Solved

Cisco 2620 bundling two Verizon frame T1s

Posted on 2007-03-23
Last Modified: 2008-02-18
I have a Cisco 2620 router with (2) WIC cards, ready for (2) Verizon frame T1s.
Verizon sent a basic script; I added what I could, but the rest gave me errors:

Here is the Basic Script Verizon Sent:
-------------------------------------------------------------------
Sample config:
controller T1 1/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24 speed 64
!
controller T1 1/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24 speed 64
!
interface MFR 1
description :MLFR:NxT1
mtu 4470
bandwidth 3072
no ip address
no ip redirect
no ip directed-broadcast
no ip proxy-arp
no ip mroute-cache
no arp frame-relay
load-interval 30
encapsulation frame-relay ietf
frame-relay intf-type dte
frame-relay lmi-type ansi
frame-relay multilink bid

interface MFR 1.500 point-to-point
ip address 64.65.155.110 255.255.255.252
no ip redirects
no ip directed-broadcast
no ip proxy-arp
no arp frame-relay
no cdp enable
frame-relay interface-dlci 500 ietf


interface Serial1/0:0
 description :MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 encapsulation frame-relay MFR 1
 no arp frame-relay
 no shut
 !
interface Serial1/1:0
 description :MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 encapsulation frame-relay MFR 1
 no arp frame-relay
 no shut
!
interface FastEthernet 0/0
ip address 64.211.219.217 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 64.65.155.109


----------------------------------------------------------------------------------
Here is my current configuration. The router includes some old configuration related to NAT and port forwarding; I plan on using the same IP scheme (206.180.19.0) and keeping the same port forwards for my web/mail servers. 144.232.191.126 was our old public IP (I will change it later).
------------------------------------------------------------------------------------------------
User Access Verification

Password:
sl-hunte1>enable
Password:
sl-hunte1#show run
Building configuration...

Current configuration : 3039 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname sl-hunte1
!
boot system tftp c2600-is-mz.122-11.T.bin 192.168.1.5
boot system flash
no logging console
enable secret 5 $1$Cwof$HFywsLSFqJo/iI5IC8xuV.
enable password 7 05080F1C2243
!
username word
username admin
ip subnet-zero
!
!
ip name-server 198.6.1.3
!
frame-relay switching
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface MFR1
 description :MLFR:NxT1
 mtu 4470
 bandwidth 3072
 no ip address
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 load-interval 30
 no arp frame-relay
 frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
 ip address 64.65.155.110 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no arp frame-relay
 no cdp enable
 frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/0
 ip address 206.180.19.251 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0/0
 description :MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 ip access-group 100 in
 ip access-group 101 out
 no ip redirects
 no ip proxy-arp
 ip nat outside
 encapsulation frame-relay MFR1
 no arp frame-relay
!
interface Serial0/1
 description :MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR1
 no arp frame-relay
!
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source list 10 interface Serial0/0 overload
ip nat inside source static tcp 206.180.19.104 25 144.232.191.126 25 extendable
ip nat inside source static tcp 206.180.19.104 110 144.232.191.126 110 extendable
ip nat inside source static tcp 206.180.19.2 443 144.232.191.126 443 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 64.65.155.109
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 206.180.19.0 0.0.0.255
access-list 10 permit 206.180.19.0 0.0.0.255
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip 224.0.0.0 31.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 deny   icmp any any redirect
access-list 100 deny   icmp any any administratively-prohibited
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 permit ip any any
access-list 100 permit tcp any any eq smtp
!
no call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
 password 7 121F041B1E185E132325302D21
 login
line aux 0
line vty 0 4
 access-class 1 in
 password 7 13151601181B0B382F
 login
!
!
end

sl-hunte1#

-------------------------------
To refresh: I want both Verizon T1s to work together (bundle) on my NAT network (one public IP for many private IPs).
Currently, I can ping the outside only from within the router (telnet).
NAT and port forwarding are not working, nor can I use the router as an internet gateway.

Thank you.
Question by:silver_domain_emperor

Accepted Solution

by:
lrmoore earned 500 total points
ID: 18782507
Take the ip nat outside off the serial interfaces and put it on the MFR .500 interface
interface MFR1.500 point-to-point
 ip address 64.65.155.110 255.255.255.252
 ip nat outside  <==
 ip access-group 100 in <==

interface Serial0/0
 no ip access-group 100 in <-- not here
 no ip access-group 101 out <-- not here (there is no acl 101)
 no ip nat outside   <-- not here
All ACLs and NAT processes get applied to the bundle interface - MFR1.500

NAT needs to use the MFR interface IP. Neither serial interface has an IP address assigned.
>no ip nat inside source list 1 interface Serial0/0 overload
>no ip nat inside source list 10 interface Serial0/0 overload
     
ip nat inside source list 1 interface MFR1.500 overload

>interface FastEthernet0/0
> ip address 206.180.19.251 255.255.255.0
Did the ISP assign you this IP address range? If yes, then you don't need to NAT on this router

>ip nat inside source static tcp 206.180.19.2 443 144.232.191.126 443
Seeing this NAT statement, I'm thinking you have 206.180.19.0 as your internal LAN and you now need to either change them all to private IPs or NAT to this 144.232.191.xxx address space. Can you clarify?




