Cisco 2801 Routing Problems

I have a FW with WAN failover capabilities and 2 Internet connections.  I noticed today the WAN failover didn't work.  Checked settings on the firewall and it looked OK.  Checked settings on the router and this is where I am having problems.  The ISP gave me a public IP and a /28 addressable internal range for the router.  I hooked my laptop up with one of the internal static IPs.  From my laptop, I can ping the FE0/0 interface and the Serial0/1/0 interface.  I can't get beyond that.  From the router, I can ping/trace/resolve just about anything (I enabled DNS as well).

I noticed RIP2 was enabled on both the active interfaces as well as a static route.  

Here is my config:

version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname [My router]
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip name-server [mydnsserver]
!
!
!
interface FastEthernet0/0
 description connected to FW
 ip address [FE0/0 IP]
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/1/0
 description connected to Internet
 ip address [Public IP of Router]
 no ip proxy-arp
 no fair-queue
 service-module t1 remote-alarm-enable
!
router rip
 version 2
 network [Public network]
 network [FE0/0 network]
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
ip http server
ip http access-class 1
ip http authentication local
!
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit [From FW] any
access-list 1 deny   any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit [From FW] any
access-list 100 deny   ip any any
no cdp run
!
control-plane
!
end
Asked by: mcw82
 
mcw82 (Author) commented:
This isn't critical, but primary Internet link works OK.  I was in the process of making my backup link the primary, but realized this wasn't possible if I'm having routing problems with the Cisco (which was provided with the backup link/service).
 
mcw82 (Author) commented:
I can also ping the Cisco's public IP from my primary Internet connection.
 
mikebernhardt commented:
I assume that when you say you couldn't get past the router with your laptop, you mean while in failover mode.

I think you need to talk to the ISP. What is RIP there for? Is it for them? If so, the serial interface needs to be added to RIP also. What is the static route there for if they ARE using RIP?

Where is the failover? Is it with a 2nd router that you have? There is no failover in the config above.
 
mcw82 (Author) commented:
Let me clarify.  My LAN is behind a firewall appliance.  My two Internet connection routers plug into the WAN ports of my firewall appliance.  When I noticed the original failover problem, I disconnected the Cisco router from the firewall and connected my laptop directly to one of the Ethernet ports on the 2801.  I used the IP config that was for the firewall on my laptop.  So from there, I can ping the internal Ethernet interface of the router and the serial WAN interface, but I can't get beyond that.  When I connect directly to the router, I can resolve just about any public addresses (my other Internet public IP, Google, Samspade, etc.).

I don't know why the static route or RIP is being used.  I thought the 2801 knows how to route between interfaces automatically and RIP is only used for router to router discovery.  
 
mikebernhardt commented:
OK. It's likely that your laptop won't work when connected to the backup router because the ISP still has a route pointing to the primary router. If this were true, then disconnecting the primary router from the Internet would allow your laptop to access the Internet via the backup router.
 
naveedb commented:
Can you post the output from following on the router?

show ip route
show ip int br

And when you were connected with laptop, can you post your output from the following

tracert -d www.google.com
 
mcw82 (Author) commented:
:)

OK, some more clarification.  My Internet connections are from two different ISPs.  The primary is a wireless connection, the backup is a T1.  Neither knows the other exists.  Now looking at my router config, should I disable RIP2 for the internal Ethernet interface, but leave it on for the serial?  Do I also need to remove my static entry?
 
mikebernhardt commented:
It's getting more complex by the minute! Please provide some kind of diagram of how things are connected to each other, and the sanitized configs for both routers. Instead of xing out all of the public IPs, please just x out the 1st 2 octets so we can get a better idea what's going on.
 
mcw82 (Author) commented:
My apologies for the confusion.  I hope my simplistic network diagram will suffice.  I'll add the tracert output from the laptop connected to the router shortly after this.

LAN <-->  FW  <--> ISP #1 (Wireless)
                      <--> ISP #2 (Telco T1)

Show IP Route Output:

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     144.223.0.0/30 is subnetted, 1 subnets
C       144.223.x.x is directly connected, Serial0/1/0
S*   0.0.0.0/0 is directly connected, Serial0/1/0

show ip int br output:

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            204.95.x.x      YES manual up                    down
FastEthernet0/1            unassigned      YES unset  administratively down down
Serial0/1/0                144.223.x.x     YES SLARP  up                    up

 
mcw82 (Author) commented:
It's ISP #2, the telco T1 (and the 2801 provided to me for service) that I am having problems with.  ISP #1 works like a champ...most of the time and is not the cause of my frustrations.  So we can leave that one out.  
 
mikebernhardt commented:
Looking at your diagram... how does the firewall know if the wireless is down?

But the bigger problem is this: If you are using IP address space provided by the wireless ISP, the other ISP will never route to it via your T1 because the addresses are owned by the wireless ISP. On the internet, your little chunk of address space is summarized into a much bigger chunk.

Each router needs to NAT internal addresses into public addressing provided by the appropriate ISP. Or else, get your own personal subnet from ARIN and use BGP to your ISPs.
 
mcw82 (Author) commented:
When I performed a tracert from the laptop connected directly to the Cisco 2801, I get the unable to resolve target system name www.google.com.

As for the firewall and multi-homing, it's a Sonicwall 3060 with 6 programmable ports.  Each connection has its own public IP address, since they are from two different ISP's.  I entered the WAN IP configuration information for both connections (Public IP address, GW, DNS).  The Sonicwall looks at the connection state for each WAN connection that feeds into it (I guess it's first looking at link state and then it probes certain IPs that I have entered).  So when it determines the primary link is disconnected, it switches over to the secondary WAN connection and takes care of the internal NAT automatically.

So let's take it from this perspective.  Let's imagine I don't have the wireless connection but only the T1.  When I first received the T1, the ISP dropped the T1 line and configured only the public IP of 144.223.x.x.  They didn't have NAT enabled for the internal connection.  My hope was to just connect my firewall to the 2801 and use the 2801's internal IP as the FW's gateway.  However, I couldn't do that since the Ethernet interface and/or NAT wasn't configured.  I called them again with the problem and they gave me the 204.95.x.x/24 address for me to use internally, as I had mentioned I wanted to eventually run a few different services from the connection.

So this is where I am.  Any ideas? :)
 
mcw82 (Author) commented:
Also, I want to reiterate that from the router, via console, I can resolve/ping/trace anything....like www.google.com, different DNS servers, and even my other WAN IP.  Based on this, can't I assume that there's an internal routing issue between the ethernet and serial interfaces?
 
stressedout2004 commented:
When you said that you can ping from the router itself to anything, were you doing a straight ping/traceroute or an extended ping/traceroute? The reason I ask is that if you are doing a straight ping/traceroute on the 2801, e.g. ping 1.1.1.1, then you are sourcing from the serial interface. If this is successful, then the Internet is working just fine on that interface. However, if you are doing an extended ping/traceroute on the router sourcing from the FastEthernet interface of the 2801 and this fails, then there is definitely some routing issue.

e.g.
Router#ping
Protocol [ip]:
Target IP address: 1.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: FastEthernet0/0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
 
I would say this is not your problem but your ISP. There's nothing you can do on your end but to call them up and tell them that you are having issues routing the 2nd subnet (204.95.x.x) they gave you. They should be able to fix this issue for you.

 
mcw82 (Author) commented:
I performed a straight ping and traceroute to an Internet address.  I'll try the extended ping tomorrow with the FE0/0 as the source.  Just a side question, but why do I need RIP on the FE0/0 interface and the static route entry?
 
lrmoore commented:
>FastEthernet0/0            204.95.x.x   YES manual up                    down
The LAN port is down. Is it connected straight to the sonicwall? Using straight or xover patch cable?

>can't I assume that there's an internal routing issue between the ethernet and serial interfaces?
Yep. As long as the lan port is showing down, as far as the router is concerned, there is nothing to route

 
stressedout2004 commented:
>>> I'll try the extended ping tomorrow with the FE0/0 as the source.  

Before you do the extended ping sourcing from FE0/0, make sure that the interface is UP/UP, so plug your laptop back into it or plug it into a switch or something. I was assuming you didn't have the laptop plugged in when you did the show ip route and show ip int brie. Like lrmoore said, make sure that you have the right cable if you had the laptop connected at the time the output was taken.

>>> Just a side question, but why do I need RIP on the FE0/0 interface and the static route entry?

Who configured RIP? If your ISP did all the configuration, they must have configured it there, either while doing some test they forgot to clean up, or because they need it for some routing. Normally all you need is a default gateway configured; however, we don't know what's on your ISP's side. So, like I mentioned before, you have to talk to them.
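Two of the points made above, lrmoore's that an interface showing up/down contributes nothing to the routing table and so leaves the router nothing to route on that side, and stressedout2004's that the extended ping only tells you something once FE0/0 is up/up, can be turned into a check that runs over the show output. The script below is an added example, not code from the original thread or from anyone in it; its two input strings are constructed from the show ip int br and show ip route output mcw82 posted, with the masked octets kept as x, so it runs offline.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed from the two outputs mcw82 posted; the masked octets are kept as 'x'.
SHOW_IP_INT_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            204.95.x.x      YES manual up                    down
FastEthernet0/1            unassigned      YES unset  administratively down down
Serial0/1/0                144.223.x.x     YES SLARP  up                    up
"""
SHOW_IP_ROUTE = """\
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     144.223.0.0/30 is subnetted, 1 subnets
C       144.223.x.x is directly connected, Serial0/1/0
S*   0.0.0.0/0 is directly connected, Serial0/1/0
"""


@dataclass
class Interface:
    name: str
    ip: str
    status: str    # "up", "down" or "administratively down"
    protocol: str  # line protocol: "up" or "down"

    @property
    def forwarding(self) -> bool:
        # IOS installs the connected route, and forwards, only when both are up
        return self.status == "up" and self.protocol == "up"


# name, address, OK?, method, status (may contain a space), protocol
INT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(?:YES|NO)\s+\S+\s+(.+?)\s+(up|down)\s*$")
CONNECTED_RE = re.compile(r"^(\S+)\s+(\S+) is directly connected, (\S+)")
VIA_RE = re.compile(r"^(\S+)\s+(\S+) \[\d+/\d+\] via (\S+)")


def parse_int_brief(text: str) -> dict[str, Interface]:
    """Parse 'show ip interface brief'; the header line does not match INT_RE."""
    return {m[1]: Interface(*m.groups()) for m in map(INT_RE.match, text.splitlines()) if m}


def parse_routes(text: str) -> list[dict]:
    """One dict per route line: code, prefix, and either exit interface or next hop."""
    routes = []
    for line in text.splitlines():
        if m := CONNECTED_RE.match(line):
            routes.append({"code": m[1], "prefix": m[2], "exit": m[3], "nexthop": None})
        elif m := VIA_RE.match(line):
            routes.append({"code": m[1], "prefix": m[2], "exit": None, "nexthop": m[3]})
    return routes


def diagnose(int_brief: str, route_table: str) -> list[str]:
    intfs = parse_int_brief(int_brief)
    routes = parse_routes(route_table)
    findings = []
    for i in intfs.values():
        if i.status == "up" and i.protocol == "down":
            findings.append(
                f"{i.name} is up/down: line protocol failed, so there is no connected route "
                f"for {i.ip} and nothing arriving on it is routed; check cable type, "
                "speed/duplex on both ends, and keepalives")
        elif i.status == "down":
            findings.append(f"{i.name} is down/down: no carrier")
        # "administratively down" is a deliberate 'shutdown', nothing to report

    # cross-check: every up/up interface with an address must show a C route
    connected = {r["exit"] for r in routes if r["code"] == "C"}
    for i in intfs.values():
        if i.forwarding and i.ip != "unassigned" and i.name not in connected:
            findings.append(f"{i.name} is up/up but has no connected route in the table")

    defaults = [r for r in routes if r["prefix"] == "0.0.0.0/0"]
    if not defaults:
        findings.append("no default route: Internet-bound traffic is dropped")
    for r in defaults:
        exit_if = r["exit"]
        if exit_if is None:
            findings.append(f"default route via next hop {r['nexthop']}")
        elif exit_if in intfs and intfs[exit_if].forwarding:
            findings.append(f"default route exits via {exit_if}, which is up/up")
        else:
            findings.append(f"default route exits via {exit_if}, which is not up/up")
    return findings


if __name__ == "__main__":
    for line in diagnose(SHOW_IP_INT_BRIEF, SHOW_IP_ROUTE):
        print("-", line)
```

Run as-is it reports FastEthernet0/0 as up/down, which is the whole story for the laptop test: with line protocol down there is no connected route for the /28, so even a correct default route has nothing on the LAN side to forward for. The cross-check is there for the next step: once the port is up/up, a show ip route taken at that moment must list the 204.95.x.x/28 as C on FastEthernet0/0, and if it does not, look at the interface's address configuration before anything upstream.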
 
prashsax commented:
Why is your FE0/0 showing down?

FastEthernet0/0            204.95.x.x   YES manual up                    down


Can you post your router's config? Please remove your passwords and IP addresses from it.
 
mcw82 (Author) commented:
The router config is posted up on top.  FE0/0 is showing down because my laptop, operating on battery, goes on standby.  I will confirm again one more time.  However, I was able to ping FE0/0 and the Serial0/1/0 from my laptop but not anything beyond.  I will disable RIP on the FE0/0 interface.  Should I also disable RIP on the Serial0/1/0?  
 
stressedout2004 commented:
Yeah, you can do that. Just do:

no router rip

Then after disabling RIP, do a straight ping just to make sure you can still go out to the internet from the Serial interface, then do the extended ping.
 
mcw82 (Author) commented:
Since I'm not even a Cisco neophyte, should I enable IP routing so the FastEthernet port can communicate with the serial port, or is this already the default?  I thought all router ports are aware of each other by default and know how to send traffic to each other.
 
prashsax commented:
Are there any ACLs placed on the router?

Have you checked those?

What you need to do is to make sure that you have added a default route.

use this command.

ip route 0.0.0.0 0.0.0.0 144.223.x.x

 
stressedout2004 commented:
Both the FastEthernet and serial ports are local to the router; they don't even use IP routing to communicate, they use ARP.
All you need for now is the default gateway and nothing else, which you already have.

ip route 0.0.0.0 0.0.0.0 Serial0/1/0
 
mcw82 (Author) commented:
This is the output from my show access-list:

Standard IP access list 1
    10 permit 204.95.151.xx, wildcard bits 0.0.0.15 (467 matches)
    20 deny   any (1 match)
Extended IP access list 100
    10 permit ip 204.95.151.xx 0.0.0.15 any (4 matches)
    20 deny ip any any

As for the default route (ip route 0.0.0.0 0.0.0.0 144.223.x.x), it should point to the IP of my serial interface or the serial interface itself?
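Three things are still open at this point: whether the two access-lists could be blocking anything (prashsax's question), what RIP is doing on both interfaces, and whether the default route should name the serial interface or an address. All three can be read off the running-config mechanically. The script below is an added example, not the original poster's or anyone else's tool; it lints a constructed copy of the config posted in the question, reduced to the relevant stanzas, with the masked addresses replaced by placeholder values (204.95.151.1/28 on FastEthernet0/0, 144.223.0.1/30 on Serial0/1/0) chosen to match the access-list output above.

```python
import re
from ipaddress import ip_address, ip_interface, ip_network
# Constructed copy of the posted config with placeholder addresses (masked in the post).
RUNNING_CONFIG = """\
interface FastEthernet0/0
 ip address 204.95.151.1 255.255.255.240
!
interface Serial0/1/0
 ip address 144.223.0.1 255.255.255.252
!
router rip
 network 144.223.0.0
 network 204.95.151.0
!
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
ip http server
ip http access-class 1
!
access-list 1 permit 204.95.151.0 0.0.0.15
access-list 1 deny   any
access-list 100 permit ip 204.95.151.0 0.0.0.15 any
access-list 100 deny   ip any any
"""

def parse_sections(cfg):
    # IOS config -> list of (top-level line, [indented child lines]); '!' and blanks dropped
    sections = []
    for raw in cfg.splitlines():
        if raw.strip() and not raw.startswith("!"):
            if raw.startswith(" ") and sections:
                sections[-1][1].append(raw.strip())
            else:
                sections.append((raw.strip(), []))
    return sections

def interfaces(sections):
    # interface name -> (ip_interface or None, child lines)
    out = {}
    for header, body in sections:
        if header.startswith("interface "):
            m = next(filter(None, (re.match(r"ip address (\S+) (\S+)$", l) for l in body)), None)
            out[header[10:]] = (ip_interface(f"{m[1]}/{m[2]}") if m else None, body)
    return out

def classful(net):
    """RIP 'network' statements are classful: the first octet decides /8, /16 or /24."""
    first = int(net.split(".")[0])
    return ip_network(f"{net}/{8 if first < 128 else 16 if first < 192 else 24}", strict=False)

def default_route(sections):
    # target of 'ip route 0.0.0.0 0.0.0.0 X': an interface name or a next-hop address
    hits = (re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", h) for h, _ in sections)
    return next((m[1] for m in hits if m), None)

def rip_findings(sections, intfs, wan):
    """One line per interface RIP is active on, and whether its updates are authenticated."""
    out = []
    for header, body in sections:
        if header == "router rip":
            nets = [classful(l.split()[1]) for l in body if l.startswith("network ")]
            for name, (addr, ibody) in intfs.items():
                if addr and any(addr.ip in n for n in nets):
                    auth = any(l.startswith("ip rip authentication") for l in ibody)
                    role = "Internet-facing" if name == wan else "toward the firewall"
                    out.append(f"RIP v2 on {name} ({role}): " + ("authenticated" if auth else
                               "unauthenticated, anything on that link can inject routes"))
    return out

def default_route_findings(target, intfs):
    """Exit-interface form is fine on point-to-point; a next hop must be the far end of a link."""
    if target is None:
        return "no default route configured"
    if target in intfs:
        return f"default route via interface {target}: fine on a point-to-point link"
    nh = ip_address(target)
    for name, (addr, _) in intfs.items():
        if addr and nh == addr.ip:
            return f"default route next hop {nh} is this router's own {name} address, not a gateway"
        if addr and nh in addr.network:
            return f"default route via next hop {nh} on {name}: fine"
    return f"default route next hop {nh} is on no connected subnet"

def acl_findings(sections):
    # where each access-list is applied: transit (ip access-group) or management plane only
    defined = {h.split()[1] for h, _ in sections if h.startswith("access-list ")}
    applied = {}
    for header, body in sections:
        for l in [header] + body:
            if m := re.match(r"(ip http access-class|ip access-group|access-class) (\S+)", l):
                plane = "transit" if m[1] == "ip access-group" else "management"
                applied.setdefault(m[2], []).append(f"{plane}: {header}")
    return {acl: "applied nowhere in this config" if acl not in applied else
            "management plane only, cannot block transit traffic" if
            all(u.startswith("management") for u in applied[acl]) else
            "filters transit traffic: " + ", ".join(applied[acl]) for acl in defined}

def lint(cfg):
    sections = parse_sections(cfg)
    intfs, target = interfaces(sections), default_route(sections)
    return {"rip": rip_findings(sections, intfs, target if target in intfs else None),
            "default_route": default_route_findings(target, intfs), "acl": acl_findings(sections)}
```

On the posted config it reports RIP v2 running unauthenticated on both interfaces, which is the security caveat in this thread: with network statements covering both links and no ip rip authentication or passive-interface, the 2801 sends updates toward the firewall and processes whatever RIP arrives over the T1, so no router rip (as suggested above) is the right call unless the ISP says it needs RIP, in which case the serial side needs MD5 keys and FE0/0 should be passive. The default route is fine as written: the exit-interface form is correct on a point-to-point serial link, and if it is ever rewritten as a next hop it must be the far end of the /30, never the router's own 144.223.x.x. ACL 1 is referenced only by ip http access-class, so it limits who may reach the router's web interface and cannot touch transit traffic; ACL 100 is applied nowhere in the posted config, which omits the line vty section where its remark says it belongs.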
 
mcw82 (Author) commented:
Well, I've thrown in the towel and called my service provider.  Hopefully they can figure out what's wrong.  Thanks for your help, gentlemen.
