Router mode selection

I have set up a router 1 to connect to the broadband line to the WAN port and create a wired and wireless network successfully.  I bought a new router 2 and create another wireless network within my home.  I use an ethernet cable to connect to an ethernet port of router 1 and the WAN port of router 2.  The clients work correctly with router 2.  The router 2 status shows Double NAT.  The router 2 mode is set to DHCP and NAT.  Did I set to an incorrect mode?  Which model is right for this scenerio? The other two choices are DHCP Only and Off (Bridge Mode).  Thanks!

Technically, Bridge Mode is the correct setting for router 2, since router 1 is already providiing DHCP and NAT services.  That's why you see the Double NAT error now.
As it stands, devices that are connected to router 2 cannot "see" devices connected to router 1. So, if you have a printer connected to router 1, clients on router 2 will not be able to print, for example.
Double NAT also makes it virtually impossible to connect an online gaming console and play interactively over the Internet.
On the other hand, if you do not want clients on router 2 to see clients on router 1, or vice versa, the current setup that you have will do that. For example, the clients on router 2 might be "guests" that you do not want to allow access to devices on your main "private" network.
I'm not recommending Double NAT.....it can create other issues as well.......just pointing out the upsides and downsides.
Bottom line....it is a matter of what your requirements might be for your network.

Similar Messages

  • Can VIP and Rservers be in the same subnet in ACE Routed Mode

    Good Day,
    Sorry for the lengthy post.
    Currently I have a 6509s running in VSS mode with ACE30 in each chassis.
    I have 5 vlans, which the VSS is the L3 interface for each. 1 Vlan is for management, the others are the data vlans for the servers.
    The ACE is configured in bridge mode, with all VLANs going to a specific context (non Admin).
    Some of the Host on each VLANs are not utilized for load-balancing. The default gateway for each VLAN is configured on the VSS.
    I would like to setup the ACE in the routed mode, without having to change the IP address of each servers on different VLANs.
    Basically I want to turn off the SVIs on VSS and move the L3 interface on the ACE Context, and let it perform the local routing for all the hosts.
    I was going to add a new /30 L3 interface between the VSS and ACE to be utilized for default route traffic coming from the ACE Context, and static routes from VSS to ACE for traffic destined to host that are being load-balanced and not being load-balanced. Basically force the traffic through the load-balancer in/out.
    For future deployment, I was planning on using different IP address for the VIPs, and Real servers (most likely RFC 1918).
    From most of the examples I have seen the VIP and Rservers are in different Subnets. But because I am trying to not change the IP address of the rservers and VIP, I wanted to know if the VIP and Rservers can be configured to be in the same subnet where the ACE is in routed mode.
    Unfortunately I don't have a spare ACE to test scenario.
    As always any help would greatly be appreciated.
    Regards,
    Raman

    Link-local addresses are usually the self assigned IP address that a device will set when a DHCP server cannot be found. These are the addresses with 169.254.x.x subnet.
    If the router is assigning IP addresses for your network, then they will usually have a different IP subnet, possibly 192.168.0 for D-Link. And this subnet would be for the wired and wireless connections. So it would be more a case of bridging the two network topolgies rather than routing them.
    The network host is busy message could be more to do with the driver and the IP protocol selected when creating the queue than the connection being broken between the Mac and printer. If you were to open Network Utility and select the Ping tab, enter the IP address of the HP and set the pings to 4, pressing the Ping button will soon show if there is a path through the wireless to the printer.
    If you get a response to the ping you could then open Safari and type the ip address as the URL. This would then connect to the internal web page of the printer and possibly let you enable an IP protocol like LPR so that you can use LPD on the Mac instead of Bonjour to connect to the printer.
    As for the driver, you could look at using a Gutenprint driver instead of the HP driver or the hpijs package to get past the limitations that some printer drivers have with network connections.

  • How to configure a RV220W in normal routing mode (No NAT)

    Hi,
    I have been very busy the last few days in trying to configure this router in normal routing mode. I do not want to have double NAT in my network. This is my setup:
    C class IP network connected to the internet via a Fritzbox router. I need this router becasue of the VOIP services it provides. I want to use the RV220W to isolate certain users from the rest of the network. When I configure the router in WAN (NAT) it partially works, e.g. I can browse, send email but cant make a connection to a apple fileserver which is on the base network. When I try to operate in normal routing mode I cant get it to work. I am sure I am doing something wrong with the static routes. 
    Setup: 
    Internet <-> Fritzbox (192.168.12.0/24) network <-> RV220W <-> LAN 1 (192.168.1.0/24) users to be isolated.
    On the 192.168.12..0/24 network the printer, fileserver and PBX are connected. 
    Please help me in configuring this.
    The firmware is the latest 1.0.5.8.
    Thanks in advance!
    Peter

