How to configure a Cisco Catalyst 3560 switch that is connected to a Cisco 3825 Integrated Service Router managed by the service provider?

Rabnawaz Anwar
Level 1

The provider has given us a public IP range and says that this is enough information to configure the Cisco Catalyst 3560 interface that is connected to the Cisco 3825 router. But without knowing the IP of the router interface that is connected to the switch, how can we configure it? And what local default gateway address of the router is used for our inside clients?

We have talked to the provider about this issue, but he says, "We could not provide you access to the router. You should configure the switch interface that is connected to the router interface." We are planning to use the 192.168.0.0 range for our local area network and divide it into 4 VLANs for our local network containing different servers, printers, user systems and IP phones. Please help us in configuring the 3750 switch so that we can communicate from the LAN with the router managed by the service provider.


Jon Marshall
Hall of Fame

Couple of confusing things -

1) If they have given you a public range, where are they expecting you to use it? Normally you would have a firewall that would use NAT, but you are connecting the router directly to your switch. The 3560 cannot do NAT, so you would have to use these public IPs on the actual devices if you want them to be accessed from the internet.

A provider usually provides a P2P subnet and then optionally some additional public IPs for your internet access and servers you want to be able to access from the internet.

If this is an internet connection then you really don't want to connect the provider router directly into your switch. You need some protection from the internet. I suspect the provider thinks this is what you have. I really wouldn't recommend connecting this up straight from the router to the switch. As I say, this assumes this is for internet.

2) Your provider needs to give you a default-gateway unless you are using DHCP to get an IP from them. You cannot guess the IP, they need to tell you.

Jon

Hi Jon,

Can you please clear up my following points?

After studying the data sheet and other literature for the Cisco 3825 integrated service router, I have found out that it has advanced security services embedded into it. Also, the main advantage of using an integrated service router is to have integrated services built into it, so we don't have to deploy an extra device for those services.

1) So why are you recommending the use of a firewall device?

2) Also, if we don't use any device between the switch and the router and connect the switch directly to the router managed by the provider, is there any solution for doing that? Can we configure VLANs, with a separate VLAN for Internet having public IPs and other VLANs for voice, data, servers and printers of the internal local network?

Also, if we use a firewall device as you suggest and configure its interface with an IP from the range given by the provider: according to my Cisco knowledge, the primary function of a router is to connect two different networks, and each interface of a router is configured with a different network. But in our case the provider has given us the public IP of the router and a range, and asks us to configure the interface of the router facing toward our local network with a public IP of the same range.

3) Is it the case that the provider has configured the other interface, on which they are providing service, with a different IP outside the range given to us?

1) I recommended a firewall because I assumed that the ISP was simply providing you with a router. If they are configuring the firewall for you on the 3825 then yes, you don't need to have a separate firewall.

2) Yes, you configure a VLAN for using public IPs. That would be the way to do it with what you have. But if the ISP is providing firewalling etc. then I would have thought it would be fairly trivial to do the NAT for you as well. This is where I am unsure of what the provider router is doing.

Do you know for a fact they are doing the firewalling for you?

3) You need to check with your provider as to exactly what they are doing with the router. For example, if you set up a server with a public do you then need to tell the provider the IP and what access you want to allow to it so they can configure the rules.

Even with all that, you still need an IP to use as the default-gateway, so they need to tell you.

Jon

Hi

We have finally decided to use another router, i.e. a Cisco 1841, to connect with the provider router, i.e. the Cisco 3825, and configure it with firewall, VLANs, access lists, etc.

At present I have connected the 1841 router interface FastEthernet0/0 to the service provider 3825 through a crossover cable and configured it with a public IP from the IP range given by the provider. The other interface, FastEthernet0/1, is configured with a local IP, i.e. 192.168.0.1. I have also configured a default route on the internal router to the 3825 router's public IP, and I have configured the default gateway on the 1841 to the IP of the provider router 3825.

Now when I connect a PC to the internal router's FastEthernet0/1 port and configure the PC with 192.168.0.2 and a default gateway of 192.168.0.1 (i.e. the local IP of the 1841 router), I cannot browse the internet. I also cannot ping the service provider router's public IP, but I can ping the 1841 router's interface IPs.

I have also checked the provider service by connecting a PC directly to the 3825 router and configuring it with one of the IPs from the range given by them. The internet service is running, so there is no problem at the service provider's end.

Please help me in configuring the 1841 router. Please tell me what other configuration is needed to use the internet for local clients.

Add this to your 1841 config -

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

ip nat inside source list 101 interface fa0/0

the above should NAT all your 192.168.0.x addresses to the IP assigned to the outside interface of your 1841. The problem you have at the moment is that the 3825 does not know how to route traffic back to the 192.168.0.0/24 network. The above config should sort that out.

Jon

Hi jon,

I still could not ping the 3825 router managed by the provider from a laptop connected to the 1841 router.

I have checked this scenario in Packet Tracer. Same results after adding the configuration suggested by you.

Please help.

hi,

kindly add the "overload" keyword and give it a try.

ip nat inside source list 101 interface fa0/0 overload

Hi,

It takes overload automatically.

But I am still not able to ping the 3825 router.

I want to tell you that I have redrawn this whole scenario in Packet Tracer. If I add a static route on the 3825 router for our local area network, then it can be pinged from the laptop connected to the 1841 router.

Does this mean that we have to contact the service provider and ask him to add a route on their 3825 router for our local area network?

hi,

Could you post your running-config on your 1841?

I don't think it's necessary to contact your ISP since you've mentioned it's working when directly connected using a laptop with the static IPs given to you.

hi,

Here is the running configuration on Cisco 1841 router.

Where: X.X.X.X = PUBLIC IP OF CISCO 3825 ROUTER

Router#sh run
Building configuration...

Current configuration : 597 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address X.X.X.X  255.255.255.248
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip classless

ip route 0.0.0.0 0.0.0.0  X.X.X.X
!
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end


Router#
Router#

RABNAWAZ ANWAR

hi,

you would need to enable NAT on your interfaces and try again.

int f0/0

ip nat out

int f0/1

ip nat in
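The gap this reply closes can be checked mechanically. The following is an added example, not part of any post in the thread and not Cisco tooling: a small Python check that reads a running-config and reports why a PAT rule like the one above translates nothing. The function names are hypothetical, and 203.0.113.2 (documentation range) stands in for the masked X.X.X.X address.

```python
import re

# Constructed sample: the NAT-relevant lines of the 1841 running-config
# posted in the thread, with 203.0.113.2 standing in for X.X.X.X.
POSTED = """\
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.248
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
!
ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
"""

# The same config with the reply's fix applied (written out in full keywords).
FIXED = (POSTED.replace("255.255.255.248\n", "255.255.255.248\n ip nat outside\n")
               .replace("255.255.255.0\n", "255.255.255.0\n ip nat inside\n"))

def parse_interfaces(config):
    """Map interface name -> sub-commands; a block ends at '!' or a blank line."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], [])
        elif line in ("!", ""):
            current = None
        elif current is not None:
            current.append(line)
    return interfaces

def check_nat(config):
    """Return a list of findings; an empty list means the PAT setup is complete."""
    rule = re.search(r"^ip nat inside source list (\S+) interface (\S+)", config, re.M)
    if not rule:
        return ["no 'ip nat inside source list ... interface ...' rule"]
    acl, outside_if = rule.groups()
    interfaces = parse_interfaces(config)
    findings = []
    # Numbered ACLs and named ACLs ('ip access-list extended NAME') both count.
    if not re.search(rf"^(ip )?access-list (\w+ )?{re.escape(acl)}\b", config, re.M):
        findings.append(f"access-list {acl} is referenced by NAT but not defined")
    if "ip nat outside" not in interfaces.get(outside_if, []):
        findings.append(f"{outside_if} is not marked 'ip nat outside'")
    if not any("ip nat inside" in cmds for cmds in interfaces.values()):
        findings.append("no interface is marked 'ip nat inside'")
    return findings

if __name__ == "__main__":
    print("posted:", check_nat(POSTED))
    print("fixed: ", check_nat(FIXED))
```

Without the interface markings, packets from 192.168.0.x leave untranslated, which is why the 3825 had no route back to them.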

Thanks John, the problem is solved. Now it's working.

But a new problem occurred when we deployed the router in our production network. The DHCP configured previously with the other service provider is not offering IPs to the clients. We have restarted the service, but it is unable to give IPs.

When we connect our LAN to the previous service provider's router, it starts offering IPs.

Please suggest.

Hi,

Glad to hear it's now working. You would need to enable DHCP on your 1841 this time:

Router(config)#ip dhcp excluded-address 192.168.0.1 192.168.0.10

Router(config)#ip dhcp pool LAN

Router(dhcp-config)#network 192.168.0.0 255.255.255.0

Router(dhcp-config)#default-router 192.168.0.1

Router(dhcp-config)#dns-server 4.2.2.2

Please don't forget to rate helpful posts. Thanks!


Hi,

We are currently using a Cisco 1841 router connected to the service provider router and plan to replace this router in future with a Cisco firewall. Kindly guide me in selecting among Cisco firewall products, as I have searched and found different security products. We do not require an advanced-level product, just a simple product that has firewall and VPN support and is easily configurable and manageable.