
Router Config Help 1


golson

MIS
Jan 22, 2002
27
US
I am a newbie with Cisco config; I can do some basics on our current config, but that's about it.
We have a Cisco 1600 router that is our internet edge router. It is currently configured with a WAN address and 2 addresses on the WAN interface for outgoing NAT. The internal interface is configured for the LAN and NAT is enabled for incoming mail, web server, etc. My question is: we just purchased a SonicWall firewall; how would I configure the Cisco router to just route from the WAN to the LAN port without doing any NAT? I will let the SonicWall do that. I know I will have to remove the inside source NAT entries and give the LAN interface a new address (I don't want to change my LAN subnet). Since we have more than 1 routable IP from our ISP, I am not sure how to configure the WAN.

Sorry for the lengthy thread...

Thanks in advance

Gary
 
Hi

I would advise you to disable NAT by removing the 'ip nat inside' and 'ip nat outside' commands from the WAN and LAN interfaces. Also remove any static NAT/dynamic NAT translations present in the config.

As far as reconfiguring the interfaces goes, I'd remove the WAN address and set it to 'ip unnumbered e0' and then set the address on e0 to the WAN interface's current address.

The Sonicwall's outside Internet-facing interface should use one of the spare public addresses now assigned to the LAN interface on the 1600.

I think this will achieve what you want.

 
Would also recommend upgrading to at least a 1721 for the router. That old 1600 is not supported anymore and the ethernet on it is 10base-t half duplex. At least on the 1700 you get one fast ethernet port.
 
Kisco,

Just so I understand... Remove ip nat inside and outside with the "no ip nat inside" and "no ip nat outside" commands. Then remove all the static NAT entries. Next set the Serial0 interface to "ip unnumbered Serial0" and then set the LAN interface to the address that Serial0 had previously. Lastly set the SonicWall WAN interface to one of our open public IPs. I will assume that the gateway address that I configure on the SonicWall will be the address of the ISP's gateway, not the Cisco router, in this scenario.

Do I need to configure a secondary address somewhere, with the nat config 1 address was incoming and 1 address was used for outgoing traffic?

Thanks for your help and patience with my lack of knowledge!

Gary
 
My bad,

it is a 1700

sorry for the mis-information.

Gary
 
Hi

Almost right :)

Here is an example config script (execute from config mode)

int s0
no ip address y.y.y.y 255.255.255.0
no ip nat outside
ip unnumbered fa0
int fa0
no ip nat inside
no ip address x.x.x.x 255.255.255.0
ip address y.y.y.y 255.255.255.0



where y.y.y.y is s0's current address, x.x.x.x is the current LAN address

The Sonicwall's default gateway should be the LAN interface on the 1700 router. In terms of NATing on the Sonicwall, if you were using one address for outgoing traffic, you should be able to configure NAT overloading using the Sonicwall's new public IP address and translate all outbound traffic behind it (also called PAT).

For inbound traffic, you can set up port forwarding using the Sonicwall's external address. For example, if you want to pass SMTP (port 25) traffic to an internal mail server, you could set up port forwarding of any mail traffic sent to the Sonicwall's external IP to an internal server.

Alternatively, if you have more than 2 public IPs available, you could have a static NAT configured on the Sonicwall so that any traffic to another public address is directly translated to an internal server.
 
Thank you very much for the detailed explanation!! I will give it a go....

Thanks for your help!

Gary
 
Well, I gave it a go and was totally unsuccessful. I must be missing something. Taking the SonicWall out of the equation, I gave the router the config below. I then connected my laptop via crossover and gave it (y.y.y.171). I could ping the router internal interface (y.y.y.169), but that is all. From the router I could not ping my gateway address (y.y.y.170).
What am I missing? Below is the config I used. If someone could give me a basic config that will allow me to get internet access, allowing everything, that would be a huge help. All I need is internet access; I will have the firewall I am going to configure do the rest.

Thanks in advance!!!!!

!version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!hostname Router
!
enable secret 5 $1$VP2o$knxxxxxx3VnuFytZF/
enable password xvxxxxx
!
ip subnet-zero
ip name-server x.x.x.x
ip name-server x1.x1.x1.x1
!
!
!
!
interface FastEthernet0
ip address y.y.y.169 255.255.255.248 (WANIP ADDRESS)
speed auto
!
interface Serial0
ip unnumbered FastEthernet0
!
ip classless
no ip http server
!
!
access-list 1 permit any
!
line con 0
password xxxxx
login
line aux 0
line vty 0 4
password xxxxx
login
!
no scheduler allocate
end
 
add this:

ip route 0.0.0.0 0.0.0.0 serial0

Also, you might have to tell your ISP to ip unnumber their side of the T1.

Just to clean things up, you don't need access list 1 anymore without NAT.
 
I tried this config next... It did not work either...

Now reading your post you say I do not need any access rules at all? So I should remove all the access-lists?

Also you say tell my ISP to ip number their side of the T1? can you explain what you mean by that so when I call them I know why I am asking them to do this?

If it wouldn't be too much trouble, could you post a working config so I can compare?

I know this is pretty remedial but I have been thrown into this and learning on the fly....

Thanks for your assistance!

Gary



!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$VP2oxxxxxxxxxxxx3VnuFytZF/
enable password xxxxxxx
!
ip subnet-zero
ip name-server 216.xxx.xxx.3
ip name-server 216.xxx.xxx.4
!
!
!
!
interface FastEthernet0
ip address 216.xxx.xxx.169 255.255.255.248
ip access-group 102 out
speed auto

!
interface Serial0
ip unnumbered FastEthernet0
ip access-group 101 in
!
ip default-gateway 216.xxx.xxx.170
ip classless
ip route 0.0.0.0 0.0.0.0 216.xxx.xxx.170
no ip http server
!
!
access-list 101 permit ip any any
access-list 102 permit ip any any
!
 
This should be your config file.

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$VP2oxxxxxxxxxxxx3VnuFytZF/
enable password xxxxxxx
!
ip subnet-zero
ip name-server 216.xxx.xxx.3
ip name-server 216.xxx.xxx.4
!
!
!
!
interface FastEthernet0
ip address 216.xxx.xxx.169 255.255.255.248
speed auto

!
interface Serial0
ip unnumbered FastEthernet0
!

ip classless
ip route 0.0.0.0 0.0.0.0 serial0
no ip http server
!
!
!

You will need to tell your ISP that you are running an IP unnumbered configuration and using the /29 subnet on your LAN side. They will configure their serial interface to have ip unnumbered like yours.
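
An added example, not part of the original thread: a small Python check over a saved running-config for the problems this thread works through (leftover NAT statements, a missing default route, a default route whose next hop sits on the subnet lent to the unnumbered serial link, `ip default-gateway`, and an `enable password` line). The function name, the finding codes and the 192.0.2.x sample addresses are assumptions made for the illustration, and the check expects unmasked addresses.

```python
import ipaddress
import re

# Constructed sample: the second config from the thread, with the masked
# 216.xxx.xxx prefix swapped for the 192.0.2.0/24 documentation range.
BROKEN = """\
no service password-encryption
enable password <redacted>
interface FastEthernet0
ip address 192.0.2.169 255.255.255.248
interface Serial0
ip unnumbered FastEthernet0
ip default-gateway 192.0.2.170
ip route 0.0.0.0 0.0.0.0 192.0.2.170
"""

def audit(config):
    """Return a sorted list of finding codes for an IOS running-config."""
    findings, connected, lenders, current = set(), {}, set(), None
    default_targets = []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            current = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            connected[current] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip unnumbered (\S+)", line):
            lenders.add(m[1])  # interface whose address the link borrows
        elif re.match(r"ip nat ", line):
            findings.add("nat-leftover")  # NAT now belongs on the firewall
        elif line.startswith("ip default-gateway"):
            findings.add("default-gateway-unused")  # only used with 'no ip routing'
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            default_targets.append(m[1])
        elif line.startswith("enable password"):
            findings.add("weak-enable-password")  # cleartext or type 7; keep only enable secret
    if not default_targets:
        findings.add("no-default-route")
    for target in default_targets:
        try:
            hop = ipaddress.ip_address(target)
        except ValueError:
            continue  # an interface name such as serial0
        # A next hop inside the lender's subnet is reached via the LAN port, not the serial link.
        if any(hop in connected[i] for i in lenders if i in connected):
            findings.add("default-route-resolves-to-lan")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(BROKEN))
```

Run against the final config posted above (default route via serial0, no `enable password` line kept), the function returns an empty list.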
 