cisco 1801 router config help please

quackers · 10 Mar 2015 at 19:19

Hi all,

as a learning exercise I've been having a play with an old Cisco 1801 router, I have a little test setup at home and the plan is to put it behind a Cisco pix 501 and have a play with Vlans from a Cisco 2950 switch and some test domains.

So, before even attempting to do that I wanted to make sure that I could get something working. The current setup is like this:

netgear router -- 1801 router -- laptop on a static ip
192.168.1.1 -- 192.168.1.100 - 192.168.2.101 -- 192.168.2.102

Using this config below and natting, the laptop can ping the netgear router (192.168.1.1) and access the internet.

******************************************
Router#show run
Building configuration...

Current configuration : 1250 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
dot11 syslog
!
!
ip cef
!
!
ip name-server 192.168.1.1
!
multilink bundle-name authenticated
!
!
vtp mode transparent
!
!
archive
log config
hidekeys
!
!
vlan 2
!
!
!
!
interface FastEthernet0
ip address 192.168.1.100 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Vlan1
ip address 192.168.2.101 255.255.255.0
ip nat inside
ip virtual-reassembly
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0 overload
!
access-list 101 permit ip any any
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
********************************************

I don't want to be natting as the Pix will do this so I'm attempting to set it up like the tutorial in this link.

http://www.parkansky.com/tutorials/dmz.htm

For the life of me I can't get it working, I've all removed the natting bits on the inside/outside and the access lists above.

From the laptop 192.168.2.102 i can ping the vlan1 address 192.168.2.101 and fa0 192.168.1.100 but not the gateway of 192.168.1.1

I'm thinking that I need access-lists and i've tried lots

access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 permit any

And other various attempts on both interfaces in and out and I'm getting nothing, I have a feeling I'm missing something daft and it's doing my nut in now

Anyone got any ideas what's missing?

bluebeatle · 11 Mar 2015 at 15:09

Does the Netgear router have a route to your laptop subnet? Without the NAT it won't know how to forward to the IP of your Laptop without a route back.

quackers · 11 Mar 2015 at 16:30

Hi,

it probably doesnt as it's just a normal home broadband router, is that the problem i wonder?

bluebeatle · 11 Mar 2015 at 17:00

Adding a route should not be to hard. I think your problem will be the NAT on the Netgear will only work for the directly attached subnet. Getting NAT to work with the laptop subnet to allow internet access may require some creative networking.

quackers · 12 Mar 2015 at 13:11

Hi,

thanks for the help, I don't think the little netgear will do what's needed. I'll put the cisco router behind the pix and give that a bash

paradigm · 12 Mar 2015 at 13:36

What is the netgear in question?

The only home-grade router I've come across that wouldn't allow for any static routing was the piece of dirt provided by talktalk.#

That said, you won't regret ditching your consumer-grade kit in favour of proper equipment

quackers · 12 Mar 2015 at 19:50

It's a netgear wgr614, it's quite old now but I've just had a look and I can add static routes in. I'll give that a go when I get a chance over the weekend

quackers · 16 Mar 2015 at 13:29

Hi,

just so you know and if anyone else looks at this thread, I got it working this morning. I had to put the static route on the netgear router as bluebeatle had suggested and two in and out access rules on the FA0 interface and all was good.

Thanks for pointing me in the right direction

bluebeatle · 16 Mar 2015 at 13:36

Nice one. Glad to hear you got it working OK.

quackers · 16 Mar 2015 at 13:42

Thanks for the help, the next plan is to put it in place behind the Pix, should be fun

paradigm · 16 Mar 2015 at 13:51

With you only having a 501 remember that you'll be using the older syntax nat rules.

Also, don't bother with PDM

I'd be tempted to grab a cheap 515e, at least they are more like a current generation ASA in both CLI and the fact that they can be managed through ASDM.

quackers · 16 Mar 2015 at 14:03

I thought the cli on the 515 was similar to the 501, I'll have a look on ebay at them now.

I did look at the asa5500 on ebay but in the hundreds they are a little out of my price range for messing around with at home.

paradigm · 16 Mar 2015 at 14:29

It depends on what version of PixOS you get on your 515e (note the e). 515e will run 8.04 (and ASDM 6.1) which isn't far removed from the commands on a 5500 (assuming pre 8.3).

quackers · 16 Mar 2015 at 15:02

Right, thanks for the advice. Prices dont seem too bad, anywhere from 50 - 80