jterrero asked:

Network not passing traffic past firewall to main internet router. Please help

Hope one of you is a Cisco guru; I am a paper CCNA (passed the test, not much hands-on).
Before we get into my configurations, here is the way my network is set up:

Tempest (Router connected to LAN at hub site)
 - Ethernet 0/0     = 10.0.10.1 /16
 - FastEthernet 0/0 = 172.16.1.254 /24
 (Routing Protocol is eigrp)

Starsider (Main router which will soon have 6 point to points, sits behind pix515)
 - FastEthernet 0/0 = 10.0.10.2 /16 (Directly connected to Tempest E0/0 via xover)
 - FastEthernet 0/1 = 10.10.1.2 /24 (Directly connected to Bloodfin Ethernet 1 via xover)
 (Routing Protocol eigrp)

Bloodfin (pix 515)
 - Ethernet 1 (inside) = 10.10.1.1 /24
 - Ethernet 0 (Outside) = 38.117.225.234 /29

Ahazi (internet router)
 - Serial 0 = 66.250.56.210
 - FastEthernet = 38.117.225.233 /29

I can ping from the firewall to my LAN router (meaning traffic from the firewall will go through my main router), but I can only ping the interface that is directly connected from my main router to my LAN router (the 10.0.10.0 subnet); I cannot ping the 172.16.1.0 subnet interface on the same router.

From my LAN router, I can ping all the way to the firewall, but cannot ping the outside interface of the firewall or anything beyond it (internet router, etc.).

Can someone please help me with my config? Below are the configurations in the order listed above (LAN router, main router, PIX 515, internet router).
Any help is appreciated.

--------------------
LAN (Tempest)
---------------------

interface Ethernet0/0
 ip address 10.0.10.1 255.255.0.0
 half-duplex
!
interface FastEthernet0/0
 ip address 172.16.1.254 255.255.255.0
 speed auto
!
router eigrp 99
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip classless
no ip http server
!
!
!
line con 0
line aux 0
line vty 0 4
!
no scheduler allocate
end
--------------
Main Router (Starsider)
-------------
controller T1 0/0
 framing sf
 crc-threshold 320
 linecode ami
!
controller T1 0/1
 framing sf
 crc-threshold 320
 linecode ami
!
controller T1 0/2
 framing sf
 crc-threshold 320
 linecode ami
!
controller T1 0/3
 framing sf
 crc-threshold 320
 linecode ami
!
controller T1 0/4
 framing sf
 crc-threshold 320
interface FastEthernet0/0
 ip address 10.0.10.2 255.255.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.1.2 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 99
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip http server
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
--------------------------------
Pix515 (Bloodfin)
-----------------------------------
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Bloodfin
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit icmp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 38.117.225.234 255.255.255.248
ip address inside 10.10.1.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 38.117.225.237-38.117.225.238
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 38.117.225.233 1
route inside 10.0.0.0 255.0.0.0 10.10.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
---------------------------
Internet Router (Ahazi)
---------------------------
ip cef
!
!
!
no ftp-server write-enable
!
!
!
!
interface Ethernet0
 ip address 38.117.225.233 255.255.255.248
 full-duplex
!
interface FastEthernet0
 no ip address
 speed auto
 full-duplex
!
interface Serial0
 ip address 66.250.56.210 255.255.255.252
 ip access-group 110 in
 encapsulation ppp
!
ip classless
ip route 0.0.0.0 0.0.0.0 66.250.56.209
no ip http server
!
access-list 110 deny   ip 38.117.225.232 0.0.0.7 any log
access-list 110 permit tcp any 38.117.225.232 0.0.0.7 established
access-list 110 permit ip any 38.117.225.232 0.0.0.7
access-list 110 permit icmp 66.28.3.0 0.0.0.255 host 66.250.56.210 log
!
line con 0
line aux 0
line vty 0 4
 password q1w2e3r4$$
 login
!
!
end
Les Moore

First things first...
>from my Lan Router, I can ping all the way to the firewall, but cannot ping the outside interface of the firewall
Of course not. You never will be able to ping the outside interface IP from the inside network.

>route inside 10.0.0.0 255.0.0.0 10.10.1.1 1
This should not point to its own IP. It should be:
    route inside 10.0.0.0 255.0.0.0 10.10.1.2  1 <==point to starsider
If you want the 172.16.0.0 network to use the PIX, add the following:
    route inside 172.16.0.0 255.255.0.0 10.10.1.2 1
Else, you can enable OSPF between the PIX and Starsider, and the PIX and the Internet router.
PIX learns default gateway from Inet router, passes along to Starsider via OSPF. Starsider redistributes EIGRP into OSPF so that the PIX learns all internal networks. Works nice when you have alternate backup pathway for Internet access.

>global (outside) 1 38.117.225.237-38.117.225.238
Two things here. 1) You need another "overload" address, else you are limited to 2 hosts. Add:
   global (outside) 1 interface
2) You're missing the corresponding nat. You must add the following:
   nat (inside) 1 0 0

Next, on Ahazi Internet router:
 > interface Serial0
 >   ip access-group 110 in


Never mind about the Ahazi router. I was thinking there was an issue with the access-list, but you have permitted ip from any. Sort of defeats the whole purpose of having an acl, so you might as well remove it from the interface...
jterrero

Thanks, trying this now. Will let you know how it goes. Thanks a million.
Definitely getting somewhere. I can now pass traffic from Ahazi to Starsider (internet router past the firewall to the main router), but I still cannot get any traffic outside the firewall from Tempest. I think I might go for an OSPF solution like you advised earlier: OSPF for Ahazi, Bloodfin and Starsider, with the rest of the network on EIGRP. Do you have any tips or recommendations before I implement this?

Easier solution:

On Tempest, add a static default
  ip route 0.0.0.0 0.0.0.0 10.0.10.2  <== points to starsider

Thank you, you have been most helpful.

Glad to help!
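A way to check the fixes from this thread against the posted addressing without a lab, as an added example that is not part of the thread or anyone's configuration: a small Python forwarding model that does a longest-prefix-match lookup per device and walks a ping from Tempest's 172.16.1.254 to Ahazi's 38.117.225.233 and back. The points raised in the first answer (the PIX inside route pointing at Starsider rather than at its own 10.10.1.1, the 172.16.0.0 route, the missing `nat (inside) 1 0 0`) and the static default on Tempest from the "Easier solution" reply are each a flag, so you can see at which hop the ping dies when one of them is missing. Assumptions: the EIGRP-learned prefixes (172.16.1.0/24 on Starsider, 10.10.1.0/24 on Tempest) are inferred from the posted `network` statements because no routing table was posted; NAT uses the first address of the posted global pool and the `global (outside) 1 interface` PAT line is not modelled; the PIX access-lists and the OSPF alternative are left out; a route whose next hop is the device's own address is treated as unusable.

```python
"""Forwarding model of the four devices posted in this thread (constructed example,
not the thread's own configuration). EIGRP-learned prefixes are assumed."""
from ipaddress import ip_address, ip_interface, ip_network

GLOBAL_POOL_FIRST = ip_address("38.117.225.237")  # first address of the posted global pool


class Device:
    def __init__(self, name, ifaces, routes=(), owned=(), nat_inside=None):
        self.name = name
        self.ifaces = {n: ip_interface(a) for n, a in ifaces.items()}
        self.routes = [(ip_network(p), ip_address(nh)) for p, nh in routes]
        self.owned = {ip_address(a) for a in owned}  # answered by proxy ARP (PIX global pool)
        self.nat_inside = nat_inside                 # None = not a firewall; else nat (inside) present?
        self.xlates = {}                             # global address -> inside address

    def addresses(self):
        return {i.ip for i in self.ifaces.values()} | self.owned

    def iface_for(self, addr):
        """Directly connected interface whose subnet holds addr, or None."""
        return next((n for n, i in self.ifaces.items() if addr in i.network), None)

    def lookup(self, dst):
        """Longest-prefix match; returns (egress interface, address to ARP for) or None."""
        best = None
        for n, i in self.ifaces.items():
            if dst in i.network and (best is None or i.network.prefixlen > best[0]):
                best = (i.network.prefixlen, n, dst)
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, self.iface_for(nh), nh)
        return None if best is None or best[1] is None else best[1:]


def build(pix_route_fixed, pix_172_route, nat_inside, tempest_default):
    """The four devices as posted, with the answer's fixes applied per flag."""
    tempest_routes = [("10.10.1.0/24", "10.0.10.2")]            # learned via EIGRP (assumed)
    if tempest_default:
        tempest_routes.append(("0.0.0.0/0", "10.0.10.2"))       # ip route 0.0.0.0 0.0.0.0 10.0.10.2
    pix_routes = [("0.0.0.0/0", "38.117.225.233"),
                  ("10.0.0.0/8", "10.10.1.2" if pix_route_fixed else "10.10.1.1")]
    if pix_172_route:
        pix_routes.append(("172.16.0.0/16", "10.10.1.2"))       # route inside 172.16.0.0 ...
    return [
        Device("Tempest", {"Eth0/0": "10.0.10.1/16", "Fa0/0": "172.16.1.254/24"}, tempest_routes),
        Device("Starsider", {"Fa0/0": "10.0.10.2/16", "Fa0/1": "10.10.1.2/24"},
               [("172.16.1.0/24", "10.0.10.1"),                   # learned via EIGRP (assumed)
                ("0.0.0.0/0", "10.10.1.1")]),
        Device("Bloodfin", {"outside": "38.117.225.234/29", "inside": "10.10.1.1/24"},
               pix_routes, owned=["38.117.225.237", "38.117.225.238"], nat_inside=nat_inside),
        Device("Ahazi", {"Eth0": "38.117.225.233/29", "Ser0": "66.250.56.210/30"},
               [("0.0.0.0/0", "66.250.56.209")]),
    ]


def owner(devices, addr):
    return next((d for d in devices if addr in d.addresses()), None)


def forward(devices, dev, src, dst, max_hops=8):
    """Walk one packet hop by hop; returns (delivered, path, source address as delivered)."""
    path, ingress = [], None
    for _ in range(max_hops):
        path.append(dev.name)
        if dst in dev.addresses():
            if ingress == "outside" and dst in dev.xlates:
                dst = dev.xlates[dst]      # reply to a global address: un-translate, keep routing
            else:
                return True, path, src
        hit = dev.lookup(dst)
        if hit is None:
            return False, path + ["no route"], src
        egress, arp_for = hit
        if arp_for in dev.addresses() and arp_for != dst:
            # e.g. `route inside 10.0.0.0 255.0.0.0 10.10.1.1` on the PIX; treated as unusable here
            return False, path + ["next hop is own address"], src
        if dev.nat_inside is not None and egress == "outside" and ingress == "inside":
            if not dev.nat_inside:         # PIX 6.3 needs a translation for inside-to-outside traffic
                return False, path + ["dropped: no nat (inside) for global (outside) 1"], src
            dev.xlates[GLOBAL_POOL_FIRST] = src
            src = GLOBAL_POOL_FIRST
        nxt = owner(devices, arp_for)
        if nxt is None:
            return False, path + [f"leaves modelled network via {egress}"], src
        ingress, dev = nxt.iface_for(arp_for), nxt
    return False, path + ["hop limit"], src


def ping(devices, src_dev, src, dst):
    """Echo request and reply; both directions must be delivered for the ping to succeed."""
    src, dst = ip_address(src), ip_address(dst)
    out_ok, out, seen_src = forward(devices, src_dev, src, dst)
    if not out_ok:
        return {"ok": False, "out": out, "back": []}
    back_ok, back, _ = forward(devices, owner(devices, dst), dst, seen_src)
    return {"ok": back_ok, "out": out, "back": back}


def tempest_to_internet_router(**fixes):
    """Ping from Tempest's 172.16.1.254 to Ahazi's 38.117.225.233 under the given fixes."""
    devs = build(**fixes)
    return ping(devs, devs[0], "172.16.1.254", "38.117.225.233")


if __name__ == "__main__":
    keys = ["pix_route_fixed", "pix_172_route", "nat_inside", "tempest_default"]
    for label, off in [("as posted", keys), ("no default on Tempest", ["tempest_default"]),
                       ("no nat (inside)", ["nat_inside"]),
                       ("no 172.16.0.0 route on PIX", ["pix_172_route"]), ("all fixes", [])]:
        print(label, tempest_to_internet_router(**{k: k not in off for k in keys}))
```

Running the module prints one path per scenario. Without the static default, Tempest has no route at all for 38.117.225.233, which is why the OSPF discussion is unnecessary for this symptom; without `nat (inside) 1 0 0` the PIX drops the first inside-to-outside packet; and without the 172.16.0.0 route the echo reply reaches the PIX, is un-translated, and is then sent back out the outside interface because the only matching route is the default, so the ping fails on the return leg even though the request got through.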