ddr1 asked:

2611 configuration help!

I just purchased a 2611 to replace an old 2500 and Astrocom CSU.
I can't seem to get this to work. Serial0/0 is my T1 connection, and when I have it hooked up the interfaces all show as up.
Ethernet0/0 is my external LAN (I run a GNAT Box firewall inside).
I think I have some issues with the routing, but I am not sure.
Please help!

mmrouter#sh run
Building configuration...

Current configuration : 1000 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname mmrouter
!
enable secret 5 $1$gUBu$Fpvsj9AIAWKASa5fBiVEt/
enable password XXXXXXXXXXXX
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 66.114.229.225 255.255.255.224
 half-duplex
 no mop enabled
!
interface Serial0/0
 ip address 63.121.108.126 255.255.255.252
 no fair-queue
!
interface Ethernet0/1
 ip address 172.16.55.2 255.255.0.0
 half-duplex
 no mop enabled
!
router rip
 version 2
 redistribute connected
 network 63.0.0.0
 network 66.0.0.0
 network 172.16.0.0
!
ip classless
ip http server
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password
 login
line vty 5 15
 password XXXXXXXXXXX
 login
!
no scheduler allocate
end
Les Moore

I doubt that your ISP is running RIP.
I assume that none of the users on Eth 0/1 172.16.x.x network access the Internet?

Add this line

ip route 0.0.0.0 0.0.0.0 63.121.108.125

ddr1

ASKER

Well, I could have an internal client change the gateway and bypass the firewall, couldn't I?

Les Moore

Not if your internal LAN is also a private IP address space and your firewall does NAT. The internal clients should never be able to see the 66.114.x.x network.
ddr1

ASKER

Why ip route 0.0.0.0 0.0.0.0 63.121.108.125
and not ip route 0.0.0.0 0.0.0.0 Serial0/0
or ip route 0.0.0.0 0.0.0.0 63.121.108.126?

And anyone who uses the 172.16.x.x could use 172.16.55.1 as the gateway (pro interface on the firewall) (66.114.229.228 is the external interface), or 172.16.55.2 if I wanted to bypass the firewall....
Right?

Les Moore

If your Serial interface is 63.121.108.126, then the ISP's router must be 63.121.108.125. You want to use the UPSTREAM IP address as the default route instead of your own IP address, or the interface. If you don't, then packets leaving the router must ARP for the next hop.

From Cisco's documentation:

If you point a static route to a broadcast interface, the route will be inserted into the routing table only when the broadcast interface is up. This configuration is not recommended because when the next hop of a static route points to an interface, the router considers each of the hosts within the range of the route to be directly connected through that interface. For example, ip route 0.0.0.0 0.0.0.0 Serial0/0.

With this type of configuration, a router will perform Address Resolution Protocol (ARP) on the Serial interface for every destination the router finds through the default route because the router will consider all of these destinations as directly connected to Serial 0/0.

This kind of default route, especially if it is used by a lot of packets to many different destination subnets, can cause high processor utilization and a very large ARP cache (along with attendant memory allocation failures).

Specifying a numerical next hop on a directly connected interface will prevent the router from performing ARP for each destination address.


Nobody can use 172.16.55.2 as their gateway and bypass the firewall. Why? Because 172.16.x.x cannot be routed on the Internet and your router is not doing NAT.

Question for you:
Why do you have your firewall looped back to the router?
Typically, we would see:

WAN LINK <-->Serial-router-Eth<--><--outside-firewall-inside-->LAN

You have your LAN looping back to the 2nd Ethernet interface??

WAN <--> router E0 -> public IP <-> firewall --|
                E1 -> Private IP <-> firewall--|<--LAN
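
As an added example (not part of this thread and not from Cisco's documentation), the Python script below applies the two checks Les Moore makes above to the posted configuration: it parses the interface, RIP and ip route lines, derives the upstream neighbour of the Serial0/0 /30 the way the reply does (the only other usable host on the link is 63.121.108.125), flags a default route that names the interface or the router's own address instead of that neighbour, and lists the RIP network statements that would run RIP toward the ISP over Serial0/0. The config text is a constructed excerpt of the sh run output above with the interface-form default route appended; the function names, the assumption that Serial0/0 is the WAN link, and the classful reading of the RIP network statements (which is how IOS interprets them) are mine.

```python
import ipaddress
import re

# Constructed sample: the interface, RIP and default-route lines in the shape of
# mmrouter's "sh run", with the interface-form default route the thread warns against.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 ip address 66.114.229.225 255.255.255.224
interface Serial0/0
 ip address 63.121.108.126 255.255.255.252
interface Ethernet0/1
 ip address 172.16.55.2 255.255.0.0
router rip
 version 2
 redistribute connected
 network 63.0.0.0
 network 66.0.0.0
 network 172.16.0.0
ip route 0.0.0.0 0.0.0.0 Serial0/0
"""


def parse_interfaces(config):
    """Map interface name -> IPv4Interface from 'interface X' / ' ip address A M' pairs."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and current:
            ifaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces


def parse_static_routes(config):
    """List of (destination network, next-hop token) from 'ip route' lines."""
    return [
        (ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), m.group(3))
        for m in (re.match(r"ip route (\S+) (\S+) (\S+)", line) for line in config.splitlines())
        if m
    ]


def parse_rip_networks(config):
    """Addresses given by 'network' statements under 'router rip'."""
    nets, in_rip = [], False
    for line in config.splitlines():
        if line.startswith("router rip"):
            in_rip = True
        elif in_rip and not line.startswith(" "):
            in_rip = False
        elif in_rip:
            m = re.match(r"\s+network (\S+)", line)
            if m:
                nets.append(ipaddress.ip_address(m.group(1)))
    return nets


def classful(addr):
    """Classful network of an address, which is how IOS reads 'network' under router rip."""
    first = int(addr) >> 24
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def p2p_peer(iface):
    """On a /30 point-to-point link the only other usable host is the upstream router."""
    if iface.network.prefixlen != 30:
        raise ValueError(f"{iface} is not a /30")
    return next(h for h in iface.network.hosts() if h != iface.ip)


def check_default_route(routes, ifaces):
    """Findings for default routes that name an interface or the router's own address."""
    findings = []
    for dest, nh in routes:
        if dest.prefixlen != 0:
            continue
        if nh in ifaces:
            findings.append(
                f"default route via interface {nh}: every Internet destination would be "
                f"treated as directly connected; use next hop {p2p_peer(ifaces[nh])}"
            )
            continue
        nh_ip = ipaddress.ip_address(nh)
        local = [name for name, i in ifaces.items() if i.ip == nh_ip]
        if local:
            findings.append(f"default route next hop {nh} is this router's own address on {local[0]}")
        elif not any(nh_ip in i.network for i in ifaces.values()):
            findings.append(f"default route next hop {nh} is not on any connected subnet")
    return findings


def check_rip_on_wan(config, ifaces, wan="Serial0/0"):
    """RIP 'network' statements that enable RIP on the WAN interface toward the ISP."""
    wan_ip = ifaces[wan].ip
    return [str(n) for n in parse_rip_networks(config) if wan_ip in classful(n)]


def audit(config, wan="Serial0/0"):
    """Run both checks and report the upstream address the default route should use."""
    ifaces = parse_interfaces(config)
    return {
        "default_route": check_default_route(parse_static_routes(config), ifaces),
        "rip_on_wan": check_rip_on_wan(config, ifaces, wan),
        "upstream": str(p2p_peer(ifaces[wan])),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, value)
```

Run it against a real sh run by pasting the output into SAMPLE_CONFIG; the default-route check accepts only a next-hop address that sits on a connected subnet and is not one of the router's own addresses, which is the form the reply recommends.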

ddr1

ASKER

I get it, my E1 setup wouldn't have NAT applied and the IPs are non-routable.
My current setup is
WAN LINK <-->Serial-router-Eth<-->public IP<--outside-firewall-inside-->LAN private IP
Is that right?
ASKER CERTIFIED SOLUTION

Les Moore
ddr1

ASKER

Thanks for your patience!

Les Moore

Glad to help!