Cisco Switching/Routing :: 2621 / Public IPs / How To Use Less On An Interface
Jul 24, 2012
I have a 2621 that I am configuring on the internet. My ISP gives me a static DHCP assigned address and then two more static addresses that are not part of the same block. (e.g. 1.2.3.4 is static via dhcp and then they give me 5.6.7.8/30).
I have fa0/0 getting 1.2.3.4 ia dhcp. I have 5.6.7.8 on a loopback interface for PAT/NAT as I have the main one on fa0/0 doing vpn to a remote ASA. The problem is that I have yet another device that needs a public IP, mainly 5.6.7.9... I want to hook that device up to fa0/2 (this box has three fa interfaces). How do I setup fa0/2 if I want to give the device on it a real live public IP address? I have done this before, but it must have been 10 years back on an even older CISCO and I can not remember how I did it.
I've got a 2621 configured as my main gateway to the internet - right now it's obtaining a DHCP ip from a the ISP's proprietary router set to bridged mode.
As of now, I'm unable to ping the internal interface of the router. I can ping external IP's only, even though I have DNS servers listed, i am unable to resolve host names. I'm running a few servers to which people are able to connect to my web server, among other services. I even have a crypto map setup to another 2621 across the country and can ping all internal ips on the other end... I JUST CANNOT PING THE INTERNAL INTERFACE of the router!!
I've noticed that when I ping the router during it's boot process (using linux un-interupted) I get a response in a very short window, then dies again. I'll post my config below:
How would I go about giving a server on the inside interface of my ASA a public IP address. I have a /28 on the outside interface and I'd like to give a server a public IP and not NAT.
I'd not sure how to go about getting this done.
show run nat= nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.192_27 NETWORK_OBJ_192.168.0.192_27 no-proxy-arp route-lookup nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.0.192_27 NETWORK_OBJ_192.168.0.192_27 no-proxy-arp route-lookup(code)
I need to setup a vlan between the 6509 and 2621 router. This needs to be a VLAN (200) the runs between the devices that uses DOT1Q trunking. The end result is all the networks (vlans) on the 6509 can talk to the LAN on the 2600 (10.133.22.0 / 23) and visa versa.
Device 1 6509 with CatOS / IOS Config I did on the MSFC: Interface Vlan 200 ip address 10.10.10.1 255.255.255.248
Setup is like this: Poly com IP phones -> Cisco 2960 switches -> Cisco 2621XM router running 12.28(r). A Windows 2003 server running on HP Proliant DL380 G4 with the correct DHCP scope is configured for the IP phones, also sitting on a Cisco 2960 switch.
A typical port config on the 2960 is: interface FastEthernet0/1 switchport mode access switchport voice vlan 60 mls qos trust cos auto qos voip trust spanning-tree portfast spanning-tree bpduguard enable
Relevant section of the config on the 2621XM router: interface FastEthernet0/0 no ip address no ip redirects no ip proxy-arp ip pim sparse-dense-mode [Code] .......
This used to work on a Windows 2000 server which sat on different piece of hardware, but stopped immediately after the migration to Windows 2003 server was done. There was no change on the router or switches prior to or after the server migration. I see DHCP server log on the 2003 server giving DHCP NACK because the phones are apparently asking for IP's in the data VLAN.
I have a lab setup to take my CCNA and CCNP and I'm having issues trying to get WAN connectivity back to a switch at the end of my network. My lab environment consists of 1 - 2950 switch, 1 - 2620 and 1 - 2621XM. I have 1 Ethernet connection from each router to the switch and 1 serial connection from the 2620 to the 2621XM. I have the serial interfaces in a shutdown state right now so there is no loop since I do not have Spanning tree setup on the ports on the switch yet.
Right now using the fast ethernet ports on the routers and I have no issues its when I shut down those Ethernet ports and try using the serial interfaces when I start having issues. So my network layout is Ethernet from switch port f0/4 to port f0/0 on 2620 and serial from s0/1 on the 2620 to s0/2 on the 2621XM. My 2621XM f0/1 is whats connected to the WAN and I have no issues getting to the WAN from my 2621Xm or my 2620 but when I try pinging any website or even my WAN default gateway from my switch I get nothing!
Ive also noticed that when I do a IP NAT translation (after accessing the WAN from my 2620) on my 2621XM the source IP is of my serial connection not the ip of my 2620 router? I have my default gateway on the 2620 as the the IP of my serial interface on the 2621XM and vice versa because my LAN network is 172.16.1.0 and my WAN is 172.16.9.0. I have a /31 setup between my serial connections 172.16.11.0 (s0/1) is on the 2620 and 172.16.11.1(s0/2) is on the 2621XM. I used the SDM (ver 2.5) to setup NAT to have f0/1 with Nat outside and s0/2 as Nat inside. Encapsulation is HDLC between the serial links. Ive attached the running configs of the switch and routers.
