We help IT Professionals succeed at work.

Cisco 2600 permit ip 192.168.1.0 0.0.0.255 how to?

DAMAdmin
DAMAdmin asked
on
2,365 Views
Last Modified: 2010-08-05
Easy one i am sure but our cisco guy is gone and I am left doing it.

I need to add a line like this on a cisco 2600
permit ip 192.168.1.0 0.0.0.255

So i can allow 192.168.1.x traffic from one router to another across a point to point connection. The end here is done, but not the other end, long story that involves company not paying enough.

I know the line needs to look like that, but i do not know the command to add it. Cisco.com is no help if you do not know how to ask for the help you need.
Comment
Watch Question

Commented:
you would need to add that line to an access list.. if you know the number its access-list <number> permit ip 192.168.1.0 0.0.0.255

are you adding this to a nat? do you want to not nat that range over a vpn? can you show your running config and highlight what you are trying to do

Author

Commented:
here is the running config of another 2600 that is no longer in service. I do not think i need to route over a vpn. Our connection between offices is a point to point EOC soon to be a DS3. Everything works but the 208.x.x.x servers on the other end are not able to see the 192.168.1.1 systems on this end. But the systems here are able to see the 208 servers there, so the router here is set up correctly its a 3600.

router2600north#show running-config
Building configuration...

Current configuration : 3051 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname dpmain.com
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
!
!
ip domain name yourdomain.com

!
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0
 ip address 63.x.x.x 255.255.255.224 secondary
 ip address 66.x.x.x 255.255.255.192
 ip access-group 102 out
 duplex full
 speed 100
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 ip address 65.x.x.x 255.255.255.248
 ip access-group 101 in
 duplex full
 speed 100
 media-type rj45
 negotiation auto
!
interface Hssi1/0
 ip address 66.x.x.x 255.255.255.252
 serial restart-delay 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 65.x.x.x
ip route 66.x.x.x 255.255.255.224 Hssi1/0
ip route 192.168.1.0 255.255.255.0 Hssi1/0
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 1000
!
access-list 101 permit tcp any any established
access-list 101 permit ip host 65.x.x.x any
access-list 101 permit ip host 68.x.x.x any
access-list 101 permit ip 67.x.x.0 0.0.0.255 any
access-list 101 permit ip 208.x.x.0 0.0.0.255 any
access-list 101 deny   tcp any any eq 136
access-list 101 deny   tcp any any eq 137
access-list 101 deny   tcp any any eq 138
access-list 101 deny   tcp any any eq 139
access-list 101 deny   tcp any any eq 445
access-list 101 deny   tcp any any eq 5554
access-list 101 deny   tcp any any eq 6667
access-list 101 deny   tcp any any eq 9995
access-list 101 deny   tcp any any eq 9996
access-list 101 permit ip any any
access-list 105 permit tcp any any eq ftp
access-list 105 permit tcp any any eq ftp-data
access-list 105 permit tcp any any eq www
access-list 105 permit tcp any any eq domain
access-list 105 permit udp any any eq domain
access-list 105 permit tcp any any eq 443
access-list 105 permit tcp any any eq 1433
access-list 105 permit udp any any eq 1433
access-list 105 permit tcp any any eq pop3
access-list 105 permit tcp any any eq 1723
access-list 105 permit udp any any eq 1723
access-list 105 permit tcp any any eq smtp
access-list 105 permit tcp any any eq 1701
access-list 105 permit tcp any any eq 5050
access-list 105 permit tcp any any eq 3389
access-list 105 permit gre any any
access-list 150 permit ip host 66.x.x.x any
access-list 150 permit ip any host 66.x.x.x
snmp-server community domainname RO
!
control-plane
!
CERTIFIED EXPERT
Top Expert 2004

Commented:
Are you sure that the problem is your access list and not a routing problem? If it's the access list then atf1084 has given you the correct syntax.

the best thing is to post the config of the routers on both ends and it will be easy to find the problem.

Author

Commented:
Here is the one at this campus, no offense to anyone I took out the public side and replaced with x.x.x .

its a 3600 if that makes any differance.

South3600#show running-config
Building configuration...

