#1
Admiral
Join Date: Apr 2001
Location: East Village
Posts: 5,659
Networking: Linksys Wireless Router into Cisco 2610XM
So, let me explain my setup:
I have a Cisco 2610XM router picking up internet from a fiber optic T-1. I have a NAT overload on the Cisco 2610XM. My LAN is using IP range 172.30.7.xxx with 172.30.7.3 being the router. I have hooked up a Linksys WRT54G Wireless Router to my switch on the LAN to serve as a hot spot. I've set the router to be:
IP: 172.30.7.249
Subnet: 255.255.255.0
Gateway: 172.30.7.3
The internal network for this router is using 192.168.1.xxx.
The problem is that the wireless users on the Linksys WRT54G can ping and access internal IPs of the larger subnetwork of the Cisco router. For example, a wireless user can ping 172.30.7.14 and even connect to it by using the IP address. I do not want them to be able to access anything outside of the 192.168.1.xxx range and the internet. However, I am not sure exactly what I must do to make this happen. Any networking pros?
TIA, Memo
#2
Commander
Join Date: Jan 2001
Location: Pekin, IN
Posts: 1,377
I'm not sure you are going to be able to do what you want to do with that config. Since you want them to have internet access you can't put in a fake default gateway on the Linksys, which is what I was originally thinking.
The fact that the Linksys doesn't have any way to build access lists, and its external interface is on the same network that you want to limit access to, is where I think the problem is going to be. At least I can't think of a way.
#3
Captain
Join Date: Sep 2000
Location: You can’t get there from here, USA
Posts: 1,797
If you have an old PC around I would use zone cd
http://www.publicip.net/
And make users authenticate with a server or at least create an account so you can track users... you know, with homeland security and all, I would want to know who all the users on my net are and be able to track them down. And if your users already authenticate with an AD local server you can use the same username and authentication.
Or I would invest in one of these: Public/private hotspot gateway http://www.dlink.com/products/?sec=0&pid=402 or this one http://www.dlink.com/products/?pid=173
Or both (both is what we do where I work). Users have a list of 3 web sites they can connect to without authentication with proper credentials. And if they have authenticated they can go anywhere they want on the www but do not have access to our intranet.
Also, if your router or switch allows you to configure ports, I would configure the port your AP plugs into to be on a different subnet. That would help keep ppl off your private net.
Last edited by GilbertsGrape : 01-24-2006 at 07:15 PM. Reason: Automerged Doublepost
#4
Vice Admiral
I think you're confusing subnets with VLANs. I *think* you need a switch that's capable of building two different VLANs and then is capable of filtering allowed traffic between the two.
I'd be interested to see you do a tracert to see the path this data is taking to hop subnets. I'm wondering if it passes through the routing tables of both routers. JeffBX may be a better guy to answer this one. He seems to know his stuff.
__________________
"I know the pieces fit, cause I watched them fall away." "Cold silence has A tendancy to Atrophy any Sense of compassion." MJK
Last edited by gwilks98 : 01-25-2006 at 02:53 PM.
#5
Fleet Admiral
Dang, I don't have a good answer except you need someone who knows the Cisco IOS.
I think Gwilks is right on the money that you need to configure separate VLANs to keep the internet traffic away from the internal ranges. But I'm not too good with Cisco programming - I think you'll need a separate interface on your 2610 for each VLAN, but I don't know how many that switch supports.
OR - you need to run your internet connection through a (preferably hardware based) firewall. The firewall itself will act as a VLAN, and you can use that to keep the traffic segregated. So T1 into the firewall, then both switches into the firewall.
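The separate-VLAN idea raised in posts #4 and #5, sketched as Cisco IOS configuration; this is an added example and not from any poster in the thread. With the Linksys WAN port at 172.30.7.249, wireless traffic to 172.30.7.x stays on the LAN and never crosses the 2610XM, so the router can only filter it once the Linksys sits on its own subnet. Assumed here: a switch that can trunk 802.1Q, an IOS image with subinterface support, VLAN IDs 10 and 20, guest subnet 172.30.8.0/24, the interface names, and the ACL names.

```cisco
! Added example. Assumed values: VLAN IDs 10 and 20, guest subnet
! 172.30.8.0/24, interface names, and the ACL names NAT-INSIDE / GUEST-IN.
! Main interface carries no address once subinterfaces are in use.
interface FastEthernet0/0
 no ip address
!
! Existing internal LAN, unchanged addressing (router stays 172.30.7.3).
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 172.30.7.3 255.255.255.0
 ip nat inside
!
! Guest VLAN: the Linksys WAN port moves here, e.g. 172.30.8.2 with
! gateway 172.30.8.1, instead of 172.30.7.249 on the internal LAN.
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 172.30.8.1 255.255.255.0
 ip nat inside
 ip access-group GUEST-IN in
!
! The Linksys NATs its wireless clients, so the router sees only the
! Linksys WAN address as source. Block anything from the guest VLAN to
! the internal range and log hits; everything else goes to the internet.
ip access-list extended GUEST-IN
 deny   ip any 172.30.7.0 0.0.0.255 log
 permit ip any any
!
! NAT overload must cover both inside subnets (assumed WAN: Serial0/0).
ip access-list standard NAT-INSIDE
 permit 172.30.7.0 0.0.0.255
 permit 172.30.8.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface Serial0/0 overload
!
interface Serial0/0
 ip nat outside
```

After applying it, a ping from a wireless client to 172.30.7.14 should fail while internet access still works, and `show ip access-lists GUEST-IN` shows the match count on the deny line.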