
1800 simple LAN, I thought


iolair

IS-IT--Management
Oct 28, 2002
965
US
I have an 1800 that I bought to connect two subnets. I plugged in the 1800, plugged in each subnet to an ethernet port on the 1800. The main subnet is 10.213.89.0/24, and the other one is 10.213.93.0/24. I configured each interface (fa0 and fa1) with an ip address. And typed in "no shutdown". Since .93 connects to the Internet via .89, I put a static default route on the router to "help" .93 find the default gateway on .89. It doesn't work. What have I forgotten? When I telnet to the router, I can ping PC's on either side. I can not ping anything on the .93 side from .89, not even fa1, which is .93.5 - but, PC's on the .93 side CAN ping .89.9, fa0. When I "show cdp neighbors", the router can see the switches on either side. Is this just not possible? Or have I forgotten something very basic and simple? Or does the router think both subnets are actually one subnet? I did type in "no autosummarization" even though I'm not using a routing protocol, I'm just trying to connect the two subnets. Thanks.

Iolair MacWalter
Director of IT
 
Hello
Please post the configs of the routers.

Regards
 
Stubnski,
No, I didn't configure any ACL's, just want to pass packets from one subnet to the other. And back.

Minue,
Here is the config:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname dorm_rtr
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$oyp6$M4ygjfDiHySGfoXb7nG1E0
!
!
!
!
interface FastEthernet0
 description LocalLink
 ip address 10.213.89.9 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1
 description DormSide
 ip address 10.213.93.5 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
!
ip route 0.0.0.0 0.0.0.0 10.213.89.1
!
!
!
line con 0
 password cisco
 login
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password cisco
 login
!
!
!
end

The dorm switch and computers have only this way in and out, I think that's called a "stub" network? I tried typing in "ip classless", but it won't write that to the startup-config for some reason. But, it didn't help anyway. I looked at a config for a "router on a stick", and I didn't see anything that was different, since that's sort of what I'm doing?

Thanks.


Iolair MacWalter
Director of IT
 
The PC's on the 10.213.89.0/24 network are using 10.213.89.1 as their default gateway? On the router with the 10.213.89.1 interface, do you have a route statement identifying the 10.213.93.0/24 network and how to get there?
ip route 10.213.93.0 255.255.255.0 10.213.89.9

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Yes, all the PC's on .89 use .89.1 as the gateway. It's actually a PIX 506E, and no, I don't have an ip route to .93 on it. The PIX then connects to a 2800 that is onsite, but only the main office has access to it, so I can't do anything there as far as configuration goes. But, I do have total access to the PIX. Oops. Let me fix that. Thanks.

Iolair MacWalter
Director of IT
 
Hello
Your problem is that the PCs on the 10.213.89.0/24 network don't know how to get to the 10.213.93.0/24 network and are sending packets to the firewall. If you do a “tracert” you will see this behaviour.
Your design is a bit strange, but it's possible to make it work. I guess your goal is to make both networks speak to each other and have Internet connectivity. Please confirm, so I can start looking for a workaround.
Regards
 
Minue,
Yes, that's correct. What I really need is for .93 to access the Internet via the firewall. I was trying to keep .93 off of .89 for security reasons. Our servers are on .89, and students are very creative at hacking systems. Or so it seems. Originally, I had a Windows 2003 Server with "routing and remote access" enabled that was doing the job just fine, until it got hacked. I worked on it for several weeks, but was never able to get the service running properly again, so I thought I would use the 1800 to achieve the same thing, without the ability for it to be so easily hacked by the students. Since I, as administrator, am on .89, I wanted to be able to ping them and admin the switch out there as well from my office, instead of having to travel to the dorm (less than 1/2 mile). Make any sense?

Thanks.

Iolair MacWalter
Director of IT
 
Well, as I said before, your design is tricky! A quick workaround to reach the .93 would be to put another default gateway under the Windows PC that you're using for management.
I never did ask, but can the .93 reach the Internet as it is now?
Regards
 
No, .93 can not reach the internet now. They can reach both interfaces on the 1800 though - .93.5 AND .89.9. PC's on the .89 side can only see the .89.9 interface. The dorm PC's that are on the .93 subnet were able to reach the Internet using the Windows 2003 Server before the students destroyed it. Maybe the easiest thing is to build a new W2K3 server and make it more secure?

Iolair MacWalter
Director of IT
 
That's because Windows was NATting for you! I think you will have to configure NAT on the router or do something on the firewall, maybe a VLAN.
Regards
 
To do a better design, you can use the VLAN1 on the 1800 to connect to the PIX and do NATting on the router for both subnets. Then you can use access-lists to lock down the students.
Regards
P.S. How's your Internet setup? Is the PIX NATting the .89 network? What's going on at the WAN router? I am not good with the PIX, but if you post a conf so I can understand the network better, maybe we can find a solution.
 
Minue,
Thanks again. The way we work now, the PIX is connected to a 2800 router that connects to a T1 line that is connected on the other end (main office) to a router of some sort. Since I'm one branch of hundreds, I'm sure they're using some kind of hub and spoke setup downtown, but what I don't know, since I don't have any kind of access to the router, even though it's physically here. Our NAT happens downtown, and they have actually assigned the subnet numbers to us. Yes, I'll bet Windows was converting those .93 numbers into some form of .89 number. I like your suggestion of using the 1800's vlan1 - I think I have enough knowledge to config access-lists, and that will help a lot! What I don't know, I can look up. Good thing I've got a test lab setup nearby.

Thanks.

Iolair MacWalter
Director of IT
 
Hello
I think the PIX is NATting the .89 only (can you please post the conf?), and then it's being NATted again at the hub. To verify, try to do a tracert to a public IP address (e.g. 4.2.2.2); the last private IP will be the one NATting to the Internet. Tell me if it's the 2800 by counting the hops.
For now the solutions are: create VLANs on the PIX for both subnets and use the SVI interface on the 1800, or simply NAT the .93 to .89, which is the easiest solution. Or NAT both subnets on the 1800.
Regards
 
Thanks. I believe I'll NAT .93 to .89, since that's easiest. Thanks again for your help.

Iolair MacWalter
Director of IT
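
The approach the thread settles on (NAT .93 to .89 on the 1800, with access-lists to lock down the dorm side), sketched as an IOS configuration. This is an added example, not a config posted by anyone in the thread; the ACL names, the admin workstation address 10.213.89.50 and static addressing on the dorm side are assumptions.

```cisco
! Added example, built from the addresses in this thread.
! Hypothetical: ACL names DORM-NAT / DORM-IN, admin host 10.213.89.50.
! Assumes dorm PCs use static addresses (DHCP broadcasts would need
! their own permit entry in DORM-IN).
!
interface FastEthernet0
 description LocalLink
 ip address 10.213.89.9 255.255.255.0
 ip nat outside
!
interface FastEthernet1
 description DormSide
 ip address 10.213.93.5 255.255.255.0
 ip nat inside
 ip access-group DORM-IN in
!
! Which dorm traffic gets translated. Replies to hosts on .89 are
! exempted so the admin sees the real .93 source address; everything
! else leaves as 10.213.89.9, so the PIX needs no route back to .93.
ip access-list extended DORM-NAT
 deny   ip 10.213.93.0 0.0.0.255 10.213.89.0 0.0.0.255
 permit ip 10.213.93.0 0.0.0.255 any
!
ip nat inside source list DORM-NAT interface FastEthernet0 overload
!
! What the dorm side may send. Only return traffic to the admin host
! is allowed into the server subnet; denied attempts are logged.
ip access-list extended DORM-IN
 permit icmp 10.213.93.0 0.0.0.255 host 10.213.89.50 echo-reply
 permit tcp 10.213.93.0 0.0.0.255 host 10.213.89.50 established
 deny   ip any 10.213.89.0 0.0.0.255 log
 permit ip 10.213.93.0 0.0.0.255 any
!
! Restrict router management logins to the admin host.
access-list 10 permit host 10.213.89.50
line vty 0 4
 access-class 10 in
!
ip route 0.0.0.0 0.0.0.0 10.213.89.1
```

Because the .89 PCs use the PIX as their default gateway, the admin workstation still needs its own route to the dorm subnet, for example `route -p add 10.213.93.0 mask 255.255.255.0 10.213.89.9` on Windows. `show ip nat translations` and the hit counters in `show access-lists` confirm that translation and the deny rule are taking effect.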
 