    Hello Peter,
    Sorry for the late reply, but I figured I would post anyone in case anyone else has this question.
    You can put the router in what is called router mode by logging into the admin page and going to Networking >> Routing >> Routing Mode and selecting Router.  
    I am only looking at an emulator, but I believe this will cause a reboot.  Once in router mode NAT and the firewall are disabled, however access rules do still work.  
    You will still need a static route from your Fritzbox to the 192.168.1.0/24 network on the RV220W, and the RV220W should have the Fritzbox as it's default gateway on it's WAN interface.  You may also need to create an ACL to allow traffic from the Fritzbox network through the RV's WAN port.
    Some Apple devices depend on the Bonjour protocol to work properly, which doesn't always traverse subnets well, so if after all of that it still doesn't work you may have an issue with Apple.
    Thank you for choosing Cisco,
    Christopher Ebert
    Network Support Engineer - Cisco Small Business Support Center

  • Does ACE-30 support multicast in routed mode?

    We currently have ACE20's, which only support multicast in bridge mode.
    Was wondering if it's the same on ACE30's, or if Cisco finally implemented support for mcast in routed mode.
    thx
    Kevin

    Could you please confirm if this applies to both ACE20 & ACE30, or just ACE20?
    If both, when does Cisco plan on supporting mcast in routed mode?
    thx
    Kevin

  • RV220W - in routing mode changes external Ip with router IP

    Good day.
    I just installed one RV220W in my network, in routing mode (not NAT) using on WAN port public Ip 193.111.184.xxx and on LAN side on IP from my company public C class (212.100.143.0). It's working, but main ang huge problem is than Router is changing any IP coming from intenet with it's own 212.100.143.xxx IP, which mess up everything (logs, counters, etc).
    It was using 1.0.1.0 firmware, I switched to 1.0.0.26 but nothing changed.
    Also I have a VPN - gate to gate with another location (RV042), and all computers from other side of tunnel reports same router IP 212.100.143.xxx when accesing servers from my side, which also is bad.
    Previously I user an RV082 for this joB and everything was great, except 100 Mb WAN/LAN ports of RV082, which I will use until get Rv220W working right.
    Any idea is apreciated.
    Thank you,
    Catalin Burla

    I have changed this weekend from a DSL using a Linksys by Cisco WAG54G2 to a Cisco RV220W Small Business Router and just found out the same problem. This is serious for me, for one, it completely destroys SPAM blocking with DNS blacklists.
    This is how it looked when using the linksys:
    Apr  9 03:18:17 vanroodewierda postfix/smtpd[49507]: connect from 189-041-10-204.xd-dynamic.ctbcnetsuper.com.br[189.41.10.204]
    Apr  9 03:18:18 vanroodewierda postfix/smtpd[49507]: NOQUEUE: reject: RCPT from 189-041-10-204.xd-dynamic.ctbcnetsuper.com.br[189.41.10.204]: 554 5.7.1 Service unavailable; Client host [189.41.10.204] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=189.41.10.204; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<189-041-10-204.xd-dynamic.ctbcnetsuper.com.br>
    This is how it looks when using the RV220W:
    Apr 10 18:34:29 vanroodewierda postfix/smtpd[31608]: connect from ciscorouter.rna.nl[192.168.2.254]
    And thus DNSBL is not possible. My RV220W uses One-to-One NAT to route one of the 5 outside WAN IP addresses I to the mail server on the LAN. Because I do not get the external IP address passed on to the inside, postfix has nothing to go on. I tried instead to use the  normal port forwarding in the IPv4 rules on my main WAN IP address, but that doesn't help.
    How and where can I report this and how long will it take Cisco to fix something like this? Because this is very important for me (and my users) and I'll have to return the router and buy another brand if it takes too long.