I have a Cisco ASA 5505 and I have my internal and external interfaces configured but I currently cannot ping from the inside to an IP Address on the outside. I had this setup and working and I have another set of equirement that I am replacing that is working with my service provider so I know it is a configuration issue. When I ping 4.2.2.2 for example I get:
Destination host unreachable
Do I need to add a static route from my inside interface to my outside interfaces?
I have a quick query which i need ratified before proceeding. I have the following scenario -
Two Cisco 3750v2 switches with stackwiseISP allocated block of /26 (64 addresses)8 customers each with a VLAN and SVIInternet facing VLAN and SVIDefault route to ISP router Lets say the ISP has given me the network range 10.10.10.0/26 (we'll assume this is routable on the internet for the purposes of this example) and a default gateway to the internet of 10.10.10.1 within this range. I have configured a public facing VLAN as follows -
VLAN 300 name PUBLIC int VLAN 300 IP Address 10.10.10.2 255.255.255.252
I have then created a default route as follows -
ip route 0.0.0.0 0.0.0.0 10.10.10.1
With this configured, the switch can successfully route upstream to the internet with no problems. I have then moved onto the customers and depending on what service they have purchased, I have subnetted the 10.10.10.0/26 range into smaller subnets. See as follows -
Customer A - 10.10.10.4/30 Gateway IP - 10.10.10.5 Useable IPs - 10.10.10.6 Customer B - 10.10.10.8/29 Gateway IP - 10.10.10.9 Useable IPs - 10.10.10.10 - 10.10.10.14
This continues for each customer depending on how many IP's the have purchased. I have then assigned these IP ranges to a customer VLAN and SVI as follows -
Customer A VLAN 10 name CUST-A-VLAN int VLAN 10 ip address 10.10.10.5 255.255.255.252
[code].....
It is then up to the customer as to what equipment they use and how they NAT or firewall their internal networks.
I have a Cisco 2821 Router. Its ethernet Interface(E1) is connected to an ISP's Gateway.The outside interface IP is 207.x.x.1, The ISP has given 6 public IPs (202.x.x.1- 202.x.x.6) to use in LAN.
I have configured the router`s Internal Interface(E0) with a public IP address. (i.e. 202.x.x.1)
My Internal LAN PCs are in a private range of 192.168.1.0/24 subnet. Now I wanted my PC users to access the Internet while the Routers public IP remains on internal interface. How can I do the same?
I have a spare 2621 sitting on my desk and i would like to run a little experiment. i had two LAN segments that are seperated right now, but would like to stick this router between them and route traffic between them?
Current configuration : 1221 bytes ! version 12.2 service timestamps debug uptime service timestamps log uptime no service password-encryption(code)
I'm moving into a new data center. I don't consider myself a network engineer or anything but I do understand the basics. The new data center I am moving into routes my network to me a bit differently than my old data center. The IOS on the Cisco 2621 is: c2600-i-mz.123-26.bin
I am assigned a /29 block which they configure as the routing network, it looks like this: Routing Network: A.A.A.0Routing Network Sub net Mask: 255.255.255.248Routing Network Def Gateway: A.A.A.1Customer Usable Address: A.A.A.4
I've been assigned a /28 block which is B.B.B.240/28. They stated that in order for me to use my allocated blocks, I had to act as my own gateway, routing the traffic through the routing network. This goes just a bit beyond my networking knowledge, though I still understand it, I just don't know exactly how to execute. I'm assuming my 2621 with 2 Fast Ethernet interfaces should be able to handle this routing scenario.
Any sample configs, or possible a link to a how to to get this setup? I was going to use FreeBSD to do the routing, but a appliance based Cisco router is much more attractive of an option to me.
My main issue was trying to connect virtuelly via GNS3 and my router setup on it. I have three Cisco 2621 XM routers set up. They all came with 2 Fast Ethernet ports. However, only one of them has a Serial port. So, what I'm doing is connecting the routers together with the fast ethernet ports using crossover cables. So, I baselined two routers to start with. Very simple AAA, set up IP HTTP server, IP HTTP Secure Server, etc. Privledge lvl 15 access, etc.
