mcw82
asked on
Cisco 2801 Routing Problems
I have a FW with WAN failover capabilities and 2 Internet connections. I noticed today the WAN failover didn't work. Checked settings on the firewall and it looked OK. Checked settings on router and this is where I am having problems. The ISP gave me a public IP and a /28 adressable internal range for the router. I hooked my laptop with one of the internal static IP's. From my laptop, I can ping the FE0/0 interface and the Serial0/1/0 interface. I can't get beyond that. From the router, I can ping/trace/resolve just about anything (I enabled DNS as well).
I noticed RIP2 was enabled on both the active interfaces as well as a static route.
Here is my config:
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname [My router]
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip name-server [mydnsserver]
!
!
!
interface FastEthernet0/0
description connected to FW
ip address [FE0/0 IP]
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
interface Serial0/1/0
description connected to Internet
ip address [Public IP of Router]
no ip proxy-arp
no fair-queue
service-module t1 remote-alarm-enable
!
router rip
version 2
network [Public network]
network [FE0/0 network]
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
ip http server
ip http access-class 1
ip http authentication local
!
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit [From FW] any
access-list 1 deny any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit [From FW] any
access-list 100 deny ip any any
no cdp run
!
control-plane
!
end
I noticed RIP2 was enabled on both the active interfaces as well as a static route.
Here is my config:
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname [My router]
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip name-server [mydnsserver]
!
!
!
interface FastEthernet0/0
description connected to FW
ip address [FE0/0 IP]
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
interface Serial0/1/0
description connected to Internet
ip address [Public IP of Router]
no ip proxy-arp
no fair-queue
service-module t1 remote-alarm-enable
!
router rip
version 2
network [Public network]
network [FE0/0 network]
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
ip http server
ip http access-class 1
ip http authentication local
!
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit [From FW] any
access-list 1 deny any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit [From FW] any
access-list 100 deny ip any any
no cdp run
!
control-plane
!
end
ASKER
I can also ping the Cisco's public IP from my primary Internet connection.
I assume that when you say you couldn't get past the router with your laptop, you mean while in failover mode.
I think you need to talk to the ISP. What is RIP there for? Is it for them? If so, the serial interface needs to be added to RIP also. What is the static route there for if they ARE using RIP?
Where is the failover? Is it with a 2nd router that you have? There is no failover in the config above.
I think you need to talk to the ISP. What is RIP there for? Is it for them? If so, the serial interface needs to be added to RIP also. What is the static route there for if they ARE using RIP?
Where is the failover? Is it with a 2nd router that you have? There is no failover in the config above.
ASKER
Let me clarify. My LAN is behind a firewall appliance. My two Internet connection routers plugs in the WAN ports of my firewall appliance. When I noticed the original failover problem, I disconnected the Cisco router from the firewall and connected my laptop directly to one of the Ethernet ports on the 2801. I used the IP config that was for the firewall on my laptop. So from there, I can ping the internal ethernet interface of the router and the serial WAN interface, but I can't get beyond that. When I connect directly to the router, I can resolve just about any public addresses (my other internet public IP, Google, Samspade, etc).
I don't know why the static route or RIP is being used. I thought the 2801 knows how to route between interfaces automatically and RIP is only used for router to router discovery.
I don't know why the static route or RIP is being used. I thought the 2801 knows how to route between interfaces automatically and RIP is only used for router to router discovery.
OK. It's likely that your laptop won't work when connected to the backup router is because the ISP still has a route pointing to the primary router. If this was true then disconnecting the primary router from the internet would allow your laptop to access the internet via the backup router.
Can you post the output from following on the router?
show ip route
show ip int br
And when you were connected with laptop, can you post your output from the following
tracert -d www.google.com
show ip route
show ip int br
And when you were connected with laptop, can you post your output from the following
tracert -d www.google.com
ASKER
:)
OK, some more clarification. My internet connections are from two different ISP's. The primary is a wireless connection, the backup is a T1. Both do not know the other exists. Now looking at my router config, should I disable RIP2 for the internal ethernet interface, but leave it on for the serial? Do I also need to remove my static entry?
OK, some more clarification. My internet connections are from two different ISP's. The primary is a wireless connection, the backup is a T1. Both do not know the other exists. Now looking at my router config, should I disable RIP2 for the internal ethernet interface, but leave it on for the serial? Do I also need to remove my static entry?
It's getting more complex by the minute! Please provide some kind of diagram of how things are connected to each other, and the sanitized configs for both routers. Instead of xing out all of the public IPs, please just x out the 1st 2 octets so we can get a better idea what's going on.
ASKER
My apologies for the confusion. I hope my simplistic networ diagram will suffice. I'll add the tracert output from the laptop connected to the router shortly after this.