0
 

Author Comment

by:silver_domain_emperor
ID: 18782932
Thank you Lrmoore,

I made the changes you posted, and I can now access the internet from my PC (thank you).
My IP scheme is 206.180.19.0 (I know they are illegal addresses, but a while back Chrysler had us use this scheme; we were using satellite at that time, and so we kept it. We're too lazy to change, and it has not caused any trouble, even with NAT enabled).

144.232.191.126 is the public address used when this router was in production (2 years ago); please disregard. I will change it to the current one once everything else is up and running.


Current Config after changes:
-------------------------------------------------
User Access Verification

Password:
sl-hunte1>enable
Password:
sl-hunte1#show run
Building configuration...

Current configuration : 3089 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname sl-hunte1
!
boot system tftp c2600-is-mz.122-11.T.bin 192.168.1.5
boot system flash
no logging console
enable secret 5 $1$Cwof$HFywsLSFqJo/iI5IC8xuV.
enable password 7 05080F1C2243
!
username word
username admin
ip subnet-zero
!
!
ip name-server 198.6.1.3
!
frame-relay switching
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface MFR1
 description :MLFR:NxT1
 mtu 4470
 bandwidth 3072
 no ip address
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 load-interval 30
 no arp frame-relay
 frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
 ip address 64.65.155.110 255.255.255.252
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 no arp frame-relay
 no cdp enable
 frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/0
 ip address 206.180.19.251 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0/0
 description :MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR1
 no arp frame-relay
!
interface Serial0/1
 description :MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR1
 no arp frame-relay
!
ip nat inside source list 1 interface MFR1.500 overload
ip nat inside source list 10 interface MFR1.500 overload
ip nat inside source static tcp 206.180.19.104 25 144.232.191.126 25 extendable
ip nat inside source static tcp 206.180.19.104 110 144.232.191.126 110 extendable
ip nat inside source static tcp 206.180.19.2 443 144.232.191.126 443 extendable
ip nat inside source static tcp 206.180.19.40 80 64.65.155.110 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 64.65.155.109
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 206.180.19.0 0.0.0.255
access-list 10 permit 206.180.19.0 0.0.0.255
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip 224.0.0.0 31.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 deny   icmp any any redirect
access-list 100 deny   icmp any any administratively-prohibited
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 permit ip any any
access-list 100 permit tcp any any eq smtp
!
no call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
 password 7 121F041B1E185E132325302D21
 login
line aux 0
line vty 0 4
 access-class 1 in
 password 7 13151601181B0B382F
 login
!
!
end

sl-hunte1#

-------------------------------------------------------
two questions:
Do I need both these lines? or can I get by with just one?
ip nat inside source list 1 interface MFR1.500 overload    ?
ip nat inside source list 10 interface MFR1.500 overload  ?
---------------------------------------------------------
I added 206.180.19.40 and port forwarded 80 to this PC, but it does not seem to work. Am I missing something?
------------------------------------------------------
The current config is showing this line:
 "  ip route 0.0.0.0 0.0.0.0 Serial0/0  "
Do I need to make changes, if interface Serial0/0 does not have an assigned IP? Or should I have it read:
 " ip route 0.0.0.0 0.0.0.0 MFR1.500 "  (if possible)

-----------------------------------------------------
Last question:
I tested my connection speed at 2800k UP / 2300k Down. It's supposed to be around 3000k/3000k.
Is there anything I can do to the configuration to bring it up to par?
-----------------------------------------------------
Thank you in advance


0
 

Author Comment

by:silver_domain_emperor
ID: 18782940
Oops, I meant 2800K down, 2300k up
0

 

Expert Comment

by:lrmoore
ID: 18783203
>Do I need both these lines? or can I get by with just one?
Just one. List 1 and list 10 are the same, so pick one.

>the current config is showing this line:
> "  ip route 0.0.0.0 0.0.0.0 Serial0/0  "
>do I need to make changes, if interface serial0/0 does not have an assign IP? or should I have it read;
> " ip route 0.0.0.0 0.0.0.0 MFR1.500 "

Absolutely! I suggest using the upstream IP address instead of the interface
  ip route 0.0.0.0 0.0.0.0 64.65.155.109

2800k vs 3000k is pretty darn close. Fix the default route and it may improve some.
0
 

Author Comment

by:silver_domain_emperor
ID: 18783349
Thank you, I have accepted your answer.

Just one last question: using the last posted config, is there something wrong with my config that is preventing port 80 from being routed to machine xx.xx.xx.40?

I remember it worked two years ago. Do I need to take an extra step to make it work now that we are using bundled T1s?
0
 

Expert Comment

by:lrmoore
ID: 18783382
>is there something wrong with my config that is preventing port 80 to be routed to machine xx.xx.xx.40?

>ip nat inside source static tcp 206.180.19.40 80 64.65.155.110 80 extendable
This, and the required access-list entry, which you have covered with
  access-list 100 permit ip any any
That should be all you need. Is the Default Gateway correct on the www server?
0
 

Author Comment

by:silver_domain_emperor
ID: 18783587
Thank you. For some reason it did not work from my computer, which is, by the way, where I am running the test web server. I went to another PC and it worked correctly.

Thank you.
0
