
1720 Router routing problem between networks


mdbuddy

MIS
Apr 1, 2004
This router is going to route between 2 subnets
10.10.1.0 inside, 172.16.9.0 outside. The outside is currently a network in our plant. So far I can't see what I'm doing wrong. The only thing I haven't added was to block port 80 for the PLC 172.x.x.x network.

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco1720
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$wzBF$nu0tc4XMsKhdQxHHFQDWm/
enable password cisco
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip domain lookup source-interface Ethernet0
ip domain name h.com
ip name-server 10.10.1.3
ip name-server 10.10.1.5
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description PLC Network
ip address 172.16.3.9 255.255.254.0
ip access-group 110 in
ip access-group 110 out
ip nat outside
no ip route-cache cef
no ip route-cache
full-duplex
no cdp enable
!
interface FastEthernet0
description connected to h LAN
ip address 10.10.1.79 255.255.252.0
ip broadcast-address 10.10.3.255
ip nat inside
no ip route-cache cef
no ip route-cache
speed auto
full-duplex
no cdp enable
!
ip default-gateway 10.10.1.1
ip nat inside source list 10 interface Ethernet0 overload
ip nat outside source list 10 interface FastEthernet0
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.1.1
no ip http server
ip http access-class 99
no ip http secure-server
!
ip dns server
ip dns primary h.com soa husadomain administrator.h.com 3600 1800 259200 3600
!
access-list 10 permit 10.10.1.0 0.0.0.255
access-list 110 permit ip any any
no cdp run
!
banner login ^CCWelcome to Cisco 1720 Router^C
!
line con 0
password cisco
login
line aux 0
password cisco
login
line vty 0 4
access-class 10 in
password cisco
login
!
end
 
I got routing working between both nets; now I just need to block port 80, so no one on the 172 net has access to the web.
Current config


Current configuration : 1660 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco1720
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$wzBF$nu0tc4XMsKhdQxHHFQDWm/
enable password cisco
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip telnet source-interface Ethernet0
ip domain lookup source-interface FastEthernet0
ip domain name homanitusa.com
ip name-server 10.10.1.3
ip name-server 10.10.1.5
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description Connected to homanitusa LAN
ip address 10.10.1.79 255.255.252.0
ip access-group 110 in
ip access-group 110 out
ip nat outside
no ip route-cache cef
no ip route-cache
half-duplex
no cdp enable
!
interface FastEthernet0
description Connected to PLC Network
ip address 172.16.3.9 255.255.254.0
ip access-group 110 in
ip access-group 110 out
ip nat inside
no ip route-cache cef
no ip route-cache
speed auto
full-duplex
no cdp enable
!
router rip
version 2
network 172.16.0.0
no auto-summary
!
ip nat inside source list 10 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.1.1
no ip http server
ip http access-class 99
no ip http secure-server
!
!
access-list 10 permit 172.16.3.0 0.0.0.255
access-list 110 permit ip any any
access-list 110 deny tcp any any eq www
no cdp run
!
banner login ^CCWelcome to Cisco 1720 Router^C
!
line con 0
password cisco
login
line aux 0
password cisco
login
line vty 0 4
access-class 10 in
password cisco
login
!
end
 
Why have access-list 110 applied to both interfaces in both directions? I wouldn't apply the access-list to any interface that doesn't need to be restricted.

conf t
int ethernet0
no ip access-group 110 in
no ip access-group 110 out
int fastethernet0
no ip access-group 110 in
no ip access-group 110 out
no access-list 110
access-list 110 deny tcp any any eq 80
access-list 110 permit ip any any
int fastethernet0
ip access-group 110 in

Please note that the permit ip any any must come after the deny statement. Packets are inspected from top to bottom, so if permit ip any any were at the top, all packets would get through.
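To make the ordering point concrete, here is a small first-match model of an IOS extended ACL, written as an added example for this thread (it is not IOS code and not something posted in the thread). It takes the two orderings that appear above, the poster's "permit ip any any" followed by "deny tcp any any eq www" and the reply's deny-first version, and evaluates constructed sample packets against each. Addresses, the wildcard-to-prefix helper and the implicit trailing deny are modelled as a simplification: only contiguous wildcard masks (such as 0.0.0.255) are supported, and "eq www" is treated as TCP destination port 80.

```python
"""First-match evaluation of an IOS-style extended ACL (illustrative model, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair (e.g. 172.16.3.0 0.0.0.255) to a prefix.

    Only contiguous wildcards are representable as a prefix; anything else raises ValueError.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access-list entry: 'permit'/'deny', protocol, source, destination, optional dst port."""
    action: str
    proto: str                      # "ip", "tcp", "udp" or "icmp"; "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # "eq <port>" on the destination; None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


def which_entry(acl: List[Ace], pkt: Packet) -> Optional[int]:
    """Position (1-based) of the first entry that matches, or None if nothing matches."""
    for pos, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return pos
    return None


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Action of the first matching entry; every IOS ACL ends with an implicit 'deny ip any any'."""
    pos = which_entry(acl, pkt)
    return "deny" if pos is None else acl[pos - 1].action


# Ordering as it appeared in the second posted config: the deny is below the permit and never reached.
ACL_PERMIT_FIRST = [
    Ace("permit", "ip", ANY, ANY),
    Ace("deny", "tcp", ANY, ANY, 80),
]

# Ordering from the reply above: deny www first, then permit everything else.
ACL_DENY_FIRST = [
    Ace("deny", "tcp", ANY, ANY, 80),
    Ace("permit", "ip", ANY, ANY),
]

# Constructed sample traffic from a PLC host to a LAN host (addresses made up for illustration).
HTTP = Packet("tcp", "172.16.3.10", "10.10.1.4", 80)
HTTPS = Packet("tcp", "172.16.3.10", "10.10.1.4", 443)
PING = Packet("icmp", "172.16.3.10", "10.10.1.4")

if __name__ == "__main__":
    for name, acl in (("permit-first", ACL_PERMIT_FIRST), ("deny-first", ACL_DENY_FIRST)):
        for pkt in (HTTP, HTTPS, PING):
            print(f"{name:12s} {pkt.proto}/{pkt.dst_port}: {evaluate(acl, pkt)} (entry {which_entry(acl, pkt)})")
```

The model also shows why a freshly created ACL with no entries blocks everything: with no explicit match, `evaluate` falls through to the implicit deny, which is exactly what happens on the router when an access-group is applied before its entries exist.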
 
Thanks, I did the above, but on my LAN 10.10.1.0, I can't ping a host behind the router unless I change the gateway of the PC to point to the outside int E0. From behind the router FE0 I can ping any host on the 10.10.1.0 net. If I remove 'ip nat inside' from the config, I can only ping hosts behind the router's outside int E0 (10.10.1.79).

From
10.10.1.0---->172.16.3.0 ping ok if using 10.10.1.79 as gateway

172.16.3.0---->10.10.1.0 ping ok with/without 'ip nat inside'; the only thing is, with NAT turned on I can ping any host on the 10.10.1.0 net, which is preferred and great. With ip nat inside removed I can only ping hosts using the router's outside IP as a gateway.

Also for some reason if the ip nat inside is removed, the access-list 110 deny tcp any any eq 80 statement is ignored and you get to the web. With it 80 is blocked.

Hosts on the 10.10.1.0 net shouldn't have to have the outside ip of the router 10.10.1.74 as their gateway in order to reach hosts on the 172.16.3.0 side.

Current config; I may still be missing something!
==============================================

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco1720
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$wzBF$nu0tc4XMsKhdQxHHFQDWm/
enable password cisco
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip telnet source-interface FastEthernet0
ip domain lookup source-interface FastEthernet0
ip domain name homanitusa.com
ip name-server 10.10.1.3
ip name-server 10.10.1.5
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description Connected to homanitusa LAN
ip address 10.10.1.74 255.255.252.0
no ip redirects
ip nat outside
no ip route-cache cef
no ip route-cache
full-duplex
no cdp enable
!
interface FastEthernet0
description Connected to PLC Network
ip address 172.16.3.9 255.255.254.0
ip access-group 110 in
no ip redirects
ip nat inside
no ip route-cache cef
no ip route-cache
speed auto
full-duplex
no cdp enable
!
router rip
version 2
network 172.16.0.0
no auto-summary
!
ip nat inside source list 10 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.1.2
no ip http server
ip http access-class 99
no ip http secure-server
!
!
access-list 10 permit 172.16.3.0 0.0.0.255
access-list 10 permit 172.16.2.0 0.0.0.255
access-list 110 deny tcp any any eq www
access-list 110 permit ip any any
no cdp run
!
!
line con 0
password cisco
login
line aux 0
password cisco
login
line vty 0 4
access-class 10 in
password cisco
login
!
end
====================================================
Thanks
 
Let's start from the beginning...
1) Why are you NATing? Generally, there is no need at all to NAT LAN to LAN traffic.
2) What are the default gateways for the PCs in each segment? If you only have one router touching the 10.10.1.x segment, then the interface of the router that touches that segment should be the default gateway.
3) It would be nice to know your topology (kind of a repeat of #2 above). The router has a default gateway of 10.10.1.2. What is that device?
 
Not needing to NAT, just threw it in troubleshooting config. It will be removed or can be.

PC(10.10.1.X)--->PIX(10.10.1.2)FIREWALL GATEWAY

PC(172.16.3.X)--->(172.16.3.9)1720(10.10.1.74)--->Direct connect to 10.10.1.0 LAN. The 1720's default gateway is 10.10.1.2

I have the hosts on the 172 lan with a default gateway of 172.16.3.9
 
Another question. I can reach host 10.10.1.4 or 10.10.1.200 with NAT on, but when I remove it I can only ping hosts using the 1720 router as their gateway and can't ping 10.10.1.4 or 10.10.1.200. With NAT on I can ping by IP address any host on the 10.10.1.0 LAN; with it off I can only ping hosts using the 1720 as gateway.

 
Make all PCs on both LANs point to the 1720 router as their gateway. You already have the 1720 pointing to the PIX as its gateway. This will allow both LANs to see each other and will also allow the 10.10.1.x network internet access.

As packets were coming from the 172.16.3.x LAN, they were getting NAT'ed to 10.10.1.74. The 10.10.1.x network can talk to any 10.10.1.x IP without the need for a default gateway.
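The reply-path behaviour described in the last two posts can be reproduced with a small forwarding model. This is an added example, not code from the thread: each node has interface addresses, optional static routes and a default gateway, and a trip counts as working only if the request reaches the destination and the reply finds its way back. The topology follows the thread (PLC host behind the 1720, the 1720 defaulting to the PIX at 10.10.1.2, LAN hosts differing only in their gateway); the PLC host address 172.16.3.10, the LAN host 10.10.1.50 and the assumption that the PIX has no route toward 172.16.x are all constructed for the illustration. NAT is modelled simply as the reply being addressed to 10.10.1.74 instead of the PLC host. As a step beyond the thread, the last scenario also shows the alternative of giving the PIX a static route for the PLC network.

```python
"""Forwarding-table model of the thread's topology: does the reply get back? (no ACLs, no ARP)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    name: str
    addrs: List[str]                                       # "address/prefixlen" per interface
    gateway: Optional[str] = None                          # default gateway (next-hop address)
    routes: Dict[str, str] = field(default_factory=dict)   # static routes: prefix -> next hop

    def owns(self, addr: str) -> bool:
        return any(ipaddress.ip_interface(a).ip == ipaddress.ip_address(addr) for a in self.addrs)

    def on_link(self, addr: str) -> bool:
        return any(ipaddress.ip_address(addr) in ipaddress.ip_interface(a).network for a in self.addrs)

    def next_hop(self, dst: str) -> Optional[str]:
        """'direct' for an on-link destination, else the longest matching static route, else the default."""
        if self.on_link(dst):
            return "direct"
        best = None
        for prefix, nh in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh)
        return best[1] if best else self.gateway


def owner(topo: List[Node], addr: str) -> Optional[Node]:
    return next((n for n in topo if n.owns(addr)), None)


def trace(topo: List[Node], src: str, dst: str, max_hops: int = 8) -> Optional[List[str]]:
    """Node names visited from src to dst, or None when some hop has no usable route."""
    node = owner(topo, src)
    path: List[str] = []
    while node is not None and len(path) < max_hops:
        path.append(node.name)
        if node.owns(dst):
            return path
        nh = node.next_hop(dst)
        if nh is None:
            return None                      # no route: packet is dropped here
        node = owner(topo, dst if nh == "direct" else nh)
    return None


def round_trip(topo: List[Node], src: str, dst: str, nat_src: Optional[str] = None) -> bool:
    """True if the request reaches dst and the reply reaches the (possibly NAT-rewritten) source."""
    if trace(topo, src, dst) is None:
        return False
    return trace(topo, dst, nat_src or src) is not None


# Constructed topology after the thread; 172.16.3.10 and 10.10.1.50 are made-up host addresses,
# and the PIX is assumed to know nothing about 172.16.x (it has only its own LAN interface).
TOPOLOGY = [
    Node("plc_host", ["172.16.3.10/23"], gateway="172.16.3.9"),
    Node("r1720", ["172.16.3.9/23", "10.10.1.74/22"], gateway="10.10.1.2"),
    Node("pix", ["10.10.1.2/22"]),
    Node("lan_host_pix_gw", ["10.10.1.4/22"], gateway="10.10.1.2"),
    Node("lan_host_1720_gw", ["10.10.1.50/22"], gateway="10.10.1.74"),
]


def with_pix_route() -> List[Node]:
    """Same topology, but the PIX has a static route for the PLC network via the 1720 (assumed fix)."""
    topo = [Node(n.name, list(n.addrs), n.gateway, dict(n.routes)) for n in TOPOLOGY]
    next(n for n in topo if n.name == "pix").routes["172.16.2.0/23"] = "10.10.1.74"
    return topo


if __name__ == "__main__":
    print("PLC -> PIX-gateway host, no NAT:  ", round_trip(TOPOLOGY, "172.16.3.10", "10.10.1.4"))
    print("PLC -> PIX-gateway host, NAT:     ", round_trip(TOPOLOGY, "172.16.3.10", "10.10.1.4", "10.10.1.74"))
    print("PLC -> 1720-gateway host, no NAT: ", round_trip(TOPOLOGY, "172.16.3.10", "10.10.1.50"))
    print("PIX-gateway host -> PLC:          ", round_trip(TOPOLOGY, "10.10.1.4", "172.16.3.10"))
    print("PIX-gateway host -> PLC, PIX route", round_trip(with_pix_route(), "10.10.1.4", "172.16.3.10"))
```

With NAT the reply is addressed to 10.10.1.74, which is on the LAN host's own subnet, so the host never consults its gateway and the 1720 receives it directly; without NAT the reply for 172.16.3.x goes to the PIX, which drops it. Pointing the hosts at the 1720 (or adding the route on the PIX) makes the path symmetric without translation.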
 
After thinking about it I made more sense out of it, and I only really need to move about 4 hosts on the 10.10 side to the 1720 outside IP for their gateway. Just 1 more hop.

Thanks for the help
 