superkingkon (Member) join:2010-05-27, Boston, MA

HELP>> Separate home network and Cisco home lab

Hi guys,

I have a home network and a Cisco lab. I would like to connect them together, but both of them have different IP ranges.

Home network: 10.10.10.0
Cisco lab: 192.168.1.1

My current topology:
Comcast -- cable modem -- Linksys WRT54G -- home network -- ??? -- Cisco lab

How can I connect both of them together? Do I place a router in the middle? I have a spare Cisco 2620 router.

I want to do this so that when I am connected to the home network, I can surf the web and also telnet to my Cisco lab. Also, I can telnet/SSH from outside to my lab when I'm outstation.

I would appreciate it if you could guide me through this, thanks.
meta (Member) join:2004-12-27

[four attached images]
The core issue in doing that is going to be the fact your Linksys doesn't have a route to a not-directly-connected network (e.g. your lab and its networks).

The way I see it you have 4 options:

Option 0: Don't connect the lab to the internet; use a serial terminal server to manage the equipment. It completely isolates the lab.

Option A: Add another NAT device in front of the lab so that the linksys has a return path to the equipment.

Option Blue: Replace the linksys with a real router and hang the lan, the lab, and the interwebs off different interfaces.

Option IV: Do Blue but use logical sub-interfaces and build a dot1q trunk to a switch and put them in different vlans on the same switch. This requires you have a switch that does 802.1q trunks and supports vlans etc.

(edited to attach pictures, also hellfire smells funny.)
(Images were created with over 9000 hours in MS PAINT.)
superkingkon (Member) join:2010-05-27, Boston, MA

Thanks for the options.

I would like to know more on Option A and Option Blue.

But let's do Option A first.

If I'm going to add a router between the Linksys and the lab, what will be the configuration on the Linksys and also on the router?

On the Linksys, I can see port forwarding, but it forwards to an IP that is in the same subnet. As I've explained earlier, the home network and the lab will be in different networks.

Sorry, I'm still new and learning.

I'd appreciate it if I could get further help here. Thanks in advance.
meta (Member) join:2004-12-27

The advantage of option A is that it requires no changes to the Linksys. It would be ignorant of any information behind the other NAT device. You could use an old router (like the 2600) or a PIX/ASA or whatever to NAT the lab networks behind it to an IP on the current LAN subnet of 10.10.10.X.

Blue is imo the cleaner option. If you are interested in more capability, you can replace the Linksys altogether with a router that supports this kind of LAN-to-LAN routing. While you could probably rig the 2600 to do it, it would probably be painfully slow (the 2600s were T1 and lower routers, and will choke on the 5 or 10 meg cable available now).

If you have a budget to do it right, there are cheap 3725s on eBay that will perform all the functions of a residential gateway (sans wireless; keep the WRT54G, turn off DHCP, etc., and treat it like a standalone AP) and perform dynamic routing with the lab.

In the end what it all boils down to is that whatever the default gateway for one network is needs to know how to get to the other network(s) and the internet.
superkingkon (Member) join:2010-05-27, Boston, MA

The reason I'm choosing A is that the Linksys router doesn't belong to me. I'm living with a housemate, so I prefer not to touch that part.

If I really have to replace the Linksys, like Option Blue, I can change that, but I don't have the budget for a 3700 series router. I just spent a couple of hundred on a few 2600s and XMs and maxed memory + accessories :P

Anyway, I'll be using a 2600 for option A; care to guide me on the configuration?

Thanks in advance.
meta (Member) join:2004-12-27

The base config is very simple. If you pretend the LAN is "the internet" and just perform an outbound PAT on the Cisco, it will work.

If you need explicit configuration still, post interface names, IPs, where they are plugged in, etc.

TomS_ (MVM) join:2002-07-19, London, UK, to superkingkon

The Linksys should have the ability to configure static routes, or even run RIP.

So you just connect one of the interfaces on one of your lab routers to your Linksys, give that interface an IP on your LAN, add a static route on the Linksys for the lab IP range pointing to the IP address of the lab router, and then on the lab router add a default route pointing back towards the Linksys.

All other lab devices then default route via the lab router connected to the Linksys.

The only catch here will be whether the Linksys will perform NAT on IPs other than the subnet it itself sits in. Worst case scenario is that the lab router connected to the Linksys needs to NAT the lab IP range, so your LAN will be single NATed through the Linksys, but the lab will be double NATed through the lab router then the Linksys.

But hey, it is a lab.
jmillermo (Member) join:2010-05-02, Tokyo, Japan, to superkingkon

I use TomS_'s approach with my network. My router will perform NAT on any address you send through it, so it doesn't cause me any problems.
superkingkon (Member) join:2010-05-27, Boston, MA

Hey nosx,

Thanks for the info.
As I'm a beginner, I might need some explicit details.
Here is my info ...

comcast -- linksys -- FA0/0(R1)FA0/1 -- 2950 -- R2/R3/R4

FA0/0 on R1 IP: 10.10.10.254
FA0/1 on R1 IP: 192.168.1.1

Thanks in advance
superkingkon (Member) to TomS_

Hi TomS_,

Thanks for the info.
Kinda confused by your brief explanation :P ... I'm still new.
Care to show me the detailed steps based on the topology/info above?

I would like to learn as much as possible... different steps, different scenarios.

Thank you very much

TomS_ (MVM) join:2002-07-19, London, UK

Hi, sorry, it was too brief. :-)

If you have a router that has two ethernet interfaces, or perhaps a router and switch that you can do VLAN trunking with, use one of the ethernet interfaces or a sub-interface and connect it to your existing Linksys router with an ethernet cable, just like you would connect any other device.

Give this interface an IP address in your LAN subnet, and add a default route towards the Linksys so that your lab router can get out to the Internet.

Then using the other ethernet interface on the lab router, or another sub-interface, connect to other equipment in your lab using your lab subnet. Something like the following diagram:

[Internet]----[Linksys]----[lab router]----[lab switch]----[lab devices]
                  |
                  +----[LAN device]
                  |
                  +----[LAN device]
 

or perhaps

[Internet]----[Linksys]----[lab switch]----[lab router]
                  |              |
                  |              +----[lab devices]
                  |
                  +----[LAN device]
                  |
                  +----[LAN device]
 

In the second diagram, the lab switch port that is connected to the Linksys would be an access port in say VLAN 2, and the switch ports that the other lab devices are connected to might be access ports in VLAN 3. VLAN 2 and 3 are then trunked into the lab router.
superkingkon (Member) join:2010-05-27, Boston, MA

Thanks for the info.

There is nothing to be sorry for. I should thank you for being patient with me.

I think I'll go for the first option as I want to keep my Cisco equipment for the lab only.

So, the equipment line-up would be:

internet -- linksys -- Fa0/0(Cisco R1)Fa0/1 -- 2950 -- lab devices

Linksys WRT54G IP: 10.10.10.1

So, on my R1, I should do:

config t
config#int fa0/0
config(int)#ip address 10.10.10.254 255.255.255.0
config(int)#int fa0/1
config(int)#ip address 192.168.1.1 255.255.255.0
exit
exit
#ip route 0.0.0.0 0.0.0.0 10.10.10.1

Is that it?

On my other lab devices, I'll add the same default route?
#ip route 0.0.0.0 0.0.0.0 10.10.10.1

And if I want to telnet from the home network (10.10.10.0) to the lab, can I just telnet to 192.168.1.3 (one of the other routers in the lab)?

Thank you very much

TomS_ (MVM) join:2002-07-19, London, UK

said by superkingkon:

on my other lab devices, i'll add the same default route?
#ip route 0.0.0.0 0.0.0.0 10.10.10.1
Spot on for everything but the above (and one less exit).

Your other lab devices will need to default route via 192.168.1.1, as that's the IP address on the interface facing the lab on the router connected to the Linksys.

Make sure you add a static route on your Linksys to route 192.168.1.0/24 via 10.10.10.254 though, otherwise your LAN devices won't know how to get to the lab devices.

superkingkon (Member) join:2010-05-27, Boston, MA

said by TomS_:

Make sure you add a static route on your Linksys to route 192.168.1.0/24 via 10.10.10.254 though, otherwise your LAN devices won't know how to get to the lab devices.


I'm not sure if the Linksys WRT54G is able to add a default route.
I'll try to look for it when I get home later. I'm still in the office.

By the way, do I need any ACL on the router for further protection? Like enabling only telnet or SSH?

Second question: if I'm going to SSH from the internet to my home Cisco lab, what address do I need to use? As I can see on the Linksys WRT54G router, port forwarding is only able to forward to its own network, that is 10.10.10.0 ... but my lab is 192.168.1.0.

I'd appreciate it if you could help me with these questions, thanks.

TomS_ (MVM) join:2002-07-19, London, UK

You don't add a default route on the Linksys, just a static route to route the lab subnet to the lab router.

I'm not sure how you do it on a Linksys, as I don't tend to use them, but you should be able to do this easily.

If you want access to your devices from outside your network you'll need one or more port forwards configured on the Linksys; I think they call them "virtual servers", or did at one stage.

Forward, for example, TCP port 23 to 10.10.10.254, then you can telnet to the WAN IP of the Linksys to gain access to the first lab router (providing your ISP doesn't block telnet into your network). From there you can telnet to any of the other devices.

For SSH you need to forward TCP port 22, but you also need to have an IOS on your router(s) that supports crypto features.

You might be better off, as suggested, setting up a console server using something like a 2509, and then allowing telnet/SSH into that. You can then use the console server to access all of your other devices.

Otherwise, get yourself an old/cheapie PC, install Linux or FreeBSD, and forward TCP port 22 to that box. You will then SSH into that box, and use it to telnet or SSH into your lab gear.

You can use an ACL to lock down where you are allowed to telnet to/from. This is probably a good idea, but you will need to know exactly where you will be telnetting from on the outside, and allow only those IPs. If you are moving around a lot, or the IP address you will be telnetting from changes all the time, you might be better off with my suggestion above of setting up a Linux/FreeBSD server and using that as your method for external access.
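An added example of the ACL lock-down TomS_ mentions, written by the editor rather than taken from the thread: a minimal hardening of the VTY lines on the 2600 that the Linksys port forward lands on, so the router accepts SSH only, from a short list of sources, with a local account and a login throttle. It assumes the thread's addressing (house LAN 10.10.10.0/24), an IOS image with crypto features, and placeholders (the outside address 203.0.113.10, the account name and its secret) that you replace with your own.

```cisco
! Added example: VTY hardening on the lab-edge 2600 (not a config from the thread).
! Assumes: house LAN is 10.10.10.0/24, IOS with crypto (k9) features,
! 203.0.113.10 is a placeholder for the one outside address you administer from.
hostname R1
ip domain-name lab.example
! RSA key pair for SSH; hostname and domain-name must be set before this.
! Use 2048 bits where the IOS image and platform allow it.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! A named local account instead of a shared line password (placeholder secret).
username labadmin privilege 15 secret CHANGE-ME-placeholder
!
! Who may open a management session to this router at all.
ip access-list standard ACL_MGMT_SOURCES
 permit 10.10.10.0 0.0.0.255
 permit host 203.0.113.10
 deny   any log
!
line vty 0 4
 access-class ACL_MGMT_SOURCES in
 transport input ssh
 login local
 exec-timeout 10 0
line con 0
 login local
 exec-timeout 10 0
!
! Throttle password guessing: after 5 failures within 60 s, refuse logins for 120 s.
login block-for 120 attempts 5 within 60
```

With `transport input ssh` the router itself no longer answers telnet, so the Linksys forward would point TCP 22 at it; from the router's own CLI you then telnet onward to the lab devices, which stay reachable only from behind it. `show ip ssh` confirms the SSH version and key are in place, and the hit counter on the `deny any log` line of `show access-lists ACL_MGMT_SOURCES` shows how often a session from somewhere else was turned away.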
superkingkon (Member) join:2010-05-27, Boston, MA

[attached screenshots: Static Route page; Routing table]
Hi,

I'm facing quite a few problems.

First off, my Cisco router interface IPs:

R2#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.10.10.10     YES manual up                    up
Serial0/0              unassigned      YES NVRAM  administratively down down
FastEthernet0/1        192.168.1.254   YES manual up                    up
Serial0/1              unassigned      YES NVRAM  administratively down down
R2#

From the router, I'm able to ping the Linksys - 10.10.10.1
From the router, I'm able to ping my PC - 192.168.1.8

But I can't ping the Linksys from my PC:
192.168.1.8 can't ping 10.10.10.1

My PC can ping the router fa0/0 - 10.10.10.10 and fa0/1 - 192.168.1.254

My PC settings:
ip: 192.168.1.8
subnet: 255.255.255.0
gateway: 192.168.1.254

I'd appreciate it if you could help me further, thanks.

Oh, on my Linksys, I'm not sure how to add a static route. Attached are 2 screenshots of the static route page and the routing table of the Linksys.

On that page, if I choose Router (not Gateway), all my home network devices are not able to get onto the net.

TomS_ (MVM) join:2002-07-19, London, UK, to superkingkon

You probably can't ping the Linksys, or, more technically correct, the Linksys doesn't know how to get back to your PC because you haven't yet added the route to the Linksys to tell it how to get back to your PC.

This is what the static route is meant to achieve, if you can figure out how to add it in.

Think of it like addressing a letter to someone, but not writing your return address on the envelope...

Can you leave it as Gateway and add in the route?

If not, I am sorry but I can't help you with that one. I'm not familiar with Linksys devices.

Time to start playing and discovering - part of the fun of networking.
superkingkon (Member) join:2010-05-27, Boston, MA

Great!

I'm 1 step closer.

OK, I've managed to add the static route - using Gateway.

destination IP: 192.168.1.0
subnet: 255.255.255.0
gateway: 10.10.10.10

And now the PC connected to the lab switch is able to ping the Linksys router - 10.10.10.1

Now, the problem is, I still can't access the web from the PC which is connected to the lab switch, and also can't ping any IP on the internet.

I'd appreciate it if you could please help, thanks.

TomS_ (MVM) join:2002-07-19, London, UK

It's probably a case of the Linksys not NATing traffic from IPs other than what is directly connected to it in the 10.10.10.0/24 subnet.

Not a lot you'll be able to do about that unless there's some security option or setting you can add in somewhere to allow it.

You might be interested in checking out DD-WRT or one of those similar types of projects. They open up a heck of a lot more functionality on certain Linksys devices above what comes in the standard factory firmware.

Alternatively, you could set up the router that you connected to the Linksys to perform NAT for the lab subnet.

Have fun.
meta (Member) join:2004-12-27

The default firmware on the WRT54G (I'm looking back in time to like 2004ish here) doesn't do what DD-WRT or some of the newer software mods do.

It was either a gateway OR a router. If you are using it as a NAT device, it wouldn't NAT or route back to anything else internally. If you were using it as a pure router, its NAT support was weak (broken).

The reason my options were supplied is that configuring another device with an IP on the 10.10.10.X LAN to PAT all the devices behind it would cause the Linksys to both NAT the outbound traffic to the internet, as well as return all traffic to the correct device (the PAT gateway for the lab).

In the other options (say Blue or IV) the other issue is that if your router doesn't support dynamic routing (e.g. OSPF or BGP) to learn how the lab "cloud" topology is set up, anything more complicated than a flat LAN on the back side wouldn't correctly return traffic.

That all aside, if you want to go with option A:
int fa0/0
 ip address 10.10.10.254 255.255.255.0
 ip nat outside
 no shut
 exit
int fa0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shut
 exit

ip nat inside source list ACL_MATCH_LOCAL interface FastEthernet0/0 overload

ip access-list extended ACL_MATCH_LOCAL
 permit ip 192.168.0.0 0.0.255.255 any
 deny   ip any any

! 10.10.10.1 is assumed to be the linksys
ip route 0.0.0.0 0.0.0.0 10.10.10.1
 
That will NAT anything in the 192.168 space behind the 2600 to the 10.10.10.254 IP so that the Linksys will NAT it to the internet and send return traffic to the 2600.

You will either need to reconfigure the PC and tweak the router config, or add port forwarding config on the Cisco, or NAT the lab devices out to different IPs in the 10.10.10. space, to initiate a connection from the outside (PC on 10.10.10.) to the inside (lab on 192.168.).

TomS_ (MVM) join:2002-07-19, London, UK

What he said.
superkingkon (Member) join:2010-05-27, Boston, MA, to meta

Thanks for the info.

On the Linksys advanced routing, I've managed to put in:

Gateway
RIP: disabled
dest ip: 192.168.1.0
subnet: 255.255.255.0
gateway: 10.10.10.10 - int fa0/0

Is the gateway correct? Should I leave RIP disabled?

Thanks for the configuration for my 2600. I'll try it at home tonight.

So, on the lab PC (192.168.1 space), what will be the gateway?
Also, on other lab devices (routers, switches), do I enter ip route 0.0.0.0 0.0.0.0 192.168.1.1 (IP for int fa0/1)?

By the way, I did that on my lab Cisco switch last night; it seems it doesn't recognize that command. Should I put in ip default-gateway 192.168.1.1? May I know what the difference is?

Thanks for being patient with me.
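As an added note on the ip route / ip default-gateway question just above, here is an example I wrote (not a config posted in the thread) for the lab 2950 and for one of the other lab routers. It assumes meta's option A addressing, with the 2600's lab-facing fa0/1 at 192.168.1.1, a made-up management address 192.168.1.250 for the 2950, and 192.168.1.3 for R2 as mentioned earlier in the thread.

```cisco
! Added example (not from the thread): management addressing for the lab switch
! and for another lab router. Assumes the 2600's lab-facing fa0/1 is 192.168.1.1.
!
! --- lab switch (2950) ---
! The 2950 is a Layer 2 switch: it does not route, so "ip route" is not
! accepted. "ip default-gateway" only tells the switch's own management
! stack (ping/telnet/ssh from the switch itself) where to send off-subnet
! traffic. Hosts plugged into the switch never use it; the lab PC needs
! 192.168.1.1 configured as its own gateway.
hostname LabSW
interface Vlan1
 ip address 192.168.1.250 255.255.255.0
 no shutdown
ip default-gateway 192.168.1.1
!
! --- another lab router (R2, R3, R4) ---
! Routers do route, so here the default static route is the right tool.
! A router with "ip routing" enabled ignores "ip default-gateway".
hostname R2
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

On R2, `show ip route` should list the 0.0.0.0/0 static pointing at 192.168.1.1; on the 2950, `show running-config | include default-gateway` confirms the setting, and a `ping 10.10.10.1` from the switch is the end-to-end check that the gateway and the 2600's PAT are doing their job.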
superkingkon (Member) to meta

said by meta:

You will either need to reconfigure the PC and tweak the router config, or add port forwarding config on the Cisco, or NAT the lab devices out to different IPs in the 10.10.10. space, to initiate a connection from the outside (PC on 10.10.10.) to the inside (lab on 192.168.).
Thanks for all the code.
After applying it, the routers/switches can ping 10.10.10.0 addresses and also ping IP addresses on the internet. The PCs in the lab are able to surf the net.

So, I guess going out is not a problem now.

The next thing is going into the lab devices. I couldn't telnet to or even ping the 192.168.1.0 network from the 10.10.10.0 network.

Second, I would like to telnet/SSH into the lab devices from the internet. On the Linksys, I think I can forward an IP and port. So, I think it should be ports 22 and 23 forwarded to 10.10.10.10 (int fa0/0), is that right?

Thanks for your patience, and I appreciate your help.
meta (Member) join:2004-12-27

Since the Linksys doesn't know what the 192.168. network is or how to get there, any traffic you send to it from your PC on the 10.10.10. net won't get there.

You will need to forward ports on the cisco, or configure static 1:1 nat rather than PAT on the cisco. These both fall under the category of "ip nat source static ...".

Example:
ip nat inside source static tcp 192.168.1.1 23 interface fa0/0 101
ip nat inside source static tcp 192.168.1.2 23 interface fa0/0 102
ip nat inside source static tcp 192.168.1.3 23 interface fa0/0 103

This is an example of what's commonly called "port forwarding", where different ports on the 10.10.10.10 IP are redirected to internal hosts on different ports.

In this case, if you telnet to 10.10.10.10 on tcp port 102, you would be forwarded to 192.168.1.2 on tcp port 23.

The other example would work by doing the same thing with different IPs instead of the same 10.10.10.10 interface IP.

Once you are "inside" the lab you would be able to telnet around from one device to another. I recommend using telnet everywhere inside the lab, since changing hostnames requires an SSH rekey. Sometimes you can accidentally lock yourself out of a device by changing its hostname, so its RSA pub-priv key pair no longer matches, so the SSH process on the router/switch refuses to use it and won't negotiate the crypto for an SSH session lol.
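An added example, not from the thread, that puts meta's port-forward lines together with an inbound filter on the outside interface, so the 2600 accepts only the forwarded ports, SSH to itself, and replies to sessions the lab opened. It assumes the interface addresses from superkingkon's `sh ip int brief` output (fa0/0 10.10.10.10, fa0/1 192.168.1.254), the three lab devices meta used, and a placeholder outside address 203.0.113.10 reached through the Linksys forward; the ACL names and the exact list of permitted ports are mine.

```cisco
! Added example (not from the thread): option A PAT, per-device port forwards,
! and an inbound filter on the outside interface.
! Assumes fa0/0 = 10.10.10.10 (house LAN side), fa0/1 = 192.168.1.254 (lab side),
! 203.0.113.10 = placeholder for the one outside address you administer from.
interface FastEthernet0/0
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
 ip access-group ACL_OUTSIDE_IN in
!
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
! Outbound PAT for the whole lab (same idea as meta's config).
ip access-list standard ACL_LAB_HOSTS
 permit 192.168.1.0 0.0.0.255
ip nat inside source list ACL_LAB_HOSTS interface FastEthernet0/0 overload
!
! One global port per lab device: 10.10.10.10:1xx -> device:23.
ip nat inside source static tcp 192.168.1.1 23 interface FastEthernet0/0 101
ip nat inside source static tcp 192.168.1.2 23 interface FastEthernet0/0 102
ip nat inside source static tcp 192.168.1.3 23 interface FastEthernet0/0 103
!
! Inbound filter on fa0/0. For packets arriving on the outside interface the
! ACL is evaluated before NAT, so it matches the global address 10.10.10.10
! and the global ports 101-103, not the translated lab addresses.
ip access-list extended ACL_OUTSIDE_IN
 remark replies to TCP sessions the lab opened through the PAT
 permit tcp any host 10.10.10.10 established
 remark DNS answers and ICMP replies for the lab and the 2600 itself
 permit udp any eq domain host 10.10.10.10
 permit icmp any host 10.10.10.10 echo-reply
 permit icmp any host 10.10.10.10 unreachable
 permit icmp any host 10.10.10.10 time-exceeded
 remark house LAN may ping the 2600, ssh to it, and use the forwarded telnet ports
 permit icmp 10.10.10.0 0.0.0.255 host 10.10.10.10 echo
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.10 eq 22
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.10 range 101 103
 remark the outside address you administer from (placeholder), via the Linksys forward
 permit tcp host 203.0.113.10 host 10.10.10.10 eq 22
 deny   ip any any log
```

The filter is stateless: `established` admits any TCP packet with ACK or RST set, which is enough to bring replies back through the PAT but is not a real firewall, so if the IOS image has the firewall feature set, `ip inspect` (CBAC) applied on fa0/1 would open return pinholes dynamically instead. `show ip nat translations` lists the three static entries and any active PAT sessions, and the per-line hit counters in `show access-lists ACL_OUTSIDE_IN` show a telnet to 10.10.10.10 port 102 being counted on the `range 101 103` line before it is translated to 192.168.1.2 port 23.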
superkingkon (Member) join:2010-05-27, Boston, MA

said by meta:

In this case, if you telnet to 10.10.10.10 on tcp port 102, you would be forwarded to 192.168.1.2 on tcp port 23.
Thanks for the great explanation.

For the example above, should it be TCP port 23 instead of 102? Or did I understand it wrongly?

So, on my Linksys, I'll still port forward 23 to 10.10.10.10, right?

Well, since telnet works in clear text, after this tutorial I will configure SSH access from the outside, not the inside (as you recommended). That means I'll port forward 22 to 10.10.10.10.

And on the router, I'll do
ip nat inside source static tcp 192.168.1.1 22 interface fa0/0 101

Is that correct?

As for the 101, 102 or 103... is it just a sequential representation for the NAT statement, or is it a port number?

Thanks for being patient with me.
meta (Member) join:2004-12-27

Those are the port numbers. You would telnet to port 101 to get to port 23 (telnet) on lab device 192.168.1.1, and 102 to get to port 23 on lab device 192.168.1.2, and so on and so forth.

If you forward port 22 or 23 on the Linksys to 10.10.10.10, you will be telnetting or SSHing into the 2600. This might not be a bad thing because you could in turn telnet or SSH FROM the 2600 deeper into the lab and use it like a jump box.
superkingkon (Member) join:2010-05-27, Boston, MA

said by meta:

Those are the port numbers. You would telnet to port 101 to get to port 23 (telnet) on lab device 192.168.1.1, and 102 to get to port 23 on lab device 192.168.1.2, and so on and so forth.

If you forward port 22 or 23 on the Linksys to 10.10.10.10, you will be telnetting or SSHing into the 2600. This might not be a bad thing because you could in turn telnet or SSH FROM the 2600 deeper into the lab and use it like a jump box.
Thanks. If I understand you correctly, in the home lab, if I telnet to 10.10.10.10 port 101, I'll be telnetting into 192.168.1.1 port 23 directly? And if I telnet to 10.10.10.10 port 23, I'll only be telnetting to the 2600, right?

On the Linksys, if I port forward 101 to 10.10.10.10, I'll be telnetting directly into 192.168.1.1 port 23, right? And if I forward port 23 to 10.10.10.10, I'll be telnetting into the 2600, right?

Thank you very much
superkingkon (Member) to meta

said by meta:

Blue is imo the cleaner option. If you are interested in more capability, you can replace the Linksys altogether with a router that supports this kind of LAN-to-LAN routing. While you could probably rig the 2600 to do it, it would probably be painfully slow (the 2600s were T1 and lower routers, and will choke on the 5 or 10 meg cable available now).
So if the 2600 couldn't take that speed and the current WRT54G is still doing well, does it mean the Linksys is better than the Cisco 2600?
meta (Member) join:2004-12-27

Your assessment regarding the port forwarding is correct. 101 on 10.10.10.10 forwards to 23 on 192.168.1.1, so you would forward an external port on the public IP attached to the Linksys outside interface to 101 on the 10.10.10.10 IP.

"Better" is a relative term. SOHO gear was built for fast, cheap speed and not a lot of reliability. The Cisco gear was built for features and stability. While the Linksys is certainly newer by many generations, the 2600s are very very old. I have a few ancient 2600s still running at work with an uptime approaching 7 years. Feature-wise there is no comparison; the Cisco boxes do much much more these days than just push packets.
superkingkon (Member) join:2010-05-27, Boston, MA

Thanks... I'll try out the port forwarding later when I get back home.

So, about Option Blue, 1 outside interface and 2 inside interfaces, can I use the same config as for the Option A router?

By the way, I see that lots of people are using the 870W/890W as a gateway. How is the performance compared to a 2600? What do you think of the 1721 as well?

Thank you.