  • ACE in routed mode

    My first question, can anyone recommend some very heavy reading discussing the ACE modules and associated traffic flows and order of operations?  Not just how-to scenarios.
    And the primary question that brings me here:
    I've got an ACE module in a 6500 chassis that's configured for routed mode.  For the purpose of this question we'll say that on the ACE I have a single VLAN for vIPs and a single VLAN for rservers.  vIP VLAN is 12 and rserver VLAN is 101.  I have a pair of App servers being load balanced, and a pair of Web servers being load balanced.
    When user devices send traffic to the Web servers vIP, traffic hits the SVI for VLAN 12 and the service-policy is applied manipulating that traffic and sending it to the VLAN 101 SVI and on down to an rserver.  The same if user devices are sending traffic to the App servers vIP.
    When a Web server tries to send over to the App servers vIP, I get no response.  In fact, from the Web server I can't even ping my gateway (SVI for VLAN 101).  How do I get the Web server to send traffic loadbalanced across the App servers?
    Here's an example ACE config:
    access-list ALL line 8 extended permit ip any any
    probe tcp 5555
      port 5555
      interval 5
      passdetect interval 30
    probe http HTTP
      interval 5
      passdetect interval 30
      expect status 200 200
    rserver host APP01
      description App Server 1
      ip address 10.10.101.15
      probe 5555
      inservice
    rserver host APP02
      description App Server 2
      ip address 10.10.101.16
      probe 5555
      inservice
    rserver host WEB01
      description Web Server 1
      ip address 10.10.101.17
      probe HTTP
      inservice
    rserver host WEB02
      description Web Server 2
      ip address 10.10.101.18
      probe HTTP
      inservice
    serverfarm host APP-SERVERS
      predictor leastconns
      rserver APP01
        inservice
      rserver APP02
        inservice
    serverfarm host WEB-SERVERS
      predictor leastconns
      rserver WEB01
        inservice
      rserver WEB02
        inservice
    sticky ip-netmask 255.255.255.255 address both WEB-STICKY
      replicate sticky
      serverfarm WEB-SERVERS
    sticky ip-netmask 255.255.255.255 address both APP-STICKY
      replicate sticky
      serverfarm APP-SERVERS
    class-map match-any APP-VIP
      description App Servers VIP
      2 match virtual-address 10.10.12.21 tcp eq 5555
    class-map match-any WEB-VIP
      description Web Servers VIP
      2 match virtual-address 10.10.12.20 tcp eq https
      3 match virtual-address 10.10.12.20 tcp eq www
    policy-map type loadbalance first-match L7-APP-SERVERS
      class class-default
        sticky-serverfarm APP-STICKY
    policy-map type loadbalance first-match L7-WEB-SERVERS
      class class-default
        sticky-serverfarm WEB-STICKY
    policy-map multi-match L4-CONTEXT-A-VLAN
      class WEB-VIP
        loadbalance vip inservice
        loadbalance policy L7-WEB-SERVERS
        loadbalance vip icmp-reply
      class APP-VIP
        loadbalance vip inservice
        loadbalance policy L7-APP-SERVERS
        loadbalance vip icmp-reply
    interface vlan 12
      description ACE-CONTEXT-A-vIPs
      ip address 10.10.12.5 255.255.252.0
      alias 10.10.12.4 255.255.252.0
      peer ip address 10.10.12.6 255.255.252.0
      access-group input ALL
      service-policy input MGMT-ACCESS
      service-policy input L4-CONTEXT-A-VLAN
      no shutdown
    interface vlan 101
      description ACE-CONTEXT-A-SERVERS
      ip address 10.10.101.2 255.255.255.0
      alias 10.10.101.1 255.255.255.0
      peer ip address 10.10.101.3 255.255.255.0
      access-group input ALL
      no shutdown

    Hi Adam,
    You can check Gilles'  DC t-shooting guides that should give you a very good overwiew about packet processing on the ACE; also you can check
    the Cisco wiki site where you find the scenarios plus a detailed explanation for traffic management.
    Now going back to your issue, you problem can be splitted in two parts.
    1. Web server not able to ping VLAN 101 ACE's SVI.
    ACE is a closed device, meaning that access to each Interface/VLAN needs to be explicitly configured; you need to apply the management policy
    to the 101 SVI to allow ICMP or any other management protocol. You can apply the same (service-policy input MGMT-ACCESS) or create a new
    one just for ICMP, that's up to you.
    2. Web servers not able to communicate with APP servers thorugh VIP.(vise-versa)
    Problem here is that servers are trying to communicate through SVI 101 but no VIPs are applied to it so the ACE will simply discard the packets
    for 10.10.12.20/10.10.12.21 on that interface, servers have the ARP and everything to reach those VIPs but the ACE has not been instructed to do
    load balancing for clients reaching it out through VLAN 101.
    In order to do load balancing between APP & Web Servers you need to configure  L4-CONTEXT-A-VLAN on SVI 101 as well.
    Also since your servers are sitting all in the same VLAN you're going to need client NAT to prevent assymetric routing on server-to-server communications.
    I've attached a sample with NAT based on your config.
    HTH
    Pablo