I then set my Router A's inside Fa0/1 port with a 192.168.1.0/24 network. The outside port Fa0/0 is 10.0.0.0/30 network.Router B is set up similar, 192. 168. 2. 0/24 insice Fa0/1, Fa0/0 is 10.0.0.0/30 network outside. So, three networks 192.168.1.0, 192.168.2.0, 10.0.0.0 network. [code] I then repeated the same on Router B, just transposing 2.0 network for interesting traffic, and Peer 10.0.0.2 for the Fa0/0 interface on Router A.When I "test" the tunnel, I get an error message. So, since I'm connected to Router B (which was working, had routing, and had Router A's network 1.0 in it's routing table), the error msg says that I need to add a route into the routing table (192.168.1.0). It was there up until I attempted to put the VPN in place. It's like it stopped the routing.
At face value, it looks like this should be working! But when I debug the ospf process, it looks like hello packets aren't tranversing across to the other side. Is it because I just have the 192.xxx.xxx.xxx networks as "interesting" traffic? Can I have multiple networks marked as "interesting"? I thought that's what the peer statements were doing to allow the tunnel to be established.
I've got a 1U server that has Citrix XenServer 5.6 installed on it. It has 2 physical ethernet interfaces, both connected to the same network switch, one interface has a public IP address on it and the 2nd interface has a private rfc1918 address on it (this can be changed if necessary). I use the private1918 interface to do administrative tasks, transfer data amongst the servers and guest VMs, etc. I'm given a /29 IP address allocation by a friend to use for my servers (using his FTTP internet connection). I want to set up a few guest VMs, but really most of them do not need to be using public IP addresses.
Is there a way to NAT the public interface on XenServer so that guest VMs can use rfc1918 addresses & get online, instead of using the few IP addresses I am given? Also how would I enable portforwards so that I can get applications to work like asterisk, SMTP, etc.?
We have Cisco IP phones behind a 2600 series router:Most of the time when the PBX receives a packet from the phone, the source IP of the packet is set to the public IP of the router (1.2.3.4) as expected. However, once in a while, we get packets (at the PBX) with the source IP set to the private IP of the phone (10.0.0.12).The router is configured by our provider, and they can't give us any explanation for this behaviour. Is it safe to assume that PAT is not configured properly at the router?
the cisco 2921 Router has a default ip hhtp access class command found in it. Just i changed the default IP to the new ip i will use.The Router is accessable from the LAN only but not from the internet configured the Public ip . I think this is due to the standard access list 23 . how will i access the Router from the Internet using the Public IP.
This is existing network diagram and find attached file for configuration of Router and L3 Switch:ISP provided 6 Mbps internet access link with ethernet Handoff which is terminated over Cisco 1841.ISP also provided pool of 30 Public ip's 125.63.74.33 /27 , range from 125.63.74.34 to 125.63.74.62.In my current setup, all Inside to ouside traffic going out through 125.63.74.34 public ip because this public-ip NAT overload with Router F0/1 interface.
1) I want to divide 6 Mbps link physically into three parts 2Mbps, 2Mbps, 2Mbps for three VLANs.
2) I want to also configure each vlan IN/OUT traffic with different Public ip. is it possible or not ?
Vlan2 = 172.25.162.0 /24 => Inside to outside / Outside to inside traffic through 125.63.74.40 Vlan3 = 172.25.163.0 /24 => Inside to outside / Outside to inside traffic through 125.63.74.41 Vlan4 = 172.25 164.0 /24 => Inside to outside / Outside to inside traffic through 125.63.74.42
How can i configure above desired setup with CBWFQ
I have two Windows Boxes connected to RV042 ; each has its own static IP assigned to it and each runs bunch of virtual machines , for which I had configured port forwarding .My hosting company claims that my server(s) are listening on IP 192.168.0.1 on a public interface (i.e., one that uplinks to their network). They see this same IP on two different MACs my uplink interface. I am not really sure how it is possible since 192.168.0.1 was assigned to router itself.
We have a 2911 Router running 15.0(1)M4. G 0/0 is our LAN interface, and it has three subinterfacesG0/0.1 is our data LAN, and the gateway for our Windows machines. This is the interface this question concerns.G0/0.23 is a separate LAN for various equipmentG0/0.192 is another LAN for equipmentG 0/1 is connected to the internet, and has a public address.S 0/0/0 is a T1 PPP, connected to our core data centerS 0/1/0 is a backup T1 PPP, again, connected to our core data center.There are three static routes entered:ip route 0.0.0.0 0.0.0.0 10.12.1.1 100 This is the first PPPip route 0.0.0.0 0.0.0.0 10.13.1.1 200 This is the secondary PPPip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 255 It currently has a cost of 255 while i figure this one out. xxx.xxx.xxx.xxx represents the cable company gateway, which I can ping properly. I've also used "gigabitethernet 0/1" in place of the next hop ip with the same results. The public interface is properly connected, and can ping it's next hop (the cable company gateway). When I change the static route for gigabitethernet 0/1 to a cost of "0", the router can properly ping DNS names, such as google.com through the public interface.
