JMarewa
Cisco Router 1700 Won't Forward Packets
Hi,
I have a problem connecting two subnets in the office. The layout is as follows
192.168.6.0 Network <--->Switch<-->Cisco 1700 Router<-->Switch<--->10.0.0.0 Network
I have configured the router with two IP addresses, 192.168.6.14, 255.255.254.0 and 10.0.0.3, 255.0.0.0. I can ping the 192.168.6.14 router address from the 192.168.6.0 network and I can ping the 10.0.0.3 router address from the 10.0.0.0 network. I however can't ping the 10.0.0.0 addresses from the 192.168.6.0 network or vice versa.
I can ping any address on both subnets from the router console, except for any internet address despite having configured two ip name servers, one on the 192.168.6.0 network and the other on the internet. The internet is accessed via a 192.168.6.45 gateway.
Please let me know how I can configure this router so that I can access both subnets from either subnet. I would also want to access the internet which is connected to the 192.168.6.0 network via the 192.168.6.45 gateway (firewall).
Below is the running-config of the router
Router#show run
Building configuration...
Current configuration : 746 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$YoBF$7eyAUBT6MlRKnKSWLY fun.
enable password xxxxx
!
memory-size iomem 25
no aaa new-model
ip subnet-zero
!
!
ip name-server 192.168.6.19
ip name-server 80.240.192.7
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface BRI0
no ip address
shutdown
!
interface Ethernet0
ip address 192.168.6.14 255.255.254.0
full-duplex
!
interface FastEthernet0
ip address 10.0.0.3 255.0.0.0
speed auto
full-duplex
!
ip classless
no ip http server
!
!
!
snmp-server community public RO
!
!
!
line con 0
line aux 0
line vty 0 4
password xxxxx
login
!
end
Router#
Please do a 'sh ip route' and post it.
ASKER
Router#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 10.0.0.0/8 is directly connected, FastEthernet0
C 192.168.6.0/23 is directly connected, Ethernet0
Router#
ASKER
Thank you all. I will answer all your questions in order.
@qbakies - tracert on the 192.168.6.0 and 10.0.0.0 time out for all the 30 hops. Trace on the router to any address on any subnet is successful.
@anoopkmr - The default gateway on the 192.168.6.0 subnet is 192.168.6.19, an already existing domain controller. I don't want to change this. The default gateway on the 10.0.0.0 network is the router ip address 10.0.0.3.
@cmonteith - the 192.168.6.45 internet gateway is a firewall with no routing capability, so the "ip route 10.0.0.0 255.0.0.0 192.168.6.14" command won't work. I will add the default route on the router tomorrow and let you know if I can ping the internet.
I have tried to put in a few static routes and they haven't been working, so please help me out on how exactly to configure the static routes. I have also tried Router RIP version 2 but maybe I didn't configure it properly.
The router in question is a Cisco 1700 series router with a built-in FastEthernet port, a WAN card with an Ethernet port and another WAN card with a BRI0 port (which is unconfigured).
Thanks.
If your server is in fact your default gateway for your 192.168.6 network, it might also be helpful if you post the results of a "route print" done from the command line of that server... so we can see its routing table. Some of the details on your network setup are certainly atypical... so a bit more insight into your existing routing might help the diagnosis.
What is the gateway of 192.168.6.19? From 192.168.6.19, can you reach the other network?
ASKER
Thank you for all your help guys. Below is my current configuration with a few additions
Router#show run
Building configuration...
Current configuration : 904 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$YoBF$7eyAUBT6MlRKnKSWLY fun.
enable password xxxxx
!
memory-size iomem 25
no aaa new-model
ip subnet-zero
!
!
ip name-server 192.168.6.19
ip name-server 80.240.192.7
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface BRI0
no ip address
shutdown
!
interface Ethernet0
ip address 192.168.6.14 255.255.254.0
ip nat outside
full-duplex
!
interface FastEthernet0
ip address 10.0.0.3 255.0.0.0
ip nat inside
speed auto
full-duplex
!
ip nat inside source list 7 interface Ethernet0 overload
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.6.45
no ip http server
!
!
access-list 7 permit 0.0.0.0
!
snmp-server community public RO
!
!
!
line con 0
line aux 0
line vty 0 4
password xxxxx
login
!
end
Router#
In response to all your suggestions
@cmonteith - you were right. I added the default route and could immediately ping the internet from my router. I was also able to add a route back from the firewall to my 10.0.0.0 network gateway of 192.168.6.14 and now I can ping the internet and resolve names from my 10.0.0.0 network. Thanks.
@qbakies - you were right. If I set up the GW as 192.168.6.14, I can ping the 10.0.0.0 subnet. Once I added the default route pointing to the firewall 192.168.6.45, I could get to the internet from the router.
@cmonteith - same thing as above, only that I didn't change the GW on the DC but added a route instead as you suggested. This is what I did and it's currently working. Now if I need any computer to get onto the 10.0.0.0 network, I just add the route and leave the current configuration intact. I don't know if this is the most efficient way to do things.
@anoopkmr - once I added the route on the 192.168.6.19 server, I could get onto the 10.0.0.0 network.
A brief explanation of my setup. My DC and DNS server is 192.168.6.19. It doesn't connect directly to the internet. All computers on the 192.168.6.0 LAN which don't need internet access use this IP as the GW and DNS. I have a firewall 192.168.6.45. All computers which need access to the internet are connected with 192.168.6.45 as the GW, and DNS as 192.168.6.19 and another public DNS. I don't know if this is the most efficient way to do this.
On adding a default route onto my router, I initially got an "IP spoof dropped 10.0.0.1, 512, LAN" error message from the firewall as the IP address didn't originate from the 192.168.6.0 subnet. This was fixed once I added a route to the 10.0.0.0 network onto the firewall.
As you can see from my configuration above, I am also trying to NAT my 10.0.0.0 network so that all traffic from this network NATs using the GW IP 192.168.6.14. Please check the router configuration above and let me know if it's okay although currently I can access the internet from the 10.0.0.0 network.
Thank you.
Step 3 should begin: Add a router TO YOUR FIREWALL for the 10.x.x.x network pointing ....
Sounds like you may already have this if you added it to get rid of the spoof errors.
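Added example, not part of the original thread or any participant's post: a Python model of how the posted `access-list 7 permit 0.0.0.0` interacts with the `ip nat inside source list 7 ... overload` rule and with the firewall's spoof check. The firewall check is an assumed reverse-path model, the wider ACL entry is a hypothetical alternative, and the addresses are the ones quoted in the thread.

```python
import ipaddress

ROUTER_OUTSIDE = "192.168.6.14"  # Ethernet0, marked "ip nat outside" in the posted config


def acl_permits(src, entries):
    """IOS standard ACL semantics: wildcard 1-bits are "don't care".

    An entry written without a wildcard (as in the thread) behaves as
    wildcard 0.0.0.0, i.e. one exact host. No match means implicit deny.
    """
    s = int(ipaddress.IPv4Address(src))
    for addr, wildcard in entries:
        a = int(ipaddress.IPv4Address(addr))
        w = int(ipaddress.IPv4Address(wildcard))
        if (s | w) == (a | w):
            return True
    return False


def source_after_nat(src, acl):
    """Source address after the router's overload NAT rule is evaluated."""
    return ROUTER_OUTSIDE if acl_permits(src, acl) else src


def firewall_accepts(src, lan_networks):
    """Assumed anti-spoof model: a packet arriving on the firewall's LAN side
    is accepted only if its source lies in a network the firewall reaches
    through that same interface."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(n) for n in lan_networks)


def trace(src, acl, fw_lan_networks):
    """Return (source seen by the firewall, accepted?)."""
    seen = source_after_nat(src, acl)
    return seen, firewall_accepts(seen, fw_lan_networks)


ACL_AS_POSTED = [("0.0.0.0", "0.0.0.0")]          # access-list 7 permit 0.0.0.0
ACL_WHOLE_NET = [("10.0.0.0", "0.255.255.255")]   # hypothetical: permit 10.0.0.0 0.255.255.255
FW_LAN_ONLY = ["192.168.6.0/23"]                  # firewall before the extra route
FW_WITH_ROUTE = ["192.168.6.0/23", "10.0.0.0/8"]  # after adding 10.0.0.0 via 192.168.6.14

if __name__ == "__main__":
    for acl, fw in [(ACL_AS_POSTED, FW_LAN_ONLY),
                    (ACL_AS_POSTED, FW_WITH_ROUTE),
                    (ACL_WHOLE_NET, FW_LAN_ONLY)]:
        print(trace("10.0.0.1", acl, fw))
```

With the ACL as posted, 10.0.0.1 leaves the router untranslated, so in this model internet access depends on the firewall's route to 10.0.0.0 rather than on NAT.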