
Please, need your help to check my configurations. NAT and HSRP


ngtri (Programmer), Dec 7, 2004
Hello

I just received an assignment to make a connection from my company's network, SPOKE nr. 5, to the Cooperate Company's network and to access its web servers.

This is because the Cooperate Company's web servers are physically located in the same building as SPOKE 5, and they also own the public IP of SPOKE 5.


The Cooperate Company hooked up 2 optical fibers straight to our routers (Cisco 1921) and only opens the following:

TCP ports 80 and 443 to IP xx.xx.27.12.
We have to run NAT.

The optical fibers are in place and I am waiting for the equipment (2 x Cisco 1921, dual-mode SFP port, SFP transceiver module).


For my company, the most important thing is that all users on SPOKE nr. 5 ALWAYS have access to the web servers and the internet.


But I also want to let users from the other SPOKES access the Cooperate Company's web servers.


Below is a sketch of the network infrastructure and of what I will configure on the Cisco routers.

--------------------------------------------------------------------------------------------

R1. - Primary

ip dhcp excluded-address xx.xx.10.1 xx.xx.10.50
ip dhcp excluded-address xx.xx.10.150 xx.xx.10.254

!
ip dhcp pool SPOKE5
network 10.0.10.0 255.255.255.0
default-router xx.xx.10.254
dns-server xx.xx.115.19 xx.xx.115.20


interface FastEthernet0/0
description ***Outside***
ip address xx.xx.xx.53 255.255.255.0
ip nat inside
standby 1 ip xx.xx.xx.52
standby 1 timers 1 3
standby 1 priority 150
standby 1 preempt
standby 1 name HSRP1
standby 1 track 1 decrement 100
duplex auto
speed auto
!
!
track 1 ip sla 1
track 1 interface FastEthernet0/0 line-protocol
!
!
interface FastEthernet0/1
description ***Inside***
ip address xx.xx.10.10 255.255.255.0
ip nat outside
standby 2 ip xx.xx.10.254
standby 2 timers msec 250 msec 750
standby 2 priority 110
standby 2 preempt
standby 2 name HSRP2
duplex auto
speed auto
!
ip nat inside source list ACL-NAT interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.52
ip route 0.0.0.0 0.0.0.0 xx.xx.10.1

ip access-list extended ACL-NAT
permit tcp any host xx.xx.27.12 eq
--------------------------------------------------------------------------------------------------

R2. - Secondary

ip dhcp excluded-address xx.xx.10.1 xx.xx.10.150
ip dhcp excluded-address xx.xx.10.254

!
ip dhcp pool SPOKE5
network 10.0.10.0 255.255.255.0
default-router xx.xx.10.254
dns-server xx.xx.115.19 xx.xx.115.20

interface FastEthernet0/0
description ***Outside***
ip address xx.xx.xx.54 255.255.255.0
ip nat inside
standby 1 ip xx.xx.xx.52
standby 1 timers 1 3
standby 1 priority 100
standby 1 preempt
standby 1 name HSRP1
standby 1 track 1 decrement 100
duplex auto
speed auto
!
!
track 1 ip sla 1
track 1 interface FastEthernet0/0 line-protocol
!
!
interface FastEthernet0/1
description ***Inside***
ip address xx.xx.10.11 255.255.255.0
ip nat outside
standby 2 ip xx.xx.10.254
standby 2 timers msec 250 msec 750
standby 2 priority 90
standby 2 preempt
standby 2 name HSRP2
duplex auto
speed auto
!

ip nat inside source list ACL-NAT interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.52
ip route 0.0.0.0 0.0.0.0 xx.xx.10.1

ip access-list extended ACL-NAT
permit tcp any host xx.xx.27.12 eq
-------------------------------------------------------------------------------------------------------

SPOKE 5 - Internet Access


username tad privilege 15 secret 5 DJFKSDJFAJDFKAJSDFJASDØFJ
!
!
!
track 10 ip sla 10
!
class-map type inspect match-any inside-outside-cmap
match protocol tcp
match protocol udp
match protocol icmp
!
!
policy-map type inspect inside-outside-pmap
class type inspect inside-outside-cmap
inspect
class class-default
drop
!
zone security outside
zone security inside
zone-pair security inside-outside source inside destination outside
service-policy type inspect inside-outside-pmap
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key UUUUUUU address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile OUR
set security-association lifetime seconds 900
set transform-set strong
!
!
!
!
!
!
interface Tunnel0
description SPOKE5
ip address 192.168.1.5 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication UUUUUUU
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 115.9.9.20
ip nhrp map multicast 115.9.9.23
ip nhrp map 192.168.1.3 95.21.3.15
ip nhrp map multicast 95.21.3.16
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 192.168.1.1
ip nhrp nhs 192.168.1.3
zone-member security inside
no ip route-cache cef
no ip split-horizon
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile OUR
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
description ***Outside***
ip address 85.152.18.11 255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security outside
duplex auto
speed auto
!
!
interface Vlan1
description ***Inside***
ip address 10.0.10.1 255.255.255.0
ip access-group 199 in
ip nat inside
ip virtual-reassembly
zone-member security inside
ip tcp adjust-mss 1452
!
!
router ospf 1
router-id 192.168.1.5
log-adjacency-changes
area 1 stub no-summary
network 10.0.10.0 0.0.0.255 area 1
network 192.168.1.0 0.0.0.255 area 1
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 101 interface FastEthernet4 overload
ip route 10.0.0.0 255.255.252.0 192.168.1.1 track 10
ip route 0.0.0.0 0.0.0.0 85.152.18.10
ip route 0.0.0.0 0.0.0.0 xx.xx.10.254
!

ip nat inside source list ACL-NAT interface FastEthernet0/0 overload

ip access-list extended ACL-NAT
permit tcp any host xx.xx.27.12 eq
access-list 23 permit 10.0.0.0 0.255.255.255
access-list 23 permit 192.168.1.0 0.0.0.255

-------------------------------------------------------------------------------------

Could any Cisco experts help me check the configuration so that it works in the following situations:

1) PC 1 and PC 2 basically receive their IP addresses from R1 (active) or from R2 (when R1 is down).
PC 1 and PC 2 can access the web servers and the internet.

2) When R1 is down, R2 must be active.
When R1 is up, R2 must be inactive.

3) When I take out the optical fiber (WAN) or the RJ45 Ethernet cable (LAN), the live track on R1 can detect the disconnection and fail over to R2.

4) How can I let users from the other SPOKES access the web servers?

I would greatly appreciate anyone who can assist.

Please ask questions if you do not understand.


Thanks in advance

Sincerely

Try
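As an added example (not part of the original post or the poster's configuration), a small Python lint over a constructed excerpt of the R1 config above. It mechanically checks three things a reviewer looks at first in an HSRP plus NAT design: whether the interface named in the `overload` NAT statement is itself marked `ip nat inside`, whether a track object number is defined more than once, and whether a default route points at the router's own HSRP virtual IP. The `xx.xx` masking is kept as in the post; interface names and the check wording are this example's own.

```python
import re

# Constructed excerpt of the R1 configuration from the post (xx.xx masking kept as posted).
R1_CONFIG = """\
interface FastEthernet0/0
 description ***Outside***
 ip nat inside
 standby 1 ip xx.xx.xx.52
!
track 1 ip sla 1
track 1 interface FastEthernet0/0 line-protocol
!
interface FastEthernet0/1
 description ***Inside***
 ip nat outside
 standby 2 ip xx.xx.10.254
!
ip nat inside source list ACL-NAT interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.52
ip route 0.0.0.0 0.0.0.0 xx.xx.10.1
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    # Map each interface name to its indented sub-commands; '!' or a global line ends the block.
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current, ifaces[m.group(1)] = m.group(1), []
        elif line.startswith(" ") and current:
            ifaces[current].append(line.strip())
        else:
            current = None
    return ifaces

def lint(config: str) -> list[str]:
    findings, ifaces = [], parse_interfaces(config)
    # The interface named in 'ip nat inside source ... interface X overload' must itself be 'ip nat outside'.
    m = re.search(r"^ip nat inside source list \S+ interface (\S+) overload", config, re.M)
    if m and "ip nat inside" in ifaces.get(m.group(1), []):
        findings.append(f"{m.group(1)}: NAT overload interface is configured 'ip nat inside'")
    # One track number defined with two object types ('ip sla' and 'interface'); only one can apply.
    tracks = re.findall(r"^track (\d+) ", config, re.M)
    for t in sorted({t for t in tracks if tracks.count(t) > 1}):
        findings.append(f"track {t}: defined {tracks.count(t)} times")
    # A default route whose next hop is the router's own HSRP virtual IP cannot forward anything.
    vips = {l.split()[3] for ls in ifaces.values() for l in ls if re.match(r"standby \d+ ip \S+", l)}
    for nh in re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        if nh in vips:
            findings.append(f"default route via {nh}: next hop is this router's own HSRP virtual IP")
    return findings
```

Running `lint(R1_CONFIG)` returns three findings for this excerpt; the route via xx.xx.10.1 is not flagged because it is not an HSRP virtual address.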
