Cisco 877 and U-verse NVG510 IP Passthrough - block of public addresses

bbiales00
Level 1

Related to this post:

[Home Network] Motorola NVG510 (IPDSLAM) IP Passthrough

Anybody set up passthrough mode of the Motorola NVG510 router ATT makes you use with U-Verse to a CISCO 877 or similar, with a block of public addresses they want to use?

It is SOOOOO frustrating that I have to deal with this NVG510. It is NOT a very business class router... I am assuming that I need to put it into "passthrough" mode for the Cisco to be able to manage what happens with my assigned public addresses. If there is another way, let me know!


Here's what I plan to do: I've read the "related to" post above, about putting the NVG510 into passthrough mode, and I plan to do this as it discusses. I'll assume that works for now. But it will assign the router's WAN IP Address to the router's "outside" interface, not one of my private IP addresses.  On the Cisco side, here is what I would do:


vlan1 interface is my "inside" private network.


Create vlan2 interface using dhcp to get IP/gateway from the nvg510, or set it up manually, whichever works... This interface will be the "outside" NAT interface. But this interface's address will be the router's WAN address, NOT the first of my 5 public assigned usable addresses...

Here is how it will be set up:

interface FastEthernet0
 switchport access vlan 2
!
interface Vlan2
 description internet
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 crypto map xxxx
!

Then - make it my default NAT interface:

ip nat inside source list 110 interface Vlan2 overload


If I stop there...

I assume I could then NAT ports from my different private addresses to the various servers in my office. But the router won't have an interface with that first assigned-to-me public address. The reason I ask is that we have a site-to-site crypto-map defined, and the interface it is defined on determines the IP Address it will communicate from. I wanted this to be my own assigned public address, not the WAN address of the router... Not sure how I would do that though... Same with the default NAT assigned to vlan2 - by default, machines in access list 110 will get to the internet with the WAN address of the nvg510, not my private address.


So, my question for any Cisco gurus out there...

Can I create interface vlan3, somehow linked to vlan2, give it the first private address in my block, and then move the crypto-map to this interface, and also change the default nat to vlan3 now instead of vlan2?

ip nat inside source list 110 interface Vlan3 overload


How would I go about doing such a thing? I am not a Cisco expert, I understand just the basics... This is a bit more complicated than I can figure out. Or maybe it is not possible?

Will I have to, for any computer that needs unsolicited traffic through the internet to use one of my assigned public addresses, set up a one-to-one NAT for that address to that internal address?  And everyone else is stuck using the WAN address.  If this is the case, it is not right...  What were they thinking when they designed this router and forced us to use it as a business class UVerse customer?  This should NOT be so difficult/complicated...

Any comments / suggestions will be most welcome!

1 Reply 1

bbiales00
Level 1

See http://www.dslreports.com/forum/r26895551-Cisco-877-NVG510-IP-Passthrough-block-of-public-addresses

I got some help there.  Turns out there is no reason to use Passthrough mode in the NVG510 at all. 

Here is what I did, as described in the link above, in case it will help other businesses that get UVerse service and want to connect their existing router/firewall to the Motorola NVG510...

I'm using 1.1.2.56/255.255.255.248 public range in this example for demonstration purposes, where the NVG510 has the .62 address assigned to it. So I get to use .57, .58, .59, .60, and .61.

First, setting up the NVG510 was very simple, though not at all intuitive...

On the NVG510, Home Network/Subnet page, I clicked the radio button to support public addresses through DHCP. While I'm not actually going to use DHCP to assign any addresses, this is where I assign the NVG510 itself the last public address in my public address block assigned to me by ATT, 1.1.2.62 for this discussion. I've turned off the wireless AP, to ensure no other device will be assigned any of these DHCP addresses by accident. The only device plugged into the NVG510 is my Cisco 877 - into FastEthernet0 port.


Now for the Cisco 877 configuration details:

The crypto map will end up communicating with the default address of Vlan2, in this example 1.1.2.57.  If you don't have any site-to-site VPNs, you can ignore the crypto map related lines below.  I already had one set up through Dialer1 interface, so part of this exercise was to ensure it still worked going through the NVG510 instead of the DSL interface I used to use.

Also, the default route is specified as the .62 public address, which I assigned to the NVG510 in the public DHCP section described above.

Any machine address specified in access-list 110 will have access to the internet  through the default address of vlan2 - in this case the .57 address.  Then for inbound traffic, I forward to specific machines at specific addresses.  And I can now NAT inbound traffic from the internet at any of the public IP addresses, any port, as I see fit. The key is that I can NAT the 5 available public IP's the same way I used to when using DSL directly attached to my Cisco 877, but now using Vlan2 instead of the old configuration that used Dialer1, which is no longer there...

Here are the relevant sections of my configuration:

crypto map myMapKey local-address Vlan2
!
...
interface FastEthernet0
 switchport access vlan 2
 no cdp enable
!
...
interface Vlan2
 description internet
 ip address 1.1.2.57 255.255.255.248
 ip address 1.1.2.58 255.255.255.248 secondary
 ip address 1.1.2.59 255.255.255.248 secondary
 ip address 1.1.2.60 255.255.255.248 secondary
 ip address 1.1.2.61 255.255.255.248 secondary
 ip nat outside
 ip virtual-reassembly
 crypto map myMapKey
!
...
ip route 0.0.0.0 0.0.0.0 1.1.2.62
...
ip nat inside source list 110 interface Vlan2 overload
ip nat inside source static tcp 192.168.1.10 80 1.1.2.57 80 extendable
ip nat inside source static tcp 192.168.1.20 80 1.1.2.58 80 extendable
ip nat inside source static tcp 192.168.1.30 80 1.1.2.59 80 extendable
...

I hope this is helpful to someone else trying to do this...
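
Added example, not part of the original reply and not a Cisco tool: a short Python audit of the configuration quoted above. It lists every inside service the static NAT lines publish to the internet, checks that each published address is actually configured on Vlan2 and that the default route points at the NVG510 rather than at the router itself, and reports public addresses with no static mapping. The function name `audit` and the assumption that the input holds only the outside interface's `ip address` lines are choices made for this example.

```python
import ipaddress
import re

# Constructed input: the outside-interface lines quoted from the reply above.
CONFIG = """\
interface Vlan2
 ip address 1.1.2.57 255.255.255.248
 ip address 1.1.2.58 255.255.255.248 secondary
 ip address 1.1.2.59 255.255.255.248 secondary
 ip address 1.1.2.60 255.255.255.248 secondary
 ip address 1.1.2.61 255.255.255.248 secondary
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 1.1.2.62
ip nat inside source list 110 interface Vlan2 overload
ip nat inside source static tcp 192.168.1.10 80 1.1.2.57 80 extendable
ip nat inside source static tcp 192.168.1.20 80 1.1.2.58 80 extendable
ip nat inside source static tcp 192.168.1.30 80 1.1.2.59 80 extendable
"""

ADDR_RE = re.compile(r"^\s*ip address (\d\S+) (\d\S+)", re.M)
ROUTE_RE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\d\S+)", re.M)
NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", re.M)


def audit(config):
    """Return (exposed, findings, unused); assumes one addressed (outside) interface."""
    owned = {ipaddress.ip_address(ip): ipaddress.ip_network(f"{ip}/{mask}", strict=False)
             for ip, mask in ADDR_RE.findall(config)}
    findings = []
    route = ROUTE_RE.search(config)
    if route is None:
        findings.append("no default route")
    else:
        gw = ipaddress.ip_address(route.group(1))
        if gw in owned:
            findings.append(f"default route {gw} is the router's own address")
        elif not any(gw in net for net in owned.values()):
            findings.append(f"default route {gw} is outside the interface subnet")
    exposed = []
    for proto, inside, in_port, public, out_port in NAT_RE.findall(config):
        if ipaddress.ip_address(public) not in owned:
            findings.append(f"static NAT uses {public}, not configured on the interface")
        exposed.append((proto, public, int(out_port), inside, int(in_port)))
    published = {ipaddress.ip_address(e[1]) for e in exposed}
    unused = [str(a) for a in sorted(set(owned) - published)]
    return exposed, findings, unused


if __name__ == "__main__":
    print(audit(CONFIG))
```

The `exposed` list is the inventory to compare against whatever inbound filtering is applied on Vlan2; the quoted sections show none, and the elided parts of the configuration are not visible here.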