However, devices on the data LAN cannot reach any public addresses except for the router's public interface, let alone DNS names (I am using 8.8.8.8 as my test IP). If I revert the cost back to 255, making the PPP the gateway of last resort, these devices can again connect. (they travel through the PPP to our Data center's internet)
This confuses me. If our server, on the same LAN as the router can ping the public interface (it's definitley not leaving the 2911, as latency is less than 1ms), and the router itself can ping outside addresses, what is preventing the router's public interface from passing traffic to the internet from any source other than itself? I have attached our running config in the hopes that there is something obvious I'm missing (the public ip addresses have been changed so they are not exposed). I simply want clients on our 10.23.0.0 LAN to get to the internet via the public interface of the local router, and still connect to corporate resources using the PPP links. MAS_2911#sho run
Building configuration...
Current configuration : 5666 bytes ! ! Last configuration change at 01:47:50 eastern Sat Sep 24 2011 by redacted
We have many remote offices that we want to add public wifi and a couple of other services that would be completely outside of our internal network. Each office has a 3750 with plenty of open ports. How can I safely create a vlan for public access on these switches which currently have our internal network on. I have read that people are doing this to save on the cost of purchasing a dedicated switch. Some people are using access lists and one person mentioned creating a private vlan for the public network. I looked up private vlan and it seemed bit confusing.
I have an ASA 5505 configured with internal network, a DMZ, and a VPN on seperate subnets. The implicit rules allow my internal client computers to connect to the web servers on the DMZ IP, but I can not connect to the public NAT address from the internal network. I have a DNS server on my internal network and it does resolve to the public IP correctly. NAT seems to be working correctly because if I go outside the network and connect to the public IP or qualified name then I can get to everything correctly. I do not see any messages in the Cisco logs and the packet trace tool shows the route of http from an internal IP adddress to the external (NATed) address is allowed.
Specifically, I can go to http://192.168.1.121 from the internal (192.168.0/24) network, but I can not go to http://72.22.214.121 (the NAT address) from the internal network. If I am outside my cisco then I can go to http://72.22.214.121 easily. [code]
I'm building a new colo presence with a full class C of public IP's. The idea is to connect to our ISP with a 3750x switchstack and they will be providing two ethernet drops that conect directly into two seperate switches on their side with HSRP and BGP at the routing level, so we will just point to their virtual IP (gateway address).I'm not sure how to either segment the public ip block or statically route each ip address and the interaction of vlans/svi with HSRP groups. Just use the switch at layer 2 or handle the internal routing with eigrp or ospf at layer3?
getting my additional IP addresses working on my ASA 5510. I have a /29 allocation and outbound access and inbound access to my internal www server is working fine through the default outside interface. However, I now need to setup a second IP address that maps internally to a different web server. When I setup a new network object with automatic NAT translation to the new IP address, it does not work. If I setup the same scenario using the outside interface, it works fine. What is the proper way to setup additional IP address on my ASA v8.4?
Our ASA 5510 was configured with a public interface, a DMZ interface, and a private interface. I have a remote access VPN using AnyConnect client and LDAP authentication for Active Directory. We are changing ISP (groan!), which means all new public IP addresses. The new circuit is installed, so I have a second public interface (same security level as the first public interface, wholly different IP address range) enabled on the ASA. I hope to transition whatever I can, which means get the VPN access through either public interface. Can I just enable client access on the second public interface at the Anyconnect Connection Profiles tab in ASDM? That seems too simple. Can they share the one address pool?
I have a Cisco ASA 5520 (Ver 8.2(4)) with all four interfaces in use (Public, Private, DMZ, Local offices) and an IPS module, so there are no spare interfaces. I have used all of Public IP's on the current interface for various services (these need one to one mapping, so I can't port map mainly due to SSL certificate issues) and I need to add another Public IP range. The secondary option on ASA interfaces does not exist as on routers/switches and I need to use an additional non contiguous IP address range for additional services advertised on the Public interface that are NAT'd to be servers in my DMZ.
