhance security by implementing VLANs, and eventually apply access control lists to prevent certain VLANs talking to each other.
At the moment all devices can talk to each other unrestricted and no VLANs are set up.
I have IP telephones, security systems, computers etc. that need to be on separate VLANs so they can't talk to each other.
At the same time, the security system on site B needs to be accessible through the GRE tunnel through to site A.
Problem is the broadband modems are using NAT. I had a go last night but was unsuccessful. I figured that NAT had to be implemented on the Cisco routers instead of the modems, and to have a default route set up on each router. For example:
0.0.0.0 0.0.0.0 192.168.1.1
0.0.0.0 0.0.0.0 102.168.1.2
I tried using RIP v2, as one of my broadband modems wouldn't allow RIP routing if NAT was enabled on the DSL service interface.
At the moment I can't afford to purchase the DSL interface card for my Cisco routers, otherwise I would set them up directly connected.
My main question is: how do you set up routing between a broadband modem and a Cisco router, so that the VLANs on a switch connected to this router can all access the Internet but can't talk to each other?
I'm assuming that I will also have to enable some access control lists, but another problem is that I'm worried this will stop the GRE tunnel from working.
Just wondering if anyone can help me set up NAT, and some ACLs.
Thanks
10-03-2018 10:40 AM
Hello,
basically, you need to have a NAT statement for all VLANs and then use access lists to restrict access. Below is a sample config with three VLANs:
hostname 2811
!
ip cef
no ipv6 cef
!
interface FastEthernet0/0
 description Uplink to Broadband Modem
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
! Router-on-a-stick: one 802.1Q subinterface per VLAN, each one the
! default gateway for its VLAN and a NAT inside interface.
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip access-group VLAN_10 in
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip access-group VLAN_20 in
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 ip access-group VLAN_30 in
!
! PAT all three VLANs behind the DHCP-assigned address on Fa0/0.
ip nat inside source list 1 interface FastEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
!
! Named extended ACLs, first match wins, implicit deny at the end.
! Each list is applied inbound on its own VLAN subinterface, so it only
! ever sees packets sourced from that VLAN; the other direction is
! filtered by the other VLAN's own inbound list.
ip access-list extended VLAN_10
 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
!
ip access-list extended VLAN_20
 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
!
ip access-list extended VLAN_30
 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 any
10-03-2018 11:41 AM
10-03-2018 11:46 AM
Hello,
unless you put the broadband router in bridge mode I don't think you can configure a GRE tunnel from the Cisco. This is because the Cisco doesn't have a public address to source the tunnel from...
10-03-2018 12:45 PM
10-03-2018 12:53 PM
Hello,
when you configure the modem in bridge mode, the Cisco router effectively becomes the Internet-facing device, with a public IP address being assigned to the FastEthernet interface connected to the modem. This will enable you to build the tunnel.
What brand/model is the modem? There is usually a setting to enable bridge mode; if you indicate which modem you have, I can look up the exact command for that model...
10-03-2018 01:19 PM
10-03-2018 02:32 PM
Hello,
I checked the manual (link attached, page 15, item 4.4.1 WAN Settings), your modem does support bridge mode.
That said, in your original post you say:
--> I have two sites which both comprise a GRE tunnel established between them using a pair of Cisco 2811 routers.
Does that mean you already have the tunnel up and working behind the modems? Can you post the configuration of the 2811 you have?
https://static.tp-link.com/2018/201802/20180222/1910011944_TD-W9970(EU)_V2_User%20Guide.pdf
10-04-2018 07:21 AM - edited 10-04-2018 07:21 AM
Thanks guys, and thank you for looking up the manual for me.
I managed to get it up and running on one end.
The only problem was getting the tunnel to start up.
The tunnel doesn't seem to work, but I could ping google.com and surf the web from locally connected computers.
I also tried adding "ip nat inside" to the tunnel interface.
But the bridging was successful at least on one end; still yet to try bridging on the other end.
Would the tunnel itself need an ACL?
This is the config for the tunnel.
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key PASSWORD address XXX.XXX.XXX.XXX
!
crypto ipsec transform-set SET1 esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set SET1
!
! "tunnel mode ipsec ipv4" is a static IPsec VTI rather than a GRE tunnel.
! The tunnel source is the private LAN-side address; once the modem is in
! bridge mode the public address sits on the interface facing the modem.
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ip mtu 900
 tunnel source 192.168.1.1
 tunnel mode ipsec ipv4
 tunnel destination XXX.XXX.XXX.XXX
 tunnel protection ipsec profile IPSEC_PROFILE
10-04-2018 07:32 AM
Hello,
the tunnel doesn't need an ACL. You can use a static route pointing to the tunnel to route whatever you want across the tunnel, e.g.:
ip route 192.168.2.0 255.255.255.0 tunnel 0
10-04-2018 08:21 AM
What about when the ACLs for VLANs are applied etc.?
Correct me if I'm incorrect, but my initial understanding is that once you apply an ACL anywhere, it usually locks everything else down by default?
10-04-2018 08:30 AM
Hello,
the ACLs are applied to the VLAN interfaces and only affect inter-VLAN routing. Static routes for traffic between tunnels are not affected...
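To make the two points in this answer concrete (an inbound ACL only sees packets entering that interface, first match wins, and anything unmatched hits the implicit deny at the end), here is a small Python model of the evaluation. It is an added example, not from the thread: the subnets are the ones in the sample config, 192.168.2.0/24 stands for the remote site behind Tunnel0 (from the static route above), and the second list is constructed to show the implicit deny.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")   # IOS "any"

# Named extended ACLs as ordered (action, source, destination) entries.
ACLS = {
    # The list from the sample config, bound inbound on the VLAN 10 subinterface.
    "VLAN_10": [
        ("deny",   ip_network("192.168.10.0/24"), ip_network("192.168.20.0/24")),
        ("deny",   ip_network("192.168.10.0/24"), ip_network("192.168.30.0/24")),
        ("permit", ip_network("192.168.10.0/24"), ANY),
    ],
    # Constructed list (assumption): permit only the remote site behind Tunnel0,
    # so every other destination, the Internet included, falls to the implicit deny.
    "VLAN_30_TUNNEL_ONLY": [
        ("permit", ip_network("192.168.30.0/24"), ip_network("192.168.2.0/24")),
    ],
}

# Which ACL is bound inbound ("ip access-group ... in") on each subinterface.
# None means no filter on that interface: the packet is simply routed.
INBOUND = {
    "FastEthernet0/1.10": "VLAN_10",
    "FastEthernet0/1.20": None,
    "FastEthernet0/1.30": "VLAN_30_TUNNEL_ONLY",
}

def evaluate(acl_name, src, dst):
    """Walk the ACL top-down; return (action, index of the matching entry).
    Index -1 marks the implicit deny that ends every IOS ACL."""
    src, dst = ip_address(src), ip_address(dst)
    for idx, (action, s_net, d_net) in enumerate(ACLS[acl_name]):
        if src in s_net and dst in d_net:
            return action, idx
    return "deny", -1

def forward(ingress_if, src, dst):
    """Decision for a packet entering ingress_if: only that interface's
    own inbound ACL is consulted; lists on other interfaces play no part."""
    acl_name = INBOUND.get(ingress_if)
    if acl_name is None:
        return "permit"
    return evaluate(acl_name, src, dst)[0]
```

Traffic from VLAN 10 towards the tunnel subnet matches the final "permit ... any", which is why the static route across Tunnel0 keeps working; traffic from VLAN 30 in the constructed list reaches only 192.168.2.0/24.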
10-04-2018 09:15 AM
10-04-2018 09:21 AM
Hello,
ACLs should be applied as close to the source as possible. So in your case, just add the subnet you want to deny access to to the access list already applied to the source VLAN interface...
10-04-2018 10:43 AM
Okay, thank you.
Sorry for all the questions.....
So one of my VLANs must not be able to access the Internet; however, the VLAN itself needs to be accessible via Tunnel0.
The reason is that this VLAN runs security equipment that has been hacked from the Internet a lot recently.
I'm also interested in setting up CBAC as well for extra protection.
How would I go about applying this?