  • Ace routing mode desging issue

    need some assistance in configuring an application using routing mode on cisco ace
            clients ---asa--3750--cisco ace--- servers behind vip
                                                                |
                                                              visa card transaction servers
    i am able to setup a vip on ace using routing mode on ACE,as the  servers need to see the client ip ,so we are not  performing SNAT,this  part is working fine
    when a request comes from the client ,it goes to the vip and to one of the backend servers ,and the request will be forwaded back to the ace ,as the default gateway on the servers is pointing to the server vlan on ace.
    but if the transaction from the servers need to go to the visa card transaction servers ,how can we acheive this ,and after fetching the data from visa servers,does the reply will be fwd to the ACE or ASAs directly
    Or do we need to have static routes defined on the visa servers to point to ASA
    please advise me on this

    Clint
    No they are completely in a different network ,
    When a client hits the VIP ,the request goes to the ASA
    ASA fwd the  vip traffic to the ACE (VIP) interface  ,and from there it fwd the traffic to the (server vlan) interface and to the appropriate backend servers.
    Backend server responds back to the (server vlan ) interface and the traffic fwd back to the ASA.
    But when  visa card transaction need to take place ( farm servers ) need to route the traffic to the visa servers which will be in different subnet range .
    Do the farm serevrs send the request back to the ASA and can we configure static routes on ASA to point to the visa servers.
    Are on the farm servers can we have static routes for the visa servers
    Or can I defind static routes on ACEs for the visa servers.

  • Can I configure csm as one arm and routing mode at the same time?

    My csm currently is configured as the routing mode and bridge mode, resently I have a service requirement which I think the one arm mode should be the best resolution. Can anybody let me know if there will be any affect if I add the one arm mode to the currently production environment?
    Thanks in advance.
    Jason

    Gille,
    Thanks for your quick response. I notice you have same opinion about the one arm mode in your other post, but I think in the multi-tire data center design with fw in bridge mode and csm in one arm mode with RHI, do give us a lot of flexibilty. If I use policy routing instead of source nat, can I overcome these limit you metioned?
    Do you know who csm could handle the TFTP traffic? I may have too much question, I am realy looking for your suggestion.
    Thanks
    Jason

  • How BOM and routing is selected for Planned order and Production order?

    Hi,
    Can any1 plz tell me how BOM and routing is selected for a planned order and production order. ?

    Hello Mathisuthan,
    BOM and Routing selection for the planned order and production order through production version, If u have more than one BOM and more than one Routing then u can maintain this information as Production Version in the system.
    Production version you maintained
    MM01/MM02 -- MRP4--- Production version
    Or you can create Production Versions in Mass also with Transaction Code "C223"
    In the case no production version maintained/created  for the material, then system by default  will pick the first BOM and routing.
    I hope this information helpful to you.
    Regards
    Umesh Mali

  • Example Config ACE routed mode with NAT

    Hi all,
    i have a two-arm loadbalancer (routed mode).
    client ->vlan100->[VIP]Loadbalancer[NAT] ->vlan200-> serverfarm
    But i have my problems to configure the NAT. Can anybody show me a example configuration of a two-arm loadbalancer with NAT?
    Especially the access-list, class-map, policy-map and on which interface the NAT-Policy must be added.
    BR
    Dominik

    Hi Dominik,
    Something like this:
    access-list ANYONE line 10 extended permit ip any any
    rserver host SERVER_01
      ip address 10.198.16.2
      inservice
    rserver host SERVER_02
      ip address 10.198.16.3
      inservice
    rserver host SERVER_03
      ip address 10.198.16.4
      inservice
    serverfarm host REAL_SERVERS
      rserver SERVER_01
        inservice
      rserver SERVER_02
        inservice
      rserver SERVER_03
        inservice
    class-map match-all VIP-30
      2 match virtual-address 192.168.1.30 tcp eq www
    class-map type management match-any REMOTE_ACCESS
      description remote-access-traffic-match
      2 match protocol telnet any
      3 match protocol ssh any
      4 match protocol icmp any
    policy-map type management first-match REMOTE_MGT
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match SLB_LOGIC
      class class-default
        serverfarm REAL_SERVERS
    policy-map multi-match CLIENT_VIPS
      class VIP-30
        loadbalance vip inservice
        loadbalance policy SLB_LOGIC
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 452
    interface vlan 451
        ip address 192.168.1.2 255.255.255.0
      access-group input ANYONE
      service-policy input CLIENT_VIPS
      no shutdown
    interface vlan 452
      description Servers vlan
      ip address 10.198.16.1 255.255.255.0
      access-group input ANYONE
      nat-pool 1 10.198.16.5 10.198.16.5 netmask 255.255.255.0 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    Cesar R
    ANS Team