LAN <--> FW <--> ISP #1 (Wireless)
<--> ISP #2 (Telco T1)
Show IP Route Output:
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
144.223.0.0/30 is subnetted, 1 subnets
C 144.223.x.x is directly connected, Serial0/1/0
S* 0.0.0.0/0 is directly connected, Serial0/1/0
show ip int br output:
Interface IP-Address OK? Method Status Prot
ocol
FastEthernet0/0 204.95.x.x YES manual up down
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/1/0 144.223.x.x YES SLARP up up
LAN <--> FW <--> ISP #1 (Wireless)
<--> ISP #2 (Telco T1)
Show IP Route Output:
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
144.223.0.0/30 is subnetted, 1 subnets
C 144.223.x.x is directly connected, Serial0/1/0
S* 0.0.0.0/0 is directly connected, Serial0/1/0
show ip int br output:
Interface IP-Address OK? Method Status Prot
ocol
FastEthernet0/0 204.95.x.x YES manual up down
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/1/0 144.223.x.x YES SLARP up up
ASKER
It's ISP #2, the telco T1 (and the 2801 provided to me for service) that I am having problems with. ISP #1 works like a champ...most of the time and is not the cause of my frustrations. So we can leave that one out.
Looking at your diagram... how does the firewall know if the wireless is down?
But the bigger problem is this: If you are using IP address space provided by the wireless ISP, the other ISP will never route to it via your T1 because the addresses are owned by the wireless ISP. On the internet, your little chunk of address space is summarized into a much bigger chunk.
Each router needs to NAT internal addresses into public addressing provided by the appropriate ISP. Or else, get your own personal subnet from ARIN and use BGP to your ISPs.
But the bigger problem is this: If you are using IP address space provided by the wireless ISP, the other ISP will never route to it via your T1 because the addresses are owned by the wireless ISP. On the internet, your little chunk of address space is summarized into a much bigger chunk.
Each router needs to NAT internal addresses into public addressing provided by the appropriate ISP. Or else, get your own personal subnet from ARIN and use BGP to your ISPs.
ASKER
When I performed a tracert from the laptop connected directly to the Cisco 2801, I get the unable to resolve target system name www.google.com.
As for the firewall and multi-homing, it's a Sonicwall 3060 with 6 programmable ports. Each connection has its own public IP address, since they are from two different ISP's. I entered the WAN IP configuration information for both connections (Public IP address, GW, DNS). The Sonicwall looks at the connection state for each WAN connection that feeds into it (I guess it's first looking at link state and then it probes certain IPs that I have entered). So when it determines the primary link is disconnected, it switches over to the secondary WAN connection and takes care of the internal NAT automatically.
So let's take it from this perspective. Let's imagine I don't have the wireless connection but only the T1. When I first received the T1, the ISP dropped the T1 line and configured only the public IP of 144.223.x.x. They didn't have nat enabled for the internal connection. My hopes was to just connect my firewall to the 2801 and use the 2801's internal IP as the FW's gateway. However, I couldn't do that since the ethernet interface and/or nat wasn't configured. I called them again with the problem and they gave me the 204.95.x.x/24 address for me to use internally, as I had mentioned I wanted to eventually run a few different services from the connection.
So this is where I am. Any ideas? :)
As for the firewall and multi-homing, it's a Sonicwall 3060 with 6 programmable ports. Each connection has its own public IP address, since they are from two different ISP's. I entered the WAN IP configuration information for both connections (Public IP address, GW, DNS). The Sonicwall looks at the connection state for each WAN connection that feeds into it (I guess it's first looking at link state and then it probes certain IPs that I have entered). So when it determines the primary link is disconnected, it switches over to the secondary WAN connection and takes care of the internal NAT automatically.
So let's take it from this perspective. Let's imagine I don't have the wireless connection but only the T1. When I first received the T1, the ISP dropped the T1 line and configured only the public IP of 144.223.x.x. They didn't have nat enabled for the internal connection. My hopes was to just connect my firewall to the 2801 and use the 2801's internal IP as the FW's gateway. However, I couldn't do that since the ethernet interface and/or nat wasn't configured. I called them again with the problem and they gave me the 204.95.x.x/24 address for me to use internally, as I had mentioned I wanted to eventually run a few different services from the connection.
So this is where I am. Any ideas? :)
ASKER
Also, I want to reiterate that from the router, via console, I can resolve/ping/trace anything....like www.google.com, different DNS servers, and even my other WAN IP. Based on this, can't I assume that there's an internal routing issue between the ethernet and serial interfaces?
When you said that you can ping from the router itself to anything, where you doing a straight ping/traceroute or an extended ping/traceroute? Reason I ask is that, if you are doing a straight ping/traceroute on the 2801, e.g ping 1.1.1.1 then you are sourcing the serial interface. If this is successfull then the internet is working just fine on that interface. However, if you are doing an extended ping/traceroute on the router sourcing the FastEthernet interface of the 2801 and this fails then there is definitely some routing issue.
e.g
Router#ping
Protocol [ip]:
Target IP address: 1.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: FastEthernet0/0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
I would say this is not your problem but your ISP. There's nothing you can do on your end but to call them up and tell them that you are having issues routing the 2nd subnet (204.95.x.x) they gave you. They should be able to fix this issue for you.
e.g
Router#ping
Protocol [ip]:
Target IP address: 1.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: FastEthernet0/0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
I would say this is not your problem but your ISP. There's nothing you can do on your end but to call them up and tell them that you are having issues routing the 2nd subnet (204.95.x.x) they gave you. They should be able to fix this issue for you.
