Cisco Router Behind a Cisco Router

I have set up a subnet between the routers and assigned one of the DMZ IPs to the primary interface on the router:

Interface vlan z
ip address x.x.x.y 255.255.255.0

You will need to configure routing; again, whether that's a dynamic protocol such as RIP, EIGRP or OSPF, or just static routes, is up to you. If the DMZ network is a single subnet, or can be summarized, I'd just do a static route on the existing router pointing to the new router as the next hop to get to that subnet. This command is for a /24 subnet:

ip route x.x.x.x 255.255.255.0 <DMZ router interface>

The new router will need a default route pointing to the existing router as the next hop to get out.

ip route 0.0.0.0 0.0.0.0 <existing router interface>

I've done all this and it all seems to work. The problem is the second I enable NAT on the second router, all the IPs I ping through the primary get translated to the interface on the primary router, which is causing me problems. I also have a port for its vlan 1 plugged into a switch, but the switch doesn't seem to be picking up the vlan on the second router. Any help would be awesome.
TestMonkey asked:

Soulja (Senior Network Engineer) commented:
Can you provide your santizide configs?
0
Soulja (Senior Network Engineer) commented:
sanitized...sorry
0
TestMonkey (Author) commented:
For which router?
0
Soulja (Senior Network Engineer) commented:
Both.
0
TestMonkey (Author) commented:
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec

!
hostname router2
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
!
!
!
!
crypto pki trustpoint TP-self-signed-54008793
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-54008793
 revocation-check none
 rsakeypair TP-self-signed-54008793
!
!
crypto pki certificate chain TP-self-signed-54008793
 certificate self-signed 01
  3082023B 308201A4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 35343030 38373933 301E170D 31313034 31313136 35353337
  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D353430 30383739
  3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 81008B67
  F7C799CE 9EB15368 DA3E493C 013B659F C36022B4 082D83AA 738979DC 203C3967
  BEA2FB35 428360F9 83658B03 61F40FCA 5F80FA89 7D9480C1 E843EEA1 9996194C
  95383EA5 111E2F2C D8640311 F724A507 7229B80F B7CB454B FF32B958 663E6671
  C098C8CC C1C4CE24 626F7243 A63C2C89 1D7ADD11 A266FA80 DFD21874 BD4B0203
  010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603 551D1104
  0B300982 07536869 66744851 301F0603 551D2304 18301680 144FBDA7 F849BD7E
  A6FF1B79 F7A227CC 660E5D03 20301D06 03551D0E 04160414 4FBDA7F8 49BD7EA6
  FF1B79F7 A227CC66 0E5D0320 300D0609 2A864886 F70D0101 04050003 81810069
  8163D685 040771AD B63DCCE8 F3BF8187 B6D66EFE AEABBCA1 D837EA76 58280AAF
  0D1BF2CC 63616E3A 83578BD8 D417AE0F 5FC63084 7D36EABE 89B7C576 A1BA67D1
  B0CA851B 06F4CF08 598C3BAE F27EBEBD 464EADD5 704D4695 E5F9FEDD ED2CEF1D
  B01C6F8A 2C19B389 80C8DC5A 3E7A062E 0771AC07 CA6FC0F3 4548DA43 90238A
        quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 ip address 161.162.1.2 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 switchport access vlan 2
 !
!
interface FastEthernet4
 !
!
interface FastEthernet5
 !
!
interface FastEthernet6
 !
!
interface FastEthernet7
 !
!
interface FastEthernet8
 switchport access vlan 2
 !
!
interface FastEthernet9
 switchport access vlan 2
 !
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan2
 ip address 161.161.161.2 255.255.255.224
 !
!
interface Async1
 no ip address
 encapsulation slip
 !
!
!
router eigrp 1
 network 10.10.10.0 0.0.0.255
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source static network 10.10.10.0 161.162.1.1 /32
ip route 0.0.0.0 0.0.0.0 161.162.1.2
!
ip access-list extended InOutNat
 permit ip any any
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.31.30.0 0.0.0.255
!
!
!
!
route-map RMap1 permit 1
 match ip address InOutNat
!
!
!
control-plane
 !
!
!
line con 0
 exec-timeout 5 0
 logging synchronous
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 exec-timeout 5 0
 login
 transport input telnet ssh
 transport output telnet ssh
!
end

The main router's config is fairly large, but all I do with it that's relevant here is forward the IP subnet 10.10.10.0 and the associated DMZ IPs.
0
TestMonkey (Author) commented:
Very basic config; as long as I don't enable NATting on router 2 (above config) it seems to work, except that vlan 1 doesn't cross into the data switch I use. It might be because I'm already using vlan 1 though.
0
Soulja (Senior Network Engineer) commented:
Instead of doing the subnet translation can you try removing:

ip nat inside source static network 10.10.10.0 161.162.1.1 /32

and adding

access-list 2 permit 10.10.10.0 0.0.0.255
!
ip nat inside source list 2 interface FastEthernet0 overload


Let me know if that changes anything.
0
TestMonkey (Author) commented:
That works, but now to add a server onto that network and see if it can get to the internet.
0
TestMonkey (Author) commented:
Hosts on that subnet still can't reach the internet.
0
Soulja (Senior Network Engineer) commented:
Does router 1 have a route configured back to the 10.10.10.0 network?
0
TestMonkey (Author) commented:
Hosts connected to router 2 are on a vlan. I have a default route of ip route 0.0.0.0 0.0.0.0 161.162.1.2

The router itself can ping and traceroute onto the new, but hosts can't.

Router 1 and everything on it is fine, unless you're asking me to add something else.
0
TestMonkey (Author) commented:
How should the router look?

I have ip route 10.10.10.0 255.255.255.0 pointing to 10.10.1.1 (example), 10.10.1.1 being an inside interface plugged into the switching port of router 1.
0
TestMonkey (Author) commented:
On router 2 none of the hosts on it can get to the net; the router itself can ftp and get anywhere I try.

I did the list exactly as you have it.
0
Soulja (Senior Network Engineer) commented:
Can you post router 1's config? At least the port configs and routing parts?
0
TestMonkey (Author) commented:
I can't do router 1, but I can do router 2.

On router 1 I've attached firewalls with the same method without problems.

Right now it seems to stop at the DMZ IP 161.161.161.1 and doesn't go past it. Now I use that range on numerous devices and they all route fine (vlan).
0
Soulja (Senior Network Engineer) commented:
Do you have access to router 1's config? Can you verify that nothing has changed on that end?
0

TestMonkey (Author) commented:
Yes, I do have access to it and nothing has changed.

So on router 1 I have a vlan, let's say its IP is 161.161.161.1. I have switchports on the router's switching module assigned, with over 43 VMs connected; they can reach the net and get everywhere, and externally I can reach them.

On router 2, I just assigned another port to the vlan, and on the router assigned an IP address that's within the vlan, and its next hop is no different than the rest of the VMs that I have (which is 161.161.161.1). What I'm seeing on the hosts in the 10.10.10.1 network is that a traceroute stops at 161.161.161.1 and does nothing else; the router itself can tftp to external IPs, ftp etc. to other datacenters I deal with, and it does DNS perfectly.

So either it's a route back from router 1, router 1 not permitting 10.10.10.1 traffic to go through, or another NAT issue. When I do RMaps on router 2, the hosts get the internet, but then the 10.10.10.1 range isn't accessible from the router 1 networks; they all come back as the DMZ IP assigned to the interface on router 2.
0
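To make the two competing explanations in this thread concrete (Soulja's question about a route back to 10.10.10.0/24 on router 1, and the overload-NAT suggestion whose side effect the author describes above, namely that 10.10.10.x hosts show up as the router 2 interface address), here is an added Python model of the two-router path. It is not code from the thread or from Cisco; the 10.10.10.0/24 LAN and 161.162.1.0/25 link are taken from the posted router 2 config, but it assumes the existing router sits at 161.162.1.1 (the address the posted static NAT pointed at) and uses a constructed RFC 5737 address for the external host. Router 1 does no NAT in the model, so it isolates the return-route question from whatever NAT router 1 really does.

```python
"""Constructed two-router model for the thread above: static routes plus optional PAT."""
import ipaddress

# Addresses: 10.10.10.0/24 and 161.162.1.0/25 come from the posted router 2 config.
# The existing router (router 1) is ASSUMED to sit at 161.162.1.1; the external
# host is a constructed RFC 5737 documentation address.
HOST = "10.10.10.50"
LAN = "10.10.10.0/24"
R2_OUTSIDE = "161.162.1.2"
R1_INSIDE = "161.162.1.1"
INTERNET = "198.51.100.10"


def longest_match(routes, dst):
    """Longest-prefix lookup over {prefix: next_hop}; returns None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


class Router:
    """Tiny IOS-like router: static routes and optional overload NAT on one address."""

    def __init__(self, name, routes, pat=None):
        self.name = name
        self.routes = routes   # {"prefix/len": next-hop address, "connected" or "internet"}
        self.pat = pat         # (inside prefix, outside address) or None for no NAT
        self.xlate = {}        # outside port -> (inside source, inside port)

    def forward_out(self, pkt):
        """Inside-to-outside: rewrite the source if PAT covers it, then pick a next hop."""
        nh = longest_match(self.routes, pkt["dst"])
        if nh is None:
            return None, None
        if self.pat and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.pat[0]):
            oport = 1024 + len(self.xlate)                  # allocate a fresh outside port
            self.xlate[oport] = (pkt["src"], pkt["sport"])
            pkt = dict(pkt, src=self.pat[1], sport=oport)   # packet now carries the outside address
        return pkt, nh

    def forward_in(self, pkt):
        """Outside-to-inside: undo the PAT entry when the packet is for the overload address."""
        if self.pat and pkt["dst"] == self.pat[1]:
            entry = self.xlate.get(pkt["dport"])
            if entry is None:
                return None, None                           # unknown port: router drops it
            pkt = dict(pkt, dst=entry[0], dport=entry[1])
        return pkt, longest_match(self.routes, pkt["dst"])


def build(return_route_on_r1, pat_on_r2):
    """Router 1 has only a default route unless told to add the route back to the LAN."""
    r1_routes = {"0.0.0.0/0": "internet", "161.162.1.0/25": "connected"}
    if return_route_on_r1:
        r1_routes[LAN] = R2_OUTSIDE     # i.e. ip route 10.10.10.0 255.255.255.0 161.162.1.2
    r2_routes = {"0.0.0.0/0": R1_INSIDE, "161.162.1.0/25": "connected", LAN: "connected"}
    r1 = Router("router1", r1_routes)
    r2 = Router("router2", r2_routes, pat=(LAN, R2_OUTSIDE) if pat_on_r2 else None)
    return r1, r2


def round_trip(return_route_on_r1, pat_on_r2):
    """One flow host -> internet and its reply; report what the server saw and where the reply went."""
    r1, r2 = build(return_route_on_r1, pat_on_r2)
    pkt = {"src": HOST, "dst": INTERNET, "sport": 40000, "dport": 80}
    pkt, nh = r2.forward_out(pkt)                         # the host's gateway is router 2
    if nh != R1_INSIDE:
        raise RuntimeError("router 2 lacks a default route")
    pkt, nh = r1.forward_out(pkt)                         # router 1 does no NAT in this model
    server_sees = pkt["src"]
    reply = {"src": INTERNET, "dst": pkt["src"], "sport": 80, "dport": pkt["sport"]}
    reply, nh = r1.forward_in(reply)
    if nh not in (R2_OUTSIDE, "connected"):
        # Only a default route: router 1 sends the 10.10.10.x reply back out toward the internet.
        return {"server_sees": server_sees, "reply_reaches_host": False, "reply_sent_to": nh}
    reply, nh = r2.forward_in(reply)
    ok = reply is not None and reply["dst"] == HOST and nh == "connected"
    return {"server_sees": server_sees, "reply_reaches_host": ok, "reply_sent_to": nh}


if __name__ == "__main__":
    for rr, pat in ((False, False), (True, False), (False, True)):
        print(f"return route={rr!s:5} PAT={pat!s:5} ->", round_trip(rr, pat))
```

Running it shows the three situations discussed in the thread: with no NAT and no route back, router 1 matches the 10.10.10.50 reply against its default route and pushes it toward the internet, which is exactly the case Soulja's question targets; adding the return route fixes that while the external server still sees the real 10.10.10.x source; enabling overload on router 2 also gets replies back without any return route, but every LAN host now appears as 161.162.1.2 to everything beyond router 2, which is the side effect the author reports.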
Soulja (Senior Network Engineer) commented:
Did you resolve your issue?
0
Soulja (Senior Network Engineer) commented:
Did you resolve your issue?
0
Soulja (Senior Network Engineer) commented:
Did you resolve your issue?
0
Soulja (Senior Network Engineer) commented:
Did you resolve your issue?
0
Soulja (Senior Network Engineer) commented:
Talk about duplicate posts...:)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.