Solved

configure 2 Cisco 1721 routers for a point to point T1 to provide access to the Internet, Citrix and Exchange

Posted on 2006-06-05
Last Modified: 2010-04-17
Please help.  I've gotten in over my head, again.
 
I've got 2 Cisco 1721s connected to a T1.
I am able to ping both the inside (192.168.1.60) and outside (10.0.0.1) of Point "A"  from Point "B."
I am unable to ping anything else on Point "A"

I haven't tested it the other way.  I won't be back on-site until tomorrow.

I've gotten this far by studying the other posts and combining it with what I thought I knew.  Any corrective configuration advice is deeply appreciated.

Here is the scenario:

Point to Point T1
2 Cisco 1721s with T1wic installed
40 miles of the worst friggin traffic in the Philly area

Point (A)
local LAN 192.168.1.0 255.255.255.0
DNS server 192.168.1.1
Internet router 192.168.1.2

Cisco configuration:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

hostname rahnchalf

boot-start-marker
boot-end-marker

enable secret 5 (removed)
enable password (removed)

username (removed) privilege 15 password 0 (removed)
no aaa new-model
ip subnet-zero

ip name-server 192.168.1.1

ip cef

interface FastEthernet0
 description connected to Chalfont
 ip address 192.168.1.60 255.255.255.0
 ip access-group sdm_fastethernet0_in in
 ip nat outside
 speed auto
 full-duplex
 no keepalive

interface Serial0
 ip address 10.0.0.1 255.255.255.0
 ip access-group sdm_serial0_in in
 ip nat inside
 service-module t1 clock source internal
 service-module t1 remote-alarm-enable

router rip
 version 2
 passive-interface FastEthernet0
 network 192.168.1.0
 network 192.168.9.0
 no auto-summary

ip nat inside source list 1 interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 192.168.9.0 255.255.255.0 Serial0 permanent
ip http server
ip http authentication local

ip access-list extended sdm_fastethernet0_in
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended sdm_serial0_in
 remark SDM_ACL Category=1
 permit ip any any
access-list 1 permit 192.168.9.0 0.0.0.255

line con 0
 password (removed)
 login
line aux 0
line vty 0 4
 privilege level 15
 password (removed)
 login local
 transport input telnet

end

Point (B)

version 12.3
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

hostname (removed)

boot-start-marker
boot-end-marker

no logging buffered
enable secret 5 (removed)
enable password (removed)

mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef

ip dhcp excluded-address 192.168.9.1 192.168.9.3

ip dhcp pool 1
   network 192.168.9.0 255.255.255.0
   default-router 192.168.9.1
   dns-server 192.168.1.1

ip name-server 192.168.1.1
no ftp-server write-enable

interface FastEthernet0
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
 no keepalive
 no cdp enable

interface Serial0
 ip address 10.0.0.2 255.255.255.0
 ip nat outside
 service-module t1 remote-alarm-enable

router rip
 version 2
 network 192.168.1.0
 network 192.168.9.0
 no auto-summary

ip nat inside source list 1 interface Serial0 overload
ip classless
ip route 192.168.1.0 255.255.255.0 Serial0 permanent
ip route 192.168.9.0 255.255.255.0 FastEthernet0 permanent
ip http server

access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.9.0 0.0.0.255
snmp-server community rahns RO
snmp-server enable traps tty

line con 0
 exec-timeout 0 0
 password (removed)
 login
line aux 0
line vty 0 4
 password (removed)
 login

end
Question by: bxcarwilly

35 Comments

Expert Comment

by:Don Johnston
ID: 16837548
>I am unable to ping anything else on Point "A"

Other than the two interfaces, what else is there on Point "A" to ping?

If you mean beyond Point A, then Point B will need a route to the destination. I would use a default route like you have on Point A except send it out the serial0 interface.

RouterB(config)# ip route 0.0.0.0 0.0.0.0 serial0

Also (not that it's causing a problem), your RIP configuration is useless. You're using static routes so why have RIP running?

Author Comment

by:bxcarwilly
ID: 16837971
>Other than the two interfaces, what else is there on Point "A" to ping?

My Internet gateway, DNS and Exchange servers are behind Point "A."
I figured if I cannot ping them, my clients at Point "B" will not be able to access them.

I took a configuration from a similar post and tried to tailor it for what I need to do.  I am not familiar with RIP but it was in my sample configuration.

I will add the default route tomorrow.  Do you think it will accomplish all I'm looking to do?

Expert Comment

by:Don Johnston
ID: 16838232
I assumed Point "A" was the router. Sorry.

Do the servers have a default gateway of 192.168.1.60?

Expert Comment

by:Don Johnston
ID: 16838243
Oh yeah, and you can forget about it working the other way (Point A -> Point B) unless you start port forwarding on each router to get through the NAT. BTW, why do you have NAT setup... on both routers?

Author Comment

by:bxcarwilly
ID: 16838342
The default gateway on 192.168.1.0 is 192.168.1.2  => Internet router (Netscreen 25)
The Exchange, DHCP & DNS server is 192.168.1.1
192.168.1.60 is the LAN interface on the Cisco 1721 located at Point "A"

I don't know what I'm doing.  I thought communication between the 2 different networks would require the use of NAT.  I'm familiar with the basics of TCP/IP and this project has shown me how much I do not understand.


Expert Comment

by:Don Johnston
ID: 16838769
First off, your configs are basically sound... with a couple exceptions. ;-)

Since all of your networks use private IP addresses, there's probably no need for NAT. It's most likely already being done on the "Internet" router.

There are a couple ways to make this work.

First to simplify things, I'd get rid of the NAT on both routers. In interface config mode, issue a "no ip nat inside" or "no ip nat outside" on each of the interfaces.

Option 1:
Next, if you can't configure the "internet" router, then you'll need to add a route to each server. Something like:

"route add 192.138.9.0 mask 255.255.255.0 192.168.1.60"

Option 2:
An easier way would be to add a route to the "internet" router like above. That way you don't have to do it on each server.

Option 3:
Another way would be to enable a routing protocol (like RIP, for example) on all of your routers. If you can enable RIP on the "internet" router, add the following commands on the 1720 Point "A" router:

router RIP
 network 192.168.1.0
 network 10.0.0.0

and on the Point "B" router:

router rip
 network 10.0.0.0
 network 192.168.9.0



Author Comment

by:bxcarwilly
ID: 16838832
>Option 1:
>Next, if you can't configure the "internet" router, then you'll need to add a route to each server. Something like:

>"route add 192.138.9.0 mask 255.255.255.0 192.168.1.60"

to each server?  did you mean, to each router?


Expert Comment

by:Don Johnston
ID: 16838870
No. Each server on the 192.168.1.0 network will need to know how to get to the 192.168.9.0 network. If the servers are windows, the commands above will create a route (if you fix the typo, that is) to that network.

This still won't help if the Point "B" devices are trying to get past the 192.168.1.0 network to the internet, though. For that to work, the "internet" router needs a route back (option 2 or 3).

Author Comment

by:bxcarwilly
ID: 16838915
OK.  So to accomplish all the goals.  

Configure RIP properly on both Ciscos
Remove the NAT configurations from both Ciscos
And add the routes on all servers

Do I have to worry about port forwarding with NAT disabled?

Author Comment

by:bxcarwilly
ID: 16838923
BTW..  I appreciate your patience and guidance.

Expert Comment

by:Don Johnston
ID: 16838948
You don't HAVE to configure RIP on the Ciscos. You've already got static routes. If you run RIP on the Ciscos AND your current default gateway (the 192.168.1.1 router), then you don't have to create routes on the servers.

But if you don't run RIP on all the routers, then you'll need to create static routes on the servers.

Author Comment

by:bxcarwilly
ID: 16845511
Ok.  I made a mistake above.  The default gateway on the servers of the 192.168.1.0 network is 192.168.1.11.
It is a Cisco 2600 that I was able to console and add ip route 192.168.9.0 255.255.255.0 192.168.1.60.
I've removed the RIP configuration and NAT entries from Point A.
Do I still need to enable port forwarding?

Expert Comment

by:Don Johnston
ID: 16846315
Can a Point B device ping a Point A device now?

You will only need to do port forwarding if a device from Point A needs to initiate communications to a device at Point B.


Author Comment

by:bxcarwilly
ID: 16848417
Yes, Point B can ping Point A.

I cannot get to the Internet though.

I see it resolve the name to IP but still cannot find the server.
The DNS server which resides at Point A is 192.168.1.1
The default gateway, is 192.168.1.11
The actual Internet router is 192.168.1.2

I'll post the new configurations next.

Expert Comment

by:Don Johnston
ID: 16848432
In order to get past Point A (to the internet, for example), the router that goes from Point A towards the internet must have a route in its routing table for the 192.168.9.0 network that points to 192.168.1.60.

Author Comment

by:bxcarwilly
ID: 16848462
Point "A"

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname (removed)
!
boot-start-marker
boot-end-marker
!
enable secret 5 (removed)
enable password (removed)
!
username (removed) privilege 15 password 0 (removed)
no aaa new-model
ip subnet-zero
!
!
ip name-server 192.168.1.1
!
ip cef
!
!
!
!
interface FastEthernet0
 description connected to Chalfont
 ip address 192.168.1.60 255.255.255.0
 ip access-group sdm_fastethernet0_in in
 speed auto
 full-duplex
 no keepalive
!
interface Serial0
 ip address 10.0.0.1 255.255.255.0
 ip access-group sdm_serial0_in in
 service-module t1 clock source internal
 service-module t1 remote-alarm-enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 192.168.9.0 255.255.255.0 Serial0 permanent
ip http server
ip http authentication local
!
!
ip access-list extended sdm_fastethernet0_in
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended sdm_serial0_in
 remark SDM_ACL Category=1
 permit ip any any
access-list 1 permit 192.168.9.0 0.0.0.255
!
line con 0
 password (removed)
 login
line aux 0
line vty 0 4
 privilege level 15
 password (removed)
 login local
 transport input telnet
!
!
end

Point "B"

!
version 12.3
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname (removed)
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 (removed)
enable password (removed)
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.9.1 192.168.9.3
!
ip dhcp pool 1
   network 192.168.9.0 255.255.255.0
   dns-server 192.168.1.1
   default-router 192.168.9.1
!
ip name-server 192.168.1.1
no ftp-server write-enable
!
!
!
!
interface FastEthernet0
 ip address 192.168.9.1 255.255.255.0
 speed auto
 full-duplex
 no keepalive
 no cdp enable
!
interface Serial0
 ip address 10.0.0.2 255.255.255.0
 service-module t1 remote-alarm-enable
!
ip nat inside source list 1 interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 192.168.1.0 255.255.255.0 Serial0 permanent
ip route 192.168.9.0 255.255.255.0 FastEthernet0 permanent
ip http server
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.9.0 0.0.0.255
snmp-server community rahns RO
snmp-server enable traps tty
!
line con 0
 exec-timeout 0 0
 password (removed)
 login
line aux 0
line vty 0 4
 password (removed)
 login
!
!
end

Author Comment

by:bxcarwilly
ID: 16848473
I added:

ip route 192.168.9.0 255.255.255.0 192.168.1.60

to the 192.168.1.11 which is the gateway for the clients and servers on the 192.168.1.0 network.

Still doesn't work.

Author Comment

by:bxcarwilly
ID: 16848488
do I need to put that route into the actual Internet router =>192.168.1.2?

It is a Netscreen25 that noone has the credentials to configure.

Is there another way?

Expert Comment

by:Don Johnston
ID: 16848491
Yeah, but you said the internet router was 192.168.1.2... That's the router which needs a route to the 192.168.9.0 network.

Expert Comment

by:Don Johnston
ID: 16848587
>Is there another way?

Yes... NAT on the Point A router. :-)

Just like you had it before.
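
The return-path problem Don describes in the comments above (the device that forwards toward the Internet needs a route back to 192.168.9.0/24, and NAT on Point A stands in for that route when the Netscreen cannot be configured) is easiest to see by walking a packet and its reply hop by hop. The script below is an added example, not code from the thread or from either participant. It reconstructs each device's routing table from the posted configs and comments, and it assumes three things the thread does not state: that Point A's default route out FastEthernet0 ends up at the Netscreen, that the Netscreen's own NAT hands Internet replies back to it, and that the upstream provider discards packets for RFC 1918 destinations. The Point B host 192.168.9.50 and the Internet destination 203.0.113.10 (an RFC 5737 documentation address) are constructed for the example.

```python
"""Hop-by-hop return-path walk for the Point A / Point B topology.

Added example, not from the thread. Each device's routing table is
reconstructed from the posted configs and comments; forwarding is
longest-prefix match. Assumptions (not stated in the thread): Point A's
default route out FastEthernet0 ends up at the Netscreen, the Netscreen's
own NAT hands Internet replies back to it, and the upstream drops RFC 1918
destinations. Host 192.168.9.50 and destination 203.0.113.10 are made up.
"""
import ipaddress

B_LAN = ipaddress.ip_network("192.168.9.0/24")
A_NAT_ADDR = "192.168.1.60"  # Point A FastEthernet0: the PAT address when NAT is on


def build_tables(route_on_2600: bool) -> dict:
    """(prefix, next hop) lists; 'connected' delivers on an attached LAN,
    a device name hands the packet on, 'drop' discards it."""
    tables = {
        "PointB": [("192.168.9.0/24", "connected"), ("10.0.0.0/24", "connected"),
                   ("0.0.0.0/0", "PointA")],           # ip route 0.0.0.0 0.0.0.0 Serial0
        "PointA": [("10.0.0.0/24", "connected"), ("192.168.1.0/24", "connected"),
                   ("192.168.9.0/24", "PointB"),        # ip route 192.168.9.0 ... Serial0
                   ("0.0.0.0/0", "Netscreen")],         # default out FastEthernet0 (assumed
                                                        # to reach the Netscreen)
        "Gateway2600": [("192.168.1.0/24", "connected"), ("0.0.0.0/0", "Netscreen")],
        "Netscreen": [("192.168.1.0/24", "connected"), ("0.0.0.0/0", "ISP")],
        # Assumption: the upstream discards packets for RFC 1918 destinations.
        "ISP": [("10.0.0.0/8", "drop"), ("172.16.0.0/12", "drop"),
                ("192.168.0.0/16", "drop"), ("0.0.0.0/0", "connected")],
    }
    if route_on_2600:  # 'ip route 192.168.9.0 255.255.255.0 192.168.1.60' on the 2600
        tables["Gateway2600"].insert(0, ("192.168.9.0/24", "PointA"))
    return tables


def lookup(table: list, dst: str):
    """Longest-prefix match; None when no entry covers dst."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def route_packet(tables: dict, first_hop: str, dst: str, max_hops: int = 8):
    """Walk a packet from first_hop toward dst; returns (path, delivered)."""
    path, node = [], first_hop
    for _ in range(max_hops):
        path.append(node)
        nh = lookup(tables[node], dst)
        if nh in (None, "drop"):
            return path, False
        if nh == "connected":
            return path, True
        node = nh
    return path, False  # routing loop


def round_trip(tables: dict, src_ip: str, src_gw: str, dst_ip: str,
               reply_start: str, nat_on_a: bool):
    """Forward a packet and its reply. reply_start is the first device that routes
    the reply: the destination's gateway, or the Netscreen for Internet replies."""
    fwd, ok = route_packet(tables, src_gw, dst_ip)
    if not ok:
        return fwd, [], False
    reply_dst = src_ip
    if nat_on_a and "PointA" in fwd and ipaddress.ip_address(src_ip) in B_LAN:
        reply_dst = A_NAT_ADDR  # Point A's PAT rewrote the 192.168.9.x source
    rev, ok = route_packet(tables, reply_start, reply_dst)
    if ok and reply_dst == A_NAT_ADDR:
        tail, ok = route_packet(tables, "PointA", src_ip)  # Point A un-translates
        rev += tail
    return fwd, rev, ok


def b_host_reaches_server(route_on_2600: bool, nat_on_a: bool) -> bool:
    t = build_tables(route_on_2600)
    return round_trip(t, "192.168.9.50", "PointB", "192.168.1.1", "Gateway2600", nat_on_a)[2]


def b_host_reaches_internet(route_on_2600: bool, nat_on_a: bool) -> bool:
    t = build_tables(route_on_2600)
    return round_trip(t, "192.168.9.50", "PointB", "203.0.113.10", "Netscreen", nat_on_a)[2]


if __name__ == "__main__":
    for route, nat in [(False, False), (True, False), (True, True)]:
        print(f"route on 2600={route!s:<5} NAT on A={nat!s:<5} -> "
              f"server: {b_host_reaches_server(route, nat)!s:<5} "
              f"Internet: {b_host_reaches_internet(route, nat)}")
```

Run as-is it prints three rows: with no route on the 2600 nothing comes back, with the route on the 2600 the servers answer but Internet replies die at the ISP because the Netscreen sends 192.168.9.x traffic upstream, and with NAT on Point A both work, because every reply is addressed to 192.168.1.60, which the 2600 and the Netscreen both see as directly connected. The same walk shows the cost of that fix: once the source is rewritten, nothing on 192.168.1.0/24 can initiate a connection to a 192.168.9.x host, which is the port-forwarding caveat raised earlier in the thread.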

Author Comment

by:bxcarwilly
ID: 16848643
OK.  So, I should setup NAT just like this:


interface FastEthernet0
 description connected to Chalfont
 ip address 192.168.1.60 255.255.255.0
 ip access-group sdm_fastethernet0_in in
 ip nat outside
 speed auto
 full-duplex
 no keepalive

interface Serial0
 ip address 10.0.0.1 255.255.255.0
 ip access-group sdm_serial0_in in
 ip nat inside
 service-module t1 clock source internal
 service-module t1 remote-alarm-enable

and I should be able to get Internet and access to servers on the 192.168.1.0

Expert Comment

by:Don Johnston
ID: 16848679
Don't forget:

ip nat inside source list 1 interface FastEthernet0 overload
access-list 1 permit any

Expert Comment

by:Don Johnston
ID: 16848685
I gotta run for now. I'll back in around 10 hours...

Author Comment

by:bxcarwilly
ID: 16848694
Awesome.  Thanks for all your help.  I will fix the configuration at Point "A" and let you know how it goes

Author Comment

by:bxcarwilly
ID: 16860523
Uh oh.  Not sure what happened.  I've lost my connection thru the T1.  The AL light is illuminated and I can no longer access the router via SDM from Point "A" while attached to that LAN.  I'm leaving to go on-site.  I'll check back in 3 hours.

Author Comment

by:bxcarwilly
ID: 16862036
OK.  I got the T1 back up.  However, when I add:

ip nat inside source list 1 interface FastEthernet0 overload
access-list 1 permit any

I lose access to the SDM and, the strangest thing, after disconnecting from the console, I'm unable to access it again with my credentials.

This is drivin' me crazy.  Here is the current config from Point "A"

Using 1278 out of 29688 bytes                            
!
! Last configuration change at 03:33:46 UTC Wed Jun 7 2006                                                          
! NVRAM config last updated at 03:33:50 UTC Wed Jun 7 2006                                                          
!
version 12.3            
service timestamps debug datetime msec                                      
service timestamps log datetime msec                                    
no service password-encryption                              
!
hostname rahnchalf                  
!
boot-start-marker                
boot-end-marker              
!
enable secret 5 (removed)                                              
enable password (removed)                      
!
no aaa new-model                
ip subnet-zero              
!
!
ip name-server 192.168.1.1                          
!
ip cef      
!
!
!
!
interface FastEthernet0                      
 ip address 192.168.1.60 255.255.255.0                                      
 ip access-group sdm_fastethernet0_in in                                        
 ip nat outside              
 speed auto          
 full-duplex            
 no keepalive            
!
interface Serial0                
 description connected to Chalfont                                  
 ip address 10.0.0.1 255.255.255.0                                  
 ip access-group sdm_serial0_in in                                  
 ip nat inside              
 service-module t1 clock source internal                                        
 service-module t1 remote-alarm-enable                                      
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 192.168.9.0 255.255.255.0 Serial0 permanent
ip http server
ip http authentication local
!
!
ip access-list extended sdm_fastethernet0_in
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended sdm_serial0_in
 remark SDM_ACL Category=1
 permit ip any any
access-list 1 permit 192.168.9.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
 password (removed)
 login
!
!
end

You sure are earning these points.   What the heck am I doing wrong?

Bill

Expert Comment

by:Don Johnston
ID: 16862319
Sorry. I didn't notice your SDM config info.

Get rid of the existing NAT config and change it to:

ip nat inside source list 2 interface FastEthernet0 overload
access-list 2 permit any

Author Comment

by:bxcarwilly
ID: 16862458
>Get rid of the existing NAT config and change it to:

I'm sorry, I'm a little gun shy.  Just to make sure I'm understanding you.  Which lines should I get rid of?

interface FastEthernet0                      
 ip address 192.168.1.60 255.255.255.0                                      
 ip access-group sdm_fastethernet0_in in                                        
 ip nat outside  <=== remove this?              
 speed auto          
 full-duplex            
 no keepalive            
!
interface Serial0                
 description connected to Chalfont                                  
 ip address 10.0.0.1 255.255.255.0                                  
 ip access-group sdm_serial0_in in                                  
 ip nat inside    <=== remove this?          
 service-module t1 clock source internal                                        
 service-module t1 remote-alarm-enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 192.168.9.0 255.255.255.0 Serial0 permanent
ip http server
ip http authentication local
!
!
ip access-list extended sdm_fastethernet0_in
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended sdm_serial0_in
 remark SDM_ACL Category=1
 permit ip any any
access-list 1 permit 192.168.9.0 0.0.0.255

and add:
                     
ip nat inside source list 2 interface FastEthernet0 overload
access-list 2 permit any

Author Comment

by:bxcarwilly
ID: 16862896
I took a chance and did what I thought you meant.

I removed ==> ip nat outside from interface FastEthernet0
I removed ==> ip nat inside from interface Serial0

and added

ip nat inside source list 2 interface FastEthernet0 overload
access-list 2 permit any

I can now access the SDM but my clients behind the router at point 'B' are unable to get to the Internet.

Author Comment

by:bxcarwilly
ID: 16862991
I accessed the SDM on the router at Point 'B' from a workstation on the LAN of Point 'A,' and ran a communication test on Serial0 that failed with the following error:

Pinging to the destination host(s) failed.  The possible reason may be one of the following,

1.  The detected DNS servers or the IP address or hostname specified are unreachable or not responding.

2.  In case of DSL interfaces, this may be due to mismatch of encapsulation at the remote end.

The same test on FastEthernet0 failed with the following error:

To test connectivity, SDM tries to PING the configured DNS servers.  However there is no configured route to any of the DNS servers through the selected interface.

should I add

ip route 192.168.1.1 255.255.255.0 serial0 permanent  ???




Author Comment

by:bxcarwilly
ID: 16863024
Nevermind, that did not work.  

Accepted Solution

by: Don Johnston (earned 2000 total points)
ID: 16864334
Here's what you need to do:

int fast0
 ip nat outside
int serial0
 ip nat inside
ip nat inside source list 2 interface FastEthernet0 overload
access-list 2 permit any

If it doesn't work after this, repost your current config.
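
Before pasting the five lines above into a router that is only reachable across the link being changed, it is worth checking that they agree with the rest of the config; the author lost SDM access more than once while iterating. The script below is an added example, not code from the thread or from either participant. It parses an IOS config as plain text and checks the dependencies of the NAT statement (the ACL it names is defined, the overload interface carries `ip nat outside`, some interface carries `ip nat inside`), flags `access-list 2 permit any` as wider than the one subnet that needs translating, and lists the management-plane exposure visible in the posted configs (clear-text passwords, telnet, `permit ip any any` interface ACLs, HTTP-only SDM). SAMPLE_CONFIG is constructed from the Point A config posted in the thread plus the accepted lines; the finding texts and the checks themselves are this example's, not an IOS feature.

```python
"""Pre-flight lint for the NAT change in the accepted answer.

Added example, not code from the thread. 'ip nat inside source list N
interface X overload' only works when ACL N exists, X carries 'ip nat
outside' and another interface carries 'ip nat inside' (the markers the
thread lost along the way). The same pass flags the exposure visible in
the posted configs. SAMPLE_CONFIG is assembled from the thread's last
Point A config plus the accepted lines.
"""
import re

SAMPLE_CONFIG = """\
hostname rahnchalf
no service password-encryption
enable secret 5 (removed)
enable password (removed)
username (removed) privilege 15 password 0 (removed)
interface FastEthernet0
 ip address 192.168.1.60 255.255.255.0
 ip access-group sdm_fastethernet0_in in
 ip nat outside
interface Serial0
 ip address 10.0.0.1 255.255.255.0
 ip access-group sdm_serial0_in in
 ip nat inside
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 192.168.9.0 255.255.255.0 Serial0 permanent
ip http server
ip access-list extended sdm_fastethernet0_in
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended sdm_serial0_in
 remark SDM_ACL Category=1
 permit ip any any
access-list 1 permit 192.168.9.0 0.0.0.255
ip nat inside source list 2 interface FastEthernet0 overload
access-list 2 permit any
line vty 0 4
 password (removed)
 login
 transport input telnet
"""

NAT_RE = re.compile(r"ip nat inside source list (\S+) interface (\S+) overload")


def parse(config: str) -> dict:
    """Map each top-level IOS line to its indented sub-lines."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            current = raw.rstrip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def check_nat(sections: dict) -> list:
    """Dependencies of every 'ip nat inside source list ... overload' line."""
    findings = []
    inside = [k for k, v in sections.items() if k.startswith("interface ") and "ip nat inside" in v]
    outside = [k for k, v in sections.items() if k.startswith("interface ") and "ip nat outside" in v]
    for line in sections:
        m = NAT_RE.match(line)
        if not m:
            continue
        acl, iface = m.groups()
        entries = [k for k in sections if k.startswith(f"access-list {acl} ") and " remark " not in k]
        if not entries:
            findings.append(f"NAT: access-list {acl} is referenced but never defined")
        elif any(e.endswith(" permit any") or e.endswith(" permit ip any any") for e in entries):
            findings.append(f"NAT: access-list {acl} permits any source; scope it to 192.168.9.0 0.0.0.255")
        if f"interface {iface}" not in outside:
            findings.append(f"NAT: {iface} lacks 'ip nat outside'; nothing will be translated")
        if not inside:
            findings.append("NAT: no interface carries 'ip nat inside'; the source list never matches")
    return findings


def check_exposure(sections: dict) -> list:
    """Management-plane weaknesses of the kind present in the posted configs."""
    findings = []
    if "no service password-encryption" in sections:
        findings.append("line/username passwords stored in clear text; set 'service password-encryption'")
    if any(k.startswith("enable password ") for k in sections):
        findings.append("'enable password' set alongside 'enable secret'; remove the weaker one")
    if any(re.match(r"username \S+ .*password 0 ", k) for k in sections):
        findings.append("username with a type-0 password; use 'username ... secret'")
    if "ip http server" in sections and "ip http secure-server" not in sections:
        findings.append("HTTP management without 'ip http secure-server'; SDM logins cross the LAN in clear")
    for k, v in sections.items():
        rules = [e for e in v if not e.startswith("remark")]
        if k.startswith("line vty") and "transport input telnet" in v:
            findings.append(f"{k}: telnet management; prefer 'transport input ssh'")
        if k.startswith("ip access-list extended") and rules == ["permit ip any any"]:
            findings.append(f"{k}: permits ip any any, so the interface ACL filters nothing")
        if k.startswith("snmp-server community") and len(k.split()) == 4:
            findings.append(f"{k}: community string with no access-list restriction")
    return findings


def lint(config: str) -> list:
    sections = parse(config)
    return check_nat(sections) + check_exposure(sections)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(" -", finding)
```

Run as-is it prints the findings for the accepted config. Calling `lint()` on the same text with the two interface markers removed adds two NAT findings; that is the state the thread was in when Point B clients could no longer reach the Internet, because a NAT source list with no inside/outside interfaces never matches a packet. Replacing `access-list 2 permit any` with `access-list 2 permit 192.168.9.0 0.0.0.255` clears the scope finding without changing what gets translated. The exposure findings do not affect whether the fix works; they are what a reviewer would raise before leaving `permit ip any any` ACLs, clear-text passwords and telnet on a router that sits in front of the Exchange and Citrix LAN.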

Author Comment

by:bxcarwilly
ID: 16866644
I'll try it tomorrow.  I had to move on for the day.

I have 5 servers at Point 'A'
3 Citrix
1 Windows 2003 with SBS
1 Windows 2003 for MAS 200

When I ping the remote host 192.168.9.1 from the SBS server and the MAS 200 server I get successful replies from 192.168.9.1.  Yet when I try to ping the same remote host 192.168.9.1 from any of the Citrix servers, which are on the same network as the previous servers, I get successful replies but from the LAN interface of the cisco at point 'A' 192.168.1.60.  Is that normal?

Expert Comment

by:Don Johnston
ID: 16866772
You are not going to be able to initiate communications FROM point A to Point B. So pinging from one of the servers to the 9.0 network won't work (at this point). You should, however, be able to ping from the 9.0 network to the servers.

Author Comment

by:bxcarwilly
ID: 16873550
Everything is working.  Thank you for your assistance.