Current configuration : 3145 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname South3600
!
boot-start-marker
boot-end-marker
!
enable secret
enable password 7
!
username
username ciscohelp privilege 15 password
username
no aaa new-model
ip subnet-zero
!
!
ip cef
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.120 192.168.1.255
!
ip dhcp pool 0
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   dns-server 208.x.x.x 63.x.x.x
!
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 208.x.x.x 255.255.255.192
 ip nat outside
 speed 10
 full-duplex
!
interface FastEthernet0/1
 ip address 208.x.x.x 255.255.255.248 secondary
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 ip address 65.x.x.x 255.255.255.252
 ip access-group 101 in
 ip access-group 101 out
 shutdown
 no fair-queue
!
interface Hssi2/0
 ip address 66.x.x.x 255.255.255.252
 ip accounting output-packets
 serial restart-delay 0
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 192.168.1.251 66.x.x.x
ip nat inside source static 192.168.1.111 66.x.x.x
ip nat inside source static 192.168.1.250 66.x.x.x
ip nat inside source static 192.168.1.244 66.x.x.x
ip nat inside source static 192.168.1.195 66.x.x.x
ip nat inside source static 192.168.1.233 66.x.xx
ip nat inside source static 192.168.1.192 66.x.x.x
ip nat inside source static tcp 192.168.1.120 80 208.x.x.x 80 extendable
ip nat inside source static tcp 192.168.1.121 80 208.x.x.x80 extendable
ip nat inside source static tcp 192.168.1.122 21 208.xx.x 21 extendable
ip nat inside source static 192.168.1.123 208.x.x.x
ip nat inside source static tcp 192.168.1.120 443 208.x.x.x 443 extendable
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 208.x.x.x
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 105 permit tcp any any eq www
access-list 120 permit ip 192.168.1.0 0.0.0.255 63.x.x.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 66.x.x.x 0.0.0.255
access-list 124 permit ip 66.x.x.x 0.0.0.255 any
!
route-map NoNat12 permit 10
 match ip address 120
 set interface Loopback0
!
snmp-server community domain RO
snmp-server enable traps tty
!
!
!
!
!
!
!
!
line con 0
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 exec-timeout 35 0
 password 7
 session-limit 15
 login local
 transport preferred all
 transport input all
 transport output all
!
!
!
end
CERTIFIED EXPERT
Top Expert 2004

Commented:
Well you do not have any access list blocking traffic on this side. what is the subnet that can't reach 192.168.1.0 from the other side, and what is the config on the other side? I suspect you need a route on both sides but maybe not.

Author

Commented:
the first config is the router on the other side, where traffic is not going back.

the 192.168.1.0 can not be reached from there, but the 208.x.x.x can be reached from here.

I really hope this is all coming off correctly, i do not know the lingo.
CERTIFIED EXPERT
Top Expert 2004

Commented:
You said the first config was "running config of another 2600 that is no longer in service." I don't see any 208.x.x.x configured on it.

Also on the 2nd config, you should remove this static route: ip route 192.168.1.0 255.255.255.0 FastEthernet0/1

You should not have a static route for a connected interface, the router already knows about connected addresses.

Author

Commented:
my bad, that is correct, I will upload the current router config in the morning. sorry i got all mixed up on what i posted.

thanks i will edit that out.
CERTIFIED EXPERT
Top Expert 2004

Commented:
I'm gonna be out of town tomorrow and Friday. The thing I'm looking for is that each router has a static route telling it how to get to the network on the other side. So this side needs a route to 208.x.x.x (which I don't see) and the other side needs a route to 192.168. The next hop should be the far end of the point-to-point (which I assume is on the HSSI ports).

Author

Commented:
Here is the new routers current config, have a good weekend.

Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname newrouter
!
enable secret 5 $
enable password 7
!
username
username
!
!
!
!
memory-size iomem 15
ip subnet-zero
ip cef
!
ip audit notify log
ip audit po max-events 100
!
!
!
interface FastEthernet0/0
 ip address 208.x.x.x 255.255.255.128
 no ip directed-broadcast
 speed 100
 full-duplex
!
interface Serial0/0
 no ip address
 ip access-group 101 in
 no ip directed-broadcast
 shutdown
!
interface FastEthernet0/1
 ip address 65.x.x.x 255.255.255.252
 no ip directed-broadcast
 speed 100
 full-duplex
!
interface Serial0/1
 no ip address
 ip access-group 101 in
 no ip directed-broadcast
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 65.x.x.x
ip route 208.x.x.x 255.255.255.248 208.x.x.x
no ip http server
!
access-list 105 permit tcp any any eq ftp
access-list 105 permit tcp any any eq ftp-data
access-list 105 permit tcp any any eq www
access-list 105 permit tcp any any eq domain
access-list 105 permit udp any any eq domain
access-list 105 permit tcp any any eq 443
access-list 105 permit tcp any any eq 1433
access-list 105 permit udp any any eq 1433
access-list 105 permit tcp any any eq pop3
access-list 105 permit tcp any any eq 1723
access-list 105 permit udp any any eq 1723
access-list 105 permit tcp any any eq smtp
access-list 105 permit tcp any any eq 1701
access-list 105 permit tcp any any eq 5050
access-list 105 permit tcp any any eq 3389
access-list 105 permit gre any any
snmp-server engineID local 0000000902000050547D001F
snmp-server community domain RO
!
line con 0
 transport input none
line aux 0
line vty 0 4
 exec-timeout 35 0
 password 7
 session-limit 15
 login local
!
end

CERTIFIED EXPERT
Top Expert 2004
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
just to clarify did you mean the new 2600 just above this post?

Author

Commented:
also is the 208.x.x.x you refer too the 3600 for the target?
CERTIFIED EXPERT
Top Expert 2004

Commented:
Yes to both questions.

Author

Commented:
Thanks mike, this was a huge help, I hope to award you more points in the future as well :)

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.