Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 545
  • Last Modified:

Cisco Router behind Cisco Router

This is a cisco router behind another cisco router, it can ping external ips etc, but the hosts connected to it cannot, ideas?


Building configuration...

Current configuration : 3482 bytes
!
! Last configuration change at 22:30:23 UTC Mon Apr 18 2011 by ecarter
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5
enable password
!
no aaa new-model
!
!
!
crypto pki trustpoint TP-self-signed-54008793
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-54008793
 revocation-check none
 rsakeypair TP-self-signed-54008793
!
!
crypto pki certificate chain TP-self-signed-54008793
 certificate self-signed 01
  3082023B 308201A4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 35343030 38373933 301E170D 31313034 31323139 34353234
  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D353430 30383739
  3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 81008B67
  F7C799CE 9EB15368 DA3E493C 013B659F C36022B4 082D83AA 738979DC 203C3967
  BEA2FB35 428360F9 83658B03 61F40FCA 5F80FA89 7D9480C1 E843EEA1 9996194C
  95383EA5 111E2F2C D8640311 F724A507 7229B80F B7CB454B FF32B958 663E6671
  C098C8CC C1C4CE24 626F7243 A63C2C89 1D7ADD11 A266FA80 DFD21874 BD4B0203
  010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603 551D1104
  0B300982 07536869 66744851 301F0603 551D2304 18301680 144FBDA7 F849BD7E
  A6FF1B79 F7A227CC 660E5D03 20301D06 03551D0E 04160414 4FBDA7F8 49BD7EA6
  FF1B79F7 A227CC66 0E5D0320 300D0609 2A864886 F70D0101 04050003 8181007E
  22327F6E 1B700110 811A793F 3A0DF856 3C51C316 324062AD 0532C21A 83969392
  586C0461 92873C77 380C1FFE B7F549DB ED114BC2 B675DD0A 11BDFE72 05A84B5E
  391FFDC2 9C73C8AC 4DBF657F E125F7D5 86887515 2EDF6455 13D6E047 3A5B0C21
  35720B47 7FFDB172 B8C1D7FA 39B8FD8A D5C044EA F157462A 5904425F 0A5A9E
        quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip name-server
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid /K9 sn
vtp version 2
username
!
!
!
!
!
!
!
!
interface FastEthernet0
 ip address 1.1.1.1 255.255.255.255
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
interface FastEthernet1
 ip address 11.11.11.11 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 --More--          !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 !
!
interface FastEthernet5
 !
!
interface FastEthernet6
 !
!
interface FastEthernet7
 !
!
interface FastEthernet8
 !
!
interface FastEthernet9
 switchport access vlan 2
 !
!
interface Vlan1
 ip address 12.11.11.11 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
interface Async1
 no ip address
 encapsulation slip
 !
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 1.1.1.0 permanent
!
access-list 110 remark CCP_ACL Category=2
access-list 110 permit ip 0.0.0.0 255.255.255.0 any
!
!
!
!
!
!
control-plane
 !
!
!
line con 0
 exec-timeout 5 0
 logging synchronous
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 --More--          exec-timeout 5 0
 login
 transport input telnet ssh
 transport output telnet ssh
!
end

0
TestMonkey
Asked:
TestMonkey
  • 19
  • 11
  • 4
  • +1
1 Solution
 
activematxCommented:
What is the IP Schema (of the hosts) connected through NAT?
0
 
TestMonkeyAuthor Commented:
they use the same subnet as those on vlan 1 and fastethernet1
0
 
kevinhsiehCommented:
You don't have NAT pools or ACLs setup. To better understand NAT and how to configure it, look at

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1045853
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
TestMonkeyAuthor Commented:
Whenever I do natting then the subnets on my other router cannot reach the ones on this router, which is why im here asking
0
 
activematxCommented:
do you have multiple vlans or just a single vlan?
0
 
TestMonkeyAuthor Commented:
On router 1 i have vlan 1 which is a standard 10.11.11.0 network, then on router two the config is above, whats bothering me is router 2 can ping anything on the internet, tftp etc but hosts on it cannot reach the net, ive tried my overloads to the interface, and working an acl, permits, but when iu do the nat overload 10.11.11.0 pings the subnets on routers 2 but its external interface replies.  
0
 
