pcsonwheels

Perimeter Router

Hi,
We are trying to set up a Cisco 2811 perimeter router to supply Internet to our ASA5510 firewall. The 2811 will have a public IP on the serial port (/30) and another public IP on the Ethernet port (/27); the rest of the IPs on the /27 will be forwarded to the ASA for Exchange, web, RDT, etc. Here is the config we are trying to use to just get a connection to the Internet. From this setup we can ping the Internet from the 2811 and the ASA, but we cannot access the Internet. We replaced the ASA with a laptop with the IP configuration of IP: 207.***.***.210 255.255.255.224, gateway 207.***.***.209, DNS 4.2.2.2 4.2.2.3, and we still cannot get to the Internet. Any idea why?
Thanks

version 12.4
no service pad
service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 <encrypted string here>
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
!
ip cef
!
!
no ip bootp server
ip domain name ****.com
ip name-server 4.2.2.2
ip name-server 4.2.2.3
!
username <username here> privilege 15 secret 5 <encrypted string here>
!
!
interface GigabitEthernet0/0
 description connection to ASA Firewall (firewall IP 207.***.***.210)
 ip address 207.***.***.209 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache policy
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0:0
 ip address 63.***.***.238 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
!
interface Serial0/0/0:1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 encapsulation ppp
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0
no cdp run
!
control-plane
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end
norgetek

I assume you can ping 4.2.2.2 from the router and you can ping the Ethernet interface of the router from the PC? I don't see anything with a quick look at the config of the router.

Did you try changing your default route from "ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0" to "ip route 0.0.0.0 0.0.0.0 63.***.***.239"?

pcsonwheels

ASKER

I can ping both the Ethernet and serial interface from the PC, and yes, I have changed the Serial... to ...239. I have no idea why.

Check that your ISP has routed the /27 properly to your /30 address. This can be done with a traceroute from the internet to one of your /27 addresses.

Also check that the ip route stated earlier ends in .237 NOT .239.

ip route 0.0.0.0 0.0.0.0 63.xxx.xxx.237

Subnetting reveals that .236/30 gives you:

.236 - Network
.237 - First IP
.238 - Last IP
.239 - Broadcast
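
Added example, not part of the original thread or any poster's code: a small check that reads the interface addresses and next-hop static routes from an IOS-style config and reports whether each next hop is a usable neighbour address, which is the subnetting point made above. The sample config is constructed; documentation-range addresses stand in for the masked public IPs, with the same last octets as in the posts.

```python
import ipaddress
import re

# Constructed sample: documentation-range addresses stand in for the
# masked public IPs in the thread; the last octets match the posts.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.209 255.255.255.224
!
interface Serial0/0/0:0
 ip address 198.51.100.238 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 198.51.100.239
"""

IFACE_IP = re.compile(r"^\s*ip address (\S+) (\S+)\s*$", re.M)
STATIC = re.compile(r"^ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)\s*$", re.M)


def connected_interfaces(config):
    """Return an IPv4Interface for every 'ip address <ip> <mask>' line."""
    return [ipaddress.ip_interface(f"{ip}/{mask}")
            for ip, mask in IFACE_IP.findall(config)]


def check_next_hop(next_hop, interfaces):
    """Classify a static-route next hop against the connected subnets."""
    hop = ipaddress.ip_address(next_hop)
    for iface in interfaces:
        net = iface.network
        if hop not in net:
            continue
        reserved = net.prefixlen < 31  # /31 and /32 reserve no addresses
        if reserved and hop == net.network_address:
            return f"invalid: {hop} is the network address of {net}"
        if reserved and hop == net.broadcast_address:
            return f"invalid: {hop} is the broadcast address of {net}"
        if hop == iface.ip:
            return f"invalid: {hop} is the router's own address on {net}"
        return f"ok: {hop} is a usable neighbour address on {net}"
    return f"invalid: {hop} is not on any connected subnet"


def lint_static_routes(config):
    """Map each next-hop static route in the config to its verdict."""
    interfaces = connected_interfaces(config)
    return {hop: check_next_hop(hop, interfaces)
            for _dest, _mask, hop in STATIC.findall(config)}
```

Calling lint_static_routes(SAMPLE_CONFIG) flags the .239 next hop as the broadcast address of the /30; routes that point at an interface name instead of an address are not matched and are left alone.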

Yep, previous poster is right about the IP address. Need to get some glasses I guess.

You can test what the previous poster mentioned by sourcing a ping from your Ethernet interface. If this doesn't work but you can ping without specifying the source, then the ISP isn't routing that subnet towards you.

# ping 8.8.8.8 source 207.***.***.209

Ah yes, didn't think about source pings... guess I've hit the egg nog a little early this year.... =D

I tried it with the .237 but same issue. We have an Adtran router that works fine but the Cisco will not. From that I know the ISP is routing the /27 to the /30. We are going from 1 T1 to 2 T1s and the Adtran will not handle more than 1 T1, so we are trying to use the Cisco.
Thanks

So setting it back to the orig conf above you couldn't do a ping with the source option that I described above?

Your original default route should work with using the interface.  I was just suggesting that you could try it with a destination IP instead.

ASKER CERTIFIED SOLUTION
TYoung