  • Sharing a VLAN between FWSM and ACE (Routed Mode)

    Anybody in here with experience on sharing a Vlan between an ACE and a FWSM module?
    I have a transfer network between the ACE and the FWSM in the same chassis. FWSM gets several vlans and ACE gets some Vlans.
    I wanted to configure it like this.
    firewall vlan group 10 <FWSM only vlans>
    firewall vlan group 20 <shared FWSM and ACE vlan>
    or
    svclc vlan group 20 <shared FWSM and ACE vlan>
    svclc vlan group 30 <ACE only vlans>
    The design hides the client side network and the server side network for the ACE behind the FWSM module.
    Layout:
    |-- Clients <--> MSFC <--> FWSM <--> ACE <--> Server --|
    So allocation on the 65xx would be like this.
    firewall module n vlan-group 10,20
    svclc module n vlan-group 20,30
    Any obvious issues with this design if you share the vlan(s) referred in group 20 with both modules?
    FWSM and ACE will be in routed mode.
    Thanks for reading...
    Roble

    Never mind...
    Just found the perfect answer for this in a another posting from Syed.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=SNA%20Data%20Center%20Networking&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dddee0b/0#selected_message
    Roble

  • ACE routed mode design issue

    I am configuring ACE in routing mode ,
    Below is my ACE interface config.
    interface vlan 28
      description "CLIENT VLAN"
      ip address 192.168.10.11 255.255.255.248
      peer ip address 192.168.10.12 255.255.255.248
      mtu 1500
      mac-sticky enable
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      service-policy input POLICY
      no shutdown
    interface vlan 29
      description "SERVER VLAN"
      ip address 192.168.10.19 255.255.255.248
      peer ip address 192.168.10.20 255.255.255.248
      mtu 1500
      mac-sticky enable
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      service-policy input POLICY
      no shutdown
    When I  configuring my servers in vlan 29 and  point the default gateway to 192.168.10.19  it works fine no issues,but when this ACEs goes down and the standby becomes active ,my servers default gateway will be still pointing to 192.168.10.19  do i need to manually change it .20
    or can I configure HSRP,Please advise me on this

    Hi ,
    Yes the alias should be set as gateway for the servers.
    The alias is a shared address between the peers. This address will be on the ACTIVE ace. 
    Regards
    Dan

  • CSM bridge vs router mode

    Hi,
    Can the CSM be used in both the bridge and router mode for different VLANS ? Or does it need to use all router mode and all bridged mode ?

    you can have a mix of both.
    Gilles.

  • Create Development mode selection popup

    Hi All,
              I have to implement the popup as like Development mode selection popup. What is the component name of the popup. how to implement it?
    thanks,
    dhina

    What language or SDK are you using for your development?  There are other forums where this question can be moved, as this isn't the right forum for development-related questions.
    Peter Hansen -- (BB10 and dev-related blog posts at http://peterhansen.ca.)
    Author of White Noise and Battery Guru for BB10 and for PlayBook | Get more from your battery!

  • ISE iPEP + 3rd party device VPN bridge or route mode

    Dear All,
    I would like to get some advice from the community regarding my idea.
    We would like to integrate ISE iPEP with a 3rd party VPN device using bridge mode.
    However i can only find documents describing the following scenarios,
    - routed mode with VPN device
    - bridge mode with Wireless Controller
    So the questions is that is bridge mode supported if i would like to integrate ISE iPEP with a 3rd party VPN device or is it even possible to achive this kind of deployment?
    Thank you in advance.
    Best Regards,
    Erik Molnar

    Thanks for the reply Marcin.  Both of your suggestions are good ones, however in this scenario both DC firewalls are alive at the same time, so there needs to be some kind of logic on the device at the remote site to say that it should only use tunnel B if tunnel A is down.
    Thinking on this, is it possible to run an 'interface' or 'routed' mode IPSEC VPN with the ASA?  I know this is possible with the Fortigates and think it's the default mode for Junipers.  If that were possible we might be able to have both tunnels up and have OSPF run over them which would be another way to solve this problem.

Maybe you are looking for