Cisco-800 routing problems

[aZLAn2000]

Hi,

I have a Cisco 800 on a DSL line for our mailservers. Our mailservers are both behind the cisco and a firewall that is in invisible mode (bridge). I want the mailservers to be able to communicate directly with all the clients on our internal network but can only do this by setting a route on each server instead of directly on the Cisco 800.

I have the following setup:

Cisco-800 outside ip: xx.xx.xx.xx
Cisco-800 inside ip: 217.157.xxx.17/30
-|
-|
-|
-\-- Firewall (Bridged)
-||
-||(DMZ)
-|\--Mailserver1 ip: 217.157.xxx.19/30
-|\--Mailserver2 ip: 217.157.xxx.20/30
-|
----Internal Router outside: 217.157.xxx.18/30
----Internal Router inside: 10.10.0.1/16

So what i want exactly is to setup a route on the Cisco-800 to route traffic from/to 10.10.0.0/16 to 217.157.40.18. Is this possible and howto ? I am not using the dsl for internet traffic so i won't be transmitting 10.10-addresses out on the Internet anyways.


Regards,
Christian

 

[lambent]

I assume your servers are using Cisco 800 inside IP as their default gateway.

And I assume the Internal Router outside, DMZ and Cisco 800 inside segments are all in the same subnet (cause the firewall is in bridge mode, or is it? Please correct me.)

And if your clients PCs in the Internal Router inside segment do not go to the Internet via this firewall and Cisco 800 router, and their default gateway is still set to the Internal Router inside IP, then all you need to do is to:

1) Set static routes in your servers for the destination network 10.10.0.0/16, using Internal Router outside IP as the next hop IP address
2) Nothing to do with client PCs provided that their default gateway is the Internal Router inside IP.

Many assumptions and would be glad that if you can provide more details.

 

[aZLAn2000]

Hi,

Your assumptions are correct. What I want is to get rid of the static routes on the servers and place it in the Cisco-800 instead. My internal clients get the 217.157.xx.16/29 route from my internal router (which is a layer-3 switch). Is it possible change that on the Cisco router?

/Christian

 

[lambent]

Maybe I've misunderstood your question and thought that you only want static routes on your servers.

And yes, it's feasible to set static routes on your Cisco 800 router and then set the inside IP of Cisco 800 router as the default gateway of your servers. However the performance will not be good as you're doing one-arm routing, in which you use the same interface to forward inbound and outbound traffic.

Also your firewall outside will receive packets from your DMZ (forwarded by the Cisco 800) back into the internal LAN segment. Depending on the firewall setup, the anti-spoofing feature may not allow these packets to pass through.

And...there's asymmetric routing...

All in all, it's feasible but not recommended.

 

[aZLAn2000]

Hi,

I am aware of the one-arm routing and the traffic will pass the router twice. I am prepared to live with that . Actually its not only the 2 servers. I have one spare IP i occasionally use for equipment that needs to be reached from the outside. The ip address is given as DHCP address from one of the servers because the equipment requires that. Because of this only people from the outside can reach it. Another annoying thing is that I can't configure the router from the internal network but have to connect to one of the servers and telnet from there.

The firewall is a Netscreen-100 which can handle spoofing etc. just fine .

Do you have some pointers on how to set up the static route?

- By the way. Thanks for your thoughts so far

 

[ChrisAC]

I presume that you are looking for;

ip route 10.10.0.0 255.255.0.0 217.157.40.18

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************

 

[aZLAn2000]

Is it that simple? Thought I had tried that but I will give it a shot tomorrow for sure.

/Christian