activematxCommented:
can you print me out a complete netstat routing table from one of the hosts.
0
 
kevinhsiehCommented:
Why are you doing NAT instead of just routing?
0
 
TestMonkeyAuthor Commented:
Gateway of last resort is 1.1.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 1.1.1.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.11.11.0/24 is directly connected, Vlan1
L        10.11.11.1/32 is directly connected, Vlan1
C        10.12.12.0/24 is directly connected, FastEthernet1
L        10.12.12.1/32 is directly connected, FastEthernet1
      1.1.1.0/16 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/25 is directly connected, FastEthernet0
L        1.1.1.1/32 is directly connected, FastEthernet0
S     10.24.24.0/24 [1/0] via 10.12.12.2


Currently routing to the next hop which is a vlan on the 1st router again router 2 can get out to the new, its connected hosts cant.

Tried routing to everything, router 1, router 1s next hope etc, cant ping outside world with those, can with the vlan ip on router 1
0
 
kevinhsiehCommented:
You also may not have the first router configured for NAT for the other IP addresses. What is your network design goal? Why are you using NAT (improperly configured) on this router? You are using public IP addresses on the router config you posted, which doesn't match anything like the routing table you posted.

Unless there is a specific reason to do otherwise, this second router should not be doing NAT and it should only route. I don't see any routing protocols, so the first router, so you will need static routes on the first router. Can you post properly sanitized configurations of both routers? The configuration you posted shows invalid routes and interface subnets, so it's impossible to see if the original config is wrong or just the version you posted.
0
 
TestMonkeyAuthor Commented:
Ok if i skip routing, ive enabled EIGRP, that didnt work, the next hops tried were

1.) The Vlan on router 1 which is a dmz range, I have another firewall on it that has hosts that can get to the net with just using the vlans primary as the next hope
2.) The router itself, tried doesnt work
3.) the next hop on the layer 3 switch thats attached, doesnt work

0
 
Craig BeckCommented:
The router can get to the internet as it has a gateway address.

The hosts behind that router can't get to the internet for one of the following reasons:

1] The first router doesn't have a route to the network on router 2.
2] The NAT statement on router 1 isn't configured to include the IP range on router 2.
2] The ACL which specifies traffic to be NATted isn't configured to include the IP range on router 2.


I would verify the above, maybe adding the following config to router 1...

ip route 10.11.11.0 255.255.255.0 1.1.1.1
0
 
TestMonkeyAuthor Commented:
1.) I set the routes for the two subnets on the old router to point to the routable IP on the router itself, just did that now, pings are going back and forth on the local networks
2.) Router 1 uses an RMap and i just included the two subnets which includes the ACL

No pings to outside world
0
 
Craig BeckCommented:
What's the IP of the host you're trying to ping from?

Can you ping that IP from router 1?
0
 
TestMonkeyAuthor Commented:
Router 1 is having zerp issues, works flawlessly

Router 2 <-- New router can ping internal IP address only, it can ping the external interface on the gateway, it can ping the outside world, it cannot however ping the internal primary internal of router 1.  Hosts on it can only ping other internal subnets
0
 
Craig BeckCommented:
Ok, I understand that router 1 works fine, but I'm asking something very specific.

In order to establish if router 1 is ever going to route traffic for hosts behind router 2 we need to know if router 1 knows where to send traffic for hosts on that network.
It is a little confusing when looking at your config and routing table, as the two don't seem to match.

Also, you've said router 2 can ping external IPs but not the internal primary of router 1, so there is something amiss on router 1 also.

Could you post the config from router 1 so we can check them both?
0
 
TestMonkeyAuthor Commented:
Just fixed that up, I had two routes pointing back to router 2 on router one, now router 2 can ping anything on the internal network

On router 1 I use an Rmap to move traffic via nat, so I added the two subnets behind router 2 to that rmap so thats a good first step

The interface on router 2 is a DMZ IP, routable etc which has ip 168.168.168.11 attached to it, and it points to vlan 1 on router 1 which is 168.168.168.1, the router itself can ping anything and everything internal and external

Hosts can now ping everything including the front end IP but nothing after that

Router 1 points the two subnets back to 168.168.168.11 which is the ip of the primary interface on router 2

The config for router 1 is nearly 20 pages in total in notepad, i can provide parts but the time to clean it would be massive
0
 
TestMonkeyAuthor Commented:
Does router 1 need to nat the the subents of router 2 as well? or simply just an ip route
0
 
Craig BeckCommented:
It needs to NAT in normal installations.  I'm assuming you have an internet feed attached to router 1 with either a dynamic IP address or a single static IP?

