Solved

2 networks connected by 1 router (commands) Cisco

Posted on 2003-03-19
Last Modified: 2013-11-29
I have a simple network. Network 1: is a 10.0.0.0 network with a PIX FW to my ISP and a connect into router 1. Network 2: is a 192.168.0.0 network connected into the second E0/0 of my router. The router has 2 Eth. ports.

I want the users on both networks to be able to see each other and for users on 192.16.0.0 to go out to the internet.

Router 1: is configured correctly for the most part. If I am on the router I can ping every host on both networks, but (for example) a client on the 192 network can only ping the 2 Eth. ports on the router, it won't go through it.

What static commands will I need to add to the router or the PIX to allow this to happen?  
0
Question by:kcswanko
13 Comments
 

Expert Comment

by:Vwrinn
ID: 8171331
You need to create an access list to allow your clients on your 192.168.0.0 network to go through the router for internet access.

For instance,

In configuration mode:

access-list 103 permit ip any any
access-list 103 permit icmp any any

Apply to e0 interface coming in:

ip access-group 103 in

This should allow all traffic from your e0 to cross over your router, make sure this is what you really want. This should work unless you have another access list on your other interface out. Hope this helps.

I am not sure about the pix, I don't have much experience with them.
 
0
 

Expert Comment

by:sw1tch_n1nja
ID: 8171675
No, you do not have to build an access list....completely pointless unless you're BLOCKING traffic from the other network, and if you're going to use the ACL he just gave you it's useless, you need to add a routing protocol, rip would work fine, or you can use ospf sample config...

router ospf 100
network 192.168.0.0 0.0.255.255 area 0
network 10.0.0.0 0.255.255.255 area 0

 or

router rip
version 2
network 192.168.0.0
network 10.0.0.0

then add a static route for routes to the internet
ip route 0.0.0.0 0.0.0.0 <IP of PIX>
0
 
LVL 1

Expert Comment

by:guerriero33t
ID: 8172397
sw1tch_n1nja's examples will work if you have two different routers and only put the static route on the router that will be accessing the internet. If both networks are attached to the same router (i.e. e0/0 and e0/1), then both networks will be allowed out to the internet.

You don't need to add a protocol for two small networks. While it is fun to have routing protocols running it is not necessary.

Three static entries will work
ip route 0.0.0.0 0.0.0.0 <IP of PIX>
ip route 192.168.0.0 255.255.0.0 <IP of 192 interface>
ip route 10.0.0.0 255.0.0.0 <IP of 10 interface>

Plus one access list to deny the 10 network from reaching the internet via your PIX.

access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip any any

On the router interface connected to the PIX. Apply the access list.

ip access-group 100 out

Better yet since you are using a PIX you can deny the 10 network from reaching the internet at the PIX.

0
 

Author Comment

by:kcswanko
ID: 8176539
Ok, so I didn't try the first access-list, I know it is not that. I did try the second method of adding RIP, that does not work. I then tried the 3rd (seemed to be the best, but) when I put the command ip route 192.168.0.0 255.255.0.0 192.168.1.1 I get an error that says:
invalid next hop address: Its this router.

So I am still stuck. Remember I have 1 router with 2 Eth ports. 1 port is 10.0.0.4 and the other is 192.168.1.1. I want the 192.168.1.x clients to access the 10.0.0.x clients. If I do pings from the router it gets everywhere but the clients can't get through the router..

help!
0
 
LVL 1

Expert Comment

by:guerriero33t
ID: 8176696
I didn't know if you had two routers or one. Your example had your router listed as router 1, so I thought you had router 2 also.


Anyway.

Are the hosts on the 10.0.0.0 network using 10.0.0.4 as their gateway and the 192.168.0.0 hosts using 192.168.1.1 as their gateway (default router)?

Also, do you have anything in your running config that says "no ip routing"?

If it is one router and two interfaces you should be able to get through to both networks if your clients are pointing to the right gateways. This could be the reason behind it.

0
 
LVL 1

Expert Comment

by:guerriero33t
ID: 8176906
Is your pix the same router as the one connecting the two networks or are there 2 routers?
0
 

Author Comment

by:kcswanko
ID: 8176927
I am with you. I don't understand it.

I don't have a NO IP ROUTING statement. I even put IP ROUTING to be sure.

The 10.0.0.0 client's gateway is 10.0.0.4 and the 192.168.1.2 client's gateway is 192.168.1.1.

If I am on the 192.168.1.2 client I can ping the 192.168.1.1 eth port and the 10.0.0.4 port but not past 10.0.0.4 to the 10.0.0.1 PIX or 10.0.0.2 client. So it's got to be in the router. Here is a copy of my config.

hostname test2621
!
enable secret 5 $1$CS3g$KAiVWLtK3S5H25/FI4ING/
!
ip subnet-zero
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.0.4 255.255.255.0
 duplex auto
 speed auto
!
ip classless
no ip http server
no ip pim bidir-enable
!
!
line con 0
line aux 0
line vty 0 4
 password fartface1
 login
!
no scheduler allocate
end
 

Weird!
0
 

Author Comment

by:kcswanko
ID: 8176936
There is 1 router and one PIX on the 10.0.0.0 side.
0
 
LVL 1

Expert Comment

by:guerriero33t
ID: 8177041
It's not your router. Are you sure you are not using the PIX 10.0.0.1 address as the 10.0.0.2 host's default route? The 10 network client should use the 10.0.0.4 address as the default and the router should have a static default route pointing to the PIX.

Open up a DOS prompt (Windows) or an xterm (Unix) and type in the following.

netstat -nr

Windows should give you entries that match the following (the format has been changed so it will not look exactly like this)

client 1
destination 0.0.0.0
netmask 0.0.0.0
gateway 192.168.1.1
interface 192.168.1.2


client 2
destination 0.0.0.0
netmask 0.0.0.0
gateway 10.0.0.4
interface 10.0.0.2

The unix network table is also as easy to read. You should look for extra entries with the same destination. If there are any you can use "route delete" to get rid of them. You can also add some static routes into the windows boxes

route ADD 10.0.0.0 MASK 255.0.0.0 192.168.1.1 METRIC 1
route ADD 192.168.1.0 MASK 255.255.255.0 10.0.0.1 METRIC 1

0
 
LVL 1

Expert Comment

by:guerriero33t
ID: 8177074
I made a mistake with the second windows route
route ADD 192.168.1.0 MASK 255.255.255.0 10.0.0.4 METRIC 1


If you really are using 10.0.0.1 as the default route you can add just the static route into a batch script for the 10.0.0.2 client. This should work by itself.

route ADD 192.168.1.0 MASK 255.255.255.0 10.0.0.4 METRIC 1
0
 

Author Comment

by:kcswanko
ID: 8177459
Ok, now we are getting somewhere. I changed the 10.0.0.2 client's D. gateway to 10.0.0.4. Now all clients can access each other.

Now the last problem is the 10.0.0.0 clients can still access the internet, but the 192.168.0.0 clients can't get to 10.0.0.1. I put the command ip route 0.0.0.0 0.0.0.0 10.0.0.1 in the router (I have just one).

Could there be something on the PIX?
0
 
LVL 1

Accepted Solution

by:
guerriero33t earned 300 total points
ID: 8179398
Your PIX does not know about the 192 network existing on the other side of the 10.0.0.4 router. So it has no route to your network. You can verify this by trying to ping 192.168.1.2. You may get an ICMP message stating destination unreachable (I would imagine it is coming from the net and not your router). You need to create a static mapping in your pix.

ip route 192.168.1.0 255.255.255.0 10.0.0.4

Now, the problem is in your PIX. Since your 10 network clients are on the same segment as the PIX they will be allowed to get through. You will need to add an access list that blocks the 10 clients from gaining access to the PIX. You can either do this on the pix or on the router. It would be safer to put it on the pix because anyone on the 10 network could just add 10.0.0.1 as its default and still get out.

0
 

Author Comment

by:kcswanko
ID: 8183206
right on dude, that was it. Thanks for your help. The actual command on the PIX was:

route 192.168.0.0 255.255.0.0 10.0.0.4

but I get the picture. Thanks again.
0
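
Why the pings in this thread failed and what each fix changed, as an added example that is not part of the original posts: a small Python routing model (longest-prefix match only, no NAT or firewall policy) of the four devices and addresses described above. The `Node` class, the helper names and the ISP hop 203.0.113.1 are assumptions made for the illustration.

```python
import ipaddress

class Node:
    def __init__(self, name, addrs, routes):
        self.name, self.addrs = name, set(addrs)
        parsed = [(ipaddress.ip_network(p), nh) for p, nh in routes]  # nh None = connected
        self.routes = sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)

    def next_hop(self, dst):
        """Longest-prefix match; return the IP the packet is handed to, or None."""
        for net, nh in self.routes:  # most specific prefix first
            if ipaddress.ip_address(dst) in net:
                return nh or dst
        return None

def owner(nodes, ip):
    return next((n for n in nodes if ip in n.addrs), None)

def deliver(nodes, src, dst, max_hops=8):
    """Node names the packet crosses from src to dst, or None if it is lost."""
    node, path = owner(nodes, src), []
    for _ in range(max_hops):
        if node is None:
            return None  # no route, or next hop is outside this model
        path.append(node.name)
        if dst in node.addrs:
            return path
        node = owner(nodes, node.next_hop(dst))
    return None

def ping(nodes, a, b):
    """An echo succeeds only if request (a->b) and reply (b->a) both arrive."""
    return deliver(nodes, a, b) is not None and deliver(nodes, b, a) is not None

def build(client10_gw, pix_knows_192):
    """Thread topology; 203.0.113.1 is a constructed stand-in for the ISP hop."""
    pix = [("10.0.0.0/24", None), ("0.0.0.0/0", "203.0.113.1")]
    pix += [("192.168.0.0/16", "10.0.0.4")] if pix_knows_192 else []
    lan192, lan10 = ("192.168.0.0/16", None), ("10.0.0.0/24", None)
    return [
        Node("client192", ["192.168.1.2"], [lan192, ("0.0.0.0/0", "192.168.1.1")]),
        Node("router", ["192.168.1.1", "10.0.0.4"], [lan192, lan10, ("0.0.0.0/0", "10.0.0.1")]),
        Node("client10", ["10.0.0.2"], [lan10, ("0.0.0.0/0", client10_gw)]),
        Node("pix", ["10.0.0.1"], pix),
    ]

if __name__ == "__main__":
    for gw, known in [("10.0.0.1", False), ("10.0.0.4", False), ("10.0.0.4", True)]:
        n = build(gw, known)
        print(gw, known, ping(n, "192.168.1.2", "10.0.0.2"), ping(n, "192.168.1.2", "10.0.0.1"))
```

The three rows correspond to the original state, the state after the 10.0.0.2 client's gateway was changed to 10.0.0.4, and the state after the static route was added on the PIX; in each failing case the request arrives and it is the reply that has no way back.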