ASKER
I performed a straight ping and traceroute to an Internet address. I'll try the extended ping tomorrow with the FE0/0 as the source. Just a side question, but why do I need RIP on the FE0/0 interface and the static route entry?
>FastEthernet0/0 204.95.x.x YES manual up down
The LAN port is down. Is it connected straight to the sonicwall? Using straight or xover patch cable?
>can't I assume that there's an internal routing issue between the ethernet and serial interfaces?
Yep. As long as the lan port is showing down, as far as the router is concerned, there is nothing to route
The LAN port is down. Is it connected straight to the sonicwall? Using straight or xover patch cable?
>can't I assume that there's an internal routing issue between the ethernet and serial interfaces?
Yep. As long as the lan port is showing down, as far as the router is concerned, there is nothing to route
>>> I'll try the extended ping tomorrow with the FE0/0 as the source.
Before you do the extended ping sourcing the FE0/0, make sure that the interface is UP/UP so plug your laptop back to it or plug it into a switch or something. I was assuming you didn't have the laptop plug in when you did the show ip route and show ip int brie. Like lrmoore said, make sure that you have the right cable if you have the laptop connected at the time the output was taken.
>>> Just a side question, but why do I need RIP on the FE0/0 interface and the static route entry?
Who configured RIP? If your ISP did all the configuration, they must have configured it there either doing some test and they forgot to clean up or they need it for some routing. Normally all you need is a default gateway configured, however, we don't know what's on your ISP's side. So like I mentioned before, you have to talk to them.
Before you do the extended ping sourcing the FE0/0, make sure that the interface is UP/UP so plug your laptop back to it or plug it into a switch or something. I was assuming you didn't have the laptop plug in when you did the show ip route and show ip int brie. Like lrmoore said, make sure that you have the right cable if you have the laptop connected at the time the output was taken.
>>> Just a side question, but why do I need RIP on the FE0/0 interface and the static route entry?
Who configured RIP? If your ISP did all the configuration, they must have configured it there either doing some test and they forgot to clean up or they need it for some routing. Normally all you need is a default gateway configured, however, we don't know what's on your ISP's side. So like I mentioned before, you have to talk to them.
why your FE0/0 is showing down.
FastEthernet0/0 204.95.x.x YES manual up down
can you post your routers config. Please remove your passwords and IP addresses from it .
FastEthernet0/0 204.95.x.x YES manual up down
can you post your routers config. Please remove your passwords and IP addresses from it .
ASKER
The router config is posted up on top. FE0/0 is showing down because my laptop, operating on battery, goes on standby. I will confirm again one more time. However, I was able to ping FE0/0 and the Serial0/1/0 from my laptop but not anything beyond. I will disable RIP on the FE0/0 interface. Should I also disable RIP on the Serial0/1/0?
Yeah, you can do that. Just do:
no router rip
Then after disabling RIP, do a straight ping just to make sure you can still go out to the internet from the Serial interface, then do the extended ping.
no router rip
Then after disabling RIP, do a straight ping just to make sure you can still go out to the internet from the Serial interface, then do the extended ping.
ASKER
Since I'm not even a Cisco neophyte, should I enable IP Routing so the fastethernet port can communicate with the serial port or is this already the default? I thought all router ports are aware of each other by default and knows how to send traffic to each other.
are their any ACL placed on router.
Have you check those.
what you need to do is to make sure that you have added default route.
use this command.
ip route 0.0.0.0 0.0.0.0 144.223.x.x
Have you check those.
what you need to do is to make sure that you have added default route.
use this command.
ip route 0.0.0.0 0.0.0.0 144.223.x.x
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
This is the output from my show access-list:
Standard IP access list 1
10 permit 204.95.151.xx, wildcard bits 0.0.0.15 (467 matches)
20 deny any (1 match)
Extended IP access list 100
10 permit ip 204.95.151.xx 0.0.0.15 any (4 matches)
20 deny ip any any
As for the default route (ip route 0.0.0.0 0.0.0.0 144.223.x.x), it should point to the IP of my serial interface or the serial interface itself?
Standard IP access list 1
10 permit 204.95.151.xx, wildcard bits 0.0.0.15 (467 matches)
20 deny any (1 match)
Extended IP access list 100
10 permit ip 204.95.151.xx 0.0.0.15 any (4 matches)
20 deny ip any any
As for the default route (ip route 0.0.0.0 0.0.0.0 144.223.x.x), it should point to the IP of my serial interface or the serial interface itself?
ASKER
Well, I've thrown in the towel and called my service provider. Hopefully they can figure out what's wrong. Thanks for you help, gentlemen.
ASKER