12-20-2014 11:22 PM - edited 03-07-2019 09:58 PM
ISP provided a Managed Services Router 800 Series configured with a static public IP and two DHCP pools for our fixed & wireless LAN (10.10.10.0/32 - LAN & 10.10.11.0/32 - Wi-Fi).
I have a Cisco 2921/K9 to put behind this Managed Services Router 800 Series and all LAN clients should route from the 2921.
Any suggestions on the configuration? I don't have any access to the Managed Services Router (blocked by ISP).
Internet<<<<<<(Cisco 800 - ISP Managed Services Router ) << - >> (Cisco 2921) <<< - >>> LAN Users
12-21-2014 03:30 PM
Hello
ip dhcp pool LAN-WIFI
 network 10.10.10.0 /24
 network 10.10.11.0 /24 secondary
  override default-router 10.10.11.254
 default-router 10.10.10.254
 dns-server 8.8.8.8 8.8.4.4
 lease 0 12
ip dhcp excluded-address 10.10.10.254
ip dhcp excluded-address 10.10.11.254
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
ip access-list extended inbound-wan-traffic
 deny ip any any
! y/y = public WAN interface, x.x.x.x y.y.y.y = its IP and mask
int y/y
 ip address x.x.x.x y.y.y.y
 no shut
 ip nat enable
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 ip access-group inbound-wan-traffic in
 ip inspect CBAC out
! x/x = LAN interface
int x/x
 no shut
 ip nat enable
int x/x.10
 description LAN-Users
 encapsulation dot1Q 10
 ip address 10.10.10.254 255.255.255.0
 no shut
 ip nat enable
int x/x.11
 description WLAN-Users
 encapsulation dot1Q 11
 ip address 10.10.11.254 255.255.255.0
 no shut
 ip nat enable
! x.x.x.x = public WAN next hop
ip route 0.0.0.0 0.0.0.0 x.x.x.x
! wildcard 0.0.1.255 matches both 10.10.10.0/24 and 10.10.11.0/24
access-list 10 permit 10.10.10.0 0.0.1.255
ip nat source list 10 interface y/y overload
res
Paul
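The NAT source list in the configuration above has to match every inside subnet, and a wildcard mask that is off by a few bits silently leaves a VLAN untranslated or matches ranges nobody intended. The following is an added example, not part of the original post: it applies IOS wildcard semantics to the two subnets from this thread, and the candidate wildcards and helper names are constructed for illustration.

```python
import ipaddress

# Inside subnets taken from the sub-interfaces in the posted configuration.
INSIDE_SUBNETS = ["10.10.10.0/24", "10.10.11.0/24"]


def acl_matches(acl_addr: str, wildcard: str, host: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    addr = int(ipaddress.IPv4Address(acl_addr))
    wild = int(ipaddress.IPv4Address(wildcard))
    target = int(ipaddress.IPv4Address(host))
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (target & care)


def covers_subnet(acl_addr: str, wildcard: str, subnet: str) -> bool:
    """True only if every address in the subnet matches the ACL entry."""
    net = ipaddress.IPv4Network(subnet)
    return all(acl_matches(acl_addr, wildcard, str(ip)) for ip in net)


def coverage(acl_addr: str, wildcard: str) -> dict:
    """Map each inside subnet to whether the ACL entry fully covers it."""
    return {s: covers_subnet(acl_addr, wildcard, s) for s in INSIDE_SUBNETS}


if __name__ == "__main__":
    # Constructed candidates for 'access-list 10 permit 10.10.10.0 <wildcard>'.
    for wildcard in ("0.0.0.255", "0.0.1.255", "0.0.254.255"):
        print(wildcard, coverage("10.10.10.0", wildcard))
    # A non-contiguous wildcard also matches subnets outside the design.
    print(acl_matches("10.10.10.0", "0.0.254.255", "10.10.200.5"))
```

On the router itself, `show access-lists 10` shows hit counters per entry, which confirms whether traffic from each VLAN is actually matching the NAT source list.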
12-20-2014 11:31 PM
What is the exact model of 800 router and what is your WAN speed?
Why can't you remove the 800 and use the more-powerful 2921 instead?
12-20-2014 11:48 PM
ISP Managed Services Router is Cisco 887 VA (ADSL) and WAN speed is 20 Mbps.
We cannot remove this Managed Services Router, however 2921 is newly purchased with CME and we like to configure this 2921 as DHCP for LAN Users and Internet services.
12-21-2014 03:57 AM
WAN speed is 20 Mbps.
887 and 20 Mbps speed? Is this Upload & Download 20 Mbps? Because I think your ISP has just "double crossed" you.
880 is rated at 25.6 Mbps. The value of 25.6 Mbps is expressed in single-directional data traffic: either Upload OR Download. Cisco 1941 can do 40 Mbps in both directions and with encryption. 880 can only do about 15 Mbps upload and 15 Mbps download and without encryption.
12-21-2014 05:23 AM
Leo, the download is 20 Mbps and 1 Mbps upload... the problem that needs to be fixed here is to configure the 2921 as gateway to my LAN... as the ISP blocked the configuration and I can only obtain an IP dynamically from the 800 in the 10.10.10.0/32 subnet.
12-21-2014 11:10 PM
I will implement this on 2921 and let you know guys..
Thanks for the help!
12-29-2014 10:12 PM
hi guys,
A little help required as I am already through with this issue...
I have successfully configured my own 2921 to work with the ISP router with IP NAT; Internet is working for all my LAN users. CONFIGURATION OF 2921 attached.
After connecting the VPN from outside to the managed services router... I am able to reach my 2921 (10.10.10.100) using telnet.. but unable to access the internal LAN interface, which is (10.10.100.1), onwards....
ISP Managed Router (10.10.10.1) >>>>>>>>>> (10.10.10.100) MY Router (2921) (10.10.100.1)>>>>>>>>>>DHCP Users (10.10.100.21 to 100)
Please give suggestions and advise if I need to do some more settings on the 2921,
or what configuration I should ask the ISP to include in their managed services router.... they already included the below in the access list.
access-list 10 permit 10.10.100.0 0.0.0.255
Regards,
Waqas
12-21-2014 08:11 AM
You need a default route on the 2921 to point to the next-hop (the ip address of the 800 router). This way all traffic coming from your internal vlans use the default route to get out to Internet. You also need one interface on the 2921 that connects to your internal switch. Since you have multiple vlans (voice and data) you need to trunk that interface to the switch with sub-interfaces and also trunk the switch side.
Question, you said
ISP Provided a Managed Services Router 800 Series configured with Static Public IP
but you are showing private IPs (10.10.10.0/32 - LAN & 10.10.11.0/32 - Wi-fi)
So did the provider give public IPs or you are using private?
What is the IP address of the interface that connects to the 800 router?
Can you provide "sh run" from your 2921 router?
HTH
12-21-2014 12:38 PM
He has one public address the way I read it.
The provider has given him two private scopes (for which he has the subnet incorrect!)
Martin