Using 2821 as default gateway 3

[CertifiedNut]

I have a 2821 set up on my network to replace an old 3Com router. I have a few satic routes set up that are needed to route through to another site.
However, when i try to access the internet from the network, i have lost access. I know this is down to the new default gateway, but don't know what i need to add to the config to get the route to the internet via my PIX firewall (ip add 10.0.10.250). Can anyone help with how i set it up so that it routes all other traffic, not destined for the site to site link, to the internet firewall on my network - I believe it's called setting the gateway of last resort??? I posted the config below.

Thanks

Nut

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MOTADGW
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name yourdomain.com
!
username cisco privilege 15 secret 5 $1$3WLd$EXDEYhtYinFFfX1dQyZs/1
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.0.10.254 255.255.255.0
duplex full
speed 100
!
interface GigabitEthernet0/1
ip address 192.168.20.10 255.255.255.0
duplex auto
speed auto
!
interface Group-Async0
physical-layer async
no ip address
no group-range
!
interface Group-Async1
physical-layer async
no ip address
!
ip default-gateway 10.0.10.250
ip classless
ip route 10.0.10.0 255.255.255.0 192.168.20.20
ip route 10.1.0.0 255.255.0.0 192.168.20.20 name xxxxxx
ip route 10.2.0.0 255.255.0.0 192.168.20.20 name xxxxxxxxx
ip route 191.1.0.0 255.255.0.0 192.168.20.20 name xxxxx
ip route 192.168.168.100 255.255.255.255 192.168.20.20 xxxxxxx
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
control-plane
!
banner exec ^C

% Password expiration warning.

---------------------------------------------------------------------
^C
banner login ^C
---------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to

http://www.cisco.com/go/sdm

---------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end

 

[jeter]

Did you use the same ip addresses that were on the 3com router? Where does your trace route end? Is your Pix performing NAT translation?

“Reserve your right to think, for even to think wrongly is better than not to think at all”

CCNA,CCNP,Network+
Tek-TIP Member 19,650

 

[CertifiedNut]

Hi, thanks for your reply. No the new router has a diffrent IP address. It has 2 ethernet interfaces the 2nd of which is connected to a PIX which in turn is connected to the remote site across a WAN connetion. The 2821 has been configured to route specific traffic to that PIX firewall which is destined for the remote site. All other traffic is required to be routed back through the local LAN and internet traffic exit out of another PIX which is conneted to our ISP. Whilst the 2821 is functioning fine when it comes to routing the traffic across the WAN link, it fails to route any other traffic out to the Internet PIX. Trace route gets as far as the default gateway 2821 router and then ends at the first hop.

 

[lerdalt]

What I see missing is a default route. Try adding:
ip route 0.0.0.0 0.0.0.0 10.0.10.250

What that should do is if the router does not recognize a destination for any other traffic, its going to push it out to your pix firewall.

 

[burtsbees]

Your router does not know how to get to 10.0.10.250, although Gigabit Ethernet 0/0 seems to be directly connected to it (assuming the mask is /24, like the GE0/0 interface). In other words, I imagine that from the router you can ping the PIX, but before the router (pinging "through" the router), you cannot. Put in a routing protocol that sends mask info to other routers in routing updates, or create static routes, however you want to do it. What I do is use EIGRP, and you can make EIGRP more secure by using authentication between routers. Right now, it looks like your router tries routing packets destined for the pix in the opposite direction it needs to go, out GE 0/1---this is assuming that the next hop address that GE0/1 is directly connected to has the IP/mask of 192.168.20.20/24...

Burt

 

[CertifiedNut]

Thank you all for your input. The problem has now been resolved with your help and everything works well.

Thanks again.

Rick

 

[burtsbees]

Could you post the solution please? Thank you.

Burt

 

[jneiberger]

The solution, I'm sure, was that he thought the command "ip default-gateway x.x.x.x" was the same as "ip route 0.0.0.0 0.0.0.0 x.x.x.x", which it is not.

The "ip default-gateway" command is only used when the router is in bridging mode and is acting as a network host on a bridged LAN, not a router.

I did the same thing when I was starting out with Cisco routers. It drove me batty trying to figure out why it wasn't working.

 

[lerdalt]

I think its a common mistake confusing those too lines. I'm betting a survey on who made that mistake when first starting out would bring in some pretty high numbers.

 

[burtsbees]

Ah, yes---good catch.

Burt