[the problem is this: We have an ISP who have provided a router. The router
has an IP address on our LAN. We want to put a filtering router between the
ISP's router and our LAN without readdressing and with no access to the ISP's
router]
 
> Ben, we all know you'll be trying this as soon as you get a spare
> router.  Please do us a favor and report back the results?
> 
> Thanks,
> 
> Paul

In my lab config, I had:

One 1605 - inside (trusted lan) 10.200.200.2/24, outside 192.168.254.254/24
(bogus)
One 1603 - ISP router LAN IP 10.200.200.1/24, Loopback (pretend Internet)
10.200.50.1/24.
One laptop, behind 1605 inside, 10.200.200.50/24, gateway 10.200.200.2

All that was required was the following pair of routes:
ip route 0.0.0.0 0.0.0.0 10.200.200.1
ip route 10.200.200.1 255.255.255.255 eth0 (outside)

Basically, the bogus ip address on the outside is just to trick the
interface into knowing it's running IP. After that, it arps on e0 for the
10.200.200.1 address (because of the interface route).

Running the interface unnumbered does not work (the parser rejects it on a
multiaccess interface), and running the outside with no ip address does not
work (won't route through a non-ip interface).

Incoming ACLs work fine!

Another nasty trick to add to the bag...

Cheers!

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
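
Added example (not part of the original post): a small Python model of the forwarding decision described above, showing why the /32 interface route overrides the connected /24 and how the default route resolves through it. The interface labels "inside"/"outside" and the function names are assumptions made for this example.

```python
import ipaddress

# Routing table of the filtering router (the 1605) using the post's addresses.
# "inside"/"outside" are labels chosen for this example, not IOS names.
ROUTES = [
    # (prefix, next_hop or None, egress interface or None)
    ("10.200.200.0/24", None, "inside"),     # connected: trusted LAN
    ("192.168.254.0/24", None, "outside"),   # connected: bogus outside address
    ("10.200.200.1/32", None, "outside"),    # interface route to the ISP router
    ("0.0.0.0/0", "10.200.200.1", None),     # default route via the ISP router
]


def longest_match(dst, routes):
    """Return the most specific (network, next_hop, interface) covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, ifc)
    return best


def resolve(dst, routes=ROUTES, max_depth=4):
    """Return (egress_interface, arp_target) for dst, or None if unroutable.

    A route with a next hop is resolved recursively until a route that names
    an interface is found; the router then ARPs on that interface for the
    last next hop (or for dst itself when no next hop was involved).
    """
    lookup = arp_target = dst
    for _ in range(max_depth):
        match = longest_match(lookup, routes)
        if match is None:
            return None
        _, next_hop, ifc = match
        if ifc is not None:
            return ifc, arp_target
        lookup = arp_target = next_hop
    return None


if __name__ == "__main__":
    for dst in ("10.200.50.1", "10.200.200.1", "10.200.200.50"):
        print(dst, "->", resolve(dst))
    # Without the /32, the next hop falls into the connected /24 on the inside.
    no_host_route = [r for r in ROUTES if r[0] != "10.200.200.1/32"]
    print("no host route:", resolve("10.200.50.1", no_host_route))
```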