
Second Interface activation


BabylonDrifter (IS-IT--Management), Oct 10, 2001, 53 posts, US
I have a 2621 router with 2 Ethernet interfaces and a WIC card. Currently my 0/0 Ethernet port is online and plugged into my PIX, and thereafter my domain. All that works fine. The issue is that I have a tenant that is leasing space and wanting to use our internet. I would like to completely separate this individual off our LAN for various reasons, so I was wondering if I could activate the 0/1 Ethernet interface, attach a dinky Linksys router and then attach their 3 workstations and server to the Linksys router. Why the Linksys? For DHCP and because it has a hub built in. First off, I am very new to Cisco routers, so is this a dumb thing to do? If this idea has merit, what do I do to turn on the 2nd interface? I do have a spare public IP number to assign this interface.


Thanks
 
It kinda depends on how your current system is set up, how separated you need your systems to be and what services they need. What you propose could work fine if they just want to surf the web: just turn on the second interface, assign it an address/network and (assuming you are using NAT on the outside interface) add the network to the NAT pool. If they need to host resources, then the situation gets much more complex and you will need to add additional addresses to the external interface...

I'm sure others will add more or correct me but that's my take.

//RB
 
You may be better off using the PIX to provide their Internet connection. Put them onto a DMZ port on the PIX and let that device handle the security between your network and theirs. If they don't need to access any devices on your network then the setup for this would be pretty straightforward.
The advantage of this solution is added security for the tenant.

If they used the router solution they would still need some form of firewall; that would be less management overhead for you, though. Also they could use their own firewall for the NAT function. You would need 2 registered IP addresses for their link unless your outside router is running NAT.

 
Thanks,

What do I need to enter to bring up the second interface?
Do I need to enter FastEthernet0/1 to edit that line?


this is what I have

interface FastEthernet0/1
no ip address
no ip directed-broadcast
shutdown
duplex auto
speed auto
 
interface FastEthernet0/1
ip address w.x.y.z <sub-mask>
no shutdown


but there are other issues here. If you have NAT on this box, you will need to tend to the pool.

//RB
 
You don't need to purchase anything else, as this is not too complicated.
You need to do a few things.

I am assuming that you are using NAT on the serial card for your existing LAN.
I am also assuming that you can define a default route on that Linksys.



1. Attach a crossover cable from the Linksys to the Cisco router.

2. Give the outside interface of the Linksys an IP address.

3. Give the second interface an IP (172.16.1.1) and enable the second interface.

4. Give the inside IP of the Linksys (toward their LAN) something like 172.17.1.0/24, or whatever the tenant currently uses, as long as it doesn't conflict with your LAN.

5. Create an access-list and place it outbound on the second interface.

access-list 101 deny ip 172.17.1.0 0.0.0.255 YOURLAN
access-list 101 permit ip any any

! second interface; the list is applied inbound here because that is the
! direction the tenant's packets enter the router (applied outbound on this
! interface it would only see traffic heading toward the tenant, and the
! deny line would never match)
interface FastEthernet0/1
 ip access-group 101 in

Assuming you are using NAT overload on the outside interface you should be fine.

access-list 102 permit ip YOURLAN any
access-list 102 permit ip 172.17.1.0 0.0.0.255 any

interface FastEthernet0/0
 ip nat inside

interface FastEthernet0/1
 ip nat inside

interface Serial0/0
 ip nat outside

ip nat inside source list 102 interface Serial0/0 overload (this syntax may be a little off)

ip route 0.0.0.0 0.0.0.0 Serial0/0

The traffic from their LAN should be ushered out to the Internet via the default route on the Cisco router. The access-list should let them send to anywhere BUT YOUR LAN.
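As an added, complete example (not from the thread and not any poster's configuration), here is the 2621 side of the five steps above written out in full, with the filter applied inbound on FastEthernet0/1, which is the direction the tenant's packets enter the router. All addresses are hypothetical: the corporate side (the YOURLAN placeholder) is 192.168.1.0/24 on FastEthernet0/0, the tenant link is 172.16.1.0/30 with the Linksys WAN port at 172.16.1.2, the tenant LAN behind the Linksys is 172.17.1.0/24, and the provider link on Serial0/0 is 203.0.113.2/30. The deny uses a source of "any" so that it holds whether the Linksys NATs its LAN (the router then sees 172.16.1.2 as the source) or merely routes it (the router sees 172.17.1.x).

```cisco
! Added example (not from the thread). Hypothetical addressing:
!   corporate side (YOURLAN)  192.168.1.0/24  on FastEthernet0/0
!   tenant link               172.16.1.0/30   on FastEthernet0/1 (Linksys WAN = 172.16.1.2)
!   tenant LAN                172.17.1.0/24   behind the Linksys
!   provider link             203.0.113.2/30  on Serial0/0
!
! Inbound filter on the tenant interface: anything from that port that is
! aimed at the corporate side is dropped, everything else is forwarded.
ip access-list extended TENANT-IN
 remark tenant may reach the Internet but never the corporate network
 deny   ip any 192.168.1.0 0.0.0.255
 permit ip any any
!
! Inside hosts that get translated onto the serial address (both LANs)
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
 permit 172.16.1.0 0.0.0.3
 permit 172.17.1.0 0.0.0.255
!
interface FastEthernet0/0
 description corporate side, toward the PIX
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface FastEthernet0/1
 description tenant uplink, crossover cable to the Linksys WAN port
 ip address 172.16.1.1 255.255.255.252
 ip access-group TENANT-IN in
 ip nat inside
 no shutdown
!
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
ip nat inside source list NAT-INSIDE interface Serial0/0 overload
ip route 0.0.0.0 0.0.0.0 Serial0/0
! Only needed if the Linksys routes (does not NAT) the tenant LAN
ip route 172.17.1.0 255.255.255.0 172.16.1.2
!
! Router management (telnet/ssh to the vty lines) from the corporate side only,
! so the tenant cannot log in to the box that separates the two networks
ip access-list standard MGMT
 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class MGMT in
```

To check it, confirm with "show ip interface brief" that FastEthernet0/1 shows up/up once the crossover cable is in and "no shutdown" has been entered, then from a tenant workstation ping a corporate host and an Internet host: "show access-lists TENANT-IN" should show the deny counter rising for the first and the permit counter for the second, and "show ip nat translations" should list the tenant's flows translated to the Serial0/0 address. This design puts both LANs behind the one serial address, so the spare public IP from the original question is not needed for it.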
 
How much of this is already public IPs?
Does only your perimeter router have a public IP, or do your 2 existing interfaces and the outside of the PIX have public IPs?




If the router has all public addresses and your PIX has a public address on its outside interface,

you can play around with ip unnumbered and NAT.

i.e-

interface Serial0/0
 ip address 1.2.3.4 255.255.255.0
 ip nat outside

interface FastEthernet0/0
 ip address whatever

interface FastEthernet0/1
 ip unnumbered Serial0/0
 ip nat inside

This is just an untested thought to kick around.
 