Configuration help needed on Router and Firewall front


  • Configuration help needed on Router and Firewall front

    Hi Everybody,

    I am a newbie in the WAN platform and need your support here. I have a multilink configured from the same ISP, who has given me 2 pools of /29 IP scheme (public addresses). As of now I have configured it in this way in my router. But I need to utilize the public addresses in such a way that I configure NAT on my firewall (SonicWall). Please do suggest how I can go about the changes in the configuration. Do I need to add any route to point towards the firewall?

    Also, my ISP provider says he is unable to ping my multilink IP from his end, and neither can I. Does any access list need to be applied to permit ICMP traffic here?

    Find the configuration details with altered IP addresses.

    ***************************************

    interface Multilink10
    ip address 172.1.1.1 255.255.255.252
    ip nat outside
    load-interval 30
    ppp multilink
    ppp multilink group 10
    !
    interface FastEthernet0/0
    ! (not using as of now)
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
    ip address 11.1.1.1 255.0.0.0
    ip nat inside
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 10.45.1.1 255.255.0.0
    ip nat inside
    load-interval 30
    duplex auto
    speed auto
    !
    interface Serial0/0/0
    bandwidth 2048
    no ip address
    encapsulation ppp
    load-interval 30
    no fair-queue
    ppp multilink
    ppp multilink group 10
    !
    interface Serial0/0/1
    no ip address
    shutdown
    clockrate 2000000
    !
    interface Serial0/1/0
    bandwidth 2048
    no ip address
    encapsulation ppp
    load-interval 30
    no fair-queue
    ppp multilink
    ppp multilink group 10
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Multilink10
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat pool BJPinternet x.x.x.226 x.x.x.235 netmask 255.255.255.240
    ip nat inside source list 10 pool BJPinternet overload
    !
    access-list 10 permit 10.0.0.0 0.255.255.255
    access-list 23 permit 10.10.10.0 0.0.0.7
    !
    control-plane

    **********************************

    Thanks in Advance,
    Max_csco
    Last edited by max_csco; 26th February 2009, 03:35.

  • #2
    Re: Configuration help needed on Router and Firewall front

    I wanna know if I can assign a public IP on router fa0/1?

    If that is the case, the first available IP in my public pool (x.x.x.224/29), I suppose x.x.x.225, on fa0/0 with "ip nat inside" and "ip nat outside" on multilink.

    Then, do I need to assign the next available IP in the public pool on my firewall WAN interface, i.e. x.x.x.226/29?

    Please do suggest.



    • #3
      Re: Configuration help needed on Router and Firewall front

      If the router config you are showing is the perimeter router (customer edge) that physically connects to the ISP, then I do not understand why you are configuring private address space on the router interfaces along with enabling NAT. I would think you would 1) disable NAT, and 2) use public address space on the router interfaces. Then let the firewall that connects to this router (SonicWall) do the NATing for your internal networks.

      I looked through some old configs I had on decommissioned internet circuits and found this. Might help explain my comments above. The only difference is I am using Frame Relay encapsulation instead of PPP, but the topology is the same as what you are describing in your post. The main difference is I am using public IP addresses on this router before it's handed off to the firewall. Basically, the router is configured to do nothing more than "route" packets to/from the Multilink circuit. The firewall's "outside" interface connects to this router and has an IP address of 70.xx.xx.2. Its default gateway points to the router's 70.xx.xx.1 address. All NATing is done on the firewall.

      Code:
      interface MFR0
       description Multilink Frame Relay for Serial Interfaces S0/0/0 and S0/1/0
       no ip address
       frame-relay multilink bid Corporate-3MB
      !
      interface MFR0.1 point-to-point
       description Sub-Interface for MLFR. To ISP router
       ip address 68.xx.xx.14 255.255.255.252
       frame-relay interface-dlci 668 IETF
      !
      interface FastEthernet0/0
       description Connection to Firewall (70.xx.xx.2)
       ip address 70.xx.xx.1 255.255.255.192
       ip verify unicast reverse-path
       no ip redirects
       no ip unreachables
       no ip proxy-arp
       duplex full
       speed 100
      !
      interface Serial0/0/0
       description Connection to ISP SmartJack, circuit ID 45/.....
       no ip address
       encapsulation frame-relay MFR0
       no arp frame-relay
      !
      interface Serial0/1/0
       description Connection to ISP SmartJack, circuit ID 45/.....
       no ip address
       encapsulation frame-relay MFR0
       no arp frame-relay
      !
      ip route 0.0.0.0 0.0.0.0 68.xx.xx.13

      Think of the design in this way... The ISP has configured their router (provider edge) to route netblock 70.xx.xx.0/26 to this router's multilink frame relay IP address of 68.xx.xx.14.

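Applied to the original poster's PPP multilink router, the route-only design described in reply #3 could look like the configuration below. This is an added example, not a configuration posted by anyone in the thread: the 203.0.113.x addresses are constructed stand-ins for the masked x.x.x pools, and the assumption is that the ISP routes both /29 blocks to the router's Multilink10 address and that the second /29 is used only by the firewall for NAT.

```cisco
! Constructed addressing (documentation range), standing in for the page's
! masked pools:  203.0.113.224/29 = first /29,  203.0.113.232/29 = second /29
!
! 1. Remove NAT from the router: rule, pool, ACL, and interface roles.
!    If IOS reports the mapping is in use, run "clear ip nat translation *"
!    from exec mode first.
no ip nat inside source list 10 pool BJPinternet overload
no ip nat pool BJPinternet
no access-list 10
!
interface Multilink10
 no ip nat outside
!
interface FastEthernet0/0
 no ip nat inside
!
! 2. Firewall-facing port gets the first usable address of the first /29.
!    The three "no ip ..." lines mirror the hardening in reply #3's config.
interface FastEthernet0/1
 description Connection to firewall WAN (203.0.113.226)
 no ip nat inside
 ip address 203.0.113.225 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! 3. The first /29 is directly connected on Fa0/1, so it needs no static route.
!    The second /29 sits on no router interface (assumption: the firewall owns
!    it for NAT), so the router needs a route for it via the firewall.
ip route 203.0.113.232 255.255.255.248 203.0.113.226
!
! 4. Default route toward the ISP is unchanged from the original post.
ip route 0.0.0.0 0.0.0.0 Multilink10
!
! Firewall side (set in the firewall's own interface, not IOS):
!   WAN address 203.0.113.226/29, default gateway 203.0.113.225,
!   LAN 10.45.1.1/16, and all NAT for 10.0.0.0/8 performed there.
```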


      • #4
        Re: Configuration help needed on Router and Firewall front

        Thanks for your Response

        Do I need to add any static route pointing towards the firewall if I assign public IP addresses on the router fa0/1 and firewall WAN interfaces?

        If, for example, x.x.x.224/29 is my public IP pool,
        I will assign x.x.x.25/29 on router fa0/1 and x.x.x.26 on the firewall WAN interface, and 10.45.1.1 on the firewall LAN interface. Is that the correct way?

        And do I need to assign any access list in the router for my internal subnets?
        Last edited by max_csco; 26th February 2009, 23:48.



        • #5
          Re: Configuration help needed on Router and Firewall front

          Hi Dear,

          It will become very feasible if you can provide the topology of your setup.

          But I will try my level best to solve your problem.

          1) In the firewall, just configure a private IP (192.168.168.240/24) on the outside interface, and just provide the default route in the PIX towards your router:
          0.0.0.0 0.0.0.0 192.168.168.253

          2) In the router, provide the same IP pool (192.168.168.253/24) which you have provided on the outside interface of the PIX to one interface of the router.

          Now put the public IP (222.2.2.1) on another interface of the router, the one that is going to connect to the ISP router.

          In the router, give the default route towards your ISP router.

          In the ISP router, one interface is connected with your router; just assign that public IP pool.

          Another interface is going to the ISP MUX, and that IP is different and can only be set by the ISP.

          I suppose the diagram should be

          PIX------>-your Router-------->ISP router(In Customer premises)>------->MUX-------ISP POP.

          If you have any doubt, let me know.

          Cheers
          DT
