Cisco 2801 Configuration Discussion

Discussion in 'Cisco' started by MCScrapE, Feb 24, 2005.

  1. MCScrapE

    MCScrapE Guest

    I have a 2801 with the Advanced IP feature set. I have two T1s from
    different ISPs and I will use BGP for them. Internally I have 50 vlans
    which I plan to configure by using sub-interfaces on fa0/0. I also
    need to establish a VPN tunnel from this 2801 to a PIX at another site.
    Finally, I will be using NAT.

    At other locations I have been using 2 1760s - 1 as the edge router to
    terminate the T1s and the other as the firewall/internal router. My
    thinking is to converge all of the functions of the two 1760s into one.

    I am stuck on how to do the NAT on a single 2801. I have my switch
    stack configured with a trunk port that would connect to fa0/0 which
    would as I mentioned be sub-interfaced with private IP addresses. My
    thinking is that I somehow have to configure fa0/1 with public IP
    address ending in .1 and configure routing somehow to use fa0/1 as a
    "bridge". Thus fa0/1 would be my outside interface and fa0/0 would be
    the inside interface.

    Maybe I am over-complicating the situation and I just have to set my
    interfaces appropriately and set the ip routes to use the serial
    interfaces and the NAT commands will do what I am looking to do. Or
    maybe I should just get a cheap router to use as an edge router and
    stick with the 2 router setup. Any suggestions would be appreciated.
    Thank you.
    MCScrapE, Feb 24, 2005

  2. cabinmirror

    cabinmirror Guest

    Your set up is not ideal as far as security goes (ideal would be
    external router, firewall, internal router), but it is workable.

    Use a loopback interface for your ".1" public ip address:

    int loopback 0
     ! mask is a placeholder: use the mask of your public block
     ip address pub-ip-r.r.r.1 pub-ip-mask

    This is not your "outside" interface for NAT, but now your router knows
    about your routable IP block (aka your NAT pool). I believe you will
    still need to add a static route for BGP purposes.

    Your "ip nat outside" statements will be on both serial interfaces,
    your "ip nat inside" will be on all your internal sub interfaces:

    int f0/0.x
     ip address x.x.x.x x-mask
     ip nat inside

    int f0/0.y
     ip address y.y.y.y y-mask
     ip nat inside

    int s0
     ip address isp-a.a.a.a isp-a-mask
     ip nat outside

    int s1
     ip address isp-b.b.b.b isp-b-mask
     ip nat outside

    ! The pool name must match the one on the "ip nat inside source" line;
    ! netmask is the mask of your public block (placeholder here).
    ip nat pool internet pub-ip-r.r.r.20 pub-ip-r.r.r.220 netmask pub-ip-mask
    ip nat inside source list 130 pool internet overload
    ! Wildcard masks and the remote VPN network are placeholders.
    access-list 130 remark ***nat list denying vpn destinations***
    access-list 130 deny ip x.x.x.0 x-wildcard vpn-net vpn-wildcard
    access-list 130 deny ip y.y.y.0 y-wildcard vpn-net vpn-wildcard
    access-list 130 permit ip any any
    cabinmirror, Feb 24, 2005
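A fuller version of that layout, as an added example that is not cabinmirror's config or anything from the thread: every address, interface name and label such as SITE-VPN is an assumption. It shows why the deny entries in the NAT list matter: NAT runs before IPsec on egress, so the NAT list and the crypto ACL are mirror images of each other.

```ios
! Added example (not cabinmirror's config): one 2801 doing NAT for the
! inside VLANs, with traffic to the remote VPN site exempted from NAT.
! All addresses are constructed placeholders from RFC 5737 ranges.
interface Loopback0
 ip address 203.0.113.1 255.255.255.0
!
interface FastEthernet0/0.10
 description VLAN 10, one of the inside sub-interfaces (repeat per VLAN)
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 description T1 to ISP A
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map SITE-VPN
!
interface Serial0/0/1
 description T1 to ISP B
 ip address 198.51.100.6 255.255.255.252
 ip nat outside
 crypto map SITE-VPN
!
! Translation pool from the public block; the pool name here must match
! the name on the "ip nat inside source" line.
ip nat pool INTERNET 203.0.113.20 203.0.113.220 netmask 255.255.255.0
ip nat inside source list 130 pool INTERNET overload
!
! NAT is applied before IPsec on egress, so traffic for the site behind
! the PIX (192.168.50.0/24) is denied here; otherwise it gets translated
! and never matches the crypto ACL below.
access-list 130 deny   ip 10.1.0.0 0.0.255.255 192.168.50.0 0.0.0.255
access-list 130 permit ip 10.1.0.0 0.0.255.255 any
!
! Crypto ACL is the mirror image of the deny line above.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 192.168.50.0 0.0.0.255
!
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 192.0.2.10
crypto ipsec transform-set TS-SITE esp-aes 256 esp-sha-hmac
crypto map SITE-VPN 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS-SITE
 match address VPN-TRAFFIC
```

The PIX side needs the reverse of VPN-TRAFFIC as its crypto ACL and the same NAT exemption for 192.168.50.0/24 to 10.1.0.0/16, or the tunnel will only pass traffic in one direction.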

  3. Hansang Bae

    Hansang Bae Guest

    Are you only going to get 0/0? Do you care which subinterface uses what T1?

    Why not use your serial interfaces if you don't care which T1 is used?

    That would work as well. I would advise not doing Nat-on-a-stick as
    sending packets to the loopback causes it to be process switched.



    "Somehow I imagined this experience would be more rewarding" Calvin
    **************************ROT13 MY ADDRESS*************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    Hansang Bae, Feb 25, 2005
