Adding a Route – Cisco router

Tags:
Cisco
Cisco 1800
Cisco Routers
I have a Cisco 1800 series router to which I want to add a route so that all Internet access is routed through the cable router/modem. Right now all the traffic is going over the T1 via the Cisco router. What I want to do is keep everything as is and only have the Internet access routed through the other device. How would I add that to the Cisco 1800 series router? An example would be helpful. Thanks in advance.

Answer Wiki


To route everything to any device or interface, you need to add one of the following commands to the router:

ip route 0.0.0.0 0.0.0.0 a.b.c.d

or

ip route 0.0.0.0 0.0.0.0 {interface.x}

Where a.b.c.d is the IP address of the router that connects to the Internet, and {interface.x} is the outgoing interface. If this is a T1 or something like that, then it will be ip route 0.0.0.0 0.0.0.0 serial0, or whatever that interface is called.

So if the router had the cable interface attached to itself, then use the second command; if that is on another router, use the first one.

FYI – 0.0.0.0 0.0.0.0 means everything that is not already defined in the routing table, and is also known as the default route.

I hope this helps, but if you are still needing assistance, please post a simple diagram (draw it in paint or something like that if needed) and the configurations (remove any passwords first, and change the IP addresses of any public interfaces, we can work through that OK).

Regards,

Reg

Discuss This Question: 17  Replies

 
  • Kwt712
    Hi Reg, I have a T1 that goes from our main office to this Site A, where I have the Cisco router. At Site A the T1 is going into the Cisco 1800 series router. The router is going into the switch (all the PCs are connecting through this switch) and the Business Cable Modem/Router is plugged into the switch. Right now the T1 is allowing Site A to have the Internet from the main office, which I am trying to eliminate. The way it will work is all the Internet access will be from the new Business Cable Modem and all the other network access will be from the T1 in the Cisco router and to the Site A employees. Since I am not able to put a diagram up here, I have attached the link that you can use to access the diagram that I put together. http://www.4shared.com/file/113473275/3977299e/Basic_diagram.html I appreciate all your help with this. Thanks
  • BlankReg
    Thanks for the diagram, that really helps to understand your network. On the Cisco 1800, if you look at the config, it will have a route with 0.0.0.0 0.0.0.0 which either then has the IP address of the router at the Main Office, or it has the interface that the T1 is connected to, which will be serial something. This may be the only route, and if the Site A guys need to access anything at the Main Office, you will need to also add routes for the Main Office networks. If there are other routes, then ignore the next bit!

    You need to add these routes. They should look like the 0.0.0.0 0.0.0.0 ones, but replace the 0.0.0.0 0.0.0.0 with the subnets at the main office, and a reverse subnet mask. So if the network at the main office is 10.0.0.0 255.0.0.0 then the route to add is with the command

        ip route 10.0.0.0 0.255.255.255 serial0

    (or whatever is at the end of the existing route). When you have added all the routes to the Main Office networks, you can add the Internet route

        ip route 0.0.0.0 0.0.0.0 192.168.x.2

    This will send any traffic that doesn't match the Main Site routes you added, to the cable modem/router, and then out to the Internet. If I haven't made this clear enough, just copy the IP route commands that are on the Site A router, and the networks on the Main Office, in a message below, and I can send you back the exact config. We are nearly there :-)
  • Kwt712
    Hi Reg, I have copied the config of the Cisco 1800 series. The Cable Modem/Router that I am trying to use ONLY for the Internet has no static IP address. I will either have to use the DHCP address and make it a static in the Cisco router or call the vendor to add a static IP for me. Appreciate your help with this.
  • Kwt712
    http://www.4shared.com/file/113606929/89d5f338/Cisco1800.html I think I forgot to add the link to the config file in my previous message that I just posted.
  • Kwt712
    Just to give you more information. The cable modem has a DHCP 72.43.xx.xx with Subnet Mask 255.255.255.192 and gateway of 72.43.xx.xx. All the PCs on Site A are using a static IP address. So do I need to add the Cable Modem Gateway as the primary DNS and keep the one from the main office as a secondary DNS? I am really confused as to how to route traffic for the Internet separately from the T1, because the T1 is also hosting a very slow Internet connection from the main office that I don't want the users to access. I hope this helps. Currently we have a PC with static route, for example:

        IP: 192.168.xx.xx
        Subnet Mask: 255.255.255.0
        Gateway: 192.168.xx.xx
        Primary DNS: 192.168.0.xx (do I replace this with the cable modem gateway here, 72.43.xx.xx?)
        Secondary DNS: 192.168.0.xx

    Any help with this would be appreciated. Thanks
  • Kwt712
    Sorry to be a pain. Is there a free tool for me to monitor the traffic to see if this works correctly after I make your suggested changes? Thanks again
  • BlankReg
    No pain, no gain :-) Last thing first! You can go to http://www.whatsmyip.org/ and it will tell you what your IP address is that is going out on the Internet. If you try it now, from one of the PCs on Site A, you will see the Internet address of the Main site router, as that is the route out.

    The current config on the C1800 has a default route

        ip route 0.0.0.0 0.0.0.0 192.168.15.1

    This routes all non-local traffic to the main site, over the T1, including traffic to the Internet. What we need to do is pass this to the local cable modem. You are also using a routing protocol, EIGRP, and this is (I guess) also configured on the Main site router. That means we don't need to worry about adding routes for the Main Site resources, as this does it for us.

    What you now need to do is remove this 0.0.0.0 0.0.0.0 route, and change it to send this site's Internet traffic to the local cable modem. Connect the Cable Modem to the 1800, using the interface FastEthernet0/1. This may need a cross-over cable if the modem doesn't do this automatically. Now add the following config.

        conf t
        interface FastEthernet0/0
         ip nat inside
        interface FastEthernet0/1
         desc ** Link to Cable Modem **
         ip address dhcp
         ip nat outside
         no shut
        !
        ip nat inside source list 100 interface FastEthernet0/1 overload
        !
        access-list 100 permit ip 192.168.16.0 0.0.0.255 any
        !
        no ip route 0.0.0.0 0.0.0.0 192.168.15.1
        !
        end
        wr

    Check that the interface lights are on on the FastEthernet 0/1 interface, and on the Ethernet on the cable modem. Now what should happen is that the router gets an IP address from the cable modem, and should also get the default route, which it then adds to the routing table. The nat commands and the access list translate the local IP addresses to the IP address of the FastEthernet 0/1 interface, once it has got its IP from the cable modem, and it should all work (fingers crossed!).

    Let it settle down a bit, a couple of minutes should be enough, and do the command

        show ip interface brief

    You should see that the FastEthernet 0/1 now has an IP address. Then do the command

        show ip route

    You should see a route 0.0.0.0 0.0.0.0 despite the fact that we removed this, but now it has the destination of an address via the cable modem. Next try to access the Internet from one of the PCs on the LAN. If the route is not there, then you could try to add the command

        ip route 0.0.0.0 0.0.0.0 FastEthernet0/1

    But I am sure that is not necessary (it has been a while since I did one like this, I usually use an ASA firewall and the command to get the route is implicit in the dhcp command). That should be it. The Site A users will now use the cable modem for their Internet, and the Main Site will still use their local Internet, and the only traffic over the T1 will be site-to-site traffic. Let me know the result.
  • Kwt712
    Hi, thank you for giving me the configuration. I have the following already for FastEthernet 0/0:

        description abc
        ip address 192.168.16.x 255.255.255.0
        duplex auto
        speed auto

    You mention to add this:

        interface FastEthernet 0/0
         ip nat inside

    So I don't need the ip address 192.168.16.x 255.255.255.0 anymore. Please confirm. Thanks
  • BlankReg
    Sorry for not making it clear. The commands above are in addition to those already there. Just add these and the nat will work. You still need the IP address command and the description, speed and duplex for the interface to work correctly, but you don't need to do anything to keep these. I hope that is clearer?
  • Kwt712
    Hi, you are a life saver. I did add the command you gave me and I didn't have to add an ip route. It works great. The only concern I have is that the Internet is not firewalled. Do you recommend anything that I can use to make sure that group doesn't bring down anything unusual from the web? Thanks a million, you are a GENIUS.
  • BlankReg
    Glad we got it working :-) You may want to change the IOS for the firewall version, although I think for about the same cost you can buy an ASA5505 which is a 'real' firewall! Probably worth checking the prices local to you. There are other firewalls, and some do say that they do virus checks on the data passing through, how true that is I am not sure. Most will do a reasonable job, but one of the advantages of using NAT is that it hides your network from the Internet, as the router cannot allow connections to initiate from the Internet in, only from your network out. You must make sure that all of the PCs have up to date virus checking software on them, and are running a personal firewall.

    One thing you must also do is protect the router from login attempts from the Internet. You didn't copy that part of the config, so I am not sure if this is in place already. You need to create an access list to only allow your local networks, and apply it as an access-class to the virtual terminal lines that are used for telnet.

        access-list 1 permit 192.168.15.0 0.0.0.255
        access-list 1 permit 192.168.16.0 0.0.0.255
        line vty 0 4
         access-class 1 in

    That should give some food for thought. The main vulnerability is the PCs; if those have virus check, and the usual firewall, you are fairly well protected already. More layers of protection are good, as any attack has to overcome each one, and thereby lessens the possibility. If you have any more questions on this, please again feel free to ask, either here or in a new question. Best Regards, Reg
  • BlankReg
    Forgot one other thing to do (and probably forgot others as well, but if they come to mind, I will post them), which is that you should turn off the webserver on the router. Use the command line if you need to make changes, and that is sort of protected by the commands in my previous post. I presume you have set an 'enable secret' password already? Do the command

        no ip http server

    Don't forget to save the config with a 'wr' command. You can also remove the config you posted so we could work on this issue!
  • Kwt712
    Hi ... I am attaching the current configuration on the Cisco 1841 router. Can you tell me where I need to add the lines to make it more protected? Also, I do use an ASA5510 Firewall at the main office, not sure if that would help. I am looking to put a small firewall to protect the Remote site that you helped me with the Cable Modem, any suggestion would be greatly appreciated. Here is what I have on the Cisco 1841 Router:

        sh conf
        Using 1440 out of 196600 bytes
        !
        version 12.4
        service timestamps debug datetime msec
        service timestamps log datetime msec
        service password-encryption
        !
        hostname xxxxxx1841
        !
        boot-start-marker
        boot-end-marker
        !
        logging buffered 51200 warnings
        enable secret
        !
        no aaa new-model
        !
        resource policy
        !
        clock timezone
        mmi polling-interval 60
        no mmi auto-configure
        no mmi pvc
        mmi snmp-timeout 180
        ip subnet-zero
        ip cef
        !
        no ip dhcp use vrf connected
        !
        no ip domain lookup
        ip domain name xxxx
        !
        interface FastEthernet0/0
         description xxxx Ave LAN
         ip address 192.168.16.1 255.255.255.0
         ip nat inside
         duplex auto
         speed auto
        !
        interface FastEthernet0/1
         description ** Link to Cable Modem **
         ip address dhcp
         ip nat outside
         duplex auto
         speed auto
        !
        interface Serial0/0/0
         description T1 to xxxx_host
         ip address 192.168.15.2 255.255.255.0
        !
        router eigrp 10
         network 192.168.15.0
         network 192.168.16.0
         no auto-summary
        !
        ip classless
        !
        ip http server
        ip http authentication local
        ip http timeout-policy idle 5 life 86400 requests 10000
        ip nat inside source list 100 interface FastEthernet0/1 overload
        !
        access-list 100 permit ip 192.168.16.0 0.0.0.255 any
        !
        control-plane
        !
        line con 0
         exec-timeout 5 0
         password
         login
        line aux 0
        line vty 0 4
         password
         login
         transport input telnet
        line vty 5 15
         password
         login
         transport input telnet
        !
        end
  • BlankReg
    For the firewall, I would recommend an ASA5505, especially as you are already a bit familiar with this range. It configures exactly like the 5510 you already have. If you need help with the config, as always - ask :-)

    To harden the router you can try the following. I presume that the other site uses 192.168.14.0 so I added this to access list 1 to allow you to manage this router from there. If it is not right, or there are other subnets, add them to access list 1 in the same way as these others.

        !
        service tcp-keepalive-in
        service tcp-keepalive-out
        no ip source-route
        no ip http server
        !
        access-list 1 permit 192.168.14.0 0.0.0.255
        access-list 1 permit 192.168.15.0 0.0.0.255
        access-list 1 permit 192.168.16.0 0.0.0.255
        !
        line vty 0 15
         access-class 1 in
        !
        ip access-list extended Internet-In
         deny ip any 192.168.0.0 0.0.255.255
         deny ip 192.168.0.0 0.0.255.255 any
         permit icmp any any echo-reply
         deny icmp any any
         permit ip any any
        !
        interface FastEthernet0/1
         ip access-group Internet-In in
        !

    Now the above are no substitute for a firewall, but may help to mitigate some types of attack. They are probably good practice, and should not stop any legitimate traffic, but may prevent some unwanted stuff from the Internet. Of course, if you suddenly find things don't work, undo the commands, by either adding 'no' or removing the 'no' if it has one already! I hope this helps.
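A way to check a saved running-config for the hardening items listed in the post above, as an added example that is not part of the original thread. The function names are hypothetical, and the sample is a constructed, trimmed config modelled on the one posted earlier.

```python
import re

# Constructed sample: trimmed running-config modelled on the one posted in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
!
ip http server
line vty 0 4
 login
 transport input telnet
line vty 5 15
 login
 transport input telnet
"""

def sections(config, keyword):
    """Map each 'interface X' / 'line X' header to its indented sub-commands."""
    out, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(keyword + " "):
            current = raw.strip()
            out[current] = []
        elif raw.startswith(" ") and current:
            out[current].append(raw.strip())
        else:
            current = None
    return out

def audit(config):
    """Return one finding per hardening item from the thread that is missing."""
    # Assumption: IOS 12.4 as in the thread, where source routing is on
    # unless 'no ip source-route' appears in the config.
    top = {l.strip() for l in config.splitlines() if l and not l.startswith(" ")}
    findings = []
    if "ip http server" in top:
        findings.append("web server enabled: add 'no ip http server'")
    if "no ip source-route" not in top:
        findings.append("source routing not disabled: add 'no ip source-route'")
    for name, body in sections(config, "line").items():
        if name.startswith("line vty") and not any(re.match(r"access-class \S+ in$", c) for c in body):
            findings.append(f"{name}: no inbound access-class")
    for name, body in sections(config, "interface").items():
        if "ip nat outside" in body and not any(re.match(r"ip access-group \S+ in$", c) for c in body):
            findings.append(f"{name}: Internet-facing, no inbound access-group")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns five findings; a config with the commands from the post applied returns an empty list.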
  • Kwt712
    Hi Reg, I have a question about the router command you helped me with:

        !
        access-list 100 permit ip 192.168.16.0 0.0.0.255 any
        !

    Why do I need to have this access list if there is no interface attached to it ... can you help me with this? Thanks
  • BlankReg
    Hi, Access-lists are not just used on interfaces for filtering traffic. They are used to define traffic that will be processed in a certain way. In this configuration it is used to define the IP addresses that we will NAT when sending traffic out to the Internet. It is used in the line

        ip nat inside source list 100 interface FastEthernet0/1 overload

    This allows all your LAN traffic to use the Internet, and the source address is translated to the IP address of the FastEthernet0/1 interface, which is the IP address you get from the Internet Service Provider.
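How the source-address match in access-list 1 (vty access-class) and access-list 100 (NAT source list) is decided, as an added example that is not part of the original thread. Only the source field of each entry is evaluated, and the function names are hypothetical.

```python
import ipaddress

def parse_acl(text):
    """Parse 'access-list N permit|deny [ip] NET WILDCARD ...' lines
    into {N: [(action, net, wildcard), ...]} (source field only)."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        i = 4 if tok[3] == "ip" else 3  # extended entries carry a protocol keyword
        net, wild = (int(ipaddress.IPv4Address(t)) for t in tok[i:i + 2])
        acls.setdefault(tok[1], []).append((tok[2], net, wild))
    return acls

def source_action(acls, number, addr):
    """First matching entry wins; no match falls through to the implicit deny."""
    a = int(ipaddress.IPv4Address(addr))
    for action, net, wild in acls.get(number, []):
        # Wildcard bits set to 1 are ignored; every other bit must equal the network.
        if ((a ^ net) & ~wild & 0xFFFFFFFF) == 0:
            return action
    return "deny"

# ACL entries as posted in the thread.
THREAD_ACLS = parse_acl("""\
access-list 1 permit 192.168.14.0 0.0.0.255
access-list 1 permit 192.168.15.0 0.0.0.255
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
""")
```

With these entries a Site A host such as 192.168.16.25 is selected for NAT by list 100, while the T1 link address 192.168.15.2 is not, and a source outside the three listed subnets is refused on the vty lines by list 1.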
  • Kwt712
    This is always helpful
