pcsonwheels
Perimeter Router
Hi,
We are trying to set up a Cisco 2811 Perimeter router to supply internet to our ASA5510 firewall. The 2811 will have a public IP on the serial port (/30) and another public IP on the Ethernet port (/27); the rest of the IPs on the (/27) will be forwarded to the ASA for exchange, web, RDT, etc. Here is the config we are trying to use to just get connection to the Internet. From this setup we can ping the internet from the 2811 and the ASA but we cannot access the Internet. We replaced the ASA with a laptop with the IP configuration of IP:207.***.***.210 255.255.255.224 gateway 207.***.***.209 DNS 4.2.2.2 4.2.2.3 and we still cannot get to the internet. Any idea why?
Thanks
version 12.4
no service pad
service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 <encrypted string here>
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
!
ip cef
!
!
no ip bootp server
ip domain name ****.com
ip name-server 4.2.2.2
ip name-server 4.2.2.3
!
username <username here> privilege 15 secret 5 <encrypted string here>
!
!
interface GigabitEthernet0/0
Description connection to ASA Firewall (firewall IP 207.***.***.210)
ip address 207.***.***.209 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache policy
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0:0
ip address 63.***.***.238 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
!
interface Serial0/0/0:1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
encapsulation ppp
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0
no cdp run
!
control-plane
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end
ASKER
I can ping both the Ethernet and serial interfaces from the PC, and yes, I have changed the Serial... to ...239. I have no idea why.
Check that your ISP has routed the /27 properly to your /30 address. This can be done with a traceroute from the internet to one of your /27 addresses.
Also check that the ip route stated earlier ends in .237 NOT .239.
ip route 0.0.0.0 0.0.0.0 63.xxx.xxx.237
Subnetting reveals that .236/30 gives you:
.236 - Network
.237 - First IP
.238 - Last IP
.239 - Broadcast
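The /30 check from the reply above, as an added example that is not part of any poster's message: it reads the connected interface and static default route from a config fragment and reports what role the next hop plays on the link. The thread masks its real addresses, so the documentation range 192.0.2.236/30 stands in for the serial link's .236/30, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: 192.0.2.236/30 replaces the masked serial subnet from
# the thread; the default route points at .239 as in the asker's attempt.
SAMPLE_CONFIG = """\
interface Serial0/0/0:0
 ip address 192.0.2.238 255.255.255.252
 encapsulation ppp
!
ip route 0.0.0.0 0.0.0.0 192.0.2.239
"""

def connected_interfaces(config):
    """Return [(interface_name, IPv4Interface)] for every addressed interface."""
    found, name = [], None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*ip address (\S+) (\S+)\s*$", line)  # skips "no ip address"
        if m and name:
            found.append((name, ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")))
    return found

def classify_next_hop(config, next_hop):
    """Describe the role next_hop has on the directly connected subnets."""
    hop = ipaddress.ip_address(next_hop)
    for name, iface in connected_interfaces(config):
        net = iface.network
        if hop not in net:
            continue
        if hop == iface.ip:
            return f"own address on {name}"
        if hop == net.network_address:
            return f"network address of {net}"
        if hop == net.broadcast_address:
            return f"broadcast address of {net}"
        return f"usable peer on {name}"
    return "not on a connected subnet"

def default_route_next_hops(config):
    """Next-hop IPs of static default routes (routes naming an interface are skipped)."""
    return re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\d+\.\d+\.\d+\.\d+)\s*$", config, re.M)

if __name__ == "__main__":
    for hop in default_route_next_hops(SAMPLE_CONFIG):
        print(hop, "->", classify_next_hop(SAMPLE_CONFIG, hop))
```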
Yep, previous poster is right about the IP address. Need to get some glasses, I guess.
You can test what the previous poster mentioned by sourcing a ping from your Ethernet interface. If this doesn't work but you can ping without specifying the source, then the ISP isn't routing that subnet towards you.
# ping 8.8.8.8 source 207.***.***.209
Ah yes, didn't think about source pings... guess I've hit the egg nog a little early this year.... =D
ASKER
I tried it with the .237 but same issue. We have an Adtran router that works fine but the Cisco will not. From that I know the ISP is routing the /27 to the /30. We are going from 1 T1 to 2 T1s and the Adtran will not handle more than 1 T1, so we are trying to use the Cisco.
Thanks
So setting it back to the orig conf above you couldn't do a ping with the source option that I described above?
Your original default route should work with using the interface. I was just suggesting that you could try it with a destination IP instead.
Did you try changing your default route from "ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0" to "ip route 0.0.0.0 0.0.0.0 63.***.***.239"?