A simple? Cisco question

By kwoerner

I'll pay 3000 points for this.
I'm new to Cisco and need to set up a router between the inside of my firewall and the network. The why is long and drawn out, but there's a reason.
Here's how I need it set. I want my computers to use this router as a gateway. The inside port (e0) of the router has an IP address of 10.2.1.1/13. This is the gateway I want to point my computers at. The outside port of the router (e1) has an address of 10.1.1.1/13. The next port is the inside of the firewall, 10.2.1.20/13. The outside port of the firewall is a public address, then on to another router and the T1. If I can just get all outbound traffic to hit the inside port of the firewall, it should take care of it from there.
So here's the question. I've set the IP addresses on each of the ports, so what else do I need to do and how? Let me know if you need any more info and I'll gladly provide it.
It's probably something simple, but I've never done it before and will pay 3000 points for an answer.

by Some Guy in Seattle In reply to A simple? Cisco question

Each device needs to have a default gateway set. You're on the right track by setting all your internal devices on 10.2.1.1/13 to point to your internal router (by the way, there's nothing wrong with doing this; if anything you can block all the NetBIOS stuff from hitting your firewall). Once it gets to the internal router, you need it to have a default gateway as well so it knows what to do with traffic for networks it doesn't know about (i.e. anything other than the local networks 10.1.1.1/13 and 10.2.1.1/13). Set this gateway to the firewall's internal address. On the firewall, same thing: set it to point to the Internet router. The Internet router also (depending on ISP setup) can have a default gateway as set by the ISP or (if on Cisco, I don't know others) you can have it use a default gateway of the Internet interface or 0.0.0.0.

Now, how to do this. From a privileged prompt (#) on the internal Cisco router, type in the command:

ip route 0.0.0.0 0.0.0.0 10.2.1.20

This sets the router to send all unknown traffic (0.0.0.0 in Cisco lingo) to the next hop router (the firewall at 10.2.1.20).

That's half the battle. The other half is making sure that the traffic can get back in to your network. Since you have multiple subnets and routers, each device needs to know where all the remote subnets are. For this case you will probably only need to give the firewall a static route to direct traffic back to the remote (from the perspective of the firewall) 10.2.1.1 network. Depending on your model/OS of firewall this will be a specific type of command. However, the theory is the same and the command will be something to the effect of "ip route 10.2.1.1/13 10.1.1.1". This will direct the firewall to send all this stuff to the local interface of your internal router, which will then make sure it gets to the 10.2.1.1 network.

by Some Guy in Seattle In reply to A simple? Cisco question

continued...

By the way, this process is the same for any kind of traffic that needs to get to a remote network through a separate router. Define a gateway that you want the majority of the traffic to go to (usually in the direction of the Internet) and then statically set up everything else. Since you are running NAT on the firewall, this means you probably don't want to set up static routes on the Internet router to point directly to the 10.x.x.x networks.

Anyways, any problems just mail zebedee@workmail.com and I can give you more details.

Hope that helps -

by Some Guy in Seattle In reply to A simple? Cisco question

One last thing: don't forget to do a "copy run star" command on the Cisco to save the config!

by kwoerner In reply to A simple? Cisco question

Thanks, this really helped.

by kmagress In reply to A simple? Cisco question

The answers from "Some Guy in Seattle" are right on track, but there were a few things I thought I'd mention:

1> With a 13-bit subnet mask, 10.2.x.x and 10.1.x.x are the same subnet. You won't need the intervention of the router to pass traffic to the firewall at all, and are likely to see ICMP redirects telling clients that they have a direct route available. Are you sure about the subnet mask? If you are, consider changing it to a /16 or /24. I doubt you really need subnets that support over 500,000 hosts.

2> Assuming you change subnet masks, check your inside vs. outside addresses. The list you give above places the clients, router, and firewall all on the 10.2.x.x subnet, which doesn't sound like what you want to accomplish. From the sound of things you want 10.2.x.x to handle communication between clients and your router and 10.1.x.x between your router & your firewall.

3> Most firewalls support RIP or OSPF, so you can exchange routes with them directly if you don't want to use static routes on the firewall for it to learn your internal topology. If your firewall does, having it set a default route pointing to the Internet (either your router connecting to the ISP or the ISP's router - whatever the next hop from the firewall is) and redistribute that as a default route might simplify your life. Then if your default route vanishes on your internal router, you know that communications between it and your firewall are hosed.

Those are my thoughts. Hope it helps.
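An added example, not code from the thread, that models the internal router described above in Python: the two Ethernet addresses quoted in the question, the static default route from the first answer ("ip route 0.0.0.0 0.0.0.0 10.2.1.20"), and a longest-prefix lookup. The prefix length is a parameter so the /13 as posted can be compared with the /16 suggested in point 1; the destination 203.0.113.10 is a constructed sample Internet address.

```python
import ipaddress

# Constructed model of the router in the thread: e0 = 10.2.1.1, e1 = 10.1.1.1,
# plus the static default route pointing at the firewall's inside address.

def build_routes(prefix_len, default_next_hop="10.2.1.20"):
    """Routing table as (network, interface, next_hop) tuples."""
    ifaces = {"e0": f"10.2.1.1/{prefix_len}", "e1": f"10.1.1.1/{prefix_len}"}
    routes = [(ipaddress.ip_interface(a).network, name, None)
              for name, a in ifaces.items()]                 # connected routes
    routes.append((ipaddress.ip_network("0.0.0.0/0"), None,
                   ipaddress.ip_address(default_next_hop)))  # ip route 0.0.0.0 0.0.0.0 <fw>
    return routes

def overlapping_interfaces(routes):
    """Interface pairs whose connected networks overlap (IOS rejects such an address)."""
    conn = [(n, i) for n, i, _ in routes if i is not None]
    return [(a, b) for k, (na, a) in enumerate(conn)
            for nb, b in conn[k + 1:] if na.overlaps(nb)]

def egress(dst, routes):
    """Longest-prefix match; a next hop is then resolved to its connected interface."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    net, iface, nh = max(matches, key=lambda r: r[0].prefixlen)
    if iface is not None:
        return iface, None                   # directly connected destination
    for cnet, ciface, _ in routes:
        if ciface is not None and nh in cnet:
            return ciface, str(nh)           # recursive lookup of the next hop
    return None                              # next hop not reachable

def usable_hosts(prefix_len):
    """Host addresses in one subnet of this size (network and broadcast excluded)."""
    return ipaddress.ip_network(f"10.0.0.0/{prefix_len}").num_addresses - 2

if __name__ == "__main__":
    print(overlapping_interfaces(build_routes(13)))  # [('e0', 'e1')]: both ports land in 10.0.0.0/13
    print(usable_hosts(13))                          # 524286
    r16 = build_routes(16)
    print(egress("203.0.113.10", r16))               # ('e0', '10.2.1.20'): firewall sits on the inside net
    print(egress("10.1.7.7", r16))                   # ('e1', None)
```

With /13 the two interfaces overlap, and even with /16 the default route's next hop 10.2.1.20 resolves out of e0, the client-facing port, which is point 2 above.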

by kwoerner In reply to A simple? Cisco question

Thanks for the info.

by Dennis Cooper, Raleigh In reply to A simple? Cisco question

It looks like your internal Router is basically a VLAN routing device. This is not so uncommon. We call them routers on a stick. (No serial)

The above answers are a good source for subnetting & routing. You should use them to check your configs.

I would like to add one thing. If you configured the router without the Ethernet ports plugged in, you might have a command towards the top of your config: "no ip routing". This is something I have noticed in the last year or so. It is something that you don't enter, or expect, so you don't look for it. Check near the top of your config and make sure you don't have this command.

by kwoerner In reply to A simple? Cisco question

This question was closed by the author