Cisco Router 1700 Won't Forward Packets

Posted on 2010-09-02
Last Modified: 2012-05-10
Hi,

I have a problem connecting two subnets in the office. The layout is as follows

192.168.6.0 Network <--->Switch<-->Cisco 1700 Router<-->Switch<--->10.0.0.0 Network

I have configured the router with two IP addresses, 192.168.6.14, 255.255.254.0 and 10.0.0.3, 255.0.0.0. I can ping the 192.168.6.14 router address from the 192.168.6.0 network and I can ping the 10.0.0.3 router address from the 10.0.0.0 network. However, I can't ping the 10.0.0.0 addresses from the 192.168.6.0 network or vice versa.

I can ping any address on both subnets from the router console, except for any internet address, despite having configured two IP name servers, one on the 192.168.6.0 network and the other on the internet. The internet is accessed via a 192.168.6.45 gateway.

Please let me know how I can configure this router so that I can access both subnets from either subnet. I would also like to access the internet, which is connected to the 192.168.6.0 network via the 192.168.6.45 gateway (firewall).

Below is the running-config of the router

Router#show run
Building configuration...

Current configuration : 746 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$YoBF$7eyAUBT6MlRKnKSWLYfun.
enable password xxxxx
!
memory-size iomem 25
no aaa new-model
ip subnet-zero
!
!
ip name-server 192.168.6.19
ip name-server 80.240.192.7
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface BRI0
 no ip address
 shutdown
!
interface Ethernet0
 ip address 192.168.6.14 255.255.254.0
 full-duplex
!
interface FastEthernet0
 ip address 10.0.0.3 255.0.0.0
 speed auto
 full-duplex
!
ip classless
no ip http server
!
!
!
snmp-server community public RO
!
!
!
line con 0
line aux 0
line vty 0 4
 password xxxxx
 login
!
end

Router#

Question by: JMarewa

Expert Comment by qbakies (LVL 10):
Please do a 'sh ip route' and post it.

Author Comment by JMarewa:
Router#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    10.0.0.0/8 is directly connected, FastEthernet0
C    192.168.6.0/23 is directly connected, Ethernet0
Router#

Assisted Solution by qbakies (LVL 10, earned 180 points):
On the router, do a 'trace' using one of your machines on the 10 subnet as the target and 192.168.6.14 as your source. That will tell us if the router is having some kind of issue.

Then do a 'tracert' on a machine from the 192 subnet to the 10 network and vice versa.

In order to get Internet traffic to go out the 192 subnet from the 10 subnet you are going to have to put a default route in the router.

Assisted Solution by anoopkmr (LVL 14, earned 60 points):
can't ping the 10.0.0.0 addresses from the 192.168.6.0 network or vice versa.

What is the gateway configured on the PCs that you are trying to reach on both networks?

Assisted Solution by anoopkmr (LVL 14):
The gateway has to be the router IP, or proper routing should be there.

Assisted Solution by cmonteith (LVL 2, earned 230 points):
If your clients on the 192.168.6.x network are using the 192.168.6.45 IP address as their default gateway, you'll need to add a static route in that 192.168.6.45 (router/firewall?) pointing back to your Cisco router for the 10.0.0.0 network.

In Cisco config, the command would be the following (again, this would be on your 192.168.6.45 device): "ip route 10.0.0.0 255.0.0.0 192.168.6.14". If you're not sure how to add the route to that device, post back what kind of router it is and we should be able to help.

Now, for your router to be able to ping internet addresses, the first thing is that you need to add a default route on your router. That command would be the following: "ip route 0.0.0.0 0.0.0.0 192.168.6.45"

This working also assumes any hosts you have on your 10.0.0.0 network are configured to use 10.0.0.3 as their default gateway... if they are pointing to something else on their network, then an additional route would be required on that device.

Author Comment by JMarewa:
Thank you all. I will answer all your questions in order.

@qbakies - tracert on the 192.168.6.0 and 10.0.0.0 networks times out for all 30 hops. Trace on the router to any address on any subnet is successful.

@anoopkmr - The default gateway on the 192.168.6.0 subnet is 192.168.6.19, an already existing domain controller. I don't want to change this. The default gateway on the 10.0.0.0 network is the router ip address 10.0.0.3.

@cmonteith - the 192.168.6.45 internet gateway is a firewall with no routing capability. so the "ip route 10.0.0.0 255.0.0.0 192.168.6.14" command won't work. I will add the default route on the router tomorrow and let you know if I can ping the internet.

I have tried to put in a few static routes and they haven't been working. so please help me out on how exactly to configure the static routes. I have also tried Router RIP version 2 but maybe I didn't configure it properly.

The router in question is a Cisco 1700 series router with a built-in FastEthernet port, a WAN card with an Ethernet port and another WAN card with a  BRI0 port (which is unconfigured).

Thanks.

Assisted Solution by qbakies (LVL 10):
From your description above your issue between the two subnets is that the 168 subnet doesn't know how to get to the 10 subnet.  Why do you have a DC setup as a DG?  You should change the DG to 192.168.6.14 and it will resolve the issue of the two subnets not talking.  Once you add the default route to the 1700 pointing to the firewall you should be able to get to the Internet.

Accepted Solution by cmonteith (LVL 2, earned 230 points):
OK,  so you're using a Windows server as your default gateway for your 192.168.6.0/23 network?  While certainly not my first choice, if you are using the routing services of that server, you will need to add a route so that the 192.168.6.0 network has a path to send traffic destined to the 10.0.0.0 network.

In your windows server, you can try adding the following from a cmd prompt:  "route add 10.0.0.0 mask 255.0.0.0 192.168.6.14 /p"

This instructs that server on where to send the 10.x.x.x traffic (towards your Cisco router interface).

Are you using ISA or any other form of security software on your server for routing/firewalling/proxy?

Expert Comment by cmonteith (LVL 2):
If your server is in fact your default gateway for your 192.168.6 network, it might also be helpful if you post the results of a "route print" done from the command line of that server... so we can see its routing table. Some of the details on your network setup are certainly atypical... so a bit more insight into your existing routing might help the diagnosis.

Expert Comment by anoopkmr (LVL 14):
What is the gateway of 192.168.6.19? From 192.168.6.19, can you reach the other network?

Author Comment by JMarewa:
Thank you for all your help guys. Below is my current configuration with a few additions

Router#show run
Building configuration...

Current configuration : 904 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$YoBF$7eyAUBT6MlRKnKSWLYfun.
enable password xxxxx
!
memory-size iomem 25
no aaa new-model
ip subnet-zero
!
!
ip name-server 192.168.6.19
ip name-server 80.240.192.7
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface BRI0
 no ip address
 shutdown
!
interface Ethernet0
 ip address 192.168.6.14 255.255.254.0
 ip nat outside
 full-duplex
!
interface FastEthernet0
 ip address 10.0.0.3 255.0.0.0
 ip nat inside
 speed auto
 full-duplex
!
ip nat inside source list 7 interface Ethernet0 overload
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.6.45
no ip http server
!
!
access-list 7 permit 0.0.0.0
!
snmp-server community public RO
!
!
!
line con 0
line aux 0
line vty 0 4
 password xxxxx
 login
!
end

Router#

In response to all your suggestions

@cmonteith - you were right. I added the default route and could immediately ping the internet from my router. I was also able to add a route back from the firewall to my 10.0.0.0 network gateway of 192.168.6.14 and now I can ping the internet and resolve names from my 10.0.0.0 network. Thanks.

@qbakies - you were right. If I set up the GW as 192.168.6.14, I can ping the 10.0.0.0 subnet. Once I added the default route pointing to the firewall 192.168.6.45, I could get to the internet from the router.

@cmonteith - same thing as above, only that I didn't change the GW on the DC but added a route instead as you suggested. This is what I did and it's currently working. Now if I need any computer to get onto the 10.0.0.0 network, I just add the route and leave the current configuration intact. I don't know if this is the most efficient way to do things.

@anoopkmr - once I added the route on the 192.168.6.19 server, I could get onto the 10.0.0.0 network.

A brief explanation of my setup. My DC and DNS server is 192.168.6.19. It doesn't connect directly to the internet. All computers on the 192.168.6.0 LAN which don't need internet access use this IP as the GW and DNS. I have a firewall, 192.168.6.45. All computers which need access to the internet are configured with 192.168.6.45 as the GW, and DNS as 192.168.6.19 and another public DNS. I don't know if this is the most efficient way to do this.

On adding a default route onto my router, I initially got an "IP spoof dropped 10.0.0.1, 512, LAN" error message from the firewall, as the IP address didn't originate from the 192.168.6.0 subnet. This was fixed once I added a route to the 10.0.0.0 network onto the firewall.

As you can see from my configuration above, I am also trying to NAT my 10.0.0.0 network so that all traffic from this network NATs using the GW IP 192.168.6.14. Please check the router configuration above and let me know if it's okay although currently I can access the internet from the 10.0.0.0 network.

Thank you.

Assisted Solution by bgoering (LVL 28, earned 30 points):
It sounds like what you have will work, although it is a bit complex. If I understand your requirements, some hosts on 192.168.6.x will be allowed internet access while some hosts won't. I might recommend that you change your setup as follows.

1. Point all hosts on the 192.168.6.x network to the firewall as a default gateway.

2. Manage your Internet access via firewall rules. Create a rule that will allow the desired hosts Internet access while denying such access to others.

3. Add a route to your 10.x.x.x network pointing to the router 192.168.6.14 address. Note that if you are intent on NATing all of your 10.x.x.x hosts to the 192.168.6.14 address, you won't be able to address individual hosts on the 10.x.x.x from the 192.168.6.x network. It may be better to NAT those hosts at the firewall and control which of them will have Internet access via firewall rules, like my recommendation in step 2. This way the router will just be a router and fully route your two networks.

This should simplify your host configuration where all hosts can have the same default gateway and DNS servers. It will also centralize control of Internet access at the firewall where it belongs.

Hope this helps - good luck

Expert Comment by bgoering (LVL 28):
Step 3 should begin: Add a route TO YOUR FIREWALL for the 10.x.x.x network pointing ....

Sounds like you may already have this if you added it to get rid of the spoof errors.
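A check on the NAT part of the configuration posted above, added here and not part of the thread: an IOS standard access-list entry written without a wildcard mask is a host match (the wildcard defaults to 0.0.0.0), so `access-list 7 permit 0.0.0.0` matches only a packet whose source address is exactly 0.0.0.0, and `ip nat inside source list 7 interface Ethernet0 overload` therefore translates nothing coming in on the `ip nat inside` interface from 10.0.0.0/8. That is consistent with the firewall seeing 10.0.0.1 as a source once the default route was added. The code below evaluates a numbered standard ACL the way IOS does (top down, first match wins, implicit deny at the end) against a set of constructed source addresses, with the posted entry beside the entry that would actually match the 10.0.0.0/8 network, `access-list 7 permit 10.0.0.0 0.255.255.255`. The excluded host 10.0.0.250 in the third list is invented for illustration.

```python
from ipaddress import ip_address


def parse_entry(line):
    """Parse 'access-list N permit|deny ADDR [WILDCARD]', '... host ADDR' or '... any'.
    A missing wildcard is 0.0.0.0 (exact host); 'any' is 0.0.0.0 255.255.255.255."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    action = parts[2]
    if parts[3] == "any":
        addr, wild = "0.0.0.0", "255.255.255.255"
    elif parts[3] == "host":
        addr, wild = parts[4], "0.0.0.0"
    else:
        addr = parts[3]
        wild = parts[4] if len(parts) > 4 else "0.0.0.0"
    return action, int(ip_address(addr)), int(ip_address(wild))


def acl_action(entries, src):
    """First-match evaluation; IOS appends an implicit 'deny any'."""
    s = int(ip_address(src))
    for action, addr, wild in entries:
        # Wildcard bits set to 1 are "don't care"; compare only the other bits.
        if (s & ~wild) == (addr & ~wild):
            return action
    return "deny"


def translated_sources(acl_lines, sources):
    """Sources that 'ip nat inside source list N ...' would translate, i.e.
    those the list permits when seen entering an 'ip nat inside' interface."""
    entries = [parse_entry(line) for line in acl_lines]
    return [s for s in sources if acl_action(entries, s) == "permit"]


# Constructed sample sources: three 10.x hosts, one 192.168.6.x host, and 0.0.0.0.
SAMPLE_SOURCES = ["10.0.0.1", "10.0.0.5", "10.255.255.254", "192.168.6.50", "0.0.0.0"]

# The entry from the posted running-config.
POSTED_ACL = ["access-list 7 permit 0.0.0.0"]

# The entry that matches every source in 10.0.0.0/8.
FIXED_ACL = ["access-list 7 permit 10.0.0.0 0.255.255.255"]

# Ordering matters: a deny placed first carves one (invented) host out of the NAT.
EXCLUDE_ONE_ACL = ["access-list 7 deny 10.0.0.250",
                   "access-list 7 permit 10.0.0.0 0.255.255.255"]


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("fixed", FIXED_ACL), ("exclude_one", EXCLUDE_ONE_ACL)):
        print(f"{name:12} translates {translated_sources(acl, SAMPLE_SOURCES + ['10.0.0.250'])}")
```

The posted list translates no host that exists on the network, so the 10.x addresses leave Ethernet0 untranslated and every device beyond the router (the firewall, and anything it forwards to) needs a route back to 10.0.0.0/8, which is exactly the route the author ended up adding. With the corrected wildcard, the firewall would instead see 192.168.6.14 as the source for all 10.x traffic, and the caveat above about not being able to address individual 10.x hosts from 192.168.6.x then applies.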