Solved

2 networks connected by 1 router (commands) Cisco

Posted on 2003-03-19
Last Modified: 2013-11-29
I have a simple network. Network 1 is a 10.0.0.0 network with a PIX FW to my ISP and a connection into router 1. Network 2 is a 192.168.0.0 network connected into the second E0/0 of my router. The router has 2 Eth. ports.

I want the users on both networks to be able to see each other and for users on 192.16.0.0 to go out to the internet.

Router 1 is configured correctly for the most part. If I am on the router I can ping every host on both networks, but (for example) a client on the 192 network can only ping the 2 Eth. ports on the router; it won't go through it.

What static commands will I need to add to the router or the PIX to allow this to happen?  
0
Question by:kcswanko
13 Comments
 

Expert Comment

by:Vwrinn
ID: 8171331
You need to create an access list to allow your clients on your 192.168.0.0 network to go through the router for internet access.

For instance,

In configuration mode:

access-list 103 permit ip any any
access-list 103 permit icmp any any

Apply to e0 interface coming in:

ip access-group 103 in

This should allow all traffic from your e0 to cross over your router; make sure this is what you really want. This should work unless you have another access list on your other interface out. Hope this helps.

I am not sure about the pix, I don't have much experience with them.
 
0
 

Expert Comment

by:sw1tch_n1nja
ID: 8171675
No, you do not have to build an access list....completely pointless unless you're BLOCKING traffic from the other network, and if you're going to use the ACL he just gave you, it's useless. You need to add a routing protocol; RIP would work fine, or you can use OSPF. Sample config...

router ospf 100
network 192.168.0.0 0.0.255.255 area 0
network 10.0.0.0 0.255.255.255 area 0

 or

router rip
version 2
network 192.168.0.0
network 10.0.0.0

then add a static route for routes to the internet
ip route 0.0.0.0 0.0.0.0 <IP of PIX>
0
 
LVL 1

Expert Comment

by:guerriero33t
ID: 8172397
sw1tch_n1nja's examples will work if you have two different routers and only put the static route on the router that will be accessing the internet. If both networks are attached to the same router (i.e. e0/0 and e0/1), then both networks will be allowed out to the internet.

You don't need to add a protocol for two small networks. While it is fun to have routing protocols running it is not necessary.

Three static entries will work
ip route 0.0.0.0 0.0.0.0 <IP of PIX>
ip route 192.168.0.0 255.255.0.0 <IP of 192 interface>
ip route 10.0.0.0 255.0.0.0 <IP of 10 interface>

Plus one access list to deny the 10 network from reaching the internet via your PIX.

access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip any any

On the router interface connected to the PIX, apply the access list.

ip access-group 100 out

Better yet since you are using a PIX you can deny the 10 network from reaching the internet at the PIX.

0
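Added example (not from any participant in the thread): a first-match evaluator for the two access lists posted above, using Cisco wildcard-mask semantics, plus a check for entries that an earlier line makes unreachable. It handles only `any` and `address wildcard` operands, and the 198.51.100.7 destination is a constructed sample.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)                      # base 0, every bit "don't care"

def to_int(addr):
    return int(ipaddress.ip_address(addr))

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST' (SRC/DST: 'any' or 'addr wildcard')."""
    tok = line.split()
    action, proto, rest, specs = tok[2], tok[3], tok[4:], []
    while rest:
        if rest[0] == "any":
            specs.append(ANY)
            rest = rest[1:]
        else:
            specs.append((to_int(rest[0]), to_int(rest[1])))
            rest = rest[2:]
    return action, proto, specs[0], specs[1]

def addr_match(spec, addr):
    base, wild = spec                      # wildcard bit 1 = ignore, 0 = must equal base
    care = ~wild & 0xFFFFFFFF
    return (to_int(addr) & care) == (base & care)

def evaluate(acl, proto, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for n, (action, p, s, d) in enumerate(acl, 1):
        if p in ("ip", proto) and addr_match(s, src) and addr_match(d, dst):
            return action, n
    return "deny", None

def covers(a, b):
    """True if spec a matches every address that spec b matches."""
    care = ~a[1] & 0xFFFFFFFF
    return (a[1] | b[1]) == a[1] and ((a[0] ^ b[0]) & care) == 0

def shadowed(acl):
    """Line numbers an earlier entry fully covers, so they can never match."""
    return [i + 1 for i, (_, p, s, d) in enumerate(acl)
            if any(pe in ("ip", p) and covers(se, s) and covers(de, d)
                   for _, pe, se, de in acl[:i])]

# The two access lists exactly as posted in the thread.
ACL_103 = [parse_ace(l) for l in ("access-list 103 permit ip any any",
                                  "access-list 103 permit icmp any any")]
ACL_100 = [parse_ace(l) for l in ("access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
                                  "access-list 100 permit ip any any")]

if __name__ == "__main__":
    print("ACL 103 shadowed lines:", shadowed(ACL_103))
    print("10.0.0.2 out:", evaluate(ACL_100, "tcp", "10.0.0.2", "198.51.100.7"))
    print("192.168.1.2 out:", evaluate(ACL_100, "tcp", "192.168.1.2", "198.51.100.7"))
```
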

Author Comment

by:kcswanko
ID: 8176539
Ok, so I didn't try the first access list; I know it is not that. I did try the second method of adding RIP; that does not work. I then tried the 3rd (seemed to be the best), but when I put the command ip route 192.168.0.0 255.255.0.0 192.168.1.1 I get an error that says:
invalid next hop address: Its this router.

So I am still stuck. Remember I have 1 router with 2 Eth ports. 1 port is 10.0.0.4 and the other is 192.168.1.1. I want the 192.168.1.x clients to access the 10.0.0.x clients. If I do pings from the router it gets everywhere, but the clients can't get through the router.

help!
0
 
LVL 1

Expert Comment

by:guerriero33t
ID: 8176696
I didn't know if you had two routers or one. Your example had your router listed as router 1, so I thought you had router 2 also.


Anyway.

Are the hosts on the 10.0.0.0 network using 10.0.0.4 as their gateway and the 192.168.0.0 hosts using 192.168.1.1 as their gateway (default router)?

Also, do you have anything in your running config that says "no ip routing"?

If it is one router and two interfaces you should be able to get through to both networks if your clients are pointing to the right gateways. This could be the reason behind it.

0
 
LVL 1

Expert Comment

by:guerriero33t
ID: 8176906
Is your pix the same router as the one connecting the two networks or are there 2 routers?
0
 

Author Comment

by:kcswanko
ID: 8176927
I am with you. I don't understand it.

I don't have a NO IP ROUTING statement. I even put IP ROUTING to be sure.

The 10.0.0.0 clients' gateway is 10.0.0.4 and the 192.168.1.2 client's gateway is 192.168.1.1.

If I am on the 192.168.1.2 client I can ping the 192.168.1.1 eth port and the 10.0.0.4 port but not past 10.0.0.4 to the 10.0.0.1 PIX or 10.0.0.2 client. So it's got to be in the router. Here is a copy of my config.

hostname test2621
!
enable secret 5 $1$CS3g$KAiVWLtK3S5H25/FI4ING/
!
ip subnet-zero
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.0.4 255.255.255.0
 duplex auto
 speed auto
!
ip classless
no ip http server
no ip pim bidir-enable
!
!
line con 0
line aux 0
line vty 0 4
 password fartface1
 login
!
no scheduler allocate
end
 

Weird!
0
 

Author Comment

by:kcswanko
ID: 8176936
There is 1 router and one PIX on the 10.0.0.0 side.
0
 
LVL 1

Expert Comment

by:guerriero33t
ID: 8177041
It's not your router. Are you sure you are not using the PIX 10.0.0.1 address as the 10.0.0.2 host's default route? The 10 network client should use the 10.0.0.4 address as the default and the router should have a static default route pointing to the PIX.

Open up a DOS prompt (Windows) or an xterm (Unix) and type in the following.

netstat -nr

Windows should give you entries that match the following (the format has been changed so it will not look exactly like this):

client 1
destination 0.0.0.0
netmask 0.0.0.0
gateway 192.168.1.1
interface 192.168.1.2


client 2
destination 0.0.0.0
netmask 0.0.0.0
gateway 10.0.0.4
interface 10.0.0.2

The unix network table is also as easy to read. You should look for extra entries with the same destination. If there are any you can use "route delete" to get rid of them. You can also add some static routes into the windows boxes

route ADD 10.0.0.0 MASK 255.0.0.0 192.168.1.1 METRIC 1
route ADD 192.168.1.0 MASK 255.255.255.0 10.0.0.1 METRIC 1

0
 
LVL 1

Expert Comment

by:guerriero33t
ID: 8177074
I made a mistake with the second windows route
route ADD 192.168.1.0 MASK 255.255.255.0 10.0.0.4 METRIC 1


If you really are using 10.0.0.1 as the default route you can add just the static route into a batch script for the 10.0.0.2 client. This should work by itself.

route ADD 192.168.1.0 MASK 255.255.255.0 10.0.0.4 METRIC 1
0
 

Author Comment

by:kcswanko
ID: 8177459
Ok, now we are getting somewhere. I changed the 10.0.0.2 client's D. gateway to 10.0.0.4. Now all clients can access each other.

Now the last problem is the 10.0.0.0 clients can still access the internet, but the 192.168.0.0 clients can't get to 10.0.0.1. I put the command ip route 0.0.0.0 0.0.0.0 10.0.0.1 in the router (I have just one).

Could there be something on the PIX?
0
 
LVL 1

Accepted Solution

by:
guerriero33t earned 300 total points
ID: 8179398
Your PIX does not know about the 192 network existing on the other side of the 10.0.0.4 router. So it has no route to your network. You can verify this by trying to ping 192.168.1.2. You may get an ICMP message stating destination unreachable (I would imagine it is coming from the net and not your router). You need to create a static mapping in your PIX.

ip route 192.168.1.0 255.255.255.0 10.0.0.4

Now, the problem is in your PIX. Since your 10 network clients are on the same segment as the PIX they will be allowed to get through. You will need to add an access list that blocks the 10 clients from gaining access to the PIX. You can either do this on the pix or on the router. It would be safer to put it on the pix because anyone on the 10 network could just add 10.0.0.1 as its default and still get out.

0
 

Author Comment

by:kcswanko
ID: 8183206
Right on, dude, that was it. Thanks for your help. The actual command on the PIX was:

route 192.168.0.0 255.255.0.0 10.0.0.4

but I get the picture. Thanks again.
0
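Added example (not part of the original thread): a small longest-prefix-match model of the topology discussed above, showing why requests from the 192.168 side arrived but replies did not until the 10.0.0.2 client's gateway and the PIX route were fixed. The device names `router`, `pix`, `host10` and `isp` and the PIX's pre-existing routes are assumptions; the addresses and the added routes come from the thread.

```python
import ipaddress

def table(*routes):
    return [(ipaddress.ip_network(net), hop) for net, hop in routes]

def lookup(routes, dst):
    """Longest-prefix match: return the next hop of the most specific route."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, hop) for net, hop in routes if addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def trace(dst, start, devices):
    """Walk a packet from `start` toward `dst`; return (path, outcome)."""
    path, node = [start], start
    for _ in range(8):                       # hop limit guards against loops
        hop = lookup(devices[node], dst)
        if hop is None:
            return path, "no route"
        if hop == "connected":
            return path, "delivered"
        path.append(hop)
        if hop not in devices:               # left the modelled site
            return path, "lost to " + hop
        node = hop
    return path, "loop"

def site(host_gw, pix_knows_192):
    """Constructed model of the thread's topology (device names are assumptions)."""
    pix = [("10.0.0.0/24", "connected"), ("0.0.0.0/0", "isp")]
    if pix_knows_192:                        # route 192.168.0.0 255.255.0.0 10.0.0.4
        pix.append(("192.168.0.0/16", "router"))
    return {
        "router": table(("192.168.0.0/16", "connected"),   # Fa0/0 192.168.1.1
                        ("10.0.0.0/24", "connected"),      # Fa0/1 10.0.0.4
                        ("0.0.0.0/0", "pix")),             # ip route 0.0.0.0 0.0.0.0 10.0.0.1
        "pix": table(*pix),
        "host10": table(("10.0.0.0/24", "connected"), ("0.0.0.0/0", host_gw)),
    }

if __name__ == "__main__":
    for gw, fixed in (("pix", False), ("router", False), ("router", True)):
        net = site(gw, fixed)
        print(f"host10 gateway={gw}, PIX has 192.168 route={fixed}")
        print("  192.168.1.2 -> 10.0.0.2 :", trace("10.0.0.2", "router", net))
        print("  10.0.0.2 -> 192.168.1.2 :", trace("192.168.1.2", "host10", net))
        print("  pix -> 192.168.1.2      :", trace("192.168.1.2", "pix", net))
```
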
