Cisco 2811 with 2 DSL Lines

Status
Not open for further replies.

vdalehubbard (IS-IT--Management), Mar 9, 2005, US
Greetings!

I have two DSL lines coming into my Cisco 2811 router. Behind the router I have a PIX. I wanted to know what configuration I should use on the router to be able to do this. "ip route 0.0.0.0 0.0.0.0 FastEthernet0/1" put that on every outgoing FastEthernet port? Also, what should I enable on each Ethernet? Thanks!
 
Ok you need to give more info.... having 2 DSL lines to your router is not the issue....The real issue is how you plan to use them.

1) You could decide to use them for redundancy so if one link goes down the other will failover automatically or

2) You could divide traffic whereby you have some of your network go over one link and the rest go through the other.

It's based on these that you would determine how to configure the router.
 
The 2nd option, to divide traffic. I found out that our ISP has the outside IP addresses they have given us separated into the two DSL lines. So, the 2nd option to divide is what I'm trying to do.
 
OK. Now what you do next depends on how your ip addressing is.

You could

1) Assign an entire range to go through a particular interface

ip route 10.168.6.0 255.255.0.0 10.168.6.1

2) Do static route for each host

ip route 10.168.6.10 255.255.0.0 10.168.6.1
ip route 10.168.6.11 255.255.0.0 10.168.6.1
ip route 10.168.6.12 255.255.0.0 10.168.6.1

You decide.

If you have a DMZ with web servers or a mail server you could let these go through one connection and everybody else goes through the other....

But like I said....You decide.

However, if you don't have an IP from your ISP on each interface or at least on one interface then it's an entirely different ball game.
 
Yes, I do have an IP address from my ISP. I was going to assign two of them for the outside interfaces being connected to my DSL modems and then an internal address for my interface going to my PIX. So, with 206.**.**.*** being my outside IP addresses I have, would my configuration look like this?:

ip route 206.**.**.*09 255.255.255.0 206.**.**.*13
ip route 206.**.**.*22 255.255.255.0 206.**.**.*14

(09 & 22 are my gateways and 13 & 14 are my interfaces)
 
Yes, the command string is correct.

However I am a bit concerned about the addresses of gateways being in the string.

All that does is allow only the gateways to go through.

You need to specify either the entire network address that the gateways are on:

eg. a network address would be 192.0.0.0 255.255.255.0 router 192.0.0.1
gateway 192.0.0.2
server 192.0.0.10

so to specify the network you would put
"ip route 192.0.0.0 255.255.255.0 206.0.0.13"


Or you could specify each host in a separate route

"ip route 192.0.0.2 255.255.255.0 206.0.0.13"
"ip route 192.0.0.10 255.255.255.0 206.0.0.13"

"ip route 192.0.0.11 255.255.255.0 206.0.0.14"
"ip route 192.0.0.12 255.255.255.0 206.0.0.14"

and so on.





 
So, my command would be:

ip route 192.168.1.0 255.255.255.0 206.*.*.*13
ip route 192.168.1.0 255.255.255.0 206.*.*.*14

This will allow my whole internal network (192.168.1.0 to 192.168.1.256) to be able to go back and forth through my two interfaces of 13 & 14.

Just want to double check to be sure I understand.
 
Another option would be to create access-lists and apply them to each interface

create the access-list like this:
"access-list 110 permit tcp 10.0.0.0 255.255.0.0 any"


and then apply it to the interface like this:

"ip access-group 110 out"

You could have an access-list deny parts of your network from going through a particular interface.

"access-list 110 deny tcp 10.0.0.0 255.255.0.0 any"

and then on the interface

"ip access-group 110 out"


Let me know if you understand this.
 
Okay, got everything hooked up last night but came across two snags.

One, the extra Ethernet interface I put in is working with the lights going when plugged in. But I can't configure through command line, like it's not there.

Second, I was able to get the PIX hooked up behind the router to try this out. I can ping the outside interfaces of the router from the PIX, but cannot ping the DSL modem that is the next hop past the outside interfaces of the router. So, I figure the route commands aren't working? Here is my network:

PIX (Outside E0 10.10.10.2 255.255.255.0) to
Router (FastEthernet 0/1 10.10.10.1 255.255.255.0)

Router (FastEthernet 0/0 206.**.**.*13 255.255.255.0) to
DSL Modem (206.**.**.*09 255.255.255.240)

I used the routes we discussed here. That didn't work so I used this since I have the 10 network between router and PIX:

ip route 0.0.0.0 0.0.0.0 206.**.**.*09

Course, that didn't work either. Any suggestions?
 
Sorry for not checking in sooner I have been really busy today.

Ok, regarding the interface card... I hope that you installed it in the router with the power off... Interface cards are not hot swappable.

The routing we discussed should work... Bring it back to how it worked before and try again.


 
The other thing I mentioned was access-list

Create and apply the following to both interfaces that are connected to the internet links.

At the config prompt do the following one at a time:
Router(config)#access-list 110 permit tcp any any eq www
Router(config)#access-list 110 permit tcp any any eq smtp
Router(config)#access-list 110 permit tcp any any eq pop3
Router(config)#access-list 110 permit tcp any any eq 443
Router(config)#access-list 110 permit tcp any any eq ftp
Router(config)#access-list 110 permit udp any any eq isakmp
Router(config)#access-list 110 permit udp any any eq 10001
Router(config)#access-list 110 permit esp any any

When you are done go to each interface and type the following:

router(config-if)#ip access-group 110 in
router(config-if)#ip access-group 110 out
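
An added example, not part of the original posts: a small Python model of how IOS evaluates the access-list 110 entries quoted in this thread (wildcard masks where a 0 bit must match and a 1 bit is ignored, first match wins, implicit deny at the end), for checking what an ACL bound with "ip access-group" will pass before it goes on an interface. The 203.0.113.x addresses and port 51515 are constructed sample values, and the parser is a simplification that handles only the entry forms shown on this page and matches on destination port.

```python
import ipaddress

# Port keywords used by the ACL entries quoted in the thread.
PORTS = {"www": 80, "smtp": 25, "pop3": 110, "ftp": 21, "isakmp": 500}
# access-list 110 as posted in the thread.
ACL_110 = ["access-list 110 permit " + e for e in (
    "tcp any any eq www", "tcp any any eq smtp", "tcp any any eq pop3",
    "tcp any any eq 443", "tcp any any eq ftp", "udp any any eq isakmp",
    "udp any any eq 10001", "esp any any")]

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)

def take_addr(tok):
    """Consume 'any' or 'ADDRESS WILDCARD' from the token list."""
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    return (tok[0], tok[1]), tok[2:]

def parse_ace(line):
    """Parse 'access-list N ACTION PROTO SRC DST [eq PORT]' (subset only)."""
    action, proto, *rest = line.split()[2:]
    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORTS.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match hits the implicit deny."""
    for action, a_proto, a_src, a_dst, a_port in map(parse_ace, acl):
        if (a_proto == proto and wildcard_match(src, *a_src)
                and wildcard_match(dst, *a_dst) and a_port in (None, dport)):
            return action
    return "implicit deny"

if __name__ == "__main__":
    # Constructed packets: PIX outside address from the thread, test server.
    print(evaluate(ACL_110, "tcp", "10.10.10.2", "203.0.113.10", 80))     # request
    print(evaluate(ACL_110, "tcp", "203.0.113.10", "10.10.10.2", 51515))  # reply
    print(evaluate(ACL_110, "icmp", "10.10.10.2", "203.0.113.1"))         # ping
```

In this model the outbound web request is permitted, while the reply to it (destination port 51515) and the ICMP echo both fall through to the implicit deny when the same list is bound in both directions.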




 
That sounds good but I have a PIX doing the access list behind the router. Think we should do away with that?
 
Put the following in:

Router(config)# ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
Router(config)# ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

and let me know what happens
 
Put those in, nothing new happened.

BUT, I did run NAT on the router and I was able to ping the modems with the router. But I was still not able to ping them with the PIX that is behind the router. I had PAT running on the PIX, I turned it off with no difference. Any more ideas?
 
Check if you have these lines on the PIX:

"access-list in-out permit icmp any any"

"access-list out-in permit icmp any any" (optional)
 