commandlinekid

Cisco2621_withrealsubnet_oncablemodembridge

Jun 6th, 2018
To recap: I have a real /28 assigned to my router through a bridged cable modem (no authentication) with a new cable provider. BUT they won't route the subnet to me. Instead they have the first IP of the subnet "hanging off their router" and are not routing the /28 to me. So what I need to do is make my FE0/0 a bridge, then make my virtual interface FE0/1.4 (you can use FE0/1 or whatever if you're not using a VLAN switch) also into a bridge, and let the devices hanging off THAT VLAN (or port or whatever you're doing)... see the FIRST IP in the subnet OVER AT the CABLE ISP....and NOT in my router. Meaning I am not "holding the /28 subnet" but I am making two ports on my 2621 router into bridges and forwarding those packets only. FYI: NAT works fine assigning one of my new /28 IPs (real IP) to a "BVI" interface I created below, and also my crypto map assigned to that, but I haven't tested it yet. Overall...seems good I think.

1.) This works.

2.) Seems fine so far.

3.) I know it's "a band-aid" and not proper routing. It upsets me to have to do this but I'm thankful the solution exists.

Note: Before, I had a "Dialer" interface that was attached to FE 0/0. Now, with this new setup and no need for authentication with the new ISP, essentially everything I had on Dialer is now on BVI32. That means NAT outside, crypto map, rate stuff, etc. Put it all on BVI32. So if you don't have a Dialer but have a bunch of stuff on FE 0/0 (your most outward-facing WAN port), you might want to put it on the new BVI32 you're going to create.

Here are the instructions:

https://www.akadia.com/services/bridged_cisco_router.html

TEXT BACKUP FOR POSTERITY:

IN CASE that link above goes away, here is the "final config" they show in the html itself, so you can get everything you need from it. Don't forget to turn on "bridge irb" if it doesn't set right away. Turn on "no ip redirects" and "bridge 32 route ip"....but it's all in the text below. You just may need to do some of it manually if it barfs because you did something before the other thing...

Complete Configuration File... THIS IS NOT MY SETUP... This is what I made my setup FROM...

Here is the complete configuration file:

!
version 12.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname c2621
!
logging buffered 4096 debugging
no logging console
enable secret 5 $1$elmZ$4.EfdgcLJz7MNUffP4HHA0
enable password 7 045C05030632
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
ip inspect name Ethernet_HSZ ftp timeout 3600
ip inspect name Ethernet_HSZ tcp timeout 3600
ip inspect name Ethernet_HSZ http java-list 51 timeout 3600
ip inspect name Ethernet_HSZ smtp timeout 3600
ip inspect name Ethernet_HSZ udp timeout 15
ip inspect name Ethernet_HSZ cuseeme timeout 3600
ip inspect name Ethernet_HSZ h323 timeout 3600
ip inspect name Ethernet_HSZ rcmd timeout 3600
ip inspect name Ethernet_HSZ realaudio timeout 3600
ip inspect name Ethernet_HSZ streamworks timeout 3600
ip inspect name Ethernet_HSZ vdolive timeout 3600
ip inspect name Ethernet_HSZ sqlnet timeout 3600
ip inspect name Ethernet_HSZ tftp timeout 30
ip inspect name Ethernet_BVI smtp timeout 3600
ip inspect name Ethernet_BVI tcp timeout 3600
ip inspect name Ethernet_BVI udp timeout 15
ip audit notify log
ip audit po max-events 100
bridge irb
!
interface FastEthernet0/0
 description DMZ
 no ip address
 duplex auto
 speed auto
 bridge-group 32
!
interface FastEthernet0/1
 description HSZ
 ip address 192.168.138.1 255.255.255.0
 ip access-group 102 in
 ip access-group 103 out
 ip nat inside
 ip inspect Ethernet_HSZ in
 duplex auto
 speed auto
!
interface Ethernet1/0
 description Internet
 no ip address
 bridge-group 32
!
interface BVI32
 ip address 194.246.125.195 255.255.255.240
 ip access-group 150 in
 no ip redirects
 ip nat outside
 ip inspect Ethernet_BVI in
!
ip nat inside source list 101 interface BVI32 overload
ip classless
ip route 0.0.0.0 0.0.0.0 194.246.125.193
no ip http server
!
logging trap debugging
logging facility user
logging 192.168.138.21
!
! Disabling NAT between HSZ and DMZ for some hosts
!
access-list 101 deny tcp host 192.168.138.28 194.246.125.192 0.0.0.15
access-list 101 deny tcp host 192.168.138.21 194.246.125.192 0.0.0.15
access-list 101 deny tcp host 192.168.138.15 194.246.125.192 0.0.0.15
access-list 101 deny udp host 192.168.138.28 194.246.125.192 0.0.0.15
access-list 101 deny udp host 192.168.138.21 194.246.125.192 0.0.0.15
access-list 101 deny udp host 192.168.138.15 194.246.125.192 0.0.0.15
access-list 101 permit ip 192.168.138.0 0.0.0.255 any
!
! Extended Access-Lists
!
access-list 102 permit ip 192.168.138.0 0.0.0.255 any
access-list 102 deny ip any any log
access-list 103 permit tcp 194.246.125.192 0.0.0.15 host 192.168.138.28 eq domain
access-list 103 permit tcp 194.246.125.192 0.0.0.15 host 192.168.138.15 eq domain
access-list 103 permit udp 194.246.125.192 0.0.0.15 host 192.168.138.28 eq domain
access-list 103 permit udp 194.246.125.192 0.0.0.15 host 192.168.138.15 eq domain
access-list 103 permit tcp 194.246.125.192 0.0.0.15 host 192.168.138.28 eq smtp
access-list 103 permit tcp 194.246.125.192 0.0.0.15 host 192.168.138.15 eq smtp
access-list 103 permit tcp host 194.246.125.196 host 192.168.138.21 eq 22
access-list 103 permit tcp host 194.246.125.196 host 192.168.138.28 eq 143
access-list 103 permit tcp host 194.246.125.196 host 192.168.138.15 eq www
access-list 103 deny icmp any any log
access-list 103 deny ip any any log
access-list 150 permit udp any any eq domain
access-list 150 permit udp any eq domain any range 1000 65000
access-list 150 permit tcp any any eq domain
access-list 150 permit tcp any eq domain any range 1000 65000
access-list 150 permit tcp 194.246.125.192 0.0.0.15 eq www any
access-list 150 permit tcp 194.246.125.192 0.0.0.15 eq smtp any
access-list 150 permit tcp 194.246.125.192 0.0.0.15 range 1000 65000 any eq smtp
access-list 150 permit tcp any 194.246.125.192 0.0.0.15 eq smtp
access-list 150 permit udp 194.246.125.192 0.0.0.15 range 1000 65000 any eq ntp
access-list 150 permit udp any 194.246.125.192 0.0.0.15 eq ntp
access-list 150 permit tcp host 194.246.125.196 eq 22 any
access-list 150 permit tcp host 194.246.125.196 host 192.168.138.21 eq 22
access-list 150 permit tcp host 194.246.125.196 host 192.168.138.28 eq 143
access-list 150 permit tcp host 194.246.125.196 host 192.168.138.15 eq www
access-list 150 permit tcp host 194.246.125.196 eq 443 any
access-list 150 permit tcp host 194.246.125.196 eq 3970 any
access-list 150 permit tcp host 194.246.125.196 eq 7777 any
access-list 150 permit tcp host 194.246.125.196 eq 7778 any
access-list 150 deny icmp any any log
access-list 150 deny ip any any log
bridge 32 protocol ieee
bridge 32 route ip
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password 7 030F5A070D
 login
!
end

keywords: RCN, Spectrum, Time Warner, Arris, cable modem, ip address, bridge, subnet, routing
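The note above lists the pieces that are easy to miss when you turn two router ports into a bridge group with a BVI on top: "bridge irb", "bridge 32 route ip", "no ip redirects" on the BVI, and moving the NAT-outside side and the inbound ACL onto BVI32. The following added example (not part of this paste, not from akadia.com, and not Cisco tooling) is a small Python audit that parses an IOS-style config and reports which of those pieces are missing, whether the ACL applied inbound on the BVI ends in an explicit deny, and whether any reversible type 7 passwords are in use. The sample config embedded in it is trimmed from the configuration above; the parser assumes IOS's "!" block separators and does not depend on indentation, since the pasted copy has none.

```python
"""Audit a Cisco IOS bridge-group + BVI (IRB) configuration.

Hypothetical helper written for this note, not Cisco tooling. Checks:
  - 'bridge irb' is enabled when bridge-group ports exist
  - 'bridge N route ip' exists for every bridge group in use
  - bridged ports carry no IP address (the BVI holds it)
  - BVI N has an address, 'no ip redirects', 'ip nat outside' (if NAT
    is configured) and an inbound ACL whose last entry is 'deny ip any any'
  - no reversible type 7 passwords remain in the config
"""
import re
from collections import defaultdict

# Trimmed from the example configuration shown above in the paste.
SAMPLE_CONFIG = """\
version 12.1
enable secret 5 $1$elmZ$4.EfdgcLJz7MNUffP4HHA0
enable password 7 045C05030632
bridge irb
!
interface FastEthernet0/0
 description DMZ
 no ip address
 bridge-group 32
!
interface FastEthernet0/1
 description HSZ
 ip address 192.168.138.1 255.255.255.0
 ip nat inside
!
interface Ethernet1/0
 description Internet
 no ip address
 bridge-group 32
!
interface BVI32
 ip address 194.246.125.195 255.255.255.240
 ip access-group 150 in
 no ip redirects
 ip nat outside
!
ip nat inside source list 101 interface BVI32 overload
ip route 0.0.0.0 0.0.0.0 194.246.125.193
access-list 150 permit udp any any eq domain
access-list 150 deny icmp any any log
access-list 150 deny ip any any log
bridge 32 protocol ieee
bridge 32 route ip
!
line vty 0 4
 password 7 030F5A070D
 login
!
end
"""


def parse_config(text):
    """Return (global_lines, {interface_name: [sub-command lines]}).
    An interface block runs until the next '!' or the next 'interface'."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        (interfaces[current] if current else global_lines).append(line)
    return global_lines, interfaces


def inbound_acl(bvi_lines):
    """Name/number of the ACL applied inbound on the interface, or None."""
    for line in bvi_lines:
        m = re.match(r"ip access-group (\S+) in$", line)
        if m:
            return m.group(1)
    return None


def audit(text):
    """Return a list of finding strings; an empty list means every check passed."""
    g, ifaces = parse_config(text)
    findings = []
    members = defaultdict(list)  # bridge group -> member port names

    for name, lines in ifaces.items():
        for line in lines:
            m = re.match(r"bridge-group (\d+)$", line)
            if m:
                members[m.group(1)].append(name)
                if any(x.startswith("ip address ") for x in lines):
                    findings.append(f"{name}: bridged port should not carry an IP address")

    if members and "bridge irb" not in g:
        findings.append("'bridge irb' missing: BVI interfaces will not route")

    for grp, ports in members.items():
        if f"bridge {grp} route ip" not in g:
            findings.append(f"'bridge {grp} route ip' missing")
        if len(ports) < 2:
            findings.append(f"bridge {grp}: only {len(ports)} member port(s), nothing to bridge")
        bvi = ifaces.get(f"BVI{grp}")
        if bvi is None:
            findings.append(f"BVI{grp} missing for bridge group {grp}")
            continue
        if not any(x.startswith("ip address ") for x in bvi):
            findings.append(f"BVI{grp}: no IP address")
        if "no ip redirects" not in bvi:
            findings.append(f"BVI{grp}: 'no ip redirects' not set")
        if any(x.startswith("ip nat inside source") for x in g) and "ip nat outside" not in bvi:
            findings.append(f"BVI{grp}: NAT configured but 'ip nat outside' is not on the BVI")
        acl = inbound_acl(bvi)
        if acl is None:
            findings.append(f"BVI{grp}: no inbound access-group on the WAN-facing BVI")
        else:
            entries = [x for x in g if x.startswith(f"access-list {acl} ")]
            if not entries:
                findings.append(f"BVI{grp}: access-list {acl} referenced but not defined")
            elif not entries[-1].startswith(f"access-list {acl} deny ip any any"):
                findings.append(f"access-list {acl}: last entry is not an explicit 'deny ip any any'")

    for line in g:  # type 7 is reversible; prefer 'enable secret' / SSH keys
        if re.match(r"(enable )?password 7 ", line):
            findings.append(f"reversible type 7 password in use: '{line.split()[0]} ...'")
    return findings


def weakened(text, *drop):
    """Return the config with the given exact lines removed (demonstration only)."""
    return "\n".join(l for l in text.splitlines() if l.strip() not in drop)


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("sample:  ", f)
    for f in audit(weakened(SAMPLE_CONFIG, "bridge irb", "no ip redirects")):
        print("weakened:", f)
```

Run against the trimmed sample, the only findings are the two type 7 passwords (the enable password and the vty line password); the bridging checks pass. Dropping "bridge irb" and "no ip redirects" from the same text, as the script's second run does, produces the two findings the note warns about, which is the state you would see if the commands were entered out of order and one of them "barfed".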