So, we've had the two weeks from hell with a Verizon DSL install — but after four man days of our time spent, they finally have that working. But, now I'm struggling with our LAN config.
In short, I have a Verizon DSL connection with 5 static IPs. I want to NAT most of our machines through 1 static IP, and then the balance of static IPs would be used for public facing devices.
The design is:
Verizon DSL Modem -> Cisco 2600 E1/0 …
Cisco 2600 E0/0 -> 24 port managed switch
The 2600's public interface is at 69.24.8.18.
Below is the config that I currently have tried.
10.20.60.0-255 is the private addresses for the LAN (e0/0). I would like the Cisco to give these out via DHCP. The dns-server 68.94.156.1 68.94.157.1
are good DNS servers. This all looks to be working fine.
69.24.8.18-22
are our static IPs with Verizon. 69.24.8.1
is the default route through Verizon. Subnet mask is 255.255.255.0
69.24.8.18 is the 2600 address as I said. 69.24.8.19
is the NAT pool address for 10.20.60.xxx addresses to share — but I would love to conserve the IPs and make this pool use the same as the router address (69.24.8.18). I think that's possible, right?
192.168.1.1 is the address of the Verizon DSL Router. 192.168.1.10
is the address of the Cisco on that segment for convenience sake.
The switch is where I'd like to plug in all VoIP phones, and computers into … whether they have a 10.20.60.xxx or have a public address (e.g., 69.24.8.20-22
). Is that doable?
This can't be that hard — but I'm thinking I'm pretty lame. Any advice?
Cisco-2600#wr
Building configuration...
[OK]
Cisco-2600#sho run
Building configuration...
Current configuration : 2126 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname Cisco-2600
!
logging buffered 4096 debugging
no logging console
enable secret 5 $1$bNtd$Zc9axgSjxOr4nrts9kJVb/
enable password 7 010109114F0E0B0A
!
!
!
!
!
memory-size iomem 15
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
no ip source-route
ip dhcp excluded-address 10.20.60.1 10.20.60.99
ip dhcp excluded-address 10.20.60.200 10.20.60.254
!
ip dhcp pool dhcp-MainLAN
network 10.20.60.0 255.255.255.0
domain-name something.com
default-router 10.20.60.1
dns-server 68.94.156.1 68.94.157.1
lease 0 2
!
no ip bootp server
!
!
!
interface Loopback1
no ip address
!
interface Ethernet0/0
description Lakefield Private LAN
ip address 10.20.60.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
no ip mroute-cache
half-duplex
no cdp enable
!
interface Ethernet0/1
no ip address
no ip redirects
no ip mroute-cache
shutdown
half-duplex
no cdp enable
!
interface Ethernet1/0
description Verizon-DSL
ip address 69.24.8.18 255.255.255.0
ip nat outside
no ip mroute-cache
half-duplex
no cdp enable
!
router rip
network 10.0.0.0
network 69.0.0.0
!
ip nat pool NAT-Pool 69.24.8.19 69.24.8.19 netmask 255.255.255.0
ip nat inside source list 1 pool NAT-Pool overload
ip classless
ip route 0.0.0.0 0.0.0.0 69.24.8.1
no ip http server
!
logging trap debugging
logging facility local0
access-list 1 permit 10.20.60.0 0.0.0.255
no cdp run
snmp-server engineID local 000000090200003080F34140
snmp-server community RO RO
snmp-server community Cisco-2600 RO
snmp-server community public RO
banner login ^CC
********************************************
* This is a private network. No *
* unauthorized usage without *
* permission. Thank you. *
********************************************
^C
!
line con 0
exec-timeout 60 0
login
line aux 0
line vty 0 4
exec-timeout 1440 0
password 7 0519091A3549430C
login
!
ntp clock-period 17179828
ntp server 192.6.38.127
end
Cisco-2600#
Best Answer
I hate to suggest something non-cisco, but you are running older end of life'd Cisco routers -- so I will. When my PIX 506e burned up, I replaced it with a tinsy system from LogicSupply running Vyatta and have been nothing but impressed.
I just shipped out a production VMWare machine running 6 static IP's, 3 internal networks (10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24), all natting out of one IP, and all 6 external IP's randomly port forwarding inward with no respect for any one to one mappings.
If you had a spare machine you could replace the 2600 with, or purchase something solid state from LogicSupply -- you would be extremely impressed with Vyatta .. and want to shoot yourself in the foot for using the 2600 for anything but a doorstop.
It goes without saying -- but you've posted your private IP's, router, router config, and hashed password online. Your going to change that password right?