Cisco gurus. Get in here!

Discussion in 'OT Technology' started by SLED, May 17, 2005.

  1. SLED

    SLED build an idiot proof device and someone else will

    Joined:
    Sep 20, 2001
    Messages:
    28,118
    Likes Received:
    0
    Location:
    AZ, like a bauce!
    OK Cisco experts, I have been using this sample config at our T1 customers until now. We're now installing Cyberguard firewalls behind the Ciscos to do VPN, QoS, etc. Let me start off by saying that I know little to nothing about IOS or even routing in general. What I would like is this:

    The 2600 routers are there really just for the CSU/DSU and outside routing. I would like it to do no filtering and just have the internal Cyberguard do all the dirty work. I would imagine that the Cyberguard's WAN interface would need to have an external address to do this. Right now it is set up to NAT to a class A network (via the 2600) and then the Cyberguard NATs the class A to the internal class C. This is really just a temporary deal until I get this figured out. So I would imagine that I need to assign an IP address to the serial interface of the 2600, and another to the FastEthernet, and then yet another to the Cyberguard WAN port? Then I'm guessing some routing magic has to happen. I'm not sure what I need to do, or where to start. It seems like a pretty simple configuration, but I'm not a network guy. Thanks for the help. Here is what my crazy configuration looks like now:


    :bowdown: :bowdown:
     
    Last edited: May 17, 2005
  2. SLED

    SLED build an idiot proof device and someone else will

    balzz? :hsugh:
     
  3. ShapeShifterz

    ShapeShifterz Longtime Lurker

    Joined:
    Mar 15, 2000
    Messages:
    183
    Likes Received:
    0
    Location:
    Bay Area, CA
    Typically, from my experience, the serial interface will have a network address that is on the same subnet as the ISP's. Then the other interface (ethernet 0/0) will have an IP from your public address space. The firewall's WAN interface will also have an address from this space. Not familiar with Cyberguard, but you'll somehow let it know what your public address space is so that it will 'listen' for those IPs in addition to its own WAN IP. Lastly, the default gateway on this 2600 should be the serial interface.
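
The routed layout described in the post above, written out as an IOS configuration sketch. This is an added example, not part of the original post or thread; the interface names and every address are assumptions (documentation-range placeholders), and the vty restriction at the end is an added hardening step the thread does not mention.

```cisco
! Constructed example. Placeholder addressing (assumptions, not from the thread):
!   192.0.2.0/30    ISP-assigned T1 link subnet (router = .2, ISP = .1)
!   203.0.113.0/29  public block the ISP routes to this site
!
! No "ip nat" and no "ip access-group" statements appear on either
! interface: the 2600 only routes, and all filtering and translation
! is left to the firewall behind it.
!
interface Serial0/0
 description T1 to ISP
 ip address 192.0.2.2 255.255.255.252
 no shutdown
!
interface FastEthernet0/0
 description Public segment to firewall WAN port
 ip address 203.0.113.1 255.255.255.248
 no shutdown
!
! Default route out the serial link, as the post describes.
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
! Firewall side (configured on the firewall, shown here as comments):
!   WAN address      203.0.113.2 255.255.255.248
!   default gateway  203.0.113.1
!   remaining addresses in the /29 are available to the firewall
!   for any public IPs it answers for in addition to its own.
!
! Added hardening (assumption): with no transit filtering, the router's
! own management plane still faces the internet, so limit who may open
! a vty session to hosts on the public segment.
access-list 10 permit 203.0.113.0 0.0.0.7
line vty 0 4
 access-class 10 in
 login
!
no ip http server
```

Because nothing on the router translates addresses in this layout, IP protocols without port numbers are forwarded to the firewall like any other routed traffic.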
     
  4. Rob

    Rob OT Supporter

    Joined:
    Jul 6, 2002
    Messages:
    88,629
    Likes Received:
    41
    Location:
    Atlanta, GA
    First I would create a new private subnet, 192.168.1.0/255.255.255.252 for example. Set the router ethernet to 192.168.1.1 and the watchguard to 192.168.1.2.

    I would then set up a 1 to 1 static NAT mapping.
     
    Last edited: May 17, 2005
  5. SLED

    SLED build an idiot proof device and someone else will

    This was my original plan, but the Cisco doesn't know about the protocol GRE, which is used with the VPN technology on the Cyberguard. So in other words, I have no way of telling the Cisco, route all GRE traffic to internal address 192.168.1.2 or whatever. I'm thinking that I'll just have to set up simple routing on my main router's end to get it done. Ah well. I have somebody coming out tomorrow to help me look at it. Thanks guys.
     
  6. Rob

    Rob OT Supporter

    Let us know what the guy tomorrow (today) says. :x:
     
  7. SLED

    SLED build an idiot proof device and someone else will

    will do, meeting him later this morning. :coold:
     