I have seen an example of adding a static arp on the Private interface to allow a secondary gateway to be used for outbound traffic, but I need to allow 14 new IP addresses to be NAT'd from the Public to DMZ and possibly also for outbound NAT'ing (from either Private or DMZ to the Public). I have a L2 switch between the ISP router and the firewall, so using VLAN's is not an option unless the ISP can be persuaded (highly unlikey) to add the seondary IP's as a sub interface with tagging. Anyway if this was actioned then we would have a massive outage on our current IP range during the transistion.
we have two Cisco ASA 5510 in failover configuration.We tried to change the public IP address on the Outside interface of the primary device but it didn't works. The new IP is not reachable from Internet nor pingable from device on the same LAN.The new IP address is in the same subnet of the old IP.
From the switch on which the ASA is connected and from another Cisco PIX we can see the ARP entry. In the analysis, on the old public IP address there was a VPN site-to-site and Webvpn defined.We tried also to shut/no shut the interface and reboot the device.
I have run out of public facing IP addresses and I need more. Assuming I have been issued 1.1.1.0/24 and my new/additional range/subnet issued is 2.2.2/0/24 - Can I carry on with the same configuration on my ASA5510 and just add static NAT for new services in the 2.2.2.0/24 range.
i.e.existing config route 0.0.0.0 0.0.0.0 1.1.1.254 (upstream ISP) Interface outside ip address 1.1.1.1 255.255.255.0 NAT 2.2.2.1 to 10.1.2.3
or, assume my ISP will deliver 2.2.2.1 to my outside interface (1.1.1.1.1/24) and if my NAT is in place it will get delivered to 10.1.2.3 inside. or, put another way I dont need change my set-up as I just static route to my ISP!
my real public IP is a /27 can I use my broadcast address (its a legit public IP address)?
i.e 1.2.3.0/27 = 1.2.3.1 to 1.2.3.31 Outside interface = 1.2.3.1/27
Can I use 1.2.3.31 and NAT it to an internal server?
Got an ASA5525-X with 8.6 release. We have an inside interface (10.11.1.0/24) and a DMZ interface (10.254.1.0/24). On that DMZ interface theres an SMTP server; by using the Public server feature in ASDM we created a rule so we have mapped the 10.254.1.29 internal ip to an external ip 217.x.x.x Everything is fine; working ok, but for several reasons we need to access the public ip 217.x.x.x from an inside ip (10.11.1.10). I tried to do it by creating an exemption for the dynamic nat; if i don't do that i have a 'deny ip spoof from...' message rolling on my syslogs.Seems to do the trick.....but only for pings! i ping the public ip from the inside ip, and got the reply from the internal ip on the DMZ. But if i want to telnet port 25 from inside to public; its not working.
how to totaly disable Admin/ASDM access on our public interface of our 5510. I don't want to change IPSec or SSL access to the outside interface. Just totaly disable access to Admin/ASDM from the outside without halting all other access.
Quick question here. Using 3750E series switches with multiple VLANS configured. These switches serve as our 'core'. I have SVIs configured for the different VLANs and add inbound ACLs in each of the SVIs to control traffic between VLANS. This switch also terminates a P2P Ethernet link which connects to our Colo facility. The port used for this is configured as an L3 port. I noticed today that I was able to send traffic across this L3 link that I thought should have been blocked by an ACL I had in place but it wasn't. So the traffic flowed from a port in say VLAN 20 across this L3 link (assigned with an IP address). Would this traffic flow not cause traffic to be checked against an ACL applied in the inbound direction on the SVI of VLAN 20 (int vlan 20)? Traffic does get checked when routing between SVIs. Why would it not get checked when routing between SVI and L3 interface?
On a pair of my CISCO7609-s (engine:sup720-3B IOS Version:12.2(33)SRD4),some interfaces is configured as routing interface but also them are attend MSTP caculation and i really caught BPDU packet go out from these ports. [code]
We got a layer3 switched network, with one vlan for every switch, routed by a cat4006. [code] So can we put some ports on different switches in, let`s say vlan 50, with different ips? For example, Port 0/3 on Switch 1 and 0/8 on Switch 2, but keeping the ip of the "old" vlan? Or is it necessary to configure a specified vlan interface with ip-adress for every vlan if i want to route it?
I am a recent student to Cisco products and I have purchased some (what I thought was good) lab equipment to learn with on a budget. What I have is a 2948G switch and a 2620 router. My issue is this: the router has only one fast Ethernet port. Is it possible to use V LAN's and V LAN Interfaces on the router and switch to somehow emulate a second interface to connect to a WAN or sub net?
i've got a Cisco 877 router connected to an ADSL link. i'm using the show dsl interface atm just to have a look on its performance. i've tried to search on Cisco website on how to interpret the output but a blog gave me more info [URL]. My question now is, what readings do i consider? is it on the left (ATU-R) or on the right (ATU-C)?
