Solved

Route traffic across T1 P2P as a secondary Internet connection

Posted on 2008-06-17
470 Views
Last Modified: 2011-10-19
Two locations: (on/off site)

On Site:
192.168.1.x subnet
main router @ 192.168.1.1, routing traffic to internet and back just fine. (has a route defined for offsite subnet 7.x to go through 192.168.1.3)
secondary router(name=gw2) @ 192.168.1.3 connected to P2P to offsite location.
99 users pointing @ main router as gateway.
1 user pointing @ secondary router as gateway.

Offsite
192.168.7.x subnet
router (name = gw1) @ 192.168.7.1 connected to P2P to on site location, and Ethernet Internet.
6 users pointing @ router (gw1) as gateway.

Goal: if a user on site points their gateway to 192.168.1.3 (gw2), their internet traffic will route across the P2P T1 and out the internet connection @ the offsite location.

Question: How do I do this? aka What config changes do I need to make on one or both of these routers to make this happen?

Currently:

* User @ off site (192.168.7.x) can reach everything I want them to aka onsite (192.168.1.x) and internet.
* User @ on site (192.168.1.x) with gateway set to 192.168.1.1 can get to both subnets 192.168.1.x and 192.168.7.x and the internet (through the main Internet connection)
* User @ on site (192.168.1.x) with gateway set to 192.168.1.3 (gw2) can get to both subnets (7.x and 1.x) but cannot get to the internet (via the internet connection @ off site.)
* Pinging from the offsite router (gw1) I get a response from both subnets and the internet.
* Pinging from the onsite router (gw2) I get a response from both subnets but not the internet.

I have attached my running config for both routers.

(On another note, what are the possible debug commands I can use, today or in the future, to determine where my pings/packets/traffic are dying?)
gw1-running-config.txt
gw2-running-config.txt
Question by: Namtrok

19 Comments

LVL 38
Expert Comment
by: Hypercat (Deb)
Not gonna ask why you'd want to do this.... I think the only way you could get it to work would be to set a static route on the client to the 192.168.7.x subnet and then set the default gateway on that client to be 192.168.7.1 (the remote site router).

Your static route would be:

192.168.7.0   255.255.255.0   192.168.1.3

Then if you set the default gateway on the user's NIC to 192.168.7.1, it should route him through the 192.168.1.3 router to the 192.168.7.x subnet and then out to the Internet through the 192.168.7.1 router connection.

Give that a try.  

LVL 38
Expert Comment
by: Hypercat (Deb)
BTW, the simplest command to use for IP traffic and routing to see where it's dying is tracert.

tracert 192.168.7.1

Using that command on your client would trace the route between the client and the remote router, for example.  Using a tracert to an Internet host such as www.yahoo.com, would confirm the route being taken all the way to the Internet.

LVL 1
Author Comment
by: Namtrok
I have my reasons, one is in case our main ISP loses its connection etc. We still need a connection to the internet.

As for tracert and setting the static route on the clients, this is not the kind of fix(es) I'm looking for, I know the client/server side of life, I need help on the Cisco IOS side of networking.

I am certain that this router 192.168.1.3 should be able to route internet traffic across the T1 to the offsite router. I just don't know the commands/config to enable that to happen.

LVL 38
Expert Comment
by: Hypercat (Deb)
OK - I guess I misinterpreted. I'm not a Cisco expert, so I will bow out of the question and leave it to someone with more knowledge.

LVL 2
Expert Comment
by: litmuslogic
Ok, so on the Cisco side, the command similar to tracert above would be 'trace'.  You can type 'trace x.x.x.x', or you can just type 'trace' and let the box prompt you for the rest.


Now.  Give the following a shot:

Change the default route on gw2 to point to 10.1.1.2

In other words like this:

no ip route 0.0.0.0 0.0.0.0 69.87.157.169
ip route 0.0.0.0 0.0.0.0 10.1.1.2

also get rid of that recursive 69.0.0.0 route:

no ip route 69.0.0.0 255.255.255.248 10.10.10.2

Another issue that might be problematic is on gw1.  Take a look at the last statement of the access list.  I think that maybe your wildcards are off?  The IP address of 10.1.1.2, for example, which would be the source if you were to ping, say, google.com from gw2, would NOT pass that access list and thus would NOT get translated.  Maybe that line should be:

access-list 1 permit 10.0.0.0 0.255.255.255

or

access-list 1 permit 10.1.1.0 0.0.0.255



See if that works! :)

LVL 13
Expert Comment
by: kdearing
Looked over your router configs...

It appears the GW1 is the offsite and GW2 is the onsite.

You say there is "Ethernet internet" offsite, but is nowhere in the configs.
In fact it looks like it is not being used at all.

What is the LAN IP address of that "Ethernet internet" device?
What type of device is it?
What type of device is the onsite main router?

Once I get this info, I can provide config to fix your routing problems.

LVL 1
Author Comment
by: Namtrok
litmuslogic,

thanks for the help/suggestions

I made the changes you suggested, which was basically taking out the junk I put in there to try and test/make this work. I was stabbing in the dark and did not hit my target.

I have attached the (new) current running config from both routers since they both changed and I want to make sure I did what you suggested.

I'm still in the same spot: unable to ping/route traffic to the internet from gw2 (while gw1 is happily pinging/routing traffic to the internet, sticking its tongue out at me the whole time!)

I know how to use trace/traceroute on IOS, but what I don't know is how to determine from another router if the traffic is hitting it and if it's being dropped etc. So for example I ran the following commands from gw2 (which is the router unable to connect to the internet at this time):

gw2#traceroute 64.233.187.99

Type escape sequence to abort.
Tracing the route to 64.233.187.99

  1 10.1.1.2 16 msec
gw2#ping 64.233.187.99      

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.233.187.99, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

So it looks like I was able to get to 10.1.1.2, or at least it sent info to that IP (via the traceroute), but what I don't know/can't see/want the command(s) for is what to run on gw1 while I'm sending a ping from gw2 to see the packets/routing/dropping/issues etc. In server world I want to see the log in real time (tail -f /var/log/messages).


-----------------------------------------------
kdearing
you are correct with gw1 being the offsite router.
in the configs Ethernet0 on gw1 has a public IP.... that is where the internet connection is.
As for what physical series of Cisco routers these are, does that matter? It's IOS 12.2, which is the same no matter what hardware it's running on... maybe I'm wrong on this.
gw1-running-config-2008-06-18-a.txt
gw2-running-config-2008-06-18-a.txt

LVL 13
Expert Comment
by: kdearing
You're right, I had other configs open at the time and got mixed up. I apologize.

I think the problem you're having right now is that GW1 is only NAt'ing the 192.168.7.0 subnet.
There's nothing in the config telling it to NAT traffic from 192.168.1.0

LVL 1
Author Comment
by: Namtrok
kdearing,

Now you're on the right track... I hadn't thought about NATting... and so I entered the appropriate commands (or so I think), still no success... I have attached my new config from gw1, the only router where changes took place.

I imagine I don't need this line in there now:

access-list 1 permit 192.168.1.0 0.0.0.255


gw1-running-config-2008-06-18-b.txt

LVL 13
Expert Comment
by: kdearing
I'm not sure just adding "ip nat inside" to the S0 interface will work.
Take a look at this doc:
http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv.html

LVL 1
Author Comment
by: Namtrok
kdearing...

There are a lot of options in that document. I understand most of them, but I was unable to find a specific "NAT two inside interfaces to one outside interface".

I did some searching on Google and found this article from ciscopress stating "Multiple inside interfaces are quite acceptable." http://www.ciscopress.com/articles/article.asp?p=25273&seqNum=4

So two ip nat inside interfaces should be acceptable.

Since I'm using overloading (PAT) I shouldn't need a pool of IP addys to NAT to, and I am using static for certain IP addys, but that should be just fine as well.

I tried on gw1 (offsite) to run debug commands to see the NATting activity or the ICMP activity, and the terminal never flashed one piece of debug information.

Here is what I tried on gw1 (while pinging an offsite IP from gw2):
#debug ip icmp
#debug ip nat
(config)#logging console 7

What else do I need to enter to see the packets/NATting activity?

LVL 2
Expert Comment
by: litmuslogic
Nam, here are some commands to troubleshoot NAT:

show ip nat trans
show ip nat trans detail


You can also do a 'debug ip packet', but please be careful -- this can generate a huge amount of output, to the point where you can't type on the console.  Whenever I do this, I usually do this from a telnet/ssh session rather than console.  This way you can still use the console to 'undebug all', in case you lose your vty.

LVL 1
Author Comment
by: Namtrok
Ahh, I figured out what I was missing to watch the logging traffic. I'm only using telnet as I am not in the same physical area... so I needed the "terminal monitor" command. Then all my debugging arrived on my screen (vty0).

Using this I have this output from gw1 (offsite) while I was trying to ping through from gw2 to the internet... via gw1. First the IP debug... then the NAT debug... (this is actually the UDP traffic for a host lookup to a valid DNS server).

*************************IP debug output from udp hostlookup from 192.168.1.3 (10.1.1.1) to 204.177.184.10*************************************
*Jun 19 20:20:46.218 EDT: IP: s=192.168.1.7 (Serial0), d=192.168.7.1, len 114, rcvd 4
*Jun 19 20:20:46.226 EDT: IP: s=192.168.7.1 (local), d=192.168.1.7 (Serial0), len 140, sending
*Jun 19 20:20:46.270 EDT: IP: s=192.168.1.7 (Serial0), d=192.168.7.1, len 114, rcvd 4
*Jun 19 20:20:46.278 EDT: IP: s=192.168.7.1 (local), d=192.168.1.7 (Serial0), len 139, sending
*Jun 19 20:20:46.334 EDT: IP: s=192.168.1.7 (Serial0), d=192.168.7.1, len 114, rcvd 4
*Jun 19 20:20:46.342 EDT: IP: s=192.168.7.1 (local), d=192.168.1.7 (Serial0), len 141, sending
*Jun 19 20:21:46.718 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.10 (Ethernet0), g=69.87.157.169, len 60, forward
*Jun 19 20:21:49.722 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.10 (Ethernet0), g=69.87.157.169, len 60, forward
*Jun 19 20:21:52.722 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.10 (Ethernet0), g=69.87.157.169, len 60, forward
*Jun 19 20:21:55.722 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.10 (Ethernet0), g=69.87.157.169, len 70, forward
*Jun 19 20:21:58.718 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.10 (Ethernet0), g=69.87.157.169, len 70, forward
*Jun 19 20:22:01.718 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.10 (Ethernet0), g=69.87.157.169, len 70, forward
*Jun 19 20:22:04.722 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.15 (Ethernet0), g=69.87.157.169, len 60, forward
*Jun 19 20:22:07.718 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.15 (Ethernet0), g=69.87.157.169, len 60, forward
*Jun 19 20:22:10.718 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.15 (Ethernet0), g=69.87.157.169, len 60, forward
*Jun 19 20:22:13.722 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.15 (Ethernet0), g=69.87.157.169, len 70, forward
*Jun 19 20:22:16.722 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.15 (Ethernet0), g=69.87.157.169, len 70, forward
*Jun 19 20:22:19.726 EDT: IP: s=10.1.1.2 (Serial0), d=204.177.184.15 (Ethernet0), g=69.87.157.169, len 70, forward
*Jun 19 20:22:50.630 EDT: IP: s=74.208.70.179 (Ethernet0), d=69.87.157.170 (Ethernet0), len 84, rcvd 3
*Jun 19 20:22:50.630 EDT: ICMP: echo reply sent, src 69.87.157.170, dst 74.208.70.179
*Jun 19 20:22:50.630 EDT: IP: s=69.87.157.170 (local), d=74.208.70.179 (Ethernet0), len 84, sending
*Jun 19 20:22:51.630 EDT: IP: s=74.208.70.179 (Ethernet0), d=69.87.157.170 (Ethernet0), len 84, rcvd 3
*Jun 19 20:22:51.630 EDT: ICMP: echo reply sent, src 69.87.157.170, dst 74.208.70.179
*Jun 19 20:22:51.630 EDT: IP: s=69.87.157.170 (local), d=74.208.70.179 (Ethernet0), len 84, sending
*Jun 19 20:22:52.634 EDT: IP: s=74.208.70.179 (Ethernet0), d=69.87.157.170 (Ethernet0), len 84, rcvd 3
*Jun 19 20:22:52.634 EDT: ICMP: echo reply sent, src 69.87.157.170, dst 74.208.70.179
*Jun 19 20:22:52.634 EDT: IP: s=69.87.157.170 (local), d=74.208.70.179 (Ethernet0), len 84, sending
*Jun 19 20:22:53.630 EDT: IP: s=74.208.70.179 (Ethernet0), d=69.87.157.170 (Ethernet0), len 84, rcvd 3
*Jun 19 20:22:53.634 EDT: ICMP: echo reply sent, src 69.87.157.170, dst 74.208.70.179
*Jun 19 20:22:53.634 EDT: IP: s=69.87.157.170 (local), d=74.208.70.179 (Ethernet0), len 84, sending
*Jun 19 20:22:54.634 EDT: IP: s=74.208.70.179 (Ethernet0), d=69.87.157.170 (Ethernet0), len 84, rcvd 3
*Jun 19 20:22:54.634 EDT: ICMP: echo reply sent, src 69.87.157.170, dst 74.208.70.179
*************************END IP debug output *************************************

*************************NAT debug output from udp hostlookup from 192.168.1.3 (10.1.1.1) to 204.177.184.10*************************************
*Jun 19 20:24:48.566 EDT: NAT: Allocated Port for 10.1.1.1 -> 10.1.1.2: wanted 57285 got 57285
*Jun 19 20:24:48.570 EDT: NAT: i: udp (10.1.1.1, 57285) -> (204.177.184.10, 53) [0]
*Jun 19 20:24:48.570 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [0]
*Jun 19 20:24:51.570 EDT: NAT: i: udp (10.1.1.1, 57285) -> (204.177.184.10, 53) [1]
*Jun 19 20:24:51.570 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [1]
*Jun 19 20:24:54.562 EDT: NAT: i: udp (10.1.1.1, 57285) -> (204.177.184.10, 53) [2]
*Jun 19 20:24:54.566 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [2]
*Jun 19 20:24:57.566 EDT: NAT: i: udp (10.1.1.1, 57285) -> (204.177.184.10, 53) [3]
*Jun 19 20:24:57.566 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [3]
*Jun 19 20:25:00.574 EDT: NAT: i: udp (10.1.1.1, 57285) -> (204.177.184.10, 53) [4]
*Jun 19 20:25:00.574 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [4]
*Jun 19 20:25:03.570 EDT: NAT: i: udp (10.1.1.1, 57285) -> (204.177.184.10, 53) [5]
*Jun 19 20:25:03.570 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [5]
*Jun 19 20:25:06.582 EDT: NAT: Allocated Port for 10.1.1.1 -> 10.1.1.2: wanted 50135 got 50135
*Jun 19 20:25:06.582 EDT: NAT: i: udp (10.1.1.1, 50135) -> (204.177.184.15, 53) [0]
*Jun 19 20:25:06.582 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.15 [0]
*Jun 19 20:25:09.566 EDT: NAT: i: udp (10.1.1.1, 50135) -> (204.177.184.15, 53) [1]
*Jun 19 20:25:09.566 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.15 [1]
*Jun 19 20:25:12.566 EDT: NAT: i: udp (10.1.1.1, 50135) -> (204.177.184.15, 53) [2]
*Jun 19 20:25:12.570 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.15 [2]
#comment: the following is from traffic on 7.x network, a successful translation
*Jun 19 20:25:14.378 EDT: NAT: i: tcp (192.168.7.8, 3512) -> (194.109.20.90, 6669) [37762]
*Jun 19 20:25:14.378 EDT: NAT: s=192.168.7.8->69.87.157.171, d=194.109.20.90 [37762]
*Jun 19 20:25:14.490 EDT: NAT*: o: tcp (194.109.20.90, 6669) -> (69.87.157.171, 3512) [17263]
*Jun 19 20:25:14.490 EDT: NAT*: s=194.109.20.90, d=69.87.157.171->192.168.7.8 [17263]
*Jun 19 20:25:15.098 EDT: NAT*: o: tcp (194.109.20.90, 6669) -> (69.87.157.171, 3512) [19273]
*Jun 19 20:25:15.098 EDT: NAT*: s=194.109.20.90, d=69.87.157.171->192.168.7.8 [19273]
*Jun 19 20:25:15.098 EDT: NAT: i: tcp (192.168.7.8, 3512) -> (194.109.20.90, 6669) [37763]
*Jun 19 20:25:15.098 EDT: NAT: s=192.168.7.8->69.87.157.171, d=194.109.20.90 [37763]
#comment: and back to my udp/ping traffic (trying to do a host lookup)
*Jun 19 20:25:15.578 EDT: NAT: i: udp (10.1.1.1, 50135) -> (204.177.184.15, 53) [3]
*Jun 19 20:25:15.578 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.15 [3]
*Jun 19 20:25:18.566 EDT: NAT: i: udp (10.1.1.1, 50135) -> (204.177.184.15, 53) [4]
*Jun 19 20:25:18.566 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.15 [4]
*Jun 19 20:25:21.566 EDT: NAT: i: udp (10.1.1.1, 50135) -> (204.177.184.15, 53) [5]
*Jun 19 20:25:21.566 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.15 [5]
*************************END NAT debug output *************************************

does this help any?


LVL 1
Author Comment
by: Namtrok
I looked at this in a new light... I have one Internet connection... and two routers with two subnets hanging off of each router. Traffic is routed from the 7.x subnet; how do I route traffic from the 1.x network? Is it an issue of double NAT?

Here is an ASCII diagram of what I'm trying to do.

                  ______________
                  |            |------------------ 192.168.7.x network/subnet
ISP---------------|gw1(offsite)|                    ________________
                  |____________|----P2P T1----------|              |
                                                    | gw2(onsite)  |
                                                    |______________|--------- 192.168.1.x network/subnet

LVL 2
Accepted Solution
by: litmuslogic (earned 350 total points)
Ok, try this:

undo the following line:

ip nat inside source list 2 interface Serial0 overload

and change it to

ip nat inside source list 2 interface Ethernet0 overload

Because, even though the traffic is sourced from 10.1.1.0/24 you still want it to be translated to Ethernet's IP, right?
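The accepted fix and the NAT debug output posted earlier in the thread show the same thing from two sides: with `interface Serial0 overload`, gw1 rewrote the 10.1.1.1 source to Serial0's own address 10.1.1.2, a private address that no Internet host can reply to, while the 192.168.7.x traffic was translated to a public 69.87.157.x address and worked. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses `debug ip nat` lines and flags every inside-to-outside translation whose inside-global address is not globally routable, plus a helper that models which address an `interface X overload` rule would stamp on outgoing packets. The sample debug lines are copied from the thread; the interface-to-address table (Serial0 = 10.1.1.2, Ethernet0 = 69.87.157.170) is an assumption inferred from the addresses in that output, since the running configs are not on the page.

```python
"""Parse Cisco `debug ip nat` output and flag translations to non-routable
addresses. Added example for this thread; the interface address table is an
assumption inferred from the posted debug lines, not from the real configs."""
import ipaddress
import re

# Inside -> outside translation line, e.g.
# "NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [0]"
# Outside -> inside lines are "NAT*: s=..., d=X->Y" and deliberately do not match.
INSIDE_RE = re.compile(
    r"NAT:\s+s=(?P<local>[\d.]+)->(?P<global>[\d.]+),\s+d=(?P<dst>[\d.]+)"
)

# Sample lines copied from the debug output posted in the thread.
SAMPLE_DEBUG = """\
*Jun 19 20:24:48.570 EDT: NAT: i: udp (10.1.1.1, 57285) -> (204.177.184.10, 53) [0]
*Jun 19 20:24:48.570 EDT: NAT: s=10.1.1.1->10.1.1.2, d=204.177.184.10 [0]
*Jun 19 20:25:14.378 EDT: NAT: i: tcp (192.168.7.8, 3512) -> (194.109.20.90, 6669) [37762]
*Jun 19 20:25:14.378 EDT: NAT: s=192.168.7.8->69.87.157.171, d=194.109.20.90 [37762]
*Jun 19 20:25:14.490 EDT: NAT*: o: tcp (194.109.20.90, 6669) -> (69.87.157.171, 3512) [17263]
*Jun 19 20:25:14.490 EDT: NAT*: s=194.109.20.90, d=69.87.157.171->192.168.7.8 [17263]
"""


def parse_inside_translations(debug_text):
    """Return (inside_local, inside_global, destination) for each inside->outside
    translation line; reply-direction (NAT*) lines are skipped."""
    found = []
    for line in debug_text.splitlines():
        m = INSIDE_RE.search(line)
        if m:
            found.append((m.group("local"), m.group("global"), m.group("dst")))
    return found


def unroutable_translations(debug_text):
    """Set of (inside_local, inside_global) pairs whose inside-global address is
    private (RFC 1918), loopback, link-local or otherwise not globally routable.
    A reply from the Internet can never reach such an address, so the flow is
    one-way even though the router happily forwards it."""
    bad = set()
    for local, glob, _dst in parse_inside_translations(debug_text):
        if not ipaddress.ip_address(glob).is_global:
            bad.add((local, glob))
    return bad


# Assumed gw1 interface addresses, inferred from the thread's debug lines
# (Serial0 faces gw2 on the 10.1.1.0/24 link; Ethernet0 holds the public address).
GW1_INTERFACES = {"Serial0": "10.1.1.2", "Ethernet0": "69.87.157.170"}


def overload_source(nat_interface, interfaces=GW1_INTERFACES):
    """`ip nat inside source list N interface <X> overload` rewrites every
    matching source to interface X's own address. Return that address and
    whether an Internet host could send a reply to it."""
    addr = interfaces[nat_interface]
    return addr, ipaddress.ip_address(addr).is_global


if __name__ == "__main__":
    for local, glob in sorted(unroutable_translations(SAMPLE_DEBUG)):
        print(f"one-way flow: {local} translated to non-routable {glob}")
    for ifname in ("Serial0", "Ethernet0"):
        addr, ok = overload_source(ifname)
        print(f"overload on {ifname}: sources become {addr}, Internet-reachable={ok}")
```

Run against the sample, the checker reports only the 10.1.1.1 -> 10.1.1.2 translation, which is exactly the flow the thread saw forwarded out Ethernet0 with no reply, while the 192.168.7.8 -> 69.87.157.171 translation passes. The same `ipaddress.is_global` check is a cheap sanity test to run over `show ip nat translations` output after any overload or pool change.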

LVL 2
Expert Comment
by: litmuslogic
"Is it a question of double NAT..."  

"Double" NAT is possible, but not advisable -- it can 'break' certain applications and protocols.  On the other hand, it is rarely, if ever, required.  You can use a single IP address to 'masquerade' as many IP subnets as you would like.  Your only practical limitation is the amount of memory in the router.  If you have a box with enough RAM in it, it will happily support as many simultaneous translations as you have TCP and/or UDP ports -- roughly 64k each.

LVL 1
Author Comment
by: Namtrok
litmuslogic...

your last comment fixed it...

ip nat inside source list 2 interface Ethernet0 overload

I got so excited that I got sidetracked and forgot to inform you of this success... problem solved!

Thank you for your help!

LVL 1
Author Closing Comment
by: Namtrok
You rock! I really appreciate the help on this!

LVL 2
Expert Comment
by: litmuslogic
Glad to help!  Enjoy! :)