2611 configuration help!

ddr1
I just purchased a 2611 to replace an old 2500 and Astrocom CSU.
I can't seem to get this to work. Serial0/0 is my T1 connection, and when I have it hooked up the interfaces all show as up.
Ethernet0/0 is my external LAN (I run a GNATBox firewall inside).
I think I have some issues with the routing, but I am not sure.
Please help!

mmrouter#sh run
Building configuration...

Current configuration : 1000 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname mmrouter
!
enable secret 5 $1$gUBu$Fpvsj9AIAWKASa5fBiVEt/
enable password XXXXXXXXXXXX
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 66.114.229.225 255.255.255.224
 half-duplex
 no mop enabled
!
interface Serial0/0
 ip address 63.121.108.126 255.255.255.252
 no fair-queue
!
interface Ethernet0/1
 ip address 172.16.55.2 255.255.0.0
 half-duplex
 no mop enabled
!
router rip
 version 2
 redistribute connected
 network 63.0.0.0
 network 66.0.0.0
 network 172.16.0.0
!
ip classless
ip http server
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password
 login
line vty 5 15
 password XXXXXXXXXXX
 login
!
no scheduler allocate
end
Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:
I doubt that your ISP is running RIP.
I assume that none of the users on Eth 0/1 172.16.x.x network access the Internet?

Add this line

ip route 0.0.0.0 0.0.0.0 63.121.108.125

Author

Commented:
Well, I could have an internal client change the gateway and bypass the firewall, couldn't I?
Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:
Not if your internal LAN is also a private IP address space and your firewall does NAT. The internal clients should never be able to see the 66.114.x.x network.

Author

Commented:
Why ip route 0.0.0.0 0.0.0.0 63.121.108.125
and not ip route 0.0.0.0 0.0.0.0 Serial0/0
or ip route 0.0.0.0 0.0.0.0 63.121.108.126?

And anyone who uses the 172.16.x.x could use 172.16.55.1 as the gateway (pro interface on firewall) (66.114.229.228 is the external interface) or 172.16.55.2 if I wanted to bypass the firewall....
Right?
Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:
If your Serial interface is 63.121.108.126, then the ISP's router must be 63.121.108.125. You want to use the UPSTREAM IP address as the default route instead of your own IP address, or the interface. If you don't, then packets leaving the router must ARP for the next hop.

From Cisco's documentation:

If you point a static route to a broadcast interface, the route will be inserted into the routing table only when the broadcast interface is up. This configuration is not recommended because when the next hop of a static route points to an interface, the router considers each of the hosts within the range of the route to be directly connected through that interface. For example, ip route 0.0.0.0 0.0.0.0 Serial0/0.

With this type of configuration, a router will perform Address Resolution Protocol (ARP) on the Serial interface for every destination the router finds through the default route because the router will consider all of these destinations as directly connected to Serial 0/0.

This kind of default route, especially if it is used by a lot of packets to many different destination subnets, can cause high processor utilization and a very large ARP cache (along with attendant memory allocation failures).

Specifying a numerical next hop on a directly connected interface will prevent the router from performing ARP for each destination address.


Nobody can use 172.16.55.2 as their gateway and bypass the firewall. Why? Because 172.16.x.x cannot be routed on the Internet and your router is not doing NAT.

Question for you:
Why do you have your firewall looped back to the router?
Typically, we would see:

WAN LINK <-->Serial-router-Eth<--><--outside-firewall-inside-->LAN

You have your LAN looping back to the 2nd Ethernet interface??

WAN <--> router E0 -> public IP <-> firewall --|
                E1 -> Private IP <-> firewall--|<--LAN

Author

Commented:
I get it, my E1 setup wouldn't have NAT applied and the IPs are non-routable.
My current setup is
WAN LINK <-->Serial-router-Eth<-->public IP<--outside-firewall-inside-->LAN private IP
Is that right?
Les Moore, Sr. Systems Engineer
Top Expert 2008
Commented:
Yes. You should be able to shut down your Eth1 port and not use it at all.
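The changes the answers above add up to, written against the posted running-config as an added example (not configuration from the thread or from Cisco). Addresses are the ones in the posted config; the removal of RIP is an assumption based on the remark that the ISP is unlikely to be running it.

```cisco
! Default route to the ISP's side of the /30, not to the interface and not to
! our own address. Serial0/0 is 63.121.108.126/30, so the upstream peer is .125.
ip route 0.0.0.0 0.0.0.0 63.121.108.125
!
! Not this: pointing the default at the interface makes IOS treat every
! Internet destination as directly connected and ARP for each one (large ARP
! cache, high CPU), as the quoted Cisco text explains.
! ip route 0.0.0.0 0.0.0.0 Serial0/0
!
! The second Ethernet port loops the private LAN back to the router. The
! firewall does NAT between 172.16.0.0/16 and 66.114.229.224/27, so the router
! needs no leg on the private side; shutting it also removes the "bypass"
! worry, since 172.16.x.x could not be routed to the Internet through it anyway.
interface Ethernet0/1
 shutdown
!
! Assumption: the ISP is not exchanging RIP with you. A stub site with one
! default route needs no dynamic routing, and the RIP stanza was advertising
! the connected networks to whoever listens on every interface.
no router rip
```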

Author

Commented:
Thanks for your patience!
Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:
Glad to help!
