• Status: Solved

What is wrong with my CISCO 1841 configuration

I need urgent help setting up my 1841 CISCO routers. Below is the structure of the plan. We are in the process of upgrading our old network, which is totally non-domain.

This is a test lab.

In the head office we have 2 different types of networks. One is a Windows domain network and the other is an Apple workgroup network. These two networks are physically separated. The same also applies in the branch office.

For internet we are using ISA 2006 as the front-end firewall for the Windows domain and the Apple workgroup. All the Windows domain clients are SNAT clients of ISA 2006. We do not have an Exchange server.

The entire subnet is 255.255.255.0. The Windows domain group consists of 192.168.2.0/24 in the head office and 192.168.3.0/24 at the branch office. They are all on the same domain, named fourfilms.com. For this domain I have an ISA 2006 front-end firewall through which internet is given to all the clients in the head office and branch.

The Apple workgroup consists of 192.168.0.0/24 at the head office and 192.168.4.0/24 at the branch. For this workgroup I have another ISA 2006 front-end firewall through which internet is given to the clients.

Now I have a CISCO 1841 router in the head office and in the branch. It has 3 routed Ethernet ports. Below are the details: 192.168.0.0/24 is for the Apple workgroup. 192.168.2.0/24 is for the Windows domain.

4FILMSHQ#
Current configuration : 946 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 4FILMSHQ
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$d8VC$EgzKpLWREpWrMBKL0O58i.
!
no aaa new-model
ip cef
!
!
!
!
ip domain name fourfilms.com
ip name-server 192.168.2.2
multilink bundle-name authenticated
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.0.7 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 ip address 192.168.20.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 192.168.3.0 255.255.255.0 FastEthernet0/0/0
ip route 192.168.4.0 255.255.255.0 FastEthernet0/0/0
!
!
no ip http server
!
!
!
control-plane
!
!
line con 0
 password 7 11040F130502000B162C72
 login
line aux 0
line vty 0 4
 password 7 00090510164B00011D2715
 login
scheduler allocate 20000 1000
end

The details of the CISCO router in the branch office are:
192.168.3.0/24 is for the Windows domain. 192.168.4.0/24 is for the Apple workgroup.

4FILMSBRN#
Current configuration : 947 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 4FILMSBRN
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$y/57$kgtzsXRI7wMCZ0VyQS1ZO/
!
no aaa new-model
ip cef
!
!
!
!
ip domain name fourfilms.com
ip name-server 192.168.2.2
multilink bundle-name authenticated
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.4.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 ip address 192.168.20.2 255.255.255.0
 duplex auto
 speed auto
!
ip route 192.168.0.0 255.255.255.0 FastEthernet0/0/0
ip route 192.168.2.0 255.255.255.0 FastEthernet0/0/0
!
!
no ip http server
!
!
control-plane
!
!
line con 0
 password 7 03094D1D141F2A4B5C0F40
 login
line aux 0
line vty 0 4
 password 7 11040F130502000B162C72
 login
!
scheduler allocate 20000 1000
end


Now this is my problem. Only the clients who are on 192.168.2.0/24 can access internet and email through Outlook. Others can access internet but cannot access email through Outlook. I feel that something is wrong with my CISCO 1841 router configuration.
0
Asked by: Zacharia Kurian
Zacharia Kurian (Author) Commented:
Hi, no one out there?
0
 
The_R0CK Commented:
Hi, what is the default gateway you use on the PCs at the two sites? Also, what is the IP address of the email server?

I am assuming that you have the PCs' default gateway pointing to the ISA server, correct? In this case, does the ISA server have the correct routes applied to send non-internet traffic to the 1841 routers?

I would recommend that from both sites you do some ping tests and post the results. Such as:
ping from remote site (192.168.3.X & 192.168.4.X) to main site (192.168.0.X & 192.168.2.X). Does this work? From the remote site, can you ping the email server?
0
 
Zacharia Kurian (Author) Commented:
We do not have an Exchange server yet. But we do have a website hosted outside, and they provide us email. Their mail server IP is 198.173.91.83. In Outlook we normally enter this IP as the incoming and outgoing server, and this works fine with 192.168.2.0/24 users.

All the clients are SNAT clients of ISA, i.e. the IP of the ISA server, which is 192.168.2.22, is set as the default gateway on all the clients. In the ISA server I have added 192.168.0.0 mask 255.255.0.0 192.168.2.1 as the persistent route (classless).

Ping from remote site (192.168.3.X & 192.168.4.X) to main site (192.168.0.X & 192.168.2.X) works fine. Even nslookup works fine. But when I try to ping any websites (including the mail server 198.173.91.83) from 192.168.0.0/24, 192.168.3.0/24 or 192.168.4.0/24, it says destination is unreachable.
0

 
The_R0CK Commented:
What I would try doing is putting a default route on your 1841s. This would tell the router where to pass all traffic which is destined for non-internal networks.

IE: Put this on the main site 1841
ip route 0.0.0.0 0.0.0.0 192.168.2.22

IE: Put this on the remote site 1841
ip route 0.0.0.0 0.0.0.0 192.168.20.1

You should also try changing your default gateway to the router instead of the ISA. Routing is the router's job :) So by doing this, the router will know of all internal networks, due to static routes and directly connected interfaces, and using the default route (as above) the router will know to pass all non-internal destined traffic to the ISA. This should mean internet, email and intersite communication for everyone... Try it out and let me know....
0
 
Zacharia Kurian (Author) Commented:
Hi,

Thanks a million, and it works!

Now just one more doubt. Since I have 2 ISA servers (one for the Apple workgroup, which belongs to 192.168.0.0/24, ISA IP 192.168.0.22), do I have to add ip route 0.0.0.0 0.0.0.0 192.168.0.22 too, apart from 0.0.0.0 0.0.0.0 192.168.2.22?

Also, do I have to remove the classless static route from the ISA server (192.168.2.22), which is 192.168.0.0 mask 255.255.0.0 192.168.2.1?

Please do give me a clarification.
0
 
The_R0CK Commented:
OK, that's great...

I'm guessing the problem was that the ISA servers did not have the complete routes required for all of your networks; however, it is certainly better to let the Cisco routers handle the routing. I believe the ISA servers will still need routing, as they must know about your internal networks. For example, if a user from 192.168.4.X sends some traffic to the ISA 192.168.0.22, because the traffic is coming from a different network than the ISA itself, the ISA must know how to send the traffic back. In this case you would need a route on the ISA saying: to get to 192.168.4.X use 192.168.0.7, then the 1841 will take care of the rest... Does that make sense?

Dealing with two internet connections (or in this case two ISA servers) is a little complicated. You cannot add a second default route because there can be only 1 "default" route; the second route will be ignored.
So to achieve this you must implement "policy based routing" (PBR). PBR works on the Cisco router and would basically do the following:
If traffic is from 192.168.2.X, pass it to 192.168.2.22
If traffic is from 192.168.0.X, pass it to 192.168.0.22
All other traffic is excluded from this rule.

I believe it may also be possible to manage this on the first ISA server (192.168.2.22). In this case all internet traffic would hit the first ISA (192.168.2.22), and the ISA would then look at the source of the traffic; if it is from 192.168.0.X, it would pass it to the 192.168.0.22 ISA. However, I believe this to be quite messy, and if the first ISA is down then both will be down, as all traffic is reliant on the first ISA. Also, I don't actually know ISA well enough to assist with that either.

So I would suggest that the PBR option is the best bet; however, you would need to tackle that subject :)
0
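The policy-based routing rules described in the answer above, written out as IOS configuration for the head-office 1841. This is an added example and not part of the original thread: the ACL numbers and route-map names are assumptions, and it assumes the clients use the router interfaces (192.168.2.1 and 192.168.0.7) as their default gateway, as suggested earlier in the thread.

```cisco
! Added example (constructed, not from the thread): PBR on the HQ 1841.
! ACL numbers 110/120 and the route-map names are assumptions.
!
! Windows domain clients: leave traffic to internal 192.168.x.x networks
! to the normal routing table, policy-route everything else.
access-list 110 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
!
! Apple workgroup clients: same split, different source subnet.
access-list 120 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
!
! "If traffic is from 192.168.2.X, pass it to 192.168.2.22"
route-map WINDOWS-TO-ISA permit 10
 match ip address 110
 set ip next-hop 192.168.2.22
!
! "If traffic is from 192.168.0.X, pass it to 192.168.0.22"
route-map APPLE-TO-ISA permit 10
 match ip address 120
 set ip next-hop 192.168.0.22
!
! PBR is evaluated on the interface where the packet enters the router.
interface FastEthernet0/0
 ip policy route-map WINDOWS-TO-ISA
!
interface FastEthernet0/1
 ip policy route-map APPLE-TO-ISA
!
! "All other traffic is excluded from this rule": packets that match no
! route-map clause (for example, traffic arriving from the branch on
! FastEthernet0/0/0) follow the routing table, including the single
! default route already suggested in the thread.
ip route 0.0.0.0 0.0.0.0 192.168.2.22
```

After applying it, `show ip policy` lists which interfaces have a route-map attached and `show route-map` shows per-clause match counters, which confirms whether traffic from each subnet is actually being policy-routed.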
