Help on a Cisco router 1812

Status
Not open for further replies.

testing1234 (IS-IT--Management), Nov 3, 2004
Hope someone can help.

I thought this would be a simple task but I must be getting confused.

This is what I am trying to do.

fe0 will be going out to the internet with an external address 217.150.x.x

With vlan1 being 10.10.10.1 255.255.255.248 on ports fe2 to fe5

vlan2 with ports fe6-fe9: I want to be able to connect a firewall with one of the external addresses 217.150.x.x so the firewall can use the 1812 router to get out to the internet.

I would be grateful for any ideas.

ed
 
This is what I have so far.

BCR-01#sh run
Building configuration...

Current configuration : 4902 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname BCR-01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
logging console critical
enable secret 5 $1$/ba3$KiM9sHtO8L7PlCm6fhPEh0
enable password 7 02005449095701
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
no ip routing
!
!
no ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-4138671831
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4138671831
revocation-check none
rsakeypair TP-self-signed-4138671831
!
!
crypto pki certificate chain TP-self-signed-4138671831
certificate self-signed 01
3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313338 36373138 3331301E 170D3038 30343136 31343436
35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31333836
37313833 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E1EA E4F0213F 039E40CB 50D7A3CF FA825CC4 E5F73771 B97E1809 A86BD628
AF15459E CCE21B83 BC6EAEA2 E2EB49C5 17948564 5A6FFA9E 6CC259A4 9C694BC5
A0321532 A6ADE5B1 097A59F1 41369519 D6D42F07 9E73E5DA 272CB432 6FAD8FA2
638F3A3E D8BF5B1C 6500D6E3 32BA0DDF EDD05504 12491519 DE8EBA40 B2A70DE8
68230203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
551D1104 0A300882 06424352 2D303130 1F060355 1D230418 30168014 F1987ACC
D0188B69 135B448C 89994194 CB41F9FC 301D0603 551D0E04 160414F1 987ACCD0
188B6913 5B448C89 994194CB 41F9FC30 0D06092A 864886F7 0D010104 05000381
810013E8 C3175543 AE76C8CD 4F52DC9B 01B9832F B7F787AE 9FCA749F C71A3E86
7028865B 5CFB02F2 9FB5FAAF 46F9A8E3 9BFCF516 1AE0C81B 345F1CC0 A3B228A4
BEC291E7 FCAE3B81 A75F6BD6 59009D4F 567A1040 533907BE BBD85A05 9D1AD91D
9131B110 CB03F111 17717B8C 5A933EF8 E43569F5 B6011180 467B8465 95B74562 1D9B
quit
username admin privilege 15 secret 5 $1$Y.Gv$bHEt33Oe5OL2LOZffjYqE.
!
!
!
!
!
!
interface FastEthernet0
description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
ip address 217.150.xx.xx 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
switchport access vlan 2
!
interface FastEthernet7
switchport access vlan 2
!
interface FastEthernet8
switchport access vlan 2
!
interface FastEthernet9
switchport access vlan 2
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.248
ip access-group sdm_vlan1_in in
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
ip tcp adjust-mss 1452
!
interface Vlan2
no ip address
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
no ip route-cache
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended access1
remark allow out from internal network
remark SDM_ACL Category=1
permit ip any any
ip access-list extended sdm_fastethernet0_in
remark permit any
remark SDM_ACL Category=1
permit ip any any
ip access-list extended sdm_vlan1_in
remark SDM_ACL Category=1
remark Allow all Acess
permit ip any any
ip access-list extended sdm_vlan2_in
remark SDM_ACL Category=1
remark vlan2 to fe0
permit ip any any
ip access-list extended sdm_vlan2_out
remark SDM_ACL Category=1
permit ip any any
!
logging trap debugging
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
password 7 094A1E1B1B5419
transport input telnet ssh
line vty 5 15
password 7 094A1E1B1B5419
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
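Before the routing question gets answered, the posted config deserves the check the thread never makes on it: `enable password 7` and the vty `password 7` lines are type 7 strings, which `service password-encryption` only obfuscates, and the SDM-generated ACLs, HTTP server and telnet listener are all still in place. The following auditor is an added example, not code from the poster, from Burt or from Cisco. It assumes Python 3; the type 7 XOR key and the `cisco` -> `14141B180F0B` test vector are the publicly documented ones, `SAMPLE_CONFIG` is constructed from lines quoted above, and the function names (`type7_decode`, `audit`, `named_acls`) are my own.

```python
"""Audit a Cisco IOS running-config for the weak management settings visible
in the thread.  Added example, not code from the thread or from Cisco.  The
type 7 XOR key and the 'cisco' -> 14141B180F0B test vector are the publicly
documented ones; SAMPLE_CONFIG is constructed from lines quoted on the page."""
import re
from collections import Counter

# Fixed key behind "service password-encryption" (type 7).  Type 7 is
# obfuscation, not hashing: anyone holding the config reverses it instantly.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(enc: str) -> str:
    """Reverse a type 7 string: two decimal digits of seed, then hex bytes,
    each XORed with the key byte at (seed + position) mod len(key)."""
    if len(enc) < 4 or len(enc) % 2:
        raise ValueError("malformed type 7 string")
    seed, data = int(enc[:2]), bytes.fromhex(enc[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(data))


def type7_encode(plain: str, seed: int = 14) -> str:
    """Forward direction; only here to self-check the decoder."""
    body = "".join(f"{c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}"
                   for i, c in enumerate(plain.encode()))
    return f"{seed:02d}{body}"


# (regex on one config line, finding, suggested replacement)
LINE_CHECKS = [
    (r"^enable password 7 (\S+)",
     "enable password is type 7 (reversible) and duplicates enable secret",
     "no enable password"),
    (r"^ password 7 (\S+)",
     "line password is type 7 (reversible)",
     "login local   ! with a 'username ... secret' account"),
    (r"^ transport input .*\btelnet\b",
     "telnet accepted on management lines", "transport input ssh"),
    (r"^ip http server$",
     "cleartext HTTP management enabled", "no ip http server"),
    (r"^no ip routing$",
     "IP forwarding disabled, so VLAN1 cannot be routed to FastEthernet0",
     "ip routing"),
]


def named_acls(config: str) -> list:
    """Collect named extended ACLs as (name, line_no, entries), skipping remarks."""
    acls, inside = [], False
    for n, raw in enumerate(config.splitlines(), 1):
        m = re.match(r"ip access-list extended (\S+)", raw)
        if m:
            acls.append((m.group(1), n, []))
            inside = True
        elif inside and raw.startswith(" "):
            if not raw.strip().startswith("remark"):
                acls[-1][2].append(raw.strip())
        else:
            inside = False
    return acls


def audit(config: str) -> list:
    """Return (line_no, finding, fix) tuples; line 0 marks config-wide findings."""
    findings, type7_plaintexts = [], []
    for n, raw in enumerate(config.splitlines(), 1):
        for pat, what, fix in LINE_CHECKS:
            m = re.match(pat, raw.rstrip())
            if m:
                findings.append((n, what, fix))
                if m.groups():
                    type7_plaintexts.append(type7_decode(m.group(1)))
    for name, n, entries in named_acls(config):
        if entries == ["permit ip any any"]:
            findings.append((n, f"ACL {name} permits everything and filters nothing",
                             f"no ip access-list extended {name}"))
    # Report reuse without printing the recovered plaintext.
    for plain, count in Counter(type7_plaintexts).items():
        if count > 1:
            findings.append((0, f"the same type 7 password ({len(plain)} chars) appears {count} times",
                             "use distinct secrets; never post type 7 strings publicly"))
    return findings


# Constructed from lines quoted in the post above (values exactly as posted).
SAMPLE_CONFIG = """\
hostname BCR-01
no ip routing
enable secret 5 $1$/ba3$KiM9sHtO8L7PlCm6fhPEh0
enable password 7 02005449095701
ip http server
ip http secure-server
ip access-list extended sdm_vlan1_in
 remark Allow all Acess
 permit ip any any
ip access-list extended sdm_vlan2_in
 remark vlan2 to fe0
 permit ip any any
line vty 0 4
 password 7 094A1E1B1B5419
 transport input telnet ssh
"""

if __name__ == "__main__":
    assert type7_decode(type7_encode("cisco")) == "cisco"
    for line_no, what, fix in audit(SAMPLE_CONFIG):
        print(f"line {line_no:>2}: {what}\n         fix: {fix}")
```

Run it as a script and it lists each finding with the line it came from. Two things it surfaces are worth spelling out: with `aaa new-model` and `aaa authentication login default local` in place, the vty `password 7` is never consulted (logins go to the local `username admin ... secret` account), so that line is dead config that still leaks a reversible password; and `enable secret 5` is salted MD5, which is hashed rather than obfuscated but fast to brute-force, so it should not share its value with anything type 7. The same checks apply to the bridged design posted at the end of the thread: BVI1 puts the router's own telnet and HTTP listeners on the public /28 in front of the firewall, so SSH-only vty access and an `access-class` on the vty lines matter more there, not less.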
 
These are a waste of time and resources...
ip access-list extended access1
remark allow out from internal network
remark SDM_ACL Category=1
permit ip any any
ip access-list extended sdm_fastethernet0_in
remark permit any
remark SDM_ACL Category=1
permit ip any any
ip access-list extended sdm_vlan1_in
remark SDM_ACL Category=1
remark Allow all Acess
permit ip any any
ip access-list extended sdm_vlan2_in
remark SDM_ACL Category=1
remark vlan2 to fe0
permit ip any any
ip access-list extended sdm_vlan2_out
remark SDM_ACL Category=1
permit ip any any

and therefor, this is not needed...

interface Vlan1
ip access-group sdm_vlan1_in in

In order for your vlan 1 to get out, you need NAT...
access-list 1 permit 10.10.10.0 0.0.0.7
ip nat inside source list 1 interface FastEthernet0 overload
interface FastEthernet0
ip nat outside
interface Vlan1
ip nat inside

This should actually be under int fa0...
ip tcp adjust-mss 1452

Tell me where you're at after those changes.

Burt
 
Burt

Can I give you access to the router so you can look at it?

I got advice to create a vlan2 with a public ip address so I can plug the firewall in there.

The router should not be doing any NAT. It should allow access in and out from any.

Give me your email address so I can give you the info.

Regards

 
Why not put the firewall in front of the router and NAT with the firewall if necessary? I'm not following you on why vlan 1 is not to be natted, yet still get out to the internet...

Burt
 
Hi Burt

Thanks for the effort. I have it all sorted.

regards
 
Here is the answer.

bridge irb
!
interface FastEthernet0
no ip address
bridge-group 1
!
interface FastEthernet6
switchport access vlan 2
no shutdown
!
interface FastEthernet7
switchport access vlan 2
no shutdown
!
interface FastEthernet8
switchport access vlan 2
no shutdown
!
interface FastEthernet9
switchport access vlan 2
no shutdown
!
interface Vlan2
no ip address
bridge-group 1
!
interface BVI1
ip address 217.150.x.x 255.255.x.x
no shutdown
!
ip default-network 0.0.0.0
ip route 0.0.0.0 0.0.0.0 217.150.x.x
!
bridge 1 protocol ieee
bridge 1 route ip
!
 