Solved

Cisco routing for internet access on a remote network

Posted on 2004-03-27
Last Modified: 2010-04-11
Right now we have multiple remote locations all connected to a main location via point-to-point frame relay lines.  The main router (Cisco 2600) has a connection to the internet.  The main location is on the 10.1.x.x network and the remotes are 10.2.x.x, 10.3.x.x, 10.4.x.x.  We want to allow the remotes to access the internet via the main connection.  The main has no problem accessing the internet via the 10.1.1.2 default gateway.  The others seem to die out at the serial interface on the main router.  Below is the configuration of the main router.  The serial 0/0.6 interface goes to another router owned by the ISP.  Any ideas?

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname UCHC_Continental_2621
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
!
!
ip subnet-zero
!
!
!
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.0.0 secondary
 ip address 64.x.x.x 255.255.255.240 secondary
 ip address 63.x.x.x 255.255.255.248
 ip helper-address 10.1.1.11
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 bandwidth 356
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay traffic-shaping
 frame-relay lmi-type cisco
!
interface Serial0/0.2 point-to-point
 description Frame to Tucson
 ip address 10.254.1.13 255.255.255.252
 no ip directed-broadcast
 frame-relay class 3-Points
 frame-relay interface-dlci 16  
!
interface Serial0/0.3 point-to-point
 description Frame to Duval
 ip address 10.254.1.17 255.255.255.252
 no ip directed-broadcast
 ip nat inside
 frame-relay class Admin
 frame-relay interface-dlci 21  
!
interface Serial0/0.4 point-to-point
 description "frame to Arivaca 2nd Connection"
 ip address 10.254.1.9 255.255.255.252
 no ip directed-broadcast
 frame-relay class Arivaca-2
 frame-relay interface-dlci 20  
!
interface Serial0/0.5 point-to-point
 description New Continental Clinic
 ip address 10.254.1.21 255.255.255.252
 no ip directed-broadcast
 frame-relay class Continental
 frame-relay interface-dlci 22  
!
interface Serial0/0.6 point-to-point
 ip address 192.168.66.10 255.255.255.252
 no ip directed-broadcast
 ip nat outside
 frame-relay interface-dlci 19  
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip nat pool natpool 63.x.x.x 63.x.x.x netmask 255.255.255.248
ip nat inside source list 1 pool natpool overload
ip nat inside source static 10.1.1.11 64.140.190.66
ip nat inside source static 10.1.1.10 64.140.190.67
ip nat inside source static 10.1.1.12 64.140.190.68
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.66.9
ip route 10.0.0.0 255.0.0.0 FastEthernet0/0
ip route 10.2.0.0 255.255.0.0 10.254.1.10
ip route 10.3.0.0 255.255.0.0 10.254.1.14
ip route 10.4.0.0 255.255.0.0 10.254.1.18
ip route 10.5.0.0 255.255.0.0 10.254.1.22
no ip http server
!
!
ip access-list extended inbound
 permit tcp any host 64.140.190.66 eq 3389
!
map-class frame-relay 3-Points
 frame-relay adaptive-shaping becn
 frame-relay cir 128000
 frame-relay bc 8000
 frame-relay be 16000
 frame-relay mincir 64000
!
map-class frame-relay Admin
 frame-relay adaptive-shaping becn
 frame-relay cir 128000
 frame-relay bc 8000
 frame-relay be 16000
 frame-relay mincir 64000
!
map-class frame-relay Arivaca-2
 frame-relay adaptive-shaping becn
 frame-relay cir 768000
 frame-relay bc 8000
 frame-relay be 16000
 frame-relay mincir 384000
!
map-class frame-relay Continental
 frame-relay adaptive-shaping becn
 frame-relay cir 256000
 frame-relay bc 8000
 frame-relay be 16000
 frame-relay mincir 128000
!
map-class frame-relay Arivaca-1
 frame-relay adaptive-shaping becn
 frame-relay cir 56000
 frame-relay bc 8000
 frame-relay be 16000
 frame-relay mincir 48000


!
line con 0
 password xxxxxxxxxxxxxx
 transport input none
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxx
 login
!
end
Question by:cnewgaard
12 Comments
 
LVL 5

Expert Comment

by:visioneer
ID: 10695516
Could you please post the config from one of the remote site routers?

Also, can the remote sites see the main sites okay?
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10695545
Also, I'm curious about this routing statement:

ip route 10.0.0.0 255.0.0.0 FastEthernet0/0

Since fe0/0 is on the 10.1.0.0/16 network, I think that routing statement should probably read:

ip route 10.1.0.0 255.255.0.0 FastEthernet0/0

Another thing... you have your NAT inside sources configured as fe0/0 and s0/0.3 (Duval), but none of the other remote sites interfaces are configured with "ip nat inside".  Is that what you intended?

Also, and maybe this is just my ignorance, why is your external IP address configured as the primary address on fe0/0?  You're doing NAT there.
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10695555
Sorry for triple-posting in a row here, but now that I think about it, the "ip route 10.1.0.0 255.255.0.0 fe0/0" statement is redundant.  The interface is already subnetted that way.  But I still think the "ip route 10.0.0.0 255.0.0.0 fe0/0" wouldn't work because anything outside of 10.1.0.0/16 is not on the subnet of that interface.
0
 
LVL 3

Author Comment

by:cnewgaard
ID: 10698726
The remote sites can see the main site.  They can log in to the domain, internal DNS resolution, DHCP, terminal services, etc.  Just can't get internet access from the remotes.  The NAT inside on S0/0.3 is the one that I'm trying to get going first; once I get this figured out they'll all have it.  I don't have the remote site configuration at the moment but I can get it.  Basically all it has is the default route from there to the corresponding serial interface on the main site's router, and the IP helper address.  I was wondering about that IP ROUTE; like you said, it just seems like it shouldn't be there.  As far as the secondary address, I was wondering that too.  It was set up long before I arrived but I would think it should be 10.1.1.2 as the primary and the two 63.x.x.x addresses as secondary.  Is that correct?
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10699307
If you're doing NAT, I don't think you should have those 63.x.x.x addresses set on that interface at all.
0
 
LVL 1

Expert Comment

by:QST
ID: 10700098
The fact that you have several IP addresses on the Ethernet interface should not affect you. The problem here is the NAT. Your remote sites are routing between them via the main site (start config), however when the packets leave the router (main) to the internet, those are not being NATted, so the packets are leaving your router to the ISP, but getting lost or killed in the way.

You need to NAT for the serial interface. There would be several ways to do this.

 
0
 
LVL 1

Expert Comment

by:QST
ID: 10700186
ip route 10.2.0.0 255.255.0.0 10.254.1.10 should not be there, is not needed. If you issue the command:

Sh Ip Route

It will display network 10.2.0.0 255.255.0.0 as "C", meaning connected. No need to declare routing for any connected network. Eliminate that. From remote sites, try to traceroute an external address, one that you know you can trace (some carriers block traces). So first try from your main network, and when you are sure you can trace it, try from the remote location...

it would be interesting to see the results.

0
 
LVL 1

Expert Comment

by:QST
ID: 10700208
sorry for triple-posting (somebody else said this ?? ;-) )

your S0/0.3 looks good. That's the config I'll go for. regarding the comment about having that 63.x.x.x on your Fe0/0 interface...it should not affect. I assume you have servers (web, mail??) on the same ethernet segment as your local (internal network)...right?

0
 
LVL 3

Author Comment

by:cnewgaard
ID: 10700469
Ok here's a traceroute from one of the remotes (the one on S0/0.3)

Duval#traceroute 216.253.197.155

Type escape sequence to abort.
Tracing the route to 216.253.197.155

  1 10.254.1.17 16 msec 16 msec 20 msec
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *
  8  *  *  *
  9  *  *  *
 10  *  *  *
 11  *  *  *
 12  *  *  *
 13  *  *  *
 14  *  *  *
 15  *  *  *
 16  *  *  *
 17  *  *  *
 18  *  *  *
 19  *  *  *
 20  *  *  *
 21  *  *  *
 22  *  *  *
 23  *  *  *
 24  *  *  *
 25  *  *  *
 26  *  *  *
 27  *  *  *
 28  *  *  *
 29  *  *  *
 30  *  *  *
Duval#

0
 
LVL 3

Author Comment

by:cnewgaard
ID: 10700472
And here's the configuration of that same router:

!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Duval
!
enable password 7 002012142754060B
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip finger
ip domain-name uchc
!
!
!
!
interface Serial0
 description Frame to Continental
 ip address 10.254.1.18 255.255.255.252
 encapsulation frame-relay
 no fair-queue
 service-module t1 timeslots 1-2
 frame-relay traffic-shaping
 frame-relay class Admin
 frame-relay interface-dlci 16
 frame-relay lmi-type cisco
!
interface FastEthernet0
 ip address 10.4.1.1 255.255.0.0
 ip access-group 1 in
 ip helper-address 10.1.1.10
 ip helper-address 10.1.1.11
 ip helper-address 10.1.1.12
 speed auto
!
router eigrp 10
 network 10.0.0.0
 auto-summary
 no eigrp log-neighbor-changes
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.254.1.17
no ip http server
!
!
map-class frame-relay Admin
 frame-relay adaptive-shaping becn
 frame-relay cir 128000
 frame-relay bc 8000
 frame-relay mincir 64000
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password 7 112D1817341D0601
 login
!
no scheduler allocate
end
0
 
LVL 3

Author Comment

by:cnewgaard
ID: 10701049
Just tried something.  I don't know if it helps but if I make a static mapping by doing ip nat inside source static xxxx xxxx I get a connection from the remote site.  But not without that command in there.  Again I don't know if that helps you guys any but I'm just trying things that I actually know how to do with Cisco.  
0
 
LVL 11

Accepted Solution

by:
PennGwyn earned 95 total points
ID: 10719520
I'm fairly certain that it's the NAT config that's not quite got all its I's dotted and T's crossed.

However, I see references in both router configs to access-list 1, which I don't see defined anywhere.  And since an undefined access list consists just of the default trailing "deny any", that's not likely to be helpful.

(The route to 10.0.0.0 255.0.0.0 should be to Null0, not E0.  Since direct connections and/or EIGRP are going to provide more specific routes to 10.1.x.x, 10.2.x.x, etc, this route will just act as a sink for 10.x.x.x traffic that doesn't belong to any of the subnets actually being used.)

0
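
A check for the gap the accepted answer points out, as an added example that is not part of the thread and not Cisco tooling: a short Python audit that lists ACLs a config references but never defines, and ACLs it defines but never applies. The config excerpts are constructed from the ACL-related lines posted above; the function and pattern names are illustrative.

```python
import re

# Constructed excerpts: only the ACL-related lines of the two configs posted
# in the thread (the full configs contain no other ACL lines).
MAIN_CONFIG = """\
interface FastEthernet0/0
 ip nat inside
interface Serial0/0.6 point-to-point
 ip nat outside
ip nat inside source list 1 pool natpool overload
ip access-list extended inbound
 permit tcp any host 64.140.190.66 eq 3389
"""
DUVAL_CONFIG = """\
interface FastEthernet0
 ip access-group 1 in
"""

# Lines that reference an ACL by number or name.
REFERENCE_PATTERNS = [
    re.compile(r"^ip access-group (\S+) (?:in|out)$"),
    re.compile(r"^ip nat inside source list (\S+) "),
    re.compile(r"^access-class (\S+) (?:in|out)$"),
]
# Lines that define one: numbered form, or named standard/extended form.
DEFINITION_PATTERNS = [
    re.compile(r"^access-list (\d+) "),
    re.compile(r"^ip access-list (?:standard|extended) (\S+)$"),
]

def audit_acls(config_text):
    """Return (referenced_but_undefined, defined_but_unreferenced) ACL names."""
    referenced, defined = set(), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        for pat in REFERENCE_PATTERNS:
            m = pat.match(line)
            if m:
                referenced.add(m.group(1))
        for pat in DEFINITION_PATTERNS:
            m = pat.match(line)
            if m:
                defined.add(m.group(1))
    return sorted(referenced - defined), sorted(defined - referenced)

if __name__ == "__main__":
    for name, cfg in (("main", MAIN_CONFIG), ("Duval", DUVAL_CONFIG)):
        missing, unused = audit_acls(cfg)
        print(f"{name}: referenced but undefined={missing}, defined but unused={unused}")
```

Besides the missing list 1 on both routers, the audit also reports that the named ACL `inbound` on the main router is defined but not applied to any interface.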
