
routing between external public and internal private nets


csross (MIS) · Joined Dec 21, 2003 · Messages 92 · Location US
My network at work is bounded on both sides by Cisco routers. One Cisco is connected to the internet via T1 lines. The Ethernet interface is a public address (192.123.60.1). On the other side, I have a 3620 with 3 interfaces that connects to cablevision and is replacing my cablemodem router. It gets a DHCP address on the interface connected to cablevision. On another interface it supplies addresses to a 10 PC network and NATs. On the 3rd interface, I have the address 192.123.60.243, to provide a bridge between the two networks.

All functionality is working except the communication between the 192 and 10 networks. They can ping their respective interfaces, but they can't talk to each other.

Here is the configuration. I tried it without an acl on the inbound fe0/0 (cable) interface, without success.

------------------------------

Current configuration : 1775 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 10router
!
boot system flash slot0:c3620-io3-mz.122-15.T12.bin
logging queue-limit 100
ip subnet-zero
!
!
ip name-server 192.123.60.2
ip name-server 192.123.60.173
ip name-server 66.88.81.177
ip dhcp excluded-address 10.1.1.1 10.1.1.100
ip dhcp excluded-address 10.1.1.254

ip dhcp pool 10network
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
dns-server 192.123.60.2 192.123.60.173 66.88.81.177
!
ip audit notify log
ip audit po max-events 100
!
interface FastEthernet0/0
ip address dhcp
ip access-group 101 in
ip nat outside
duplex auto
speed auto

interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.123.60.243 255.255.255.0
shutdown
duplex auto
speed auto
!
interface FastEthernet1/1
no ip address
shutdown
duplex auto
speed auto

ip nat inside source list 1 interface FastEthernet0/0 overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 101 deny icmp any any log
access-list 101 deny tcp any any eq telnet log
access-list 101 deny tcp any any eq ftp log
access-list 101 deny tcp any any eq ftp-data log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny ip 225.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 permit ip any any
 
I am assuming that all machines on the 192.123.60.x subnet are using 192.123.60.1 as the default gateway. This router that connects to the internet via T1 probably has no route back to the 10.1.1.x subnet. You could solve this by using static routes or by using a routing protocol such as EIGRP.

Try placing this static route on the router connected to the T1:
ip route 10.1.1.0 255.255.255.0 192.123.60.243
 
I can't do that because of a problem it may cause with our product.

The 10 network has an ip nat inside statement, the FE0/0 is ip nat outside and then I overload the FE0/0 interface to cablevision. What I was thinking is to do the same thing with the FE1/0 interface. Specify it as ip nat outside, and using the same source list (1) and overload it:

ip nat inside source list 1 interface FastEthernet1/0 overload. I'm thinking this interface is very similar to the other interface connected to cablevision and it has a 192 address.

Any Thoughts?
 
Doing that would allow the machines in the 10 network to be nat'ed to "1" 192 address. The problem would occur when you wanted to access a 10 machine from a 192 machine. How would you specify which machine to access? Forgive me, but I am still leaning towards simply putting in one static route on the router connected to the T1. The only traffic that would be affected is the traffic from the 192 network to the 10 network.
 
I am going to add the route to the 10 network on the internet router via 192.123.60.243, but I want to limit unwanted traffic to the 10 network from the outside (which probably won't happen but you never know). I only want traffic that originated on the 10 to come back. I could use the established keyword on an ACL, but that's only TCP traffic and our DNS, etc., servers are on the 192 network. I also don't want any SYN packets coming into the 10 network via the 192.123.60.243. Any ideas on an access list for the inbound 192.123.60.243 interface?

Thanks
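As an added example (not from the thread and not the poster's config): one way to build the inbound filter asked about on FastEthernet1/0 is an IOS reflexive access list, which records each session the 10 network opens toward the 192 side (UDP DNS included, which the `established` keyword cannot track) and admits only the matching replies. Interface and address values are the ones posted; the list names FROM10, TO10 and RETURN10 are assumed, and the interface is brought up since the posted config shows it shut down.

```cisco
! Outbound on Fa1/0: sessions opened by 10.1.1.0/24 toward the 192 side
! each create a temporary reverse entry in the reflexive list RETURN10.
ip access-list extended FROM10
 permit tcp 10.1.1.0 0.0.0.255 any reflect RETURN10
 permit udp 10.1.1.0 0.0.0.255 any reflect RETURN10
 deny ip any any log
!
! Inbound on Fa1/0: only replies matching a tracked session are admitted.
! A fresh TCP SYN or unsolicited UDP from 192.123.60.x falls through to
! the deny. ICMP is not covered by this pair and stays blocked.
ip access-list extended TO10
 evaluate RETURN10
 deny ip any any log
!
! Idle sessions age out of RETURN10 after this many seconds (assumed value).
ip reflexive-list timeout 120
!
interface FastEthernet1/0
 ip address 192.123.60.243 255.255.255.0
 ip access-group FROM10 out
 ip access-group TO10 in
 no shutdown
```

The T1 router still needs the static route to 10.1.1.0/24 via 192.123.60.243 from the earlier reply, since the reflexive entries only let replies through; they do not steer them back to this router.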
 