Cisco 2620 bundling two Verizon frame T1s

I have a Cisco 2620 router with (2) WIC cards, ready for (2) Verizon frame T1s.
Verizon sent a basic script. I added what I could, but the rest gave me errors:

Here is the Basic Script Verizon Sent:
-------------------------------------------------------------------
Sample config:
controller T1 1/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24 speed 64
!
controller T1 1/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24 speed 64
!
interface MFR 1
description :MLFR:NxT1
mtu 4470
bandwidth 3072
no ip address
no ip redirect
no ip directed-broadcast
no ip proxy-arp
no ip mroute-cache
no arp frame-relay
load-interval 30
encapsulation frame-relay ietf
frame-relay intf-type dte
frame-relay lmi-type ansi
frame-relay multilink bid

interface MFR 1.500 point-to-point
ip address 64.65.155.110 255.255.255.252
no ip redirects
no ip directed-broadcast
no ip proxy-arp
no arp frame-relay
no cdp enable
frame-relay interface-dlci 500 ietf


interface Serial1/0:0
 description:MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 encapsulation frame-relay MFR 1
 no arp frame-relay
 no shut
 !
interface Serial1/1:0
 description :MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 encapsulation frame-relay MFR 1
 no arp frame-relay
 no shut
!
interface FastEthernet 0/0
ip address 64.211.219.217 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 64.65.155.109


----------------------------------------------------------------------------------
Here is my current configuration. The router includes some old configuration related to NAT and port forwarding. I plan on using the same IP scheme (206.180.19.0) and keep the same port forward for my web/mail servers. 144.232.191.126 was our old public IP (I will change it later).
------------------------------------------------------------------------------------------------
User Access Verification

Password:
sl-hunte1>enable
Password:
sl-hunte1#show run
Building configuration...

Current configuration : 3039 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname sl-hunte1
!
boot system tftp c2600-is-mz.122-11.T.bin 192.168.1.5
boot system flash
no logging console
enable secret 5 $1$Cwof$HFywsLSFqJo/iI5IC8xuV.
enable password 7 05080F1C2243
!
username word
username admin
ip subnet-zero
!
!
ip name-server 198.6.1.3
!
frame-relay switching
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface MFR1
 description :MLFR:NxT1
 mtu 4470
 bandwidth 3072
 no ip address
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 load-interval 30
 no arp frame-relay
 frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
 ip address 64.65.155.110 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no arp frame-relay
 no cdp enable
 frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/0
 ip address 206.180.19.251 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0/0
 description :MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 ip access-group 100 in
 ip access-group 101 out
 no ip redirects
 no ip proxy-arp
 ip nat outside
 encapsulation frame-relay MFR1
 no arp frame-relay
!
interface Serial0/1
 description :MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR1
 no arp frame-relay
!
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source list 10 interface Serial0/0 overload
ip nat inside source static tcp 206.180.19.104 25 144.232.191.126 25 extendable
ip nat inside source static tcp 206.180.19.104 110 144.232.191.126 110 extendable
ip nat inside source static tcp 206.180.19.2 443 144.232.191.126 443 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 64.65.155.109
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 206.180.19.0 0.0.0.255
access-list 10 permit 206.180.19.0 0.0.0.255
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip 224.0.0.0 31.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 deny   icmp any any redirect
access-list 100 deny   icmp any any administratively-prohibited
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 permit ip any any
access-list 100 permit tcp any any eq smtp
!
no call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
 password 7 121F041B1E185E132325302D21
 login
line aux 0
line vty 0 4
 access-class 1 in
 password 7 13151601181B0B382F
 login
!
!
end

sl-hunte1#

-------------------------------
To refresh: I want both Verizon T1s to work together (bundle) on my NAT network (one public IP for many private IPs).
Currently, I can ping the outside only from within the router (telnet).
NAT and port forwarding are not working, nor can I use the router as an internet gateway.

Thank you.
silver_domain_emperor Asked:

lrmoore Commented:
Take the ip nat outside off the serial interfaces and put it on the MFR .500 interface
interface MFR1.500 point-to-point
 ip address 64.65.155.110 255.255.255.252
 ip nat outside  <==
 ip access-group 100 in <==

interface Serial0/0
 no ip access-group 100 in <-- not here
 no ip access-group 101 out <-- not here (there is no acl 101)
 no ip nat outside   <-- not here
All ACLs and NAT processes get applied to the bundle interface - MFR1.500

NAT needs to use the MFR interface IP. Neither serial interface has an IP address assigned.
>no ip nat inside source list 1 interface Serial0/0 overload
>no ip nat inside source list 10 interface Serial0/0 overload
     
ip nat inside source list 1 interface MFR1.500 overload

>interface FastEthernet0/0
> ip address 206.180.19.251 255.255.255.0
Did the ISP assign you this IP address range? If yes, then you don't need to NAT on this router

>ip nat inside source static tcp 206.180.19.2 443 144.232.191.126 443
Seeing this NAT statement, I'm thinking you have 206.180.19.0 as your internal LAN and you now need to either change them all to private IPs or NAT to this 144.232.191.xxx address space. Can you clarify?




0

silver_domain_emperor Author Commented:
Thank you Lrmoore,

I made the changes you posted, and I can now access the internet from my PC. (Thank you.)
My IP scheme is 206.180.19.0 (I know they are illegal addresses, but a while back Chrysler had us use this scheme; we were using satellite at that time, and so we kept it. We're too lazy to change, and it has not caused any trouble, even with NAT enabled.)

144.232.191.126 is the public address used when this router was in production (2 years ago). Please disregard it; I will change it to the current one once everything else is up and running.


Current Config after changes:
-------------------------------------------------
User Access Verification

Password:
sl-hunte1>enable
Password:
sl-hunte1#show run
Building configuration...

Current configuration : 3089 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname sl-hunte1
!
boot system tftp c2600-is-mz.122-11.T.bin 192.168.1.5
boot system flash
no logging console
enable secret 5 $1$Cwof$HFywsLSFqJo/iI5IC8xuV.
enable password 7 05080F1C2243
!
username word
username admin
ip subnet-zero
!
!
ip name-server 198.6.1.3
!
frame-relay switching
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface MFR1
 description :MLFR:NxT1
 mtu 4470
 bandwidth 3072
 no ip address
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 load-interval 30
 no arp frame-relay
 frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
 ip address 64.65.155.110 255.255.255.252
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 no arp frame-relay
 no cdp enable
 frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/0
 ip address 206.180.19.251 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0/0
 description :MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR1
 no arp frame-relay
!
interface Serial0/1
 description :MLFR:NxT1
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR1
 no arp frame-relay
!
ip nat inside source list 1 interface MFR1.500 overload
ip nat inside source list 10 interface MFR1.500 overload
ip nat inside source static tcp 206.180.19.104 25 144.232.191.126 25 extendable
ip nat inside source static tcp 206.180.19.104 110 144.232.191.126 110 extendable
ip nat inside source static tcp 206.180.19.2 443 144.232.191.126 443 extendable
ip nat inside source static tcp 206.180.19.40 80 64.65.155.110 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 64.65.155.109
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 206.180.19.0 0.0.0.255
access-list 10 permit 206.180.19.0 0.0.0.255
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip 224.0.0.0 31.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 deny   icmp any any redirect
access-list 100 deny   icmp any any administratively-prohibited
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 permit ip any any
access-list 100 permit tcp any any eq smtp
!
no call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
 password 7 121F041B1E185E132325302D21
 login
line aux 0
line vty 0 4
 access-class 1 in
 password 7 13151601181B0B382F
 login
!
!
end

sl-hunte1#

-------------------------------------------------------
Two questions:
Do I need both these lines, or can I get by with just one?
ip nat inside source list 1 interface MFR1.500 overload    ?
ip nat inside source list 10 interface MFR1.500 overload  ?
---------------------------------------------------------
I added 206.180.19.40 and port forwarded 80 to this PC, but it does not seem to work. Am I missing something?
------------------------------------------------------
The current config is showing this line:
 "  ip route 0.0.0.0 0.0.0.0 Serial0/0  "
Do I need to make changes if interface Serial0/0 does not have an assigned IP? Or should I have it read:
 " ip route 0.0.0.0 0.0.0.0 MFR1.500 "  (if possible)

-----------------------------------------------------
Last question:
I tested my connection speed at 2800k UP/ 2300k Down. It's supposed to be around 3000k/3000k.
Is there anything I can do to the configuration to bring it up to par?
-----------------------------------------------------
Thank you in advance


0
silver_domain_emperor Author Commented:
Oops, I meant 2800K down, 2300k up
0
lrmoore Commented:
>Do I need both these lines? or can I get by with just one?
Just one. List 1 and list 10 are the same, so pick one.

>the current config is showing this line:
> "  ip route 0.0.0.0 0.0.0.0 Serial0/0  "
>do I need to make changes, if interface serial0/0 does not have an assigned IP? or should I have it read;
> " ip route 0.0.0.0 0.0.0.0 MFR1.500 "

Absolutely! I suggest using the upstream IP address instead of the interface
  ip route 0.0.0.0 0.0.0.0 64.65.155.109

2800k vs 3000k is pretty darn close. Fix the default route and it may improve some.
0
silver_domain_emperor Author Commented:
Thank you, I have accepted your answer.

Just one last question, using the last posted config, is there something wrong with my config that is preventing port 80 to be routed to machine xx.xx.xx.40?

I remember it worked two years ago, do I need to take an extra step to make it work now that we are using bundle T1s?
0
lrmoore Commented:
>is there something wrong with my config that is preventing port 80 to be routed to machine xx.xx.xx.40?

>ip nat inside source static tcp 206.180.19.40 80 64.65.155.110 80 extendable
This, and the required access-list entry, which you have covered with
  access-list 100 permit ip any any
That should be all you need. Is the Default Gateway correct on the www server?
0
silver_domain_emperor Author Commented:
Thank you. For some reason it did not work from my computer, which is, by the way, where I am running the test web server. I went to another PC and it worked correctly.

Thank you.
0
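
Added example, not part of the original thread or written by its participants: a small Python check that flags the problems the answers above identify in the first posted configuration (ACL and NAT statements on bundle member links, an applied but undefined access list, NAT overload on an interface with no IP address, duplicate access lists), and additionally flags access-list entries placed after `permit ip any any`, which IOS never reaches because ACLs are first-match. The function name `audit` and the embedded sample are constructed for illustration; the parser assumes `show run` formatting with interface sub-commands indented by one space.

```python
import re
# Constructed sample: the relevant lines of the first configuration posted above.
SAMPLE = """\
interface Serial0/0
 no ip address
 ip access-group 100 in
 ip access-group 101 out
 ip nat outside
 encapsulation frame-relay MFR1
ip nat inside source list 1 interface Serial0/0 overload
access-list 1 permit 206.180.19.0 0.0.0.255
access-list 10 permit 206.180.19.0 0.0.0.255
access-list 100 permit ip any any
access-list 100 permit tcp any any eq smtp
"""

def audit(config):
    """Return sorted findings for an IOS 'show run' listing given as text."""
    ifaces, acls, nat_rules, current = {}, {}, [], None
    for raw in config.splitlines():
        line = " ".join(raw.split())               # collapse runs of spaces
        if raw.startswith("interface "):
            current = line.split()[1]
        elif raw.startswith(" ") and current:      # sub-command of that interface
            ifaces.setdefault(current, []).append(line)
        else:                                      # a global line ends the block
            current = None
            if m := re.match(r"access-list (\d+) (.+)", line):
                acls.setdefault(m[1], []).append(m[2])
            elif m := re.match(r"ip nat inside source list (\d+) interface (\S+) overload", line):
                nat_rules.append((m[1], m[2]))
    out, seen = [], {}
    for name, body in ifaces.items():
        member = any(cmd.startswith("encapsulation frame-relay MFR") for cmd in body)
        for cmd in body:
            m = re.match(r"ip access-group (\d+) (?:in|out)", cmd)
            if m and m[1] not in acls:
                out.append(f"{name}: access-list {m[1]} is applied but not defined")
            if member and (m or cmd == "ip nat outside"):
                out.append(f"{name}: '{cmd}' belongs on the bundle interface, not a member link")
    for acl, iface in nat_rules:
        if "no ip address" in ifaces.get(iface, []):
            out.append(f"NAT overload list {acl}: {iface} has no IP address")
    for num, entries in acls.items():
        if "permit ip any any" in entries[:-1]:    # first match wins, the rest is dead
            out.append(f"ACL {num}: entries after 'permit ip any any' never match")
        if (first := seen.setdefault(tuple(entries), num)) != num:
            out.append(f"ACL {num} duplicates ACL {first}")
    return sorted(out)
```

Running `audit(SAMPLE)` returns seven findings; the same function returns an empty list once the ACL and NAT statements are moved to MFR1.500, the overload rule points at MFR1.500, and the shadowed and duplicate entries are removed.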