
General Direction Wanted

Status
Not open for further replies.

ITbeast

IS-IT--Management
Jul 25, 2006
67
US
I have a general scenario that I need to set up, but I just wanted to get pointed in the correct direction before I put more time into it.

I have two sites that need to be connected. There was a T1 run between the two sites for this purpose. I have two cisco routers (1602 w/T1 card & 1720 w/T1 card) that will be doing the work.

SiteA has a connection to the internet and a Windows domain. SiteB will need to access the internet through SiteA's connection, and will need to be able to have access to SiteA's LAN. SiteA will also need access to SiteB's LAN. Basically, the only reason for the cisco routers is to facilitate the T1 line, it's not going to be doing routing or anything.

I believe the router setup should be pretty easy, but I'm not sure where to start. How would I set the routers to pass through everything?
 
the routers will have to "route" the lan subnets for both sites so that they can talk to each other..

static routing will be fine as this is a small network..

since site b will use site a's internet you could just use a default route on your router pointing to site a

fire away if you have more questions.
 
thanks for the help so far. i'm going to install the routers on monday and start doing some testing then. i will post more questions when i have them!
 
Ok, i have installed and started testing.

SiteA: 192.168.1.0/24 with access to internet
SiteB: 192.168.20.0/24 access to internet will go through siteA


So, on my routers:
SiteA:
Serial0: 10.1.1.1/30
eth0: 192.168.20.199/24
ip route 192.168.20.0 255.255.255.0 10.1.1.2



SiteB:
Serial0: 10.1.1.2/30
eth0 192.168.1.9/24
ip route 192.168.1.0 255.255.255.0 10.1.1.1



*As I understand, this should allow me to ping to and from the LANs. I shouldn't have to worry about NAT, should I?
 
Your routes are backwards.

Site A

ip route 192.168.1.0 255.255.255.0 10.1.1.2


Site B

ip route 0.0.0.0 0.0.0.0 10.1.1.1


What do you have for internet access at Site A, and what serves as the default gateway?
 
We have X-Data (fractional T1) for internet access. The default gateway is 192.168.1.254

That should also be programmed in as a static route?
 
You would need a route in router A to point site B to the internet, in addition the Internet router needs a route.
 
so it would be something like:

ip route 0.0.0.0 0.0.0.0 192.168.1.254 eth0


to point siteB to the internet?
 
Wait, I am confused ... with your post listing your IP addresses they are backwards.

SiteA: 192.168.1.0/24 with access to internet
SiteB: 192.168.20.0/24 access to internet will go through siteA


So, on my routers:
SiteA:
Serial0: 10.1.1.1/30
eth0: 192.168.20.199/24
ip route 192.168.20.0 255.255.255.0 10.1.1.2



SiteB:
Serial0: 10.1.1.2/30
eth0 192.168.1.9/24
ip route 192.168.1.0 255.255.255.0 10.1.1.1


Which one is right?
 
sorry, i guess i didn't double check

siteA:
serial0: 10.1.1.1/30
eth0: 192.168.1.9/24
ip route 192.168.20.0 255.255.255.0 10.1.1.2

siteB:
serial0: 10.1.1.2/30
eth0: 192.168.20.199
ip route 192.168.1.0 255.255.255.0 10.1.1.1
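
The mix-up sorted out in the posts above can be caught mechanically before a config goes onto the router. This is an added example, not part of the original thread: the function names and the two data sets are hypothetical, built from the addresses as first posted and as corrected.

```python
import ipaddress

def check_router(name, interfaces, static_routes):
    """Return findings for one router.

    interfaces: {ifname: "address/prefixlen"}
    static_routes: [(destination, netmask, next_hop)] as in 'ip route' lines.
    """
    connected = {i: ipaddress.ip_interface(a).network for i, a in interfaces.items()}
    findings = []
    for dest, mask, hop in static_routes:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        # A static route to a subnet the router already sits on points at
        # swapped interface addresses or swapped route statements.
        for ifname, cnet in connected.items():
            if net.prefixlen > 0 and net.overlaps(cnet):
                findings.append(f"{name}: route to {net} overlaps connected {cnet} ({ifname})")
        # The next hop has to be reachable on a directly connected subnet.
        if not any(ipaddress.ip_address(hop) in c for c in connected.values()):
            findings.append(f"{name}: next hop {hop} is not on a connected subnet")
    return findings

def audit(site_configs):
    """Run check_router over {site: (interfaces, static_routes)}."""
    out = []
    for name, (ifaces, routes) in site_configs.items():
        out.extend(check_router(name, ifaces, routes))
    return out

# Addresses as first posted (eth0 addresses swapped between the sites).
AS_FIRST_POSTED = {
    "SiteA": ({"Serial0": "10.1.1.1/30", "eth0": "192.168.20.199/24"},
              [("192.168.20.0", "255.255.255.0", "10.1.1.2")]),
    "SiteB": ({"Serial0": "10.1.1.2/30", "eth0": "192.168.1.9/24"},
              [("192.168.1.0", "255.255.255.0", "10.1.1.1")]),
}
# Addresses as corrected in the follow-up post.
AS_CORRECTED = {
    "SiteA": ({"Serial0": "10.1.1.1/30", "eth0": "192.168.1.9/24"},
              [("192.168.20.0", "255.255.255.0", "10.1.1.2")]),
    "SiteB": ({"Serial0": "10.1.1.2/30", "eth0": "192.168.20.199/24"},
              [("192.168.1.0", "255.255.255.0", "10.1.1.1")]),
}

if __name__ == "__main__":
    for label, cfg in (("first posted", AS_FIRST_POSTED), ("corrected", AS_CORRECTED)):
        print(label, audit(cfg) or "no findings")
```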
 
I'm still having some issues on this and feel like i'm banging my head against the wall. Maybe some of you see something that I've overlooked. Here are the configs:

RouterA:
Using 1074 out of 7506 bytes
!
! Last configuration change at 09:40:28 EST Mon Sep 17 2007
! NVRAM config last updated at 09:40:48 EST Mon Sep 17 2007
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname carl
!
enable password 7 020B07491F030C291E1E594E
!
!
!
!
!
clock timezone EST -5
ip subnet-zero
ip domain-name soundtechinc.com
ip name-server 192.168.1.15
ip name-server 192.168.1.254
!
!
!
!
interface Ethernet0
description Soundtech LAN
ip address 192.168.1.9 255.255.255.0
!
interface Serial0
no ip address
shutdown
service-module 56k clock source line
service-module 56k network-type dds
!
interface Serial1
description T1 to Acme
ip address 10.1.1.1 255.255.255.252
encapsulation ppp
fair-queue
service-module t1 clock source internal
service-module t1 timeslots 1-24
!
ip default-gateway 192.168.1.99
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.99
ip route 192.168.20.0 255.255.255.0 10.1.1.2
no ip http server
!
!
line con 0
login
transport input none
line vty 0 4
password 7 1048080A113B3B2527
login
!
end



RouterB:
lenny#sh conf
Using 1250 out of 29688 bytes
!
! Last configuration change at 08:50:53 EST Tue Sep 18 2007
! NVRAM config last updated at 09:41:39 EST Tue Sep 18 2007
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
!
hostname lenny
!
enable password 7 060B0C33584B0A115747425C
!
!
!
!
!
memory-size iomem 25
clock timezone EST -5
ip subnet-zero
ip domain-name domain.local
ip name-server 192.168.20.254
ip dhcp excluded-address 192.168.20.1 192.168.20.99
ip dhcp excluded-address 192.168.20.200 192.168.20.255
!
ip dhcp pool 192.168.20.0/24
network 192.168.20.0 255.255.255.0
default-router 192.168.20.199
!
!
!
!
interface Serial0
description T1 to Soundtech
ip address 10.1.1.2 255.255.255.252
encapsulation ppp
fair-queue
service-module t1 timeslots 1-24
!
interface FastEthernet0
description Acme LAN
ip address 192.168.20.199 255.255.255.0
speed auto
!
ip default-gateway 10.1.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.20.254
ip route 192.168.1.0 255.255.255.0 10.1.1.1
ip http server
!
!
line con 0
password 7 00091014105E080E5D711C19
transport input none
line aux 0
password 7 151F081E102F282C7A636575
login
line vty 0 4
password 7 1048080A113B3B2527
login
!
no scheduler allocate
end

lenny#



At this point there is a gateway on both LANs. Thus you see the default gw's as 192.168.1.99 and 192.168.20.254. There are static routes on those devices directing traffic headed for the other LAN to go through the cisco router
 
food for thought:

used cisco configmake v2.6 and setup the network in that exactly how i set it up physically. it gives me almost the exact same configuration.

do these configs look right to anyone else?
 
if you want site B to access the internet through Site A...
then your static route needs to point it to site A..

no ip route 0.0.0.0 0.0.0.0 192.168.20.254
ip route 0.0.0.0 0.0.0.0 10.1.1.1

 
Thanks plshlme, you are correct. at the time i had it going through .254 for testing.

This thing is working 75% of the way. I'm really stuck on this one part b/c i've been over and over the configs and can't find any errors.

siteA can talk to siteB just fine. i can ping from a machine at siteA to anything at siteB and i can open up terminal server sessions across the connection. that part is great.

siteB can talk to siteA's gateway (which is a linux server) and use siteA internet connection. (i'm typing this post from siteB using siteA's internet connection in fact) but i can't talk to anything else at siteA. all my pings die. here are results of a tracert:
C:\Documents and Settings\user>tracert 192.168.1.15

Tracing route to 192.168.1.15 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.20.199
2 5 ms 5 ms 5 ms 10.1.1.1
3 * * * Request timed out.


so you can see it going through the router and hit the router on the other end of the t1, then you never hear from it again.

i guess this has to be a routing issue, i just don't get how it works in one direction and not the other. it should be noted that there are static route statements on the gateway at siteA:

route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.1.9

route add -net 10.1.1.0 netmask 255.255.255.252 gw 192.168.1.9
 
hmm i can't see anything wrong with your config either..
i assume all hosts at site a are using your gateway server as their default gateway..

so the only logical thing is that the end hosts are returning the packets to the gateway and for some reason it's either natting them and firing them into the internet or just discarding them altogether..

i wonder if on that linux server you could put in some IPTABLES rules and log traffic sourced from your particular host and see what it's doing with it...
 
Hi!

You should change your passwords ASAP! They have been exposed to everyone on the Internet and these forums.

Enable passwords have an extremely weak encryption. They can be cracked in less than 1 second!

Use the enable secret command instead from now on.

Also, never post your passwords on the forums, even if they are in hash form. Not even the enable secret MD5 hash.

I would have PM'd you, but I don't think this forum has that ability.

-E
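
A pre-posting check along the lines of the warning above, as an added example that is not part of the original post: it flags `enable password` and type 7 lines and strips every credential value from an IOS-style config before it is shared. The function name and the sample config are constructed for illustration.

```python
import re

# "enable password|secret [type] VALUE", line-level "password [type] VALUE",
# and "username X password|secret [type] VALUE".
CRED = re.compile(
    r"^(?P<head>\s*(?:enable\s+|username\s+\S+\s+)?(?P<kind>password|secret))"
    r"(?:\s+(?P<type>\d))?\s+(?P<value>\S+)\s*$"
)

def audit_and_redact(config_text):
    """Return (findings, redacted_text) for an IOS-style configuration."""
    findings, redacted = [], []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = CRED.match(line)
        if m is None:
            redacted.append(line)
            continue
        head, kind, ptype = m["head"], m["kind"], m["type"]
        if kind == "password" and head.strip().startswith("enable"):
            findings.append((lineno, "enable password in use; replace with enable secret"))
        if kind == "password" and ptype == "7":
            findings.append((lineno, "type 7 value is reversible obfuscation; treat as exposed"))
        elif kind == "password" and ptype in (None, "0"):
            findings.append((lineno, "cleartext password in configuration"))
        # Redact every credential, hashed secrets included, as the post advises.
        type_part = f" {ptype}" if ptype else ""
        redacted.append(f"{head}{type_part} <removed>")
    return findings, "\n".join(redacted)

# Constructed sample, not the configuration posted in the thread.
SAMPLE = """\
service password-encryption
hostname example-rtr
enable password 7 0000EXAMPLE0000
enable secret 5 $1$EXAMPLE$EXAMPLEHASHVALUE
line vty 0 4
 password 7 1111EXAMPLE1111
 login
"""

if __name__ == "__main__":
    issues, safe = audit_and_redact(SAMPLE)
    for lineno, msg in issues:
        print(f"line {lineno}: {msg}")
    print(safe)
```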

 
thanks for the heads up eliotB. i shall take your warning.


plshlpme, that is a good idea. after i think about it, it's pretty obvious that the problem lies at the linux server. i'll throw in some rules and start monitoring the traffic.

 