Solved

Route traffic across T1 P2P as a secondary Internet connection

Posted on 2008-06-17
Last Modified: 2011-10-19
Two locations: (on/off site)

On Site:
192.168.1.x subnet
main router @ 192.168.1.1, routing traffic to internet and back just fine. (has a route defined for offsite subnet 7.x to go through 192.168.1.3)
secondary router(name=gw2) @ 192.168.1.3 connected to P2P to offsite location.
99 users pointing @ main router as gateway.
1 user pointing @ secondary router as gateway.

Offsite
192.168.7.x subnet
router (name = gw1) @ 192.168.7.1 connected to P2P to on site location, and Ethernet Internet.
6 users pointing @ router (gw1) as gateway.

Goal: if a user on site points their gateway to 192.168.1.3 (gw2), their internet traffic will route across the P2P T1 and out the internet connection @ the offsite location.

Question: How do I do this? aka What config changes do I need to make on one or both of these routers to make this happen?

Currently:

* User @ off site (192.168.7.x) can reach everything I want them to aka onsite (192.168.1.x) and internet.
* User @ on site (192.168.1.x) with gateway set to 192.168.1.1 can get to both subnets 192.168.1.x and 192.168.7.x and the internet (through the main Internet connection)
* User @ on site (192.168.1.x) with gateway set to 192.168.1.3 (gw2) can get to both subnets (7.x and 1.x) but cannot get to the internet (via the internet connection @ off site.)
* Pinging from the offsite router (gw1) I get a response from both subnets and the internet.
* Pinging from the onsite router (gw2) I get a response from both subnets but not the internet.

I have attached my running config for both routers.

(on another note, what are the possible debug commands I can use in the future or today to determine where my pings/packets/traffic is dying?)
gw1-running-config.txt
gw2-running-config.txt
Question by:Namtrok
Expert Comment

by:Hypercat (Deb)
ID: 21806010
Not gonna ask why you'd want to do this.... I think the only way you could get it to work would be to set a static route on the client to the 192.168.7.x subnet and then set the default gateway on that client to be 192.168.7.1 (the remote site router).

Your static route would be:

192.168.7.0   255.255.255.0   192.168.1.3

Then if you set the default gateway on the user's NIC to 192.168.7.1, it should route him through the 192.168.1.3 router to the 192.168.7.x subnet and then out to the Internet through the 192.168.7.1 router connection.

Give that a try.  
Expert Comment

by:Hypercat (Deb)
ID: 21806032
BTW, the simplest command to use for IP traffic and routing to see where it's dying is tracert.

tracert 192.168.7.1

Using that command on your client would trace the route between the client and the remote router, for example.  Using a tracert to an Internet host such as www.yahoo.com, would confirm the route being taken all the way to the Internet.
Author Comment

by:Namtrok
ID: 21806156
I have my reasons, one is in case our main ISP loses its connection etc. We still need a connection to the internet.

As for tracert and setting the static route on the clients, this is not the kind of fix(es) I'm looking for, I know the client/server side of life, I need help on the Cisco IOS side of networking.

I am certain that this router 192.168.1.3 should be able to route internet traffic across the T1 to the offsite router. I just don't know the commands/config to enable that to happen.
Expert Comment

by:Hypercat (Deb)
ID: 21806318
OK - I guess I misinterpreted. I'm not a Cisco expert, so I will bow out of the question and leave it to someone with more knowledge.
Expert Comment

by:litmuslogic
ID: 21809842
Ok, so on the Cisco side, the command similar to tracert above would be 'trace'.  You can type 'trace x.x.x.x', or you can just type 'trace' and let the box prompt you for the rest.


Now.  Give the following a shot:

Change the default route on gw2 to point to 10.1.1.2

In other words like this:

no ip route 0.0.0.0 0.0.0.0 69.87.157.169
ip route 0.0.0.0 0.0.0.0 10.1.1.2

also get rid of that recursive 69.0.0.0 route:

no ip route 69.0.0.0 255.255.255.248 10.10.10.2

Another issue that might be problematic is on gw1.  Take a look at the last statement of the access list.  I think that maybe your wildcards are off?  The IP address of 10.1.1.2, for example, which would be the source if you were to ping, say, google.com from gw2, would NOT pass that access list and thus would NOT get translated.  Maybe that line should be:

access-list 1 permit 10.0.0.0 0.255.255.255

or

access-list 1 permit 10.1.1.0 0.0.0.255



See if that works! :)

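As an added example (not from the original thread or from any of the posters), here is a small Python model of how a Cisco standard ACL evaluates a source address against a wildcard mask, which is the check litmuslogic is describing above: a 0 bit in the wildcard means that bit must equal the entry, a 1 bit means don't care, and an address that matches no entry falls to the implicit deny at the end of every ACL. The "wrong" ACL below, with a subnet mask typed where the wildcard belongs, is a constructed illustration of the kind of mistake the comment suspects; the actual line in gw1's config is not shown on this page.

```python
import ipaddress


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, entry: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: 0 bit = must equal the entry, 1 bit = don't care."""
    care = ~_ip(wildcard) & 0xFFFFFFFF          # bits that must be compared
    return (_ip(addr) & care) == (_ip(entry) & care)


def parse_standard_acl(text: str):
    """Parse 'access-list N permit|deny <addr> [wildcard] | host <addr> | any' lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue                             # skip blanks, comments, other config lines
        number, action = parts[1], parts[2]
        if parts[3] == "any":
            entries.append((number, action, "0.0.0.0", "255.255.255.255"))
        elif parts[3] == "host":
            entries.append((number, action, parts[4], "0.0.0.0"))
        else:                                    # plain address; IOS defaults a missing wildcard to 0.0.0.0
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
            entries.append((number, action, parts[3], wildcard))
    return entries


def acl_decision(entries, number: str, src: str):
    """First matching entry wins; no match is the implicit deny at the end of the list."""
    for n, action, entry, wildcard in entries:
        if n == number and wildcard_match(src, entry, wildcard):
            return action, f"{entry} {wildcard}"
    return "deny", "implicit deny"


# Constructed ACLs (hypothetical, not gw1's real config). The "wrong" one has a
# subnet mask where a wildcard belongs, so its second line only matches x.x.x.0.
ACL_WRONG = """\
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 1 permit 10.1.1.0 255.255.255.0
"""
ACL_RIGHT = """\
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
"""

# Sources that would hit gw1's NAT ACL: a 7.x host, both ends of the T1, and a 1.x host.
TEST_SOURCES = ["192.168.7.8", "10.1.1.1", "10.1.1.2", "192.168.1.7"]


def evaluate(acl_text: str, number: str = "1"):
    """Return {source: (action, matching entry)} for every test source."""
    entries = parse_standard_acl(acl_text)
    return {src: acl_decision(entries, number, src) for src in TEST_SOURCES}


if __name__ == "__main__":
    for label, acl in (("wrong wildcard", ACL_WRONG), ("corrected", ACL_RIGHT)):
        print(label)
        for src, (action, by) in evaluate(acl).items():
            print(f"  {src:<14} {action:<6} ({by})")
```

With the mistaken entry, 10.1.1.1 and 10.1.1.2 both fall through to the implicit deny and never reach the NAT process; with `0.0.0.255` they are permitted. Note that 192.168.1.7 is denied by both lists, which is the separate point kdearing raises further down about the 192.168.1.0 subnet not being covered by the NAT ACL at all.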
Expert Comment

by:kdearing
ID: 21810009
Looked over your router configs...

It appears the GW1 is the offsite and GW2 is the onsite.

You say there is "Ethernet internet" offsite, but is nowhere in the configs.
In fact it looks like it is not being used at all.

What is the LAN IP address of that "Ethernet internet" device?
What type of device is it?
What type of device is the onsite main router?

Once I get this info, I can provide config for fix your routing problems.
Author Comment

by:Namtrok
ID: 21811847
litmuslogic,

thanks for the help/suggestions

I made the changes you suggested, which was basically taking out the junk I put in there to try and test/make this work. I was stabbing in the dark and did not hit my target.

I have attached the (new) current running config from both routers since they both changed and I want to make sure I did what you suggested.

I'm still in the same spot. unable to ping/route traffic to internet from gw2 (while gw1 is happily pinging/routing traffic to the internet sticking its tongue out at me the whole time!)

I know how to use trace/traceroute on IOS but what I don't know is how to determine from another router if the traffic is hitting it and if its being dropped etc. so for example I ran the following commands from gw2 (which is the router unable to connect to the internet at this time)

gw2#traceroute 64.233.187.99

Type escape sequence to abort.
Tracing the route to 64.233.187.99

  1 10.1.1.2 16 msec
gw2#ping 64.233.187.99      

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.233.187.99, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

so it looks like I was able to get to 10.1.1.2 or at least it sent info to that ip (via the traceroute) but what I don't know/can't see/want the command(s) for is to run on gw1 while I'm sending a ping from gw2 to see the packets/routing/dropping/issues etc. in server world I want to see the log in realtime (tail -f /var/log/messages)


-----------------------------------------------
kdearing
you are correct with gw1 being the offsite router.
in the configs Ethernet0 on gw1 has a public IP.... that is where the internet connection is.
As for what physical series of Cisco routers these are, does that matter? It's IOS 12.2, which is the same no matter what hardware it's running on... maybe I'm wrong on this.
gw1-running-config-2008-06-18-a.txt
gw2-running-config-2008-06-18-a.txt
Expert Comment

by:kdearing
ID: 21812755
You're right, I had other configs open at the time and got mixed up. I apologize.

I think the problem you're having right now is that GW1 is only NAT'ing the 192.168.7.0 subnet.
There's nothing in the config telling it to NAT traffic from 192.168.1.0
Author Comment

by:Namtrok
ID: 21812967
kdearing,

now you're on the right track... I hadn't thought about natting... and so I entered the appropriate commands (or so I think) still no success... I have attached my new config from gw1, the only router where changes took place.

I imagine I don't need this line in there now:

access-list 1 permit 192.168.1.0 0.0.0.255


gw1-running-config-2008-06-18-b.txt
Expert Comment

by:kdearing
ID: 21813214
I'm not sure just adding "ip nat inside" to the S0 interface will work.
Take a look at this doc:
http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv.html
Author Comment

by:Namtrok
ID: 21814644
kdearing...

there are a lot of options in that document, I understand most of them but I was unable to find a specific "NAT two inside interfaces to one outside interface"

I did some searching on Google and found this article from ciscopress stating "Multiple inside interfaces are quite acceptable." http://www.ciscopress.com/articles/article.asp?p=25273&seqNum=4 

So two ip nat inside interfaces should be acceptable.

since I'm using overloading (PAT) I shouldn't need a pool of IP addys to NAT to, and I am using static for certain ip addys, but that should be just fine as well.

I tried on gw1 (offiste) to run debug commands to see the natting activity or the icmp activity and the terminal never flashed one piece of debug information.

here is what I tried on gw1 (while pinging an off site ip from gw2)
#debug ip icmp
#debug ip nat
(config)#logging console 7

what else do I need to enter to see the packets/natting activity?
Expert Comment

by:litmuslogic
ID: 21814742
Nam, here are some commands to troubleshoot NAT:

show ip nat trans
show ip nat trans detail


You can also do a 'debug ip packet', but please be careful -- this can generate a huge amount of output, to the point where you can't type on the console.  Whenever I do this, I usually do this from a telnet/ssh session rather than console.  This way you can still use the console to 'undebug all', in case you lose your vty.

Author Comment

by:Namtrok
ID: 21815280
ahh I figured out what I was missing to watch the logging traffic. I'm only using telnet as I am not in the same physical area... so I needed "terminal monitor" command. then all my debugging arrived on my screen (vty0).

using this I have this output from gw1 (offsite) while I was trying to ping through from gw2 to the internet... via gw1. first the IP debug... then the NAT debug... (this is actually the udp traffic for a host lookup to a valid dns server.)

*************************IP debug output from udp hostlookup from 192.168.1.3 (10.1.1.1) to 204.177.184.10*************************************
*Jun 19 20:20:46.218 EDT: IP: s=192.168.1.7 (Serial0), d=192.168.7.1, len 114, rcvd 4
*Jun 19 20:20:46.226 EDT: IP: s=192.168.7.1 (local), d=192.168.1.7 (Serial0), len 140, sending
*Jun 19 20:20:46.270 EDT: IP: s=192.168.1.7 (Serial0), d=192.168.7.1, len 114, rcvd 4
*Jun 19 20:20:46.278 EDT: IP: s=192.168.7.1 (local), d=192.168.1.7 (Serial0), len 139, sending
*Jun 19 20:20:46.334 EDT: IP: s=192.168.1.7 (Serial0), d=192.168.7.1, len 114, rcvd 4
*Jun 19 20:20:46.342 EDT: IP: s=192.168.7.1 (local), d=192.168.1.7 (Serial0), len 141, sending
*Jun 19 20:21:46.718 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.10 (Ethernet0), g=69.87.157.169, len 60, forward
*Jun 19 20:21:49.722 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.10 (Ethernet0), g=69.87.157.169, len 60, forward
*Jun 19 20:21:52.722 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.10 (Ethernet0), g=69.87.157.169, len 60, forward
*Jun 19 20:21:55.722 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.10 (Ethernet0), g=69.87.157.169, len 70, forward
*Jun 19 20:21:58.718 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.10 (Ethernet0), g=69.87.157.169, len 70, forward
*Jun 19 20:22:01.718 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.10 (Ethernet0), g=69.87.157.169, len 70, forward
*Jun 19 20:22:04.722 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.15 (Ethernet0), g=69.87.157.169, len 60, forward
*Jun 19 20:22:07.718 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.15 (Ethernet0), g=69.87.157.169, len 60, forward
*Jun 19 20:22:10.718 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.15 (Ethernet0), g=69.87.157.169, len 60, forward
*Jun 19 20:22:13.722 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.15 (Ethernet0), g=69.87.157.169, len 70, forward
*Jun 19 20:22:16.722 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.15 (Ethernet0), g=69.87.157.169, len 70, forward
*Jun 19 20:22:19.726 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.15 (Ethernet0), g=69.87.157.169, len 70, forward
*Jun 19 20:22:50.630 EDT: IP: s=74.208.70.179 (Ethernet0), d=69.87.157.170 (Ethernet0), len 84, rcvd 3
*Jun 19 20:22:50.630 EDT: ICMP: echo reply sent, src 69.87.157.170, dst 74.208.70.179
*Jun 19 20:22:50.630 EDT: IP: s=69.87.157.170 (local), d=74.208.70.179 (Ethernet0), len 84, sending
*Jun 19 20:22:51.630 EDT: IP: s=74.208.70.179 (Ethernet0), d=69.87.157.170 (Ethernet0), len 84, rcvd 3
*Jun 19 20:22:51.630 EDT: ICMP: echo reply sent, src 69.87.157.170, dst 74.208.70.179
*Jun 19 20:22:51.630 EDT: IP: s=69.87.157.170 (local), d=74.208.70.179 (Ethernet0), len 84, sending
*Jun 19 20:22:52.634 EDT: IP: s=74.208.70.179 (Ethernet0), d=69.87.157.170 (Ethernet0), len 84, rcvd 3
*Jun 19 20:22:52.634 EDT: ICMP: echo reply sent, src 69.87.157.170, dst 74.208.70.179
*Jun 19 20:22:52.634 EDT: IP: s=69.87.157.170 (local), d=74.208.70.179 (Ethernet0), len 84, sending
*Jun 19 20:22:53.630 EDT: IP: s=74.208.70.179 (Ethernet0), d=69.87.157.170 (Ethernet0), len 84, rcvd 3
*Jun 19 20:22:53.634 EDT: ICMP: echo reply sent, src 69.87.157.170, dst 74.208.70.179
*Jun 19 20:22:53.634 EDT: IP: s=69.87.157.170 (local), d=74.208.70.179 (Ethernet0), len 84, sending
*Jun 19 20:22:54.634 EDT: IP: s=74.208.70.179 (Ethernet0), d=69.87.157.170 (Ethernet0), len 84, rcvd 3
*Jun 19 20:22:54.634 EDT: ICMP: echo reply sent, src 69.87.157.170, dst 74.208.70.179
*************************END IP debug output *************************************

*************************NAT debug output from udp hostlookup from 192.168.1.3 (10.1.1.1) to 204.177.184.10*************************************
*Jun 19 20:24:48.566 EDT: NAT: Allocated Port for 10.1.1.1 -> 10.1.1.2: wanted 57285 got 57285
*Jun 19 20:24:48.570 EDT: NAT: i: udp (10.1.1.1, 57285) -> (204.177.184.10, 53) [0]
*Jun 19 20:24:48.570 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [0]
*Jun 19 20:24:51.570 EDT: NAT: i: udp (10.1.1.1, 57285) -> (204.177.184.10, 53) [1]
*Jun 19 20:24:51.570 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [1]
*Jun 19 20:24:54.562 EDT: NAT: i: udp (10.1.1.1, 57285) -> (204.177.184.10, 53) [2]
*Jun 19 20:24:54.566 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [2]
*Jun 19 20:24:57.566 EDT: NAT: i: udp (10.1.1.1, 57285) -> (204.177.184.10, 53) [3]
*Jun 19 20:24:57.566 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [3]
*Jun 19 20:25:00.574 EDT: NAT: i: udp (10.1.1.1, 57285) -> (204.177.184.10, 53) [4]
*Jun 19 20:25:00.574 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [4]
*Jun 19 20:25:03.570 EDT: NAT: i: udp (10.1.1.1, 57285) -> (204.177.184.10, 53) [5]
*Jun 19 20:25:03.570 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [5]
*Jun 19 20:25:06.582 EDT: NAT: Allocated Port for 10.1.1.1 -> 10.1.1.2: wanted 50135 got 50135
*Jun 19 20:25:06.582 EDT: NAT: i: udp (10.1.1.1, 50135) -> (204.177.184.15, 53) [0]
*Jun 19 20:25:06.582 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.15 [0]
*Jun 19 20:25:09.566 EDT: NAT: i: udp (10.1.1.1, 50135) -> (204.177.184.15, 53) [1]
*Jun 19 20:25:09.566 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.15 [1]
*Jun 19 20:25:12.566 EDT: NAT: i: udp (10.1.1.1, 50135) -> (204.177.184.15, 53) [2]
*Jun 19 20:25:12.570 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.15 [2]
#comment: the following is from traffic on 7.x network, a successful translation
*Jun 19 20:25:14.378 EDT: NAT: i: tcp (192.168.7.8, 3512) -> (194.109.20.90, 6669) [37762]
*Jun 19 20:25:14.378 EDT: NAT: s=192.168.7.8->69.87.157.171, d=194.109.20.90 [37762]
*Jun 19 20:25:14.490 EDT: NAT*: o: tcp (194.109.20.90, 6669) -> (69.87.157.171, 3512) [17263]
*Jun 19 20:25:14.490 EDT: NAT*: s=194.109.20.90, d=69.87.157.171->192.168.7.8 [17263]
*Jun 19 20:25:15.098 EDT: NAT*: o: tcp (194.109.20.90, 6669) -> (69.87.157.171, 3512) [19273]
*Jun 19 20:25:15.098 EDT: NAT*: s=194.109.20.90, d=69.87.157.171->192.168.7.8 [19273]
*Jun 19 20:25:15.098 EDT: NAT: i: tcp (192.168.7.8, 3512) -> (194.109.20.90, 6669) [37763]
*Jun 19 20:25:15.098 EDT: NAT: s=192.168.7.8->69.87.157.171, d=194.109.20.90 [37763]
#comment: and back to my udp/ping traffic (trying to do a host lookup)
*Jun 19 20:25:15.578 EDT: NAT: i: udp (10.1.1.1, 50135) -> (204.177.184.15, 53) [3]
*Jun 19 20:25:15.578 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.15 [3]
*Jun 19 20:25:18.566 EDT: NAT: i: udp (10.1.1.1, 50135) -> (204.177.184.15, 53) [4]
*Jun 19 20:25:18.566 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.15 [4]
*Jun 19 20:25:21.566 EDT: NAT: i: udp (10.1.1.1, 50135) -> (204.177.184.15, 53) [5]
*Jun 19 20:25:21.566 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.15 [5]
*************************END NAT debug output *************************************

does this help any?


Author Comment

by:Namtrok
ID: 21815548
I looked at this in a new light... I have one Internet connection... and two routers with two subnets hanging off of each router, traffic is routed from the 7.x subnet, how do I route traffic from the 1.x network. Is it an issue of double NAT ?

Here is an ascii diagram of what I'm trying to do.
                 ______________
                |              |---------- 192.168.7.x network/subnet
ISP-------------| gw1 (offsite)|                 ________________
                |______________|----P2P T1------|                |
                                                | gw2 (onsite)   |
                                                |________________|---------- 192.168.1.x network/subnet
Accepted Solution

by: litmuslogic (earned 350 total points)
ID: 21815632
Ok, try this:

undo the following line:

ip nat inside source list 2 interface Serial0 overload

and change it to

ip nat inside source list 2 interface Ethernet0 overload

Because, even though the traffic is sourced from 10.1.1.0/24 you still want it to be translated to Ethernet's IP, right?
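The debug ip nat capture posted earlier and the accepted fix above fit together: the capture shows gw1 translating 10.1.1.1 to 10.1.1.2, Serial0's own address, which is RFC 1918 space that the ISP has no route back to, while the 192.168.7.8 flow is translated to a public address and does get return packets. As an added example that is not part of the thread, here is a Python script that parses lines in that debug ip nat format and flags exactly those two symptoms: an inside-global address that is private, and a translation with outbound packets but no return traffic. The sample lines are copied from the gw1 capture posted above; reading the "NAT: s=...->..., d=..." form as outbound and the "NAT*: s=..., d=...->..." form as return traffic is my interpretation of that output, not something taken from Cisco documentation.

```python
import ipaddress
import re

# Outbound translation as printed by 'debug ip nat': s=<inside local>-><inside global>, d=<destination>
OUT_RE = re.compile(r"NAT\*?: s=(?P<local>[\d.]+)->(?P<glob>[\d.]+), d=(?P<dst>[\d.]+)")
# Return traffic: s=<remote host>, d=<inside global>-><inside local>
IN_RE = re.compile(r"NAT\*?: s=(?P<src>[\d.]+), d=(?P<glob>[\d.]+)->(?P<local>[\d.]+)")

# Lines copied from the gw1 capture posted in this thread: a DNS lookup from gw2
# (translated to Serial0's 10.1.1.2) and a 192.168.7.x TCP flow (translated to a public IP).
SAMPLE_DEBUG = """\
*Jun 19 20:24:48.570 EDT: NAT: i: udp (10.1.1.1, 57285) -> (204.177.184.10, 53) [0]
*Jun 19 20:24:48.570 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [0]
*Jun 19 20:24:51.570 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [1]
*Jun 19 20:24:54.566 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [2]
*Jun 19 20:25:14.378 EDT: NAT: s=192.168.7.8->69.87.157.171, d=194.109.20.90 [37762]
*Jun 19 20:25:14.490 EDT: NAT*: s=194.109.20.90, d=69.87.157.171->192.168.7.8 [17263]
*Jun 19 20:25:15.098 EDT: NAT*: s=194.109.20.90, d=69.87.157.171->192.168.7.8 [19273]
*Jun 19 20:25:15.098 EDT: NAT: s=192.168.7.8->69.87.157.171, d=194.109.20.90 [37763]
"""


def summarize_nat_debug(text: str):
    """Count outbound and return packets per (inside local, inside global) pair."""
    flows = {}
    for line in text.splitlines():
        m = OUT_RE.search(line)
        direction = "out"
        if m is None:
            m = IN_RE.search(line)
            direction = "in"
        if m is None:
            continue                          # 'NAT: i: udp ...' and similar lines carry no mapping
        key = (m["local"], m["glob"])
        flows.setdefault(key, {"out": 0, "in": 0})[direction] += 1
    return flows


def audit_nat_debug(text: str):
    """Flag inside-global addresses that cannot work: RFC 1918 space, or no return packets at all."""
    report = []
    for (local, glob), counts in summarize_nat_debug(text).items():
        problems = []
        if ipaddress.IPv4Address(glob).is_private:
            problems.append(f"inside global {glob} is private address space; the ISP will not route replies to it")
        if counts["out"] and not counts["in"]:
            problems.append(f"{counts['out']} packets out, none back")
        report.append({"inside_local": local, "inside_global": glob,
                       "out": counts["out"], "in": counts["in"], "problems": problems})
    return report


if __name__ == "__main__":
    for row in audit_nat_debug(SAMPLE_DEBUG):
        status = "OK" if not row["problems"] else "; ".join(row["problems"])
        print(f"{row['inside_local']:<14} -> {row['inside_global']:<15} "
              f"out={row['out']} in={row['in']}  {status}")
```

Run against the posted capture it reports the 10.1.1.1 -> 10.1.1.2 translation as both private and reply-less, and the 192.168.7.8 -> 69.87.157.171 translation as healthy. After the fix (`ip nat inside source list 2 interface Ethernet0 overload`) a fresh `debug ip nat` or `show ip nat translations` on gw1 should show the 10.1.1.x sources mapped to Ethernet0's public address, and the same parser should then report return packets for them.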
Expert Comment

by:litmuslogic
ID: 21815705
"Is it a question of double NAT..."  

"Double" NAT is possible, but not advisable -- it can 'break' certain applications and protocols.  On the other hand, it is rarely, if ever, required.  You can use a single IP address to 'masquerade' as many IP subnets as you would like.  Your only practical limitation is the amount of memory in the router.  If you have a box with enough RAM in it, it will happily support as many simultaneous translations as you have TCP and/or UDP ports -- roughly 64k each.
Author Comment

by:Namtrok
ID: 21815918
litmuslogic...

your last comment fixed it...

ip nat inside source list 2 interface Ethernet0 overload

I got so excited that I got sidetracked and forgot to inform you of this success... problem solved!

Thank you for your help!
Author Closing Comment

by:Namtrok
ID: 31468522
You rock! I really appreciate the help on this!
Expert Comment

by:litmuslogic
ID: 21816067
Glad to help!  Enjoy! :)