
Cisco 1841 Routing Issues ! 2


pinotek

IS-IT--Management
Dec 10, 2009
12
US
Wow, this has been a nightmare to say the least. This is the first time I've ever looked at a Cisco device and it has been fun to say the least. Here is the scenario: We have a branch office that is connected to our admin office via a Full T1. Currently, this T1 is terminated using some old MultiTech Routers...and they absolutely stink. I purchased 3 Cisco 1841 Routers w/the Integrated T1 Module. I configured the devices from scratch and was somewhat successful. I thought everything was perfect and gambled on Installing the devices (replacing the old MultiTechs) yesterday afternoon. Upon plugging in the devices, to my amazement the T1 connection worked and NO ALARMS reported. I patted myself on the back. I sent a ping across the network over the T1 and the response times were AWESOME...literally 10X faster. Response times went from 40ms to 4ms. After a few minutes things started getting weird. I was losing packets and the remote office could not ping anything on the ADMIN end; eventually I had to put the old equipment back and hang my head in shame. I'll submit a new post with my configs to see if someone out there could help me with this. I don't know what to do anymore and seem to be going in circles now. Thanks in advance for your help. Have an emergency at a remote location and gotta run...I love this job.
Pino
 
The Goal of the Entire project is to allow all traffic from the 172.22.1.0/24 Network over the T1 connection access to the Internet and the 172.16.0.0/16 Network. Now using the routes below I am able to ping google.com from the Remote Network but with Packet loss. I guess that's better than nothing, but yahoo.com still gives a TTL expired in transit message when pinging. From the Test PC on the Remote Network I can now ping the 172.16.1.10 Firewall and I get somewhat of an Internet access (certain sites, and really slow) but I can do neither from the 172.22.1.70 Router Itself. When trying to ping from the 172.22.1.70 (Remote Network) router to the 172.16.1.10 (Firewall Admin Network), the syslog on the firewall blocks it because it is a SPOOFED address. I think there is something seriously wrong with my ROUTING TABLES. Any Help would be greatly appreciated. I am a newbie at Cisco IOS so thanks for the understanding on the front end. I appreciate all your help.
Thanks,
Pino
dave_cosy@yahoo.com

Admin Network Config:

sh interface serial0/1/0
Serial0/1/0 is up, line protocol is up
Hardware is GT96K with integrated T1 CSU/DSU
Internet address is 200.2.10.2/24
MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP, CDPCP, loopback not set
Keepalive set (10 sec)

sh Interface FastEthernet0/0
FastEthernet0/0 is up, line protocol is up
Hardware is Gt96k FE, address is 001b.d44f.b522 (bia 001b.d44f.b522)
Description: $ETH-LAN$
Internet address is 172.16.1.70/16
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

sh ip route
Gateway of last resort is 200.2.10.1 to network 0.0.0.0

C 172.16.0.0/16 is directly connected, FastEthernet0/0
172.22.0.0/24 is subnetted, 1 subnets
S 172.22.1.0 [1/0] via 200.2.10.1
200.2.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 200.2.10.0/24 is directly connected, Serial0/1/0
C 200.2.10.1/32 is directly connected, Serial0/1/0
S* 0.0.0.0/0 [1/0] via 200.2.10.1
[1/0] via 172.16.1.10


Remote Network Config:

Serial:
Serial0/1/0 is up, line protocol is up
Hardware is GT96K with integrated T1 CSU/DSU
Internet address is 200.2.10.1/24
MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP, CDPCP, loopback not set
Keepalive set (10 sec)

FastEthernet Interface0/0
FastEthernet0/0 is up, line protocol is up
Hardware is Gt96k FE, address is 001d.71b0.3de4 (bia 001d.71b0.3de4)
Internet address is 172.22.1.70/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255

sh ip route
Gateway of last resort is 200.2.10.2 to network 0.0.0.0

S 172.16.0.0/16 [1/0] via 200.2.10.2
172.22.0.0/24 is subnetted, 1 subnets
C 172.22.1.0 is directly connected, FastEthernet0/0
200.2.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 200.2.10.0/24 is directly connected, Serial0/1/0
C 200.2.10.2/32 is directly connected, Serial0/1/0
S* 0.0.0.0/0 [1/0] via 200.2.10.2
 
You need a sh run from both ends, please.

Also, did you put in two default routes?

"S* 0.0.0.0/0 [1/0] via 200.2.10.1
[1/0] via 172.16.1.10"

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Burtsbees (I love that stuff),

Thanks for the quick response. I was truly shocked at the quickness of your reply. Anyway, if I remember correctly, when I first began this endeavour I don't think RIP was enabled by default, so I added the default route in the initial config. I thought that would go away after enabling the RIP protocol. Apparently not! I was really confused by the 2 entries in the default route; I didn't even think that was possible. I will do "sh run" on both devices first thing in the morning about 7:30AM Central Time and will post ASAP. I was desperately hoping to have this working by Friday afternoon but if I (should I say "we") can't, it's ok. The other devices are still working. Once again thanks for the help.
 
Here is the Info Requested: I think there is definitely a routing issue after looking at these configs. I didn't even know this command [sh run] to begin with. Wow, I really suck at this Cisco thing. I can't believe I made it this far along. Sounds like back to school for me. Thanks again for the help!

Admin Network Router: sh run [command]

Current configuration : 1062 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime
no service password-encryption
!
hostname ADM-CM-T1-RTR
!
boot-start-marker
boot-end-marker
!
enable secret 5 -------------------------
enable password ------------
!
no aaa new-model
ip cef
!
ip name-server 172.16.1.10
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 172.16.1.70 255.255.0.0
loopback
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1/0
ip address 200.2.10.2 255.255.255.0
encapsulation ppp
service-module t1 clock source internal
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.1.10
ip route 0.0.0.0 0.0.0.0 200.2.10.1
ip route 172.16.0.0 255.255.0.0 172.16.1.10
ip route 172.22.1.0 255.255.255.0 200.2.10.1
!
!
ip http server
no ip http secure-server
!
logging 172.16.1.234
!
control-plane
!
line con 0

Remote Network Config: sh run [command]

Current configuration : 918 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CM-ADM-T1-RTR
!
boot-start-marker
boot-end-marker
!
enable secret 5 -------------------------
enable password ------------
!
no aaa new-model
ip cef
!
ip name-server 172.16.1.10
!
interface FastEthernet0/0
ip address 172.22.1.70 255.255.255.0
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1/0
ip address 200.2.10.1 255.255.255.0
encapsulation ppp
service-module t1 remote-alarm-enable
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.2.10.2
ip route 172.16.0.0 255.255.0.0 172.16.1.70
ip route 172.16.0.0 255.255.0.0 200.2.10.2
!
ip http server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
password ------------
login
!
scheduler allocate 20000 1000
end
 
OK, here is where I'm at now. I have edited the Routing Table on the Admin Network Router (172.16.1.70). The effect of that is that I am now able to ping any host on the Internet and any host on the Remote Network. From the Remote Network I am only able to ping the Admin Network Router and nothing else. Here are the new Routing Entries for both devices.

Admin Network Routing Table

Gateway of last resort is 172.16.1.10 to network 0.0.0.0

C 172.16.0.0/16 is directly connected, FastEthernet0/0
172.22.0.0/24 is subnetted, 1 subnets
S 172.22.1.0 [1/0] via 200.2.10.1
200.2.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 200.2.10.0/24 is directly connected, Serial0/1/0
C 200.2.10.1/32 is directly connected, Serial0/1/0
S* 0.0.0.0/0 [1/0] via 172.16.1.10

Note: The Last Entry S* via 172.16.1.10 is the Firewall to the Internet.

Remote Network Routing Table

Gateway of last resort is 200.2.10.2 to network 0.0.0.0

172.22.0.0/24 is subnetted, 1 subnets
C 172.22.1.0 is directly connected, FastEthernet0/0
200.2.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 200.2.10.0/24 is directly connected, Serial0/1/0
C 200.2.10.2/32 is directly connected, Serial0/1/0
S* 0.0.0.0/0 [1/0] via 200.2.10.2

Note: The S* Entry reflects the Serial Interface on the Admin Network. If I remove this Entry I cannot ping the Admin Network Router.
 
You need NAT, it looks like...

ip nat inside on the ethernet interfaces
ip nat outside on the serial interfaces
an acl from the internal lan to any
ip nat inside source list whatever int s0/1/0 overload

 
I don't suppose there are detailed instructions for the NAT setup :O). I'm going to look for documentation on setting up NAT. Do I need to set up the NAT on both Routers?

What is the :

ip nat inside source list whatever int s0/1/0 overload ?

Thanks Again ! I can feel it, almost there.
 
I found the info you posted. There is an article with what seems to be detailed instructions with diagrams. I'm going to try and wrap my brain around it.

Pino
 
OK, I've read several documents on the topic of NAT and the Cisco IOS. I think I now understand (somewhat) how this works. The only problem I'm running into is that my config is different from the typical setups. The examples I've found are the 1-office getting out onto the Internet. My config has two offices, one of which can get out onto the Internet (Admin Network NAT'D by the Firewall); the other office cannot because it does not have NAT enabled. When I enable the NAT on the Remote Network, what addresses am I supposed to use for the Outside Local and Outside Global Parameters? That's where I'm stuck. I don't think I have to NAT anything on the Admin Network because it's already NAT'D by the Admin Network Firewall.
Thanks,
Pino
 
Can you add the Remote Network (172.22.1.70/24) to the NAT on your firewall?

Also, the remote network should only need 1 route on it, the default route of:
ip route 0.0.0.0 0.0.0.0 200.2.10.2


Could you test both these scenarios and let us know?



Bill
 
OK, I made it work but I'm not sure if it's a problem. Here is what I did. I was trying to look at any log file that had anything to do with Network traffic back and forth from ALL these devices. Here is what I've found:

Alterac, I had multiple default routes from the initial config when I first started with these awesome devices. After Burtsbees pointed that out I went ahead and deleted the routes I thought were wrong and ended up with the Routing you specified in your post on my remote network.

This is how I fixed the problem. I kept getting a BLOCKED icmp packet response from the Admin Network Firewall (172.16.1.10) when trying to ping from the Remote Network Router or any Device on the Remote Network. The reason for the firewall blocking was because the address was being classified as SPOOFED. Which makes sense because the Originating IP was 172.22.1.33 (Remote Network PC) but once those packets passed the Serial Interface they were changed to 200.2.10.1 (Serial Interface on the Admin Network). Because that address is never going to change, I added a route to the Firewall (172.16.1.10) specifying that traffic from HOST 200.2.10.1 should be forwarded to the Admin Network Router Interface (172.16.1.70). After this change, everything worked. I can now ping the Internet from both Routers and can ping any Host from either Network to the other, NO PROBLEMS. I can't believe it! I have so much running around in my brain right now, I don't know if any of this made any sense. Thank you guys so much for helping me think about this. Do you see anything wrong with the way I configured this?

Thanks,
Pino
 
Could you post the working configs so we can take a final look?

Bill
 
I will post the configs on Monday. From what it looked like before I left, everything stayed the same as my last post of the configs, with the exception of the additional route that I added to the Firewall(172.16.1.10). Its routing table now looks like this:

172.22.1.0/24 Next Hop: 172.16.1.70
200.2.10.1/24 Next Hop: 172.16.1.70

With that last route, the firewall no longer denied the packets coming from the Serial Interface of the Remote Network as SPOOFED packets. In my mind, because all traffic destined for the Internet will have the source address of the Serial Interface of the Remote Network I shouldn't ever really have an issue with packets being denied by the Firewall, due to the added Route. It makes sense to me, am I wrong in my logic? I can't thank you guys enough for the help you have offered. Where do I mail the gift certificates?

Pino
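As an added illustration (not from any post in this thread), here is a small Python model of the routing tables posted above. `walk` shows how the admin router's second default route can bounce Internet-bound traffic from the remote LAN back over the T1 until its TTL runs out, which fits the packet loss and "TTL expired in transit" reported earlier in the thread, and `rpf_ok` is an assumed reverse-path model of the firewall's spoofed-packet check, which clears once routes for 172.22.1.0/24 and 200.2.10.0/24 point at 172.16.1.70. The next-hop names, the 198.51.100.7 test destination and the firewall's table are constructed for the example.

```python
import ipaddress

# Constructed model of the two routers and the firewall from this thread. Tables
# are (prefix, next hop) pairs; next hops are named by the device they lead to.
def lookup(table, dst):
    """Longest-prefix match. Returns every next hop at the winning prefix
    length, because IOS load-shares static routes that tie on prefix and
    administrative distance (the two 0.0.0.0/0 entries in the admin router)."""
    addr = ipaddress.ip_address(dst)
    best, hops = -1, []
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best:
            best, hops = net.prefixlen, [hop]
        elif addr in net and net.prefixlen == best:
            hops.append(hop)
    return hops

ADMIN_ORIGINAL = [
    ("172.16.0.0/16", "admin-lan"),
    ("172.22.1.0/24", "remote"),    # via 200.2.10.1
    ("0.0.0.0/0", "firewall"),      # via 172.16.1.10
    ("0.0.0.0/0", "remote"),        # via 200.2.10.1, the second default route
]
ADMIN_FIXED = ADMIN_ORIGINAL[:3]    # second default route removed
REMOTE = [
    ("172.22.1.0/24", "remote-lan"),
    ("0.0.0.0/0", "admin"),         # via 200.2.10.2
]

def walk(admin_table, dst, pick=0, ttl=8):
    """Forward one packet from the remote LAN toward dst. `pick` selects which
    equal-cost next hop this flow hashes to; the result is where it ends up."""
    routers = {"remote": REMOTE, "admin": admin_table}
    here = "remote"
    while ttl:
        hops = lookup(routers[here], dst)
        nxt = hops[min(pick, len(hops) - 1)]
        if nxt not in routers:
            return nxt              # handed to the firewall or a LAN
        here, ttl = nxt, ttl - 1
    return "ttl-expired"            # what ping reports as TTL expired in transit

# Assumed model of the firewall's anti-spoofing: a strict reverse-path check
# that flags a packet when the route back to its source does not point out
# the interface it arrived on. The fix described in the thread adds such routes.
FW_ORIGINAL = [("172.16.0.0/16", "inside"), ("0.0.0.0/0", "isp")]
FW_FIXED = FW_ORIGINAL + [
    ("172.22.1.0/24", "inside"),    # next hop 172.16.1.70
    ("200.2.10.0/24", "inside"),    # the thread writes this as 200.2.10.1/24
]

def rpf_ok(fw_table, src, ingress):
    return ingress in lookup(fw_table, src)
```

With `ADMIN_ORIGINAL`, flows that hash to the second default route loop between the two routers until TTL is exhausted, while `ADMIN_FIXED` delivers every Internet-bound packet to the firewall.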
 
I'm assuming you added the NAT that burt suggested to the remote site, so that all traffic from that site appears to come from 200.2.10.1.

I'm pretty sure if you add a route on the firewall to 172.22.1.0/24 Next Hop: 172.16.1.70

You could then remove the nat on the remote router.

I'm just trying to keep things as simple as possible config wise.


Bill
 
Alterac, I never added the NAT. However, I do have 2 routes in the Firewall

172.22.1.0/24 Next Hop 172.16.1.70
200.2.10.1/24 Next Hop 172.16.1.70

This last route in the Firewall allowed the Remote Network to access the Internet and all other devices from the Remote Network to the Admin Network. I believe the reason it is working without the NAT is because the Remote Network is using 200.2.10.2 as its default route: any traffic destined for a network other than 172.22.1.0/24 is forwarded to the Serial Interface of the Admin Network, then routed according to the Admin Network's Routing Table? I also think that because the traffic coming from the Remote Network is being reported as 200.2.10.1 (isn't that what NAT is supposed to do?), adding that entry to the Firewall allows the traffic to pass through the firewall and back to the Remote Network PC. I hope this makes sense. I will post all configs on Monday when I'm back at work. I also hope to Install these devices on Monday Morning. I was curious about a switch issue I found. My boss installed a DLINK Managed switch layer 2/3. I found that the switch has RIP disabled. Do you see any reason why this shouldn't be enabled so that Routing info can pass from device to device? Just Wondering!

Thanks,
Pino
 
Technically you don't need to enable RIP on it at all; if you don't need it, just disable it so it's set up as a dumb switch.

I'll wait 'til Monday for any other suggestions, when I'm sure burtsbees will chime in again also :)


Bill
 
Get rid of these:

ip route 0.0.0.0 0.0.0.0 172.16.1.10
and
ip route 172.16.0.0 255.255.0.0 172.16.1.70
in the admin router. Also, everything should be a /24. The admin default route is pointing to your internal DNS server. Clean those up, NAT the admin side but not the remote site. After that, we can maybe guide you into creating an IPSEC GRE tunnel. I would just do that, and NAT the remote site so that it can get out to the internet via its own gateway.

 
These past two days have been nuts to say the least. Putting out too many fires. I just installed the Routers into the production environment. Just a few things to report.

1.) I have not taken a recent snapshot of the running-config yet.

2.) The devices are working flawlessly in both directions.

3.) Ping times with MultiTech Devices = 40ms
Ping times with Cisco Devices = 4ms !!!

4.) All Routing is working and Internet is Superfast.

5.) I will get running-config info tomorrow and post.

These devices perform awesome. I cannot thank Burtsbees and Alterac enough for their help. You guys are awesome. Once again, where do I send the Gift Certificates? This site is amazing. I hope I will be able to help others as I've been helped.

Pino
 
No problem.

I think burtsbees makes a living on these forums :D hah.

I just browse when I'm trying to keep my knowledge up to date and challenge myself with more problems.

Bill
 