CISCO 857 NO NAT/FIREWALL Config?
  • CISCO 857 NO NAT/FIREWALL Config?

    Hi to all, a newbie on the Petri forum.

    Very long winded so please bear with me.....

    I have a Cisco 857 ADSL router together with a Watchguard X2500 firewall. I am trying to use the firewall as an endpoint for our VPNs so need to disable NAT and firewall on the 857 and use the router as a "dumb modem" rather than the fully functional device that it is.

    I need to use the Cisco purely as a medium to connect to the internet and allow our Watchguard to act as the VPN and firewall.

    I have a pool of public IP addresses but want to merely use publics on all 3 interfaces - router, internal and external plus the firewall. I haven't much Cisco experience, so I have cobbled together a config which not surprisingly doesn't work. Can someone please have a look at the config and see where I am wrong (or even let me know where I am right!!)?

    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    !
    hostname XXXX_ADSL
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200
    logging console critical
    enable secret 5 XXXXXXXXXXX
    !
    no aaa new-model
    !
    ip subnet-zero
    !
    !
    ip cef
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    no ip bootp server
    ip domain name XXXXXXXXXX.co.uk
    ip name-server 82.112.104.177
    ip name-server 82.112.104.178
    !
    !
    !
    username admin privilege 15 secret 5 XXXXXXXXXX
    !
    !
    archive
    log config
    hidekeys
    !
    !
    ip tcp synwait-time 10
    !
    !
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet0
    ip address X.X.X.74 255.255.255.248
    no shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet1
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface Dialer0
    ip address X.X.X.73 255.255.255.248
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname [email protected]
    ppp chap password 7 XXXXXXXXXXXX
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    login local
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end


    Many thanks

    Simon

  • #2
    Re: CISCO 857 NO NAT/FIREWALL Config?

    We have almost the same situation except that we wanted to deactivate the firewall, allocate the router the first IP address and have the rest of the IP addresses being passed through to any of the Fast Ethernet interfaces.
    With a little help from our reseller we arrived at this...
    ===================================

    !This is the running config of the router: 123.124.125.126
    !----------------------------------------------------------------------------
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname xxxxxxxx.yyyyyyy.co.uk
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    !
    no aaa new-model
    clock timezone PCTime 0
    clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
    !
    crypto pki trustpoint TP-self-signed-115674303
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-115674303
    revocation-check none
    rsakeypair TP-self-signed-115674303
    !
    !
    crypto pki certificate chain TP-self-signed-115674303
    certificate self-signed 01
    quit
    !
    !
    ip cef
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip name-server 212.69.40.3
    ip name-server 212.69.36.3
    !
    !
    !
    username xxxxxxx privilege 15 secret 5 $1$FLTQ$SjD5kBp5DASHiUgAxI.SL1
    username yyyyyyy privilege 3 secret 5 $1$l4yr$mSmHGgqhrhy6dRPxUzDwK.
    !
    !
    archive
    log config
    hidekeys
    !
    !
    !
    bridge irb
    !
    !
    interface ATM0
    description --- ADSL connection to Internet ---
    no ip address
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    description WAN
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
    description Office
    ip address 123.124.125.126 255.255.255.248
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    no autostate
    !
    interface Dialer0
    description Internet
    ip unnumbered Vlan1
    ip virtual-reassembly
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname [email protected]
    ppp chap password 0 abcdefghi
    !
    no ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 0.0.0.0 0.0.0.0 212.69.63.55 !First Hop
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    dialer-list 1 protocol ip permit
    no cdp run
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    login local
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    sntp server 194.164.127.4
    sntp server 194.207.34.9
    sntp source-interface Dialer0
    end
    =======================================

    There may be extraneous stuff in this config, but all I can say is that it works fine. The router has the first address and the subsequent addresses are being used by the firewall that sits behind the Cisco and masquerades four of the IP addresses for web servers and other services that we present to the outside world.

    Cheers

    Chris
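    As an added defender's check (written for this thread, not code from either poster or from Cisco), the script below parses an IOS running-config of the kind pasted above and flags management services that stay reachable from the Internet once the router sits on public addresses with NAT and the inspect firewall removed; it also reports any leftover `ip nat` or `ip inspect` lines that would defeat the "dumb modem" goal. `SAMPLE_CONFIG` is a constructed excerpt that mirrors the shape of both posted configs, not anyone's real running-config, and the finding ids are my own names.

    ```python
    # Added example (not from the thread): audit an IOS config for management
    # services left open when the router runs without NAT or an inspect firewall.
    import re

    # Constructed excerpt mirroring the shape of the configs posted above.
    SAMPLE_CONFIG = """\
    ip http server
    ip http access-class 23
    interface Dialer0
     ppp chap password 0 abcdefghi
    !
    line vty 0 4
     transport input telnet ssh
    !
    end
    """

    def audit_ios_config(text):
        """Return a sorted list of finding ids for one running-config."""
        lines = [l.strip() for l in text.splitlines()]
        findings = set()
        # Numbered and named ACLs actually defined somewhere in the config.
        acls = {m.group(1) for l in lines
                for m in [re.match(r"(?:ip access-list \S+|access-list) (\S+)", l)] if m}
        if any(re.search(r"\bpassword 0 \S+", l) for l in lines):
            findings.add("cleartext-ppp-password")     # type 0 = unencrypted
        for key, fid in (("ip nat ", "nat-still-configured"),
                         ("ip inspect ", "inspect-firewall-still-configured")):
            if any(l.startswith(key) for l in lines):
                findings.add(fid)                      # 'dumb modem' goal not met
        if "ip http server" in lines:
            acl = next((l.split()[-1] for l in lines
                        if l.startswith("ip http access-class ")), None)
            if acl is None:
                findings.add("http-mgmt-unrestricted")
            elif acl not in acls:
                # IOS treats an access-class naming an undefined ACL as permit-all.
                findings.add("http-access-class-undefined")
        in_vty, vty_acl = False, False
        for l in lines:
            if l.startswith("line vty"):
                in_vty = True
            elif l.startswith(("line ", "!", "end")):
                in_vty = False
            elif in_vty and l.startswith("transport input") and "telnet" in l:
                findings.add("vty-telnet-enabled")
            elif in_vty and l.startswith("access-class"):
                vty_acl = True
        if any(l.startswith("line vty") for l in lines) and not vty_acl:
            findings.add("vty-unrestricted")           # no access-class on vty
        return sorted(findings)
    ```

    Run it over either config from this thread (with the certificate section dropped) to see which of these apply; on the first poster's config it reports the `ip http access-class 23` that references an access-list the config never defines.
    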
