Alright, the interface does not shut down, but the link goes down. I've included a config that should be pretty much what it'll be when I remove my PIX. Here's the config. This is mainly an issue of communication between the switch and the router. Could possibly be the NAT issue I mentioned in my other post.
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 15000 informational
logging console errors
logging monitor warnings
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local group radius
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name
ip name-server 10.1.254.1
ip name-server 10.1.254.11
ip name-server 10.1.254.7
ip ssh time-out 60
ip ssh authentication-retries 2
vpdn enable
!
!
!
crypto pki trustpoint TP-self-signed-2225951557
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2225951557
revocation-check none
rsakeypair TP-self-signed-2225951557
!
!
crypto pki certificate chain TP-self-signed-2225951557
certificate self-signed 01
***removed**
quit
username admin privilege 15 secret
!
!
crypto logging session
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key x address x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x
set peer x
set transform-set ESP-3DES-SHA1
match address 101
!
!
!
!
interface Tunnel0
ip address 10.10.1.1 255.255.255.0
ip mtu 420
tunnel source Dialer0
tunnel destination x
tunnel path-mtu-discovery
crypto map SDM_CMAP_1
!
interface FastEthernet0
description $ES_LAN$$FW_INSIDE$$ETH-LAN$
ip address 10.1.254.251 255.255.0.0
ip access-group sdm_fastethernet0_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
!
interface FastEthernet1
description ADSL$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
no ip address
ip verify unicast reverse-path
no ip redirects
ip mtu 500
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet2
description 10.1 network
switchport mode trunk
!
interface FastEthernet3
description
!
interface FastEthernet4
description
!
interface FastEthernet5
rmon promiscuous
rmon collection stats 6 owner config
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
shutdown
!
interface FastEthernet9
description Monitor Port
rmon promiscuous
rmon collection stats 10 owner config
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
ip address 10.0.0.254 255.255.255.0
ip access-group sdm_vlan1_in in
ip mask-reply
ip information-reply
ip directed-broadcast
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
shutdown
!
interface Dialer0
description $FW_OUTSIDE$
ip address x
ip information-reply
no ip proxy-arp
ip mtu 500
ip nat outside
ip irdp
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname x
ppp chap password x
ppp pap sent-username x password x
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encryption
!
router eigrp 1
passive-interface Async1
network 10.0.0.0
network 172.0.0.0 0.255.255.255
no auto-summary
!
ip local pool VPN 10.2.2.1 10.2.2.254
ip default-gateway x
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.0.0 255.255.0.0 Vlan1
ip route 10.1.0.0 255.255.0.0 FastEthernet0 permanent
ip route 172.21.0.0 255.255.0.0 Tunnel0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static 10.0.0.25 x
!
ip access-list extended sdm_fastethernet0_in
remark SDM_ACL Category=1
remark permit brewing_fw to ftp
permit tcp host 10.1.255.253 eq ftp any eq ftp log
remark permit x to WWW
permit tcp host 10.1.255.253 eq
eq
remark allow 10.1 network to x
permit ip 10.1.0.0 0.0.255.255 host x log
remark logging for x Traffic on port 8443
permit tcp any eq 8443 any eq 8443 log
remark allow 10.1.20 network to x (any)
permit ip 10.1.20.0 0.0.0.255 any log
remark Allow 10.1 network complete outbound access
permit ip 10.1.0.0 0.0.255.255 any log
remark allow 172.21 network complete outbound access
permit ip 172.21.0.0 0.0.255.255 any log
deny ip any any log
ip access-list extended sdm_vlan1_in
remark SDM_ACL Category=1
remark permit 10.0 network to 10.1 network
permit ip 10.0.0.0 0.255.255.255 10.1.0.0 0.0.255.255 log
remark catchall - allows everything out to the internet
permit ip 10.0.0.0 0.255.255.255 any log
remark denies any other traffic for logging
deny ip any any log
!
logging 10.1.254.87
logging 10.0.0.26
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.0.0 0.0.0.255 172.21.0.0 0.0.255.255
access-list 101 remark SDM_ACL Category=4
access-list 101 permit gre host x host x log
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.0.0.0 0.255.255.255 172.21.0.0 0.0.255.255 log
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.0.0.0 0.0.255.255 172.21.0.0 0.0.255.255 log
access-list 103 permit ip 10.0.0.0 0.255.255.255 any log
dialer-list 1 protocol ip permit
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
exec-timeout 0 0
transport input telnet ssh
line vty 5 15
exec-timeout 0 0
transport input telnet ssh
line vty 16 193
exec-timeout 0 0
!
end