ATBChrisW
Need Help with a Cisco 1841 Router Configuration

Here is my current config:

ciscorouter#show run
Building configuration...

Current configuration : 1795 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ciscorouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip domain lookup
ip domain name **************
!
username ************* privilege 15 secret 5 ***********
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 192.168.23.254 255.255.255.0
 ip policy route-map Internal
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ES_LAN$
 ip address 192.168.1.254 255.255.255.0
 ip policy route-map Internet
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.23.10
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
!
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 1433
access-list 101 permit tcp any any eq 2725
access-list 101 permit tcp any any eq 2393
access-list 101 permit tcp any any eq 2394
access-list 199 permit ip any any
route-map Internal permit 10
 match ip address 101
 match interface FastEthernet0/1
!
route-map Internet permit 11
 match ip address 101
 match interface FastEthernet0/0
!
route-map Internet permit 20
 match ip address 199
 set ip next-hop 192.168.1.10
!
!
control-plane
!
!
end

Here is my problem.  I am trying to use the ports specified, including RDP (3389), to be able to go back and forth between the two subnets.  I can access RDP and WWW from the .1 subnet to the .23 subnet just fine, but when I try to RDP from .23 to the .1 subnet not only does it not work, but it also prevents me from going from .1 to .23 until I log into the router and run a few commands, like show run, and then log out.  After that it starts working normally again.  Can someone help?

Thanks
Chris
mikefalcone

What are you trying to accomplish with route map Internet?


Also could you post a sh ip route
ATBChrisW (ASKER)
The route map was there from when we had to send certain traffic to different PIX firewalls to different T1 lines.  Now they all just go to the 192.168.23.10 PIX.  I will update with a sh ip route when I get a chance.
ASKER CERTIFIED SOLUTION
mikefalcone
I am not sure about the route map Internet statements - I just don't have experience with them.

But looking over your config something does stand out. First, the .1.254 address is assigned to fa0/1 as is the ACL 199, and .23.254 is assigned to fa0/0 with ACL 101 (these are mapped in the route-map statements). So ACL 199 allows any traffic while 101 (on .23) allows only the stated TCP traffic; remember there is an explicit deny at the end of the ACL, so as it is written only TCP traffic destined for one of the named ports is allowed and everything else would be denied.
So I could see you being able to ping from .1 and not .23. Don't know if this is the issue, but it's the only thing I can think of from what I see.

Another thing I don't see is the routing protocol. Is it configured? Or did I just miss that?

I will be looking forward to seeing that sh ip route as well.

~z~
I agree with mikefalcone - i would remove the route map internet statements if they are not needed.

It's always a good idea to clean up those configs.

~z~
Just remove the routemap internet, that is your problem
Thanks for the info guys.  I don't have access until next week to the router but I set up a Lab and confirmed what you guys are saying.  It looks like I was just over complicating things.  I will make sure to give the points after I am able to make the change next week.  Thanks.

Chris
The ACLs used for route maps work like this: the ACLs are evaluated & if a match is found, the traffic is sent via whatever interface or next-hop IP is specified in the route map.  If a match isn't found, the traffic is sent via normal paths based on destination, ie, either based on dynamic routes or through your default gateway.  Route map ACLs don't "permit" or "deny" traffic, they simply match conditions & tell the router how to handle the traffic.

If you're sure you don't need the route maps anymore, remove them from each interface.  e.g.:
int f0/0
no ip policy route-map Internet

cheers
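As an added illustration of the PBR evaluation described above (this is example code, not anything posted in the thread), the Python model below encodes ACLs 101 and 199, the two route-maps and the routing table from the config at the top of the page and reports, for a packet arriving on a given interface, which sequence matched and whether a set next-hop overrode normal destination-based routing. It assumes only the "match ip address" clauses decide (the "match interface" lines are ignored) and derives the routing table from the two connected subnets and the static default route.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    proto: str
    dst: str
    dport: int = 0

# ACL 101 from the config: TCP to a listed port; anything else is an ACL miss (implicit deny).
ACL = {
    101: lambda p: p.proto == "tcp" and p.dport in {3389, 80, 21, 1433, 2725, 2393, 2394},
    199: lambda p: True,
}

# (sequence, ACL, next-hop) per route-map, as in the config. The "match interface"
# lines are not modelled here (assumption: only the ACL match decides).
ROUTE_MAPS = {
    "Internal": [(10, 101, None)],
    "Internet": [(11, 101, None), (20, 199, "192.168.1.10")],
}

# Routing table implied by the config: two connected subnets plus the static default.
ROUTES = [
    (ip_network("192.168.23.0/24"), "connected Fa0/0"),
    (ip_network("192.168.1.0/24"), "connected Fa0/1"),
    (ip_network("0.0.0.0/0"), "next-hop 192.168.23.10"),
]

# "ip policy route-map ..." applied on each ingress interface.
INGRESS_POLICY = {"FastEthernet0/0": "Internal", "FastEthernet0/1": "Internet"}

def policy_route(route_map, pkt):
    """(seq, next_hop) of the first matching sequence; next_hop None means route normally."""
    for seq, acl, next_hop in ROUTE_MAPS[route_map]:
        if ACL[acl](pkt):
            return seq, next_hop
    return None, None  # no sequence matched: PBR does nothing, no packet is dropped

def normal_route(dst):
    """Longest-prefix match over ROUTES."""
    addr = ip_address(dst)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def forward(ingress, pkt):
    """Forwarding decision for pkt arriving on ingress: PBR next-hop if set, else the table."""
    seq, next_hop = policy_route(INGRESS_POLICY[ingress], pkt)
    via = f"next-hop {next_hop}" if next_hop else normal_route(pkt.dst)
    return {"seq": seq, "via": via, "policy_routed": next_hop is not None}
```

Running forward() for RDP in either direction shows a match on ACL 101 with no set clause, so both go by the routing table; it is the non-101 traffic entering Fa0/1 that sequence 20 sends to 192.168.1.10 regardless of destination.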
Mike,

I just wanted to let you know that removing the routemaps did the trick.  Thanks.

Chris