Cisco 2801 Configuration Discussion

Discussion in 'Cisco' started by MCScrapE, Feb 24, 2005.

  1. MCScrapE

    MCScrapE Guest

    I have a 2801 with the Advanced IP feature set. I have two T1s from
    different ISPs and I will use BGP for them. Internally I have 50 vlans
    which I plan to configure by using sub-interfaces on fa0/0. I also
    need to establish a VPN tunnel from this 2801 to a PIX at another site.
    Finally, I will be using NAT.

    At other locations I have been using 2 1760s - 1 as the edge router to
    terminate the T1s and the other as the firewall/internal router. My
    thinking is to converge all of the functions of the two 1760s into one
    2801.

    I am stuck on how to do the NAT on a single 2801. I have my switch
    stack configured with a trunk port that would connect to fa0/0 which
    would as I mentioned be sub-interfaced with private IP addresses. My
    thinking is that I somehow have to configure fa0/1 with public IP
    address ending in .1 and configure routing somehow to use fa0/1 as a
    "bridge". Thus fa0/1 would be my outside interface and fa0/0 would be
    the inside interface.

    Maybe I am over-complicating the situation and I just have to set my
    interfaces appropriately and set the ip routes to use the serial
    interfaces and the NAT commands will do what I am looking to do. Or
    maybe I should just get a cheap router to use as an edge router and
    stick with the 2 router setup. Any suggestions would be appreciated.
    Thank you.
     
    MCScrapE, Feb 24, 2005
    #1

  2. MCScrapE

    cabinmirror Guest

    Your setup is not ideal as far as security goes (ideal would be
    external router, firewall, internal router), but it is workable.

    Use a loopback interface for your ".1" public ip address:

    int loopback 0
    ip address pub-ip-r.r.r.1 255.255.255.0

    This is not your "outside" interface for NAT, but now your router knows
    about your routable IP block (aka your NAT pool). I believe you will
    still need to add a static route for BGP purposes.

    Your "ip nat outside" statements will be on both serial interfaces,
    your "ip nat inside" will be on all your internal sub interfaces:

    int f0/0.x
    ip address x.x.x.x 255.255.255.0
    ip nat inside

    int f0/0.y
    ip address y.y.y.y 255.255.255.0
    ip nat inside

    int s0
    ip address isp-a.a.a.a 255.255.255.252
    ip nat outside

    int s1
    ip address isp-b.b.b.b 255.255.255.252
    ip nat outside

    ! the pool name here must match the one referenced by the
    ! "ip nat inside source list" line below
    ip nat pool internet pub-ip-r.r.r.20 pub-ip-r.r.r.220 netmask 255.255.255.0
    ip nat inside source list 130 pool internet overload
    ! "deny" in a NAT ACL means "do not translate", not "drop"
    access-list 130 remark ***nat list denying vpn destinations***
    access-list 130 deny ip x.x.x.0 0.0.0.255 remote vpn network
    access-list 130 deny ip y.y.y.0 0.0.0.255 remote vpn network
    access-list 130 permit ip any any
     
    cabinmirror, Feb 24, 2005
    #2
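The NAT-exemption logic in the reply above, modelled as an added example (not code from the thread): IOS wildcard matching and the permit-means-translate, deny-means-leave-alone semantics of a "ip nat inside source list" ACL, plus a check for inside VLANs the ACL forgot to exempt. The subnet values are constructed stand-ins for the post's x.x.x.0, y.y.y.0 and "remote vpn network" placeholders.

```python
import ipaddress

# Constructed values standing in for the post's placeholders: two inside
# VLAN subnets and the network behind the PIX at the far end of the tunnel.
INSIDE_X = "10.10.1.0"
INSIDE_Y = "10.10.2.0"
REMOTE_VPN = "192.168.50.0"

# access-list 130 from the post as (action, src, src_wc, dst, dst_wc).
# "any" is 0.0.0.0 with wildcard 255.255.255.255, exactly as IOS stores it.
ACL_130 = [
    ("deny", INSIDE_X, "0.0.0.255", REMOTE_VPN, "0.0.0.255"),
    ("deny", INSIDE_Y, "0.0.0.255", REMOTE_VPN, "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'
    (the inverse of a subnet mask, a common source of ACL mistakes)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def nat_decision(acl, src, dst):
    """First-match evaluation of a NAT source list for one packet.
    permit -> the packet is translated; deny -> it is sent untranslated
    (not dropped); falling off the end is an implicit deny, also untranslated."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return "translate" if action == "permit" else "exempt"
    return "implicit-deny"


def vlans_leaking_into_nat(acl, inside_subnets, remote_host):
    """Inside subnets (CIDR strings) whose traffic to the VPN site would still
    be NATed. With 50 VLANs and only two deny lines this is the misconfig
    to look for: a translated source never matches the crypto ACL, so the
    tunnel silently fails for that VLAN. Probes one host per subnet."""
    leaking = []
    for subnet in inside_subnets:
        host = str(ipaddress.IPv4Network(subnet)[10])
        if nat_decision(acl, host, remote_host) == "translate":
            leaking.append(subnet)
    return leaking
```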

  3. MCScrapE

    Hansang Bae Guest

    Are you only going to get 0/0? Do you care which subinterface uses what T1?

    Why not use your serial interfaces if you don't care which T1 is used?

    That would work as well. I would advise not doing NAT-on-a-stick as
    sending packets to the loopback causes them to be process switched.



    --

    hsb


    "Somehow I imagined this experience would be more rewarding" Calvin
    **************************ROT13 MY ADDRESS*************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Feb 25, 2005
    #3