cnewgaard

Cisco routing for internet access on a remote network

Right now we have multiple remote locations all connected to a main location via point to point frame relay lines. The main router (Cisco 2600) has a connection to the internet. The main location is on the 10.1.x.x network and the remotes are 10.2.x.x, 10.3.x.x, 10.4.x.x. We want to allow the remotes to access the internet via the main connection. The main has no problem accessing the internet via the 10.1.1.2 default gateway. The others seem to die out at the serial interface on the main router. Below is the configuration of the main router. The serial 0/0.6 interface goes to another router owned by the ISP. Any ideas?

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname UCHC_Continental_2621
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
!
!
ip subnet-zero
!
!
!
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.0.0 secondary
 ip address 64.x.x.x 255.255.255.240 secondary
 ip address 63.x.x.x 255.255.255.248
 ip helper-address 10.1.1.11
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 bandwidth 356
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay traffic-shaping
 frame-relay lmi-type cisco
!
interface Serial0/0.2 point-to-point
 description Frame to Tucson
 ip address 10.254.1.13 255.255.255.252
 no ip directed-broadcast
 frame-relay class 3-Points
 frame-relay interface-dlci 16  
!
interface Serial0/0.3 point-to-point
 description Frame to Duval
 ip address 10.254.1.17 255.255.255.252
 no ip directed-broadcast
 ip nat inside
 frame-relay class Admin
 frame-relay interface-dlci 21  
!
interface Serial0/0.4 point-to-point
 description "frame to Arivaca 2nd Connection"
 ip address 10.254.1.9 255.255.255.252
 no ip directed-broadcast
 frame-relay class Arivaca-2
 frame-relay interface-dlci 20  
!
interface Serial0/0.5 point-to-point
 description New Continental Clinic
 ip address 10.254.1.21 255.255.255.252
 no ip directed-broadcast
 frame-relay class Continental
 frame-relay interface-dlci 22  
!
interface Serial0/0.6 point-to-point
 ip address 192.168.66.10 255.255.255.252
 no ip directed-broadcast
 ip nat outside
 frame-relay interface-dlci 19  
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip nat pool natpool 63.x.x.x 63.x.x.x netmask 255.255.255.248
ip nat inside source list 1 pool natpool overload
ip nat inside source static 10.1.1.11 64.140.190.66
ip nat inside source static 10.1.1.10 64.140.190.67
ip nat inside source static 10.1.1.12 64.140.190.68
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.66.9
ip route 10.0.0.0 255.0.0.0 FastEthernet0/0
ip route 10.2.0.0 255.255.0.0 10.254.1.10
ip route 10.3.0.0 255.255.0.0 10.254.1.14
ip route 10.4.0.0 255.255.0.0 10.254.1.18
ip route 10.5.0.0 255.255.0.0 10.254.1.22
no ip http server
!
!
ip access-list extended inbound
 permit tcp any host 64.140.190.66 eq 3389
!
map-class frame-relay 3-Points
 frame-relay adaptive-shaping becn
 frame-relay cir 128000
 frame-relay bc 8000
 frame-relay be 16000
 frame-relay mincir 64000
!
map-class frame-relay Admin
 frame-relay adaptive-shaping becn
 frame-relay cir 128000
 frame-relay bc 8000
 frame-relay be 16000
 frame-relay mincir 64000
!
map-class frame-relay Arivaca-2
 frame-relay adaptive-shaping becn
 frame-relay cir 768000
 frame-relay bc 8000
 frame-relay be 16000
 frame-relay mincir 384000
!
map-class frame-relay Continental
 frame-relay adaptive-shaping becn
 frame-relay cir 256000
 frame-relay bc 8000
 frame-relay be 16000
 frame-relay mincir 128000
!
map-class frame-relay Arivaca-1
 frame-relay adaptive-shaping becn
 frame-relay cir 56000
 frame-relay bc 8000
 frame-relay be 16000
 frame-relay mincir 48000


!
line con 0
 password xxxxxxxxxxxxxx
 transport input none
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxx
 login
!
end
visioneer

Could you please post the config from one of the remote site routers?

Also, can the remote sites see the main sites okay?
Also, I'm curious about this routing statement:

ip route 10.0.0.0 255.0.0.0 FastEthernet0/0

Since fe0/0 is on the 10.1.0.0/16 network, I think that routing statement should probably read:

ip route 10.1.0.0 255.255.0.0 FastEthernet0/0

Another thing... you have your NAT inside sources configured as fe0/0 and s0/0.3 (Duval), but none of the other remote sites interfaces are configured with "ip nat inside".  Is that what you intended?

Also, and maybe this is just my ignorance, why is your external IP address configured as the primary address on fe0/0?  You're doing NAT there.
Sorry for triple-posting in a row here, but now that I think about it, the "ip route 10.1.0.0 255.255.0.0 fe0/0" statement is redundant.  The interface is already subnetted that way.  But I still think the "ip route 10.0.0.0 255.0.0.0 fe0/0" wouldn't work because anything outside of 10.1.0.0/16 is not on the subnet of that interface.
cnewgaard

ASKER

The remote sites can see the main site. They can log in to the domain, internal DNS resolution, DHCP, terminal services, etc. Just can't get internet access from the remotes. The NAT inside on S0/0.3 is the one that I'm trying to get going first, once I get this figured out they'll all have it. I don't have the remote site configuration at the moment but I can get it. Basically all it has is the default route from there to the corresponding serial interface on the main site's router, and the IP helper address. I was wondering about that IP ROUTE like you said it just seems like it shouldn't be there. As far as the secondary address I was wondering that too. It was set up long before I arrived but I would think it should be 10.1.1.2 as the primary and the two 63.x.x.x addresses as secondary. Is that correct?
If you're doing NAT, I don't think you should have those 63.x.x.x addresses set on that interface at all.
The fact that you have several IP addresses on the Ethernet interface should not affect you. The problem here is the NAT. Your remote sites are routing between them via the main site (start config), however when the packets leave the router (main) to the internet, those are not being NATed, so the packets are leaving your router to the ISP, but getting lost or killed in the way.

You need to NAT for the serial interface. There would be several ways to do this.

 
ip route 10.2.0.0 255.255.0.0 10.254.1.10 should not be there, is not needed. If you issue the command:

Sh Ip Route

it will display network 10.2.0.0 255.255.0.0 as "C" meaning connected. No need to declare routing for any connected network. Eliminate that.... From remote sites, try to traceroute an external address, one that you know you can trace (some carriers block traces). So first try from your main network, and when you are sure you can trace it, try from the remote location...

it would be interesting to see the results.

sorry for triple-posting (somebody else said this ?? ;-) )

your S0/0.3 looks good. That's the config I'll go for. regarding the comment about having that 63.x.x.x on your Fe0/0 interface...it should not affect. I assume you have servers (web, mail??) on the same ethernet segment as your local (internal network)...right?

Ok here's a traceroute from one of the remotes (the one on S0/0.3)

Duval#traceroute 216.253.197.155

Type escape sequence to abort.
Tracing the route to 216.253.197.155

  1 10.254.1.17 16 msec 16 msec 20 msec
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *
  8  *  *  *
  9  *  *  *
 10  *  *  *
 11  *  *  *
 12  *  *  *
 13  *  *  *
 14  *  *  *
 15  *  *  *
 16  *  *  *
 17  *  *  *
 18  *  *  *
 19  *  *  *
 20  *  *  *
 21  *  *  *
 22  *  *  *
 23  *  *  *
 24  *  *  *
 25  *  *  *
 26  *  *  *
 27  *  *  *
 28  *  *  *
 29  *  *  *
 30  *  *  *
Duval#

And here's the configuration of that same router:

!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Duval
!
enable password 7 002012142754060B
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip finger
ip domain-name uchc
!
!
!
!
interface Serial0
 description Frame to Continental
 ip address 10.254.1.18 255.255.255.252
 encapsulation frame-relay
 no fair-queue
 service-module t1 timeslots 1-2
 frame-relay traffic-shaping
 frame-relay class Admin
 frame-relay interface-dlci 16
 frame-relay lmi-type cisco
!
interface FastEthernet0
 ip address 10.4.1.1 255.255.0.0
 ip access-group 1 in
 ip helper-address 10.1.1.10
 ip helper-address 10.1.1.11
 ip helper-address 10.1.1.12
 speed auto
!
router eigrp 10
 network 10.0.0.0
 auto-summary
 no eigrp log-neighbor-changes
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.254.1.17
no ip http server
!
!
map-class frame-relay Admin
 frame-relay adaptive-shaping becn
 frame-relay cir 128000
 frame-relay bc 8000
 frame-relay mincir 64000
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password 7 112D1817341D0601
 login
!
no scheduler allocate
end
Just tried something.  I don't know if it helps but if I make a static mapping by doing ip nat inside source static xxxx xxxx I get a connection from the remote site.  But not without that command in there.  Again I don't know if that helps you guys any but I'm just trying things that I actually know how to do with Cisco.  
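
Added example, not part of the original thread or any poster's code: a small Python audit of the main router's NAT configuration, covering the point raised above about which sub-interfaces carry "ip nat inside" and also checking whether the access list named by the "ip nat inside source list" rule is defined anywhere in the posted text. The function name audit_nat and the trimmed excerpt are constructed for illustration; the result only describes the configuration as posted, which may have been shortened.

```python
import re

# Constructed excerpt of the main router config posted above: only the
# interface names and NAT-relevant lines are kept.
MAIN_CONFIG = """\
interface FastEthernet0/0
 ip nat inside
!
interface Serial0/0.2 point-to-point
!
interface Serial0/0.3 point-to-point
 ip nat inside
!
interface Serial0/0.4 point-to-point
!
interface Serial0/0.5 point-to-point
!
interface Serial0/0.6 point-to-point
 ip nat outside
!
ip nat inside source list 1 pool natpool overload
ip access-list extended inbound
 permit tcp any host 64.140.190.66 eq 3389
"""

def audit_nat(config):
    """Group interfaces by NAT role and list ACLs a NAT rule uses but the text never defines."""
    roles, current, referenced, defined = {}, None, set(), set()
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None  # any top-level line closes the interface block
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            roles[current] = "untagged"
        elif m := re.match(r"\s+ip nat (inside|outside)\s*$", line):
            if current:
                roles[current] = m.group(1)
        elif m := re.match(r"ip nat inside source list (\S+)", line):
            referenced.add(m.group(1))
        elif m := re.match(r"access-list (\S+)|ip access-list \w+ (\S+)", line):
            defined.add(m.group(1) or m.group(2))
    report = {role: [i for i, r in roles.items() if r == role]
              for role in ("inside", "outside", "untagged")}
    report["undefined_acls"] = sorted(referenced - defined)
    return report

if __name__ == "__main__":
    for key, value in audit_nat(MAIN_CONFIG).items():
        print(f"{key}: {', '.join(value) or '-'}")
```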