Solved

Network not passing traffic past firewall to main internet router. please help

Posted on 2004-09-23
8
222 Views
Last Modified: 2010-04-17
Hope one of you is a Cisco guru; I am a paper CCNA (passed the test, not much hands-on).
Before we get into posting my configurations, here is the way my network is set up:

Tempest (Router connected to LAN at hub site)
 - Ethernet 0/0     = 10.0.10.1 /16
 - FastEthernet 0/0 = 172.16.1.254 /24
 (Routing Protocol is eigrp)

Starsider (Main router which will soon have 6 point to points, sits behind pix515)
 - FastEthernet 0/0 = 10.0.10.2 /16 (Directly connected to Tempest E0/0 via xover)
 - FastEthernet 0/1 = 10.10.1.2 /24 (Directly connected to Bloodfin Ethernet 1 via xover)
 (Routing Protocol eigrp)

Bloodfin (pix 515)
 - Ethernet 1 (inside) = 10.10.1.1 /24
 - Ethernet 0 (Outside) = 38.117.225.234 /29

Ahazi (internet router)
 - Serial 0 = 66.250.56.210
 - FastEthernet = 38.117.225.233 /29

I can ping from the firewall to my LAN router (meaning traffic from the firewall will go through my main router), but I can only ping the interface that is directly connected from my main router to my LAN router (the 10.0.10.0 subnet). I cannot ping the 172.16.1.0 subnet interface on the same router.

From my LAN router, I can ping all the way to the firewall, but I cannot ping the outside interface of the firewall or anything beyond it (inet router, etc.).

Can someone please help me with my config? Below are the configurations in the order listed above (LAN router, main router, pix515, internet router).
Any help is appreciated.

--------------------
LAN (Tempest)
---------------------

interface Ethernet0/0
 ip address 10.0.10.1 255.255.0.0
 half-duplex
!
interface FastEthernet0/0
 ip address 172.16.1.254 255.255.255.0
 speed auto
!
router eigrp 99
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip classless
no ip http server
!
!
!
line con 0
line aux 0
line vty 0 4
!
no scheduler allocate
end
--------------
Main Router (Starsider)
-------------
controller T1 0/0
 framing sf
 crc-threshold 320
 linecode ami
!
controller T1 0/1
 framing sf
 crc-threshold 320
 linecode ami
!
controller T1 0/2
 framing sf
 crc-threshold 320
 linecode ami
!
controller T1 0/3
 framing sf
 crc-threshold 320
 linecode ami
!
controller T1 0/4
 framing sf
 crc-threshold 320
interface FastEthernet0/0
 ip address 10.0.10.2 255.255.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.1.2 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 99
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip http server
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
--------------------------------
Pix515 (Bloodfin)
-----------------------------------
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Bloodfin
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit icmp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 38.117.225.234 255.255.255.248
ip address inside 10.10.1.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 38.117.225.237-38.117.225.238
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 38.117.225.233 1
route inside 10.0.0.0 255.0.0.0 10.10.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
---------------------------
Internet Router (Ahazi)
---------------------------
ip cef
!
!
!
no ftp-server write-enable
!
!
!
!
interface Ethernet0
 ip address 38.117.225.233 255.255.255.248
 full-duplex
!
interface FastEthernet0
 no ip address
 speed auto
 full-duplex
!
interface Serial0
 ip address 66.250.56.210 255.255.255.252
 ip access-group 110 in
 encapsulation ppp
!
ip classless
ip route 0.0.0.0 0.0.0.0 66.250.56.209
no ip http server
!
access-list 110 deny   ip 38.117.225.232 0.0.0.7 any log
access-list 110 permit tcp any 38.117.225.232 0.0.0.7 established
access-list 110 permit ip any 38.117.225.232 0.0.0.7
access-list 110 permit icmp 66.28.3.0 0.0.0.255 host 66.250.56.210 log
!
line con 0
line aux 0
line vty 0 4
 password q1w2e3r4$$
 login
!
!
end
0
Comment
Question by:jterrero
8 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12135391
First things first...
>from my Lan Router, I can ping all the way to the firewall, but cannot ping the outside interface of the firewall
Of course not. You never will be able to ping the outside interface IP from the inside network.

>route inside 10.0.0.0 255.0.0.0 10.10.1.1 1
This should not point to its own IP. It should be:
    route inside 10.0.0.0 255.0.0.0 10.10.1.2  1 <==point to starsider
If you want the 172.16.0.0 network to use the PIX, add the following:
    route inside 172.16.0.0 255.255.0.0 10.10.1.2 1
Else, you can enable OSPF between the PIX and Starsider, and the PIX and the Internet router.
PIX learns default gateway from Inet router, passes along to Starsider via OSPF. Starsider redistributes EIGRP into OSPF so that the PIX learns all internal networks. Works nice when you have alternate backup pathway for Internet access.

>global (outside) 1 38.117.225.237-38.117.225.238
Two things here. 1) You need another "overload" address, else you are limited to 2 hosts. Add:
   global (outside) 1 interface
2) You're missing the corresponding nat. You must add the following:
   nat (inside) 1 0 0

Next, on Ahazi Internet router:
 > interface Serial0
 >   ip access-group 110 in


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12135413
Never mind about the Ahazi router. I was thinking there was an issue with the access-list, but you have permitted ip from any. Sort of defeats the whole purpose of having an acl, so you might as well remove it from the interface...
0
 

Author Comment

by:jterrero
ID: 12135423
thanks, trying this now. will let you know how it goes. thanks a million
0
 

Author Comment

by:jterrero
ID: 12143611
Definitely getting somewhere. I can now pass traffic from Ahazi to Starsider (inet router past firewall to main router), but I still cannot get any traffic outside the firewall from Tempest. I think I might go for an OSPF solution like you advised earlier: OSPF for Ahazi, Bloodfin and Starsider, and have the rest of the network on EIGRP. Do you have any tips or recommendations before I implement this?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12143720
Easier solution:

On Tempest, add a static default
  ip route 0.0.0.0 0.0.0.0 10.0.10.2  <== points to starsider

0
 

Author Comment

by:jterrero
ID: 12143782
thank you, you have been most helpful
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12143831
Glad to help!
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 13688754
Do you need more information?
Have you resolved this problem?
Can you close this question?
Thanks!
0
