Solved

Cisco 2620 bundling two Verizon frame T1s

Posted on 2007-03-23
Last Modified: 2008-02-18
I have a Cisco 2620 router with (2) WIC cards, ready for (2) Verizon frame T1s.
Verizon sent a basic script. I added what I could, but the rest gave me errors:

Here is the Basic Script Verizon Sent:
-------------------------------------------------------------------
Sample config:
controller T1 1/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24 speed 64
!
controller T1 1/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24 speed 64
!
interface MFR 1
description :MLFR:NxT1
mtu 4470
bandwidth 3072
no ip address
no ip redirect
no ip directed-broadcast
no ip proxy-arp
no ip mroute-cache
no arp frame-relay
load-interval 30
encapsulation frame-relay ietf
frame-relay intf-type dte
frame-relay lmi-type ansi
frame-relay multilink bid

interface MFR 1.500 point-to-point
ip address 64.65.155.110 255.255.255.252
no ip redirects
no ip directed-broadcast
no ip proxy-arp
no arp frame-relay
no cdp enable
frame-relay interface-dlci 500 ietf


interface Serial1/0:0
 description:MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 encapsulation frame-relay MFR 1
 no arp frame-relay
 no shut
 !
interface Serial1/1:0
 description :MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 encapsulation frame-relay MFR 1
 no arp frame-relay
 no shut
!
interface FastEthernet 0/0
ip address 64.211.219.217 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 64.65.155.109


----------------------------------------------------------------------------------
Here is my current configuration. The router includes some old configuration related to NAT and port forwarding. I plan on using the same IP scheme (206.180.19.0) and keeping the same port forwarding for my web/mail servers. 144.232.191.126 was our old public IP (I will change it later).
------------------------------------------------------------------------------------------------
User Access Verification

Password:
sl-hunte1>enable
Password:
sl-hunte1#show run
Building configuration...

Current configuration : 3039 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname sl-hunte1
!
boot system tftp c2600-is-mz.122-11.T.bin 192.168.1.5
boot system flash
no logging console
enable secret 5 $1$Cwof$HFywsLSFqJo/iI5IC8xuV.
enable password 7 05080F1C2243
!
username word
username admin
ip subnet-zero
!
!
ip name-server 198.6.1.3
!
frame-relay switching
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface MFR1
 description :MLFR:NxT1
 mtu 4470
 bandwidth 3072
 no ip address
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 load-interval 30
 no arp frame-relay
 frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
 ip address 64.65.155.110 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no arp frame-relay
 no cdp enable
 frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/0
 ip address 206.180.19.251 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0/0
 description :MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 ip access-group 100 in
 ip access-group 101 out
 no ip redirects
 no ip proxy-arp
 ip nat outside
 encapsulation frame-relay MFR1
 no arp frame-relay
!
interface Serial0/1
 description :MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR1
 no arp frame-relay
!
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source list 10 interface Serial0/0 overload
ip nat inside source static tcp 206.180.19.104 25 144.232.191.126 25 extendable
ip nat inside source static tcp 206.180.19.104 110 144.232.191.126 110 extendable
ip nat inside source static tcp 206.180.19.2 443 144.232.191.126 443 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 64.65.155.109
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 206.180.19.0 0.0.0.255
access-list 10 permit 206.180.19.0 0.0.0.255
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip 224.0.0.0 31.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 deny   icmp any any redirect
access-list 100 deny   icmp any any administratively-prohibited
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 permit ip any any
access-list 100 permit tcp any any eq smtp
!
no call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
 password 7 121F041B1E185E132325302D21
 login
line aux 0
line vty 0 4
 access-class 1 in
 password 7 13151601181B0B382F
 login
!
!
end

sl-hunte1#

-------------------------------
To refresh: I want both Verizon T1s to work together (bundled) on my NAT network (one public IP for many private IPs).
Currently, I can ping the outside only from within the router (telnet).
NAT and port forwarding are not working, nor can I use the router as an internet gateway.

Thank you.
Question by:silver_domain_emperor
Accepted Solution

by:
lrmoore earned 500 total points
ID: 18782507
Take the ip nat outside off the serial interfaces and put it on the MFR .500 interface
interface MFR1.500 point-to-point
 ip address 64.65.155.110 255.255.255.252
 ip nat outside  <==
 ip access-group 100 in <==

interface Serial0/0
 no ip access-group 100 in <-- not here
 no ip access-group 101 out <-- not here (there is no acl 101)
 no ip nat outside   <-- not here
All ACLs and NAT processes get applied to the bundle interface - MFR1.500

NAT needs to use the MFR interface IP. Neither serial interface has an IP address assigned.
>no ip nat inside source list 1 interface Serial0/0 overload
>no ip nat inside source list 10 interface Serial0/0 overload
     
ip nat inside source list 1 interface MFR1.500 overload

>interface FastEthernet0/0
> ip address 206.180.19.251 255.255.255.0
Did the ISP assign you this IP address range? If yes, then you don't need to NAT on this router

>ip nat inside source static tcp 206.180.19.2 443 144.232.191.126 443
Seeing this nat statement, I'm thinking you have 206.180.19.0 as your internal LAN and you now need to either change them all to private IP's or nat to this 144.232.191.xxx address space. Can you clarify?





Author Comment

by:silver_domain_emperor
ID: 18782932
Thank you Lrmoore,

I made the changes you posted, and I can now access the internet from my PC. (Thank you.)
My IP scheme is 206.180.19.0 (I know they are illegal addresses, but a while back Chrysler had us use this scheme; we were using satellite at that time, and so we kept it. We're too lazy to change, and it has not caused any trouble, even with NAT enabled).

144.232.191.126 is the public address used when this router was in production (2 years ago). Please disregard it; I will change it to the current one once everything else is up and running.


Current Config after changes:
-------------------------------------------------
User Access Verification

Password:
sl-hunte1>enable
Password:
sl-hunte1#show run
Building configuration...

Current configuration : 3089 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname sl-hunte1
!
boot system tftp c2600-is-mz.122-11.T.bin 192.168.1.5
boot system flash
no logging console
enable secret 5 $1$Cwof$HFywsLSFqJo/iI5IC8xuV.
enable password 7 05080F1C2243
!
username word
username admin
ip subnet-zero
!
!
ip name-server 198.6.1.3
!
frame-relay switching
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface MFR1
 description :MLFR:NxT1
 mtu 4470
 bandwidth 3072
 no ip address
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 load-interval 30
 no arp frame-relay
 frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
 ip address 64.65.155.110 255.255.255.252
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 no arp frame-relay
 no cdp enable
 frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/0
 ip address 206.180.19.251 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0/0
 description :MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR1
 no arp frame-relay
!
interface Serial0/1
 description :MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR1
 no arp frame-relay
!
ip nat inside source list 1 interface MFR1.500 overload
ip nat inside source list 10 interface MFR1.500 overload
ip nat inside source static tcp 206.180.19.104 25 144.232.191.126 25 extendable
ip nat inside source static tcp 206.180.19.104 110 144.232.191.126 110 extendable
ip nat inside source static tcp 206.180.19.2 443 144.232.191.126 443 extendable
ip nat inside source static tcp 206.180.19.40 80 64.65.155.110 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 64.65.155.109
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 206.180.19.0 0.0.0.255
access-list 10 permit 206.180.19.0 0.0.0.255
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip 224.0.0.0 31.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 deny   icmp any any redirect
access-list 100 deny   icmp any any administratively-prohibited
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 permit ip any any
access-list 100 permit tcp any any eq smtp
!
no call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
 password 7 121F041B1E185E132325302D21
 login
line aux 0
line vty 0 4
 access-class 1 in
 password 7 13151601181B0B382F
 login
!
!
end

sl-hunte1#

-------------------------------------------------------
Two questions:
Do I need both these lines? or can I get by with just one?
ip nat inside source list 1 interface MFR1.500 overload    ?
ip nat inside source list 10 interface MFR1.500 overload  ?
---------------------------------------------------------
I added 206.180.19.40 and port forwarded 80 to this PC, but it does not seem to work. Am I missing something?
------------------------------------------------------
The current config is showing this line:
 "  ip route 0.0.0.0 0.0.0.0 Serial0/0  "
Do I need to make changes, if interface Serial0/0 does not have an assigned IP? Or should I have it read:
 " ip route 0.0.0.0 0.0.0.0 MFR1.500 "  (if possible)

-----------------------------------------------------
Last question:
I tested my connection speed at 2800k UP / 2300k Down. It's supposed to be around 3000k/3000k.
Is there anything I can do to the configuration to bring it up to par?
-----------------------------------------------------
Thank you in advance



Author Comment

by:silver_domain_emperor
ID: 18782940
Oops, I meant 2800K down, 2300k up

Expert Comment

by:lrmoore
ID: 18783203
>Do I need both these lines? or can I get by with just one?
Just one. List 1 and list 10 are the same, so pick one.

>the current config is showing this line:
> "  ip route 0.0.0.0 0.0.0.0 Serial0/0  "
>do I need to make changes, if interface serial0/0 does not have an assign IP? or should I have it read;
> " ip route 0.0.0.0 0.0.0.0 MFR1.500 "

Absolutely! I suggest using the upstream IP address instead of the interface
  ip route 0.0.0.0 0.0.0.0 64.65.155.109

2800k vs 3000k is pretty darn close. Fix the default route and it may improve some.
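
The points made in the accepted answer and in the reply above can be checked mechanically against a saved `show run`. This is an added example, not part of the original thread: the function names and finding messages are hypothetical, the sample input is constructed from lines in the asker's first configuration, and it assumes `show running-config` formatting (interface names without spaces, sub-commands indented).

```python
import re

# Constructed input: member-link and global lines trimmed from the first "show run".
SAMPLE = """\
interface Serial0/0
 ip access-group 100 in
 ip access-group 101 out
 ip nat outside
 encapsulation frame-relay MFR1
ip nat inside source list 1 interface Serial0/0 overload
ip route 0.0.0.0 0.0.0.0 Serial0/0
access-list 100 permit ip any any
"""

def parse(config):  # -> ({interface: [sub-commands]}, [global lines])
    ifaces, top, cur = {}, [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur and line.strip() != "!":
            ifaces[cur].append(line.strip())
        elif line.strip() not in ("", "!"):
            cur = None  # a global line ends the current interface block
            top.append(line.strip())
    return ifaces, top

def lint(config):
    ifaces, top = parse(config)
    acls = {t.split()[1] for t in top if t.startswith("access-list ")}
    # Member links: interfaces bound to a bundle ("encapsulation frame-relay MFRn").
    members = {n for n, cmds in ifaces.items()
               if any(c.startswith("encapsulation frame-relay MFR") for c in cmds)}
    out = []
    for name, cmds in ifaces.items():
        for c in cmds:
            if name in members and c.startswith(("ip nat ", "ip access-group ")):
                out.append(f"{name}: move '{c}' to the bundle subinterface")
            m = re.match(r"ip access-group (\S+) ", c)
            if m and m.group(1) not in acls:
                out.append(f"{name}: access-list {m.group(1)} is not defined")
    for t in top:
        m = re.match(r"ip (?:nat inside source list \S+ interface|route \S+ \S+) (\S+)", t)
        if m and m.group(1) in members:
            out.append(f"global: '{t}' points at member link {m.group(1)}")
    return out

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
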

Author Comment

by:silver_domain_emperor
ID: 18783349
Thank you, I have accepted your answer.

Just one last question, using the last posted config, is there something wrong with my config that is preventing port 80 to be routed to machine xx.xx.xx.40?

I remember it worked two years ago, do I need to take an extra step to make it work now that we are using bundle T1s?

Expert Comment

by:lrmoore
ID: 18783382
>is there something wrong with my config that is preventing port 80 to be routed to machine xx.xx.xx.40?

>ip nat inside source static tcp 206.180.19.40 80 64.65.155.110 80 extendable
This, and the required access-list entry, which you have covered with
  access-list 100 permit ip any any
That should be all you need. Is the Default Gateway correct on the www server?

Author Comment

by:silver_domain_emperor
ID: 18783587
Thank you. For some reason it did not work from my computer, which is, by the way, where I am running the test web server. I went to another PC and it worked correctly.

Thank you.