henry007
 asked on

Cisco 2811 routing issues with public IPs

How do I configure a Cisco 2811 router to replace my existing Cisco 2500, which has a T1 with 10 public addresses that I need to have available internally? I tried copying the same commands from the old router to the new one, but all I achieved was that the server was able to talk to the router with its public address but can't access the internet, and from the internet I can't reach the server with the public IP address. I can log on to the router with the T1's internet IP address from the internet. Within the router I can traceroute to the server and traceroute to the internet, but I'm missing the link that lets the internet and the server talk to each other. Please help.
Routers

Last Comment
rtelson

8/22/2022 - Mon
bfason

Hey Henry,

Can you post a sanitized config from both routers? That would be about the only way someone could see what you have and what you are missing.
henry007

ASKER
Ok here's "show configuration" on the OLD 2500

User Access Verification

Password:
Password:
Router>enable
Password:
Router#show configuration
Using 614 out of 32762 bytes
!
version 11.2
!
hostname Router
!
enable secret 5 $1$m7es$2TfNYzHnF9p74Vep2T/uo/
enable password conf2
!
ip subnet-zero
ip name-server 199.191.128.105
ip name-server 199.191.128.106
!
interface Ethernet0
 ip address 12.9.192.73 255.255.255.248
!
interface Ethernet1
 ip address 12.9.192.65 255.255.255.248
!
interface Serial0
 ip address 12.118.217.70 255.255.255.252
 encapsulation ppp
!
interface Serial1
 no ip address
 shutdown
!
router igrp 1
 network 12.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
snmp-server community public RO
!
line con 0
line aux 0
line vty 0 4
 password conf3
 login
!
end



AND HERE IS THE show configuration on the NEW 2800

Using 3070 out of 245752 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname atkrouter
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
logging console critical
enable secret 5 $1$tT4A$RUHnb5iW4RrLwunz5Sf33/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
!
!
no ip bootp server
ip domain name yourdomain.com
ip name-server 12.127.16.67
ip name-server 12.127.17.71
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto pki trustpoint TP-self-signed-2439421273
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2439421273
 revocation-check none
 rsakeypair TP-self-signed-2439421273
!
!
crypto pki certificate chain TP-self-signed-2439421273
 certificate self-signed 01 nvram:IOS-Self-Sig#3301.cer
username root privilege 15 secret 5 $1$ebtJ$8yr8RZ8opAwcCys7GMMLh1
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 12.9.192.73 255.255.255.248
 ip mask-reply
 ip directed-broadcast
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 12.9.192.65 255.255.255.248
 ip mask-reply
 ip directed-broadcast
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 ip address 12.118.217.70 255.255.255.252
 ip mask-reply
 ip directed-broadcast
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 fair-queue
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 2 interface Serial0/0/0 overload
!
no logging trap
access-list 1 remark INSIDE_IF=FastEthernet0/1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 12.9.192.64 0.0.0.7
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 12.9.192.72 0.0.0.7
access-list 2 permit 12.9.192.64 0.0.0.7
no cdp run
!
!
control-plane
!
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
 transport output telnet ssh
!
scheduler allocate 20000 1000
!
end
henry007

ASKER
Let me rephrase my question. I have a new Cisco 2811 router with a CSU card on it; this unit will replace an existing 2500 router which is running like this:

T1 ----> 2500 (12.118.xx.70) ----> ETHE 0/0 (12.xx.xx.73 ) --->Unix server (12.xx.xx.78 ) public address
ETHE 0/1 (12.xx.xx.65 )----> Voip Patton smartnode ( 12.xx.xx.66) public address

The gateway is 12.xx.xx.65
The Current Ethernet 0/0 is setup as 12.xx.xx.73 255.255.255.248
Ethernet 0/1 is setup as 12.xx.xx.65 255.255.255.248
The current serial 0/0 is setup as 12.118.xx.70 255.255.255.252

So any user over the internet does 12.xx.xx.78 and gets into my unix server (email,web,ssh,etc)
And remote smartnodes connect to 12.xx.xx.66 to my local smartnodes

I tried copying the same configuration to the new 2811 by doing a "show configuration" on the old 2500, but the public IP addresses .78 and .66 are not working when I try to access them from the internet. Could you please tell me if I have to set NAT on the 2811?

If I'm on the CLI on the 2811 I'm able to traceroute to the 12.xx.xx.78 and traceroute to the outside world. I'm able from the outside world to see my router if I use the 12.118.xx.70 address.

From the Unix server I can log in to the 2811 when I do 12.xx.xx.73 but that's about it. Do I need a bridge to make my internal IPs outside IPs?

My firewall is OFF.

Please help.
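
An added example, not part of the original thread and not the hidden accepted solution: a small Python check over the NAT-relevant lines of the 2811 configuration posted above. It reports overload (PAT) rules whose source ACL covers publicly routable subnets or whose translation interface is not marked `ip nat outside`; the function names and the trimmed config excerpt are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt: only the NAT-relevant lines of the 2811 config posted above.
CONFIG_2811 = """\
interface FastEthernet0/0
 ip address 12.9.192.73 255.255.255.248
 ip nat inside
interface FastEthernet0/1
 ip address 12.9.192.65 255.255.255.248
 ip nat inside
interface Serial0/0/0
 ip address 12.118.217.70 255.255.255.252
 ip nat outside
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 2 interface Serial0/0/0 overload
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 12.9.192.64 0.0.0.7
access-list 2 permit 12.9.192.72 0.0.0.7
access-list 2 permit 12.9.192.64 0.0.0.7
"""

def nat_roles(config):
    """Return {interface: 'inside' | 'outside'} from per-interface 'ip nat' lines."""
    roles, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif current and (m := re.fullmatch(r"\s+ip nat (inside|outside)", line)):
            roles[current] = m.group(1)
    return roles

def acl_networks(config, number):
    """Subnets permitted by a standard ACL; ipaddress accepts the wildcard as a hostmask."""
    pairs = re.findall(rf"^access-list {number} permit (\S+) (\S+)$", config, re.M)
    return [ipaddress.ip_network(f"{addr}/{wild}") for addr, wild in pairs]

def audit(config):
    """List overload (PAT) rules that translate public sources or use a non-outside interface."""
    roles, findings = nat_roles(config), []
    rules = re.findall(r"^ip nat inside source list (\d+) interface (\S+) overload$", config, re.M)
    for acl, iface in rules:
        if roles.get(iface) != "outside":
            findings.append(f"list {acl}: overload interface {iface} is not 'ip nat outside'")
        for net in acl_networks(config, acl):
            if not net.is_private:
                findings.append(f"list {acl}: public subnet {net} is translated behind {iface}")
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG_2811):
        print(finding)
```

The 2500 configuration posted above contains no `ip nat` statements, so the same check returns nothing for it.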
ASKER CERTIFIED SOLUTION
rtelson

henry007

ASKER
How much would you charge me to configure my router remotely? I can give you GUI access and what I need it to do.
rtelson

I would not charge you anything; we're here to help - but I would expect keen cooperation from you. You are not far at all; just a matter of your being able to understand the concept of inside and outside interfaces - then everything turns on just like a lightbulb!

I would also want to reduce the number of public IP addresses. Again, they were needed because of the limitations of the 2500. Now that you have a 2800, you might as well save some money. If you agree, you might later have to contact your ISP for [possible] changes in your domain.

I see that you have used SDM. Our version is 2.34. If you have anything higher than that, please let me know.

We probably need to exchange emails, but I would rather not send you mine in such a public environment. If you want to open a temporary email with hotmail or something, let me know.

Let's be clear that I would not assume any responsibility for the work.
henry007

ASKER
Hi, thanks for your prompt response. As I was posting you the comment I did a change on the FastEthernet 0/0 and FastEthernet 0/1: I switched IPs and now my Cisco router is doing what I wanted. So let me try it tomorrow, and in case I still need your help configuring it I'll write you again. However, I'm going to follow your advice on getting rid of those extra addresses and using just 1.

It was like this :

!
interface FastEthernet0/0
ip address 12.9.x.73 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
ip address 12.9.x.65 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!

With the above config a server using 12.9.x.78 was not working, but a device with 12.9.x.66 was working.
So I switched and now everything works!! Go figure!!

new config:

!
interface FastEthernet0/0
ip address 12.9.x.65 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
ip address 12.9.x.73 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
rtelson

By the way, please set your speed and duplex - at least the speed - to known values. Watch out for the duplex being wrong between you and your SP. They typically deliver half-duplex on anything less than 100MB lines.