From: Gregory Gombas (ggombas@gmail.com)
Date: Wed Dec 10 2008 - 21:15:11 ARST
Thanks, I guess that's what froggie meant by putting the ISP router in
bridge mode as well...unless of course the ISP has no ethernet
connections either...
On Wed, Dec 10, 2008 at 4:33 PM, Mark Cairns <m.a.cairns@gmail.com> wrote:
> Greg,
>
> That would make sense. My configuration was used to extend a subnet between
> ethernet segments on different routers. I did not need to communicate
> directly between ethernet devices and devices on the serial interface
> (frame-relay in my case).
>
> I guess I would ask the ISP to rebuild the circuit and give you a /30 to the
> router and a separate IP address which is routed to you. Then you can do
> what you need without a complicated configuration.
>
> Mark
>
> On Wed, Dec 10, 2008 at 4:02 PM, Gregory Gombas <ggombas@gmail.com> wrote:
>>
>> Hi Mark,
>>
>> I tried configuring the router in the middle as you described, I
>> think the problem is that the firewall is trying to communicate to the
>> ISP router via ethernet encapsulation, and the ISP router is trying to
>> talk to the firewall using HDLC encapsulation. Therefore the firewall
>> cannot arp for the ISP router's
>> IP, and even forcing a bogus static arp is not working.
>>
>> Is the router that's doing the bridging supposed to do some sort of
>> protocol translation?
>>
>> Thanks,
>> Greg
>>
>> On Tue, Dec 9, 2008 at 1:48 PM, Mark Cairns <m.a.cairns@gmail.com> wrote:
>> > Greg,
>> >
>> > I've connected 2 LANs on different routers with a serial link between
>> > them
>> > in bridged mode like this:
>> >
>> > no ip routing
>> > bridge 1 protocol ieee
>> > int ethernet x/x
>> > bridge-group 1
>> > int serial x/x
>> > bridge-group 1
>> >
>> > Not sure if it will work in your scenario, as you didn't mention the
>> > configuration that you tested.
>> >
>> > Mark
>> >
>> > On Tue, Dec 9, 2008 at 1:32 PM, Gregory Gombas <ggombas@gmail.com>
>> > wrote:
>> >>
>> >> Thanks Long, I have considered the static NAT, but I was just
>> >> wondering if the bridge concept was even feasible.
>> >>
>> >> Regards,
>> >> Greg
>> >>
>> >> On Tue, Dec 9, 2008 at 1:25 PM, Long Nguyen <longoc@gmail.com> wrote:
>> >> > Maybe you could use a static one-to-one NAT to the firewall?
>> >> >
>> >> >
>> >> > Long Nguyen
>> >> >
>> >> >
>> >> >
>> >> > On Tue, Dec 9, 2008 at 10:22 AM, Gregory Gombas <ggombas@gmail.com>
>> >> > wrote:
>> >> >>
>> >> >> Hi Gang,
>> >> >>
>> >> >> My client has a Cisco router with a T1 connection to the internet.
>> >> >> They were only allocated one IP from the ISP and that is assigned to
>> >> >> the serial interface of the Cisco router.
>> >> >> Currently the router is doing the NAT'ing and firewall functions for
>> >> >> the internal network, but they would like to install a separate
>> >> >> firewall behind the router so they can control the filtering and NAT
>> >> >> translations from this new firewall instead of the router.
>> >> >>
>> >> >> Can I put the router into bridge mode so that I can assign the
>> >> >> internet address directly to the firewall? I tried testing this in
>> >> >> my
>> >> >> lab but the problem is the arp requests from the firewall are
>> >> >> failing
>> >> >> due to the difference in encapsulations.
>> >> >>
>> >> >> The setup looks like this:
>> >> >>
>> >> >> ISP (55.55.55.1/30)
>> >> >> |
>> >> >> Router
>> >> >> |
>> >> >> Firewall (55.55.55.2/30)
>> >> >> |
>> >> >> Internal Network (192.168.1.0/24)
>> >> >>
>> >> >> Is this even feasible?
>> >> >>
>> >> >> Thanks,
>> >> >> Greg
>> >> >>
>> >> >>
>> >> >> Blogs and organic groups at http://www.ccie.net
>> >> >>
>> >> >>
>> >> >> _______________________________________________________________________
>> >> >> Subscription information may be found at:
>> >> >> http://www.groupstudy.com/list/CCIELab.html
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:08 ARST