10-11-2012 05:49 AM - edited 03-07-2019 09:24 AM
I have a Cisco 1841 router with a DSL wic connected to a provider that has given us 5 separate static IPs. I can route any one of the IPs for incoming internet traffic (i.e. web server). However, I can't figure out how to do the reverse.
I want to setup a VLAN in my network and exclusively route all user internet traffic to one specific DSL IP address. Also, the vlan will not have access to any other network resource other then the internet.
Why? Colleague of mine asked if we setup a testing ground exclusive from our network. I'd thought it would be cool.
Scott
Solved! Go to Solution.
10-12-2012 07:31 AM
I should mention that I want my network to have a separate IP from the VLAN for internet traffic. (they would both have their own)
10-12-2012 09:06 AM
Hi Scott,
I am thinking NAT pool...
Let's assume 192.168.1.7 is the static outside address you want to use. Let's also assume that 10.0.80.0/24 is the subnet on the inside, fa0/0 is inside int and fa0/1 is outside int.
ip nat pool POOL 192.168.1.7 192.168.1.7 netmask 255.255.255.0
!
ip access-list extended ACL_OUTB
 ! feel free to add any traffic you would like, I will use 80 and 443 for this example
 permit tcp 10.0.80.0 0.0.0.255 any eq 80
 permit tcp 10.0.80.0 0.0.0.255 any eq 443
!
ip nat inside source list ACL_OUTB pool POOL overload
! I believe you need overload since you want more than one translation, otherwise you can try it without?
!
interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
10-13-2012 04:22 AM
Dear Scott,
This seems an easy config... as per my understanding of your requirement... Currently you have 5 IPs from the ISP... and you can use anything that you want...
In all cases you are supposed to use NAT for the communication with the Internet.
Nick is right with his config... but I would also like to add: if you want the VLAN to only communicate with the Internet and not with other parts of the network, then you should NAT it in Nick's fashion and advertise a default static route to your DSL IP...
And under the VLAN you can configure some sort of access-list filtering so users of the VLAN can only communicate with the required network parts...
And it's all up to you how you want to prepare the access-list.
Hope this would be helpful to you.
Regards,
Amit
Please rate helpful posts...
10-15-2012 12:39 PM
Hi Scott,
Any Luck? Anything else you need help with?
Nick
10-15-2012 02:02 PM
First of all....THANK YOU Very much for the responses.
Let me see if I'm getting this right.......
interface Dialer0
 ip address 192.168.1.6 255.255.255.248
 ! .7 would be the broadcast so I changed to .6
 ip mtu 1452
 ip flow ingress
 ip flow egress
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXXXXXXXXXXXXXXXXX
 ppp chap password 7 XXXXXXXXXXXXX
 ppp pap sent-username XXXXXXXXXXXXXX password 7 XXXXXXXXXXXX
!
interface FastEthernet0/1.1
 description vlan3
 ! inside subinterface for the 10.0.80.0/24 subnet
 ! (VLAN tag 3 and gateway address .1 assumed, not stated in the post)
 encapsulation dot1Q 3
 ip address 10.0.80.1 255.255.255.0
 ip nat inside
!
ip nat pool POOL 192.168.1.2 192.168.1.2 netmask 255.255.255.0
! .2 would be the ip I want to use just for vlan 3
!
ip access-list extended ACL_OUTB
 ! feel free to add any traffic you would like, I will use 80 and 443 for this example
 permit tcp 10.0.80.0 0.0.0.255 any eq 80
 permit tcp 10.0.80.0 0.0.0.255 any eq 443
!
ip nat inside source list ACL_OUTB pool POOL overload
What I'm having trouble with is how vlan3 is exclusive to using 192.168.1.2. Can I setup pools for each static ip this way?
I figured that ACL was the key for blocking network access. Thank you for that!
Scott
10-16-2012 01:04 PM
I either got that completely right or completely wrong....
my guess is wrong....
???
10-16-2012 04:19 PM
Hi Scott,
Let me make sure I understand what you are asking: " Can I setup pools for each static ip this way?"
So if you had another network 10.0.70.0/24 on the inside and you wanted to use 192.168.1.3 on the outside?
Yes, you could do it by creating an additional pool with a different name. Another access list with a different name, etc.
Does that help?
10-17-2012 06:25 AM
First off....THANK YOU for responding! I really appreciate it.
You answers are GIANT leaps forward for me. Very cool!
One thing I can't wrap my head around is how this created pool would be exclusive to the particular vlan. Is it because the ACL won't allow anyone else access? If so, wouldn't I have to stop the other routes from allowing the new vlan?
Again, THANK you for taking time to answer my questions!
Scott
10-17-2012 06:33 AM
Hi Scott,
Exactly right. Everything is based on the ACL. You could even put entries toward the top if you wanted certain IPs to not be able to use that pool.
i.e.
3 deny tcp host 10.0.80.17 any eq 80
Does that make sense?
Thanks!
Nick
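Added example, not from the thread or from Cisco: a small Python model of the two places where, as Nick says, "everything is based on the ACL". It covers his NAT-pool config (which access list decides which outside address a flow is translated with) and Scott's question about exclusivity (whether the other NAT rule and the other parts of the LAN also have to be kept away from VLAN 3). The names ACL_OUTB_VLAN3, ACL_OUTB_MAIN and VLAN3_IN, the 10.0.0.0/16 range for the existing LAN, and the treatment of multiple dynamic NAT rules as being tried in configuration order are assumptions of this model, not the thread's configuration or a statement about IOS internals.

```python
import ipaddress

# Constructed model of IOS-style access-list evaluation: first match wins,
# implicit deny at the end. It is used for two different ACL roles:
#  1. NAT ACLs, where "permit" means "translate with this pool" and "deny"
#     means "leave untranslated" (it does NOT drop the packet);
#  2. an inbound interface ACL on the VLAN 3 subinterface, where "permit"
#     means forward and "deny" means drop.

ANY = ipaddress.ip_network("0.0.0.0/0")

def entry(action, proto, src, dst="0.0.0.0/0", port=None):
    """One access-list line: action, protocol, source, destination, destination port."""
    return (action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), port)

def acl_action(acl, proto, src_ip, dst_ip, dport=None):
    """Return 'permit' or 'deny' for one packet (first match wins, implicit deny)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, s, d, port in acl:
        if p in ("ip", proto) and src in s and dst in d and (port is None or port == dport):
            return action
    return "deny"

def nat_outside_address(rules, proto, src_ip, dst_ip, dport=None):
    """rules = [(acl_name, acl, outside_ip)] in the order the 'ip nat inside source
    list' statements are configured (assumed order of evaluation); the first ACL
    that permits the flow decides the outside address. None = not translated."""
    for _name, acl, outside in rules:
        if acl_action(acl, proto, src_ip, dst_ip, dport) == "permit":
            return outside
    return None

def _compatible(a, b):
    """True when two entries can match the same packet (protocol and port)."""
    return ("ip" in (a[1], b[1]) or a[1] == b[1]) and \
           (a[4] is None or b[4] is None or a[4] == b[4])

def _exempted_above(acl, idx, net, like):
    """Does a 'deny <src> any' line above position idx already cover net?"""
    return any(e[0] == "deny" and e[3] == ANY and net.subnet_of(e[2]) and _compatible(e, like)
               for e in acl[:idx])

def overlapping_nat_sources(rules):
    """Defender check: source ranges that two NAT ACLs would both translate.
    Any overlap means the outside address depends on rule order, so
    'VLAN 3 always leaves as .2' is not guaranteed."""
    found = []
    for i, (name_a, acl_a, _) in enumerate(rules):
        for name_b, acl_b, _ in rules[i + 1:]:
            for ia, a in enumerate(acl_a):
                for ib, b in enumerate(acl_b):
                    if a[0] != "permit" or b[0] != "permit":
                        continue
                    if not _compatible(a, b) or not a[2].overlaps(b[2]):
                        continue
                    net = a[2] if a[2].subnet_of(b[2]) else b[2]  # the narrower range
                    if _exempted_above(acl_a, ia, net, b) or _exempted_above(acl_b, ib, net, a):
                        continue
                    hit = (name_a, name_b, str(net))
                    if hit not in found:
                        found.append(hit)
    return found

# Constructed addresses follow the thread: VLAN 3 is 10.0.80.0/24 and must always
# leave as 192.168.1.2; the existing LAN (assumed to be 10.0.0.0/16) leaves as
# the Dialer0 address 192.168.1.6.
ACL_OUTB_VLAN3 = [entry("permit", "tcp", "10.0.80.0/24", port=80),
                  entry("permit", "tcp", "10.0.80.0/24", port=443)]
ACL_OUTB_MAIN_BROKEN = [entry("permit", "ip", "10.0.0.0/16")]     # also covers VLAN 3
ACL_OUTB_MAIN_FIXED = [entry("deny", "ip", "10.0.80.0/24"),        # exempt VLAN 3 first
                       entry("permit", "ip", "10.0.0.0/16")]

def nat_rules(main_acl, vlan_first=True):
    """The two 'ip nat inside source list ... pool ... overload' statements."""
    vlan = ("ACL_OUTB_VLAN3", ACL_OUTB_VLAN3, "192.168.1.2")
    main = ("ACL_OUTB_MAIN", main_acl, "192.168.1.6")
    return [vlan, main] if vlan_first else [main, vlan]

# Inbound ACL on the VLAN 3 subinterface (ip access-group VLAN3_IN in; assumed name):
# deny the rest of the LAN, permit everything else (the Internet).
VLAN3_IN = [entry("deny", "ip", "10.0.80.0/24", "10.0.0.0/16"),
            entry("permit", "ip", "10.0.80.0/24")]

if __name__ == "__main__":
    web = ("tcp", "10.0.80.5", "203.0.113.10", 443)
    ssh = ("tcp", "10.0.80.5", "203.0.113.10", 22)
    print("broken, VLAN rule first:", nat_outside_address(nat_rules(ACL_OUTB_MAIN_BROKEN), *web))
    print("broken, LAN rule first: ", nat_outside_address(nat_rules(ACL_OUTB_MAIN_BROKEN, False), *web))
    print("broken, non-web flow:   ", nat_outside_address(nat_rules(ACL_OUTB_MAIN_BROKEN), *ssh))
    print("fixed, LAN rule first:  ", nat_outside_address(nat_rules(ACL_OUTB_MAIN_FIXED, False), *web))
    print("overlaps (broken):", overlapping_nat_sources(nat_rules(ACL_OUTB_MAIN_BROKEN)))
    print("overlaps (fixed): ", overlapping_nat_sources(nat_rules(ACL_OUTB_MAIN_FIXED)))
    print("VLAN 3 -> LAN host:", acl_action(VLAN3_IN, "tcp", "10.0.80.5", "10.0.1.20", 445))
```

The check worth taking away is the overlap one: if the NAT access list for the rest of the LAN also permits 10.0.80.0/24, any VLAN 3 flow that the narrower ACL_OUTB does not permit (anything other than 80 and 443 in the example) falls through to the other pool and leaves with the wrong outside address. Either add a deny for the VLAN's subnet at the top of the other list, as Nick suggests, or keep the source ranges disjoint. Keep in mind too that a deny in a NAT access list only exempts a flow from translation; actually blocking the VLAN from internal resources is the job of an access list applied to the VLAN interface.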
10-17-2012 07:12 AM
AWESOME! THANK YOU!