Perimeter Router

Hi,
We are trying to set up a Cisco 2811 Perimeter router to supply internet to our ASA5510 firewall.  The 2811 will have a public IP on the serial port (/30) and another public IP on the Ethernet port (/27); the rest of the IPs on the (/27) will be forwarded to the ASA for exchange, web, RDT, etc.  Here is the config we are trying to use to just get connection to the Internet.  From this setup we can ping the internet from the 2811 and the ASA but we cannot access the Internet.  We replaced the ASA with a laptop with the IP configuration of IP:207.***.***.210 255.255.255.224 gateway 207.***.***.209 DNS 4.2.2.2 4.2.2.3 and we still cannot get to the internet.  Any idea why?
Thanks

version 12.4
no service pad
service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 <encrypted string here>
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
!
ip cef
!
!
no ip bootp server
ip domain name ****.com
ip name-server 4.2.2.2
ip name-server 4.2.2.3
!
username <username here> privilege 15 secret 5 <encrypted string here>
!
!
interface GigabitEthernet0/0
 description connection to ASA Firewall (firewall IP 207.***.***.210)
 ip address 207.***.***.209 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache policy
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0:0
 ip address 63.***.***.238 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
!
interface Serial0/0/0:1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 encapsulation ppp
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0
no cdp run
!
control-plane
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end
pcsonwheels Asked:

norgetek Commented:
I assume you can ping 4.2.2.2 from the router and you can ping the Ethernet interface of the router from the PC?  I don't see anything with a quick look at the config of the router.

Did you try changing your default route from "ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0" to "ip route 0.0.0.0 0.0.0.0 63.***.***.239"?

pcsonwheels Author Commented:
I can ping both the Ethernet and serial interface from the PC and yes I have changed the Serial... to ...239.  I have no idea why.

TYoung Commented:
Check that your ISP has routed the /27 properly to your /30 address. This can be done with a traceroute from the internet to one of your /27 addresses.

Also check that the ip route stated earlier ends in .237 NOT .239.

ip route 0.0.0.0 0.0.0.0 63.xxx.xxx.237

Subnetting reveals that .236/30 gives you:

.236 - Network
.237 - First IP
.238 - Last IP
.239 - Broadcast
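
The /30 breakdown above can be checked mechanically. The following is an added example, not part of the thread: it parses an IOS-style config and flags a static-route next hop that is the network address, the broadcast address or the router's own address. The 198.51.100.x and 203.0.113.x addresses are constructed stand-ins for the masked ones, keeping the thread's last octets.

```python
import ipaddress
import re

# Constructed sample: documentation addresses standing in for the masked ones,
# keeping the thread's last octets (.238/30 on the serial link, .239 next hop).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.209 255.255.255.224
interface Serial0/0/0:0
 ip address 198.51.100.238 255.255.255.252
ip route 0.0.0.0 0.0.0.0 198.51.100.239
"""

IFACE_RE = re.compile(r"^[ \t]*ip address (\S+) (\S+)[ \t]*$", re.M)
# Only routes with an IP next hop are matched; interface-form routes are skipped.
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)[ \t]*$", re.M)


def connected_interfaces(config):
    """Return an IPv4Interface for every 'ip address <addr> <mask>' line."""
    return [ipaddress.ip_interface(f"{a}/{m}") for a, m in IFACE_RE.findall(config)]


def check_next_hop(next_hop, interfaces):
    """Classify a static-route next hop against the connected subnets."""
    hop = ipaddress.ip_address(next_hop)
    for iface in interfaces:
        net = iface.network
        if hop not in net:
            continue
        if hop == net.network_address:
            return f"{hop} is the network address of {net}"
        if hop == net.broadcast_address:
            return f"{hop} is the broadcast address of {net}"
        if hop == iface.ip:
            return f"{hop} is the router's own address on {net}"
        return "ok"
    return f"{hop} is not on any connected subnet"


def audit_routes(config):
    """Map each static route's next hop to 'ok' or a description of the problem."""
    ifaces = connected_interfaces(config)
    return {hop: check_next_hop(hop, ifaces) for _, _, hop in ROUTE_RE.findall(config)}


if __name__ == "__main__":
    for hop, verdict in audit_routes(SAMPLE_CONFIG).items():
        print(hop, "->", verdict)
```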

norgetek Commented:
Yep, previous poster is right about the IP address.  Need to get some glasses I guess.

You can test what the previous poster mentioned by sourcing a ping from your Ethernet interface.  If this doesn't work but you can ping without specifying the source then the ISP isn't routing that subnet towards you.

# ping 8.8.8.8 source 207.***.***.209

TYoung Commented:
Ah yes, didn't think about source pings... guess I've hit the egg nog a little early this year.... =D

pcsonwheels Author Commented:
I tried it with the .237 but same issue.  We have an Adtran router that works fine but the Cisco will not.  From that I know the ISP is routing the /27 to the /30.  We are going from 1 T1 to 2 T1s and the Adtran will not handle more than 1 T1 so we are trying to use the Cisco.
Thanks

norgetek Commented:
So setting it back to the orig conf above you couldn't do a ping with the source option that I described above?

Your original default route should work with using the interface.  I was just suggesting that you could try it with a destination IP instead.

TYoung Commented:
Paste the results of this command, as norgetek requested earlier:

ping 8.8.8.8 source 207.***.***.209