Just as an example, you would need a NAT statement and ACL to match the traffic you want to give internet access to...

access-list 100 permit ip 1.1.1.0 0.0.0.255 any  (subnet on router 1)
access-list 100 permit ip 2.2.2.0 0.0.0.255 any  (subnet on router 2)
access-list 100 permit ip 3.3.3.0 0.0.0.255 any  (another subnet on router 2)

ip nat inside source list 100 interface Dialer0 overload   (assuming you have an ADSL or similar)


0
 
TestMonkeyAuthor Commented:
access-list 102 permit ip 10.25.25.0 0.0.0.255 any
access-list 102 permit ip 10.26.26.0 0.0.0.255 any
access-list 102 permit ip 10.11.11.0 0.0.0.255 any <-- Router 2
access-list 102 permit ip 10.12.12.0 0.0.0.255 any <-- Router 2


ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload <- Router 1's nat statement

SDM_RMAP_1 points to access list 102

Static, we have 250 routable ips, 100MBit dedicated fibre feed
0
 
Craig BeckCommented:
Is there a reason why you have a route-map for the NAT statement?
Is GigabitEthernet0/0 your default route to the internet?

Can you post any ip route statements you have on router 1?
0
 
TestMonkeyAuthor Commented:
theres over 100 routes when i do show ip route but the ones we are interested in:

S        10.11.11.0/24 [1/0] via 168.168.168.11
S        10.12.12.0/24 [1/0] via 168.168.168.11

ip route 10.11.11.0 255.255.255.0 168.168.168.11
ip route 10.12.12.0 255.255.255.0 168.168.168.11
0
 
TestMonkeyAuthor Commented:
No reason, it works though so never saw a need to change it
0
 
Craig BeckCommented:
Ok can you do show ip int br on router 2 and post the output?
0
 
TestMonkeyAuthor Commented:
Interface                  IP-Address      OK? Method Status                Protocol
Async1                     unassigned      YES NVRAM  down                  down
FastEthernet0              168.168.168.11   YES manual up                    up  
FastEthernet1              10.11.11.1      YES manual up                    up  
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  up                    down
FastEthernet4              unassigned      YES unset  up                    down
FastEthernet5              unassigned      YES unset  up                    up  
FastEthernet6              unassigned      YES unset  up                    up  
FastEthernet7              unassigned      YES unset  up                    down
FastEthernet8              unassigned      YES unset  up                    down
FastEthernet9              unassigned      YES unset  up                    down
NVI0                       unassigned      YES unset  administratively down down
Vlan1                      10.12.12.1      YES manual up                    up  
0
 
Craig BeckCommented:
That looks ok.

What's connected to FastEthernet1 on router 2?  Is it a switch?
From whatever is connected to FastEthernet1 can you ping router 1?
0
 
TestMonkeyAuthor Commented:
Fast ethernet 1 is connected to a layer 3 switch, router 1 is plugged into the same, they are assigned their own vlans.

Yes everything is pingable, i can even change ip routes and send to the vlans on the switch and they can ping everything on each other
0
 
Craig BeckCommented:
Ok, so can you do a traceroute to 8.8.8.8 from a PC on the 10.11.11.0 network and post that?
0
 
TestMonkeyAuthor Commented:
First hope is 10.11.11.1 and second is the 168.168.168.11 and then nothing so the fastethernet0 interface is where its stopping
0
 
Craig BeckCommented:
If the first hop is 10.11.11.1 the second hop should not be displayed as 168.168.168.11 as it is the same router.  The   You should see *   *   * if you're doing the traceroute from a PC.
0
 
TestMonkeyAuthor Commented:
That's where nat cones in i thought
0
 
Craig BeckCommented:
There is no NAT at router 2.  It is plain routing.
0
 
TestMonkeyAuthor Commented:
so what should next hop be?

You asked me to ping from a host on router 2, the hosts default gateway is 10.11.11.1 168.168.168.1 which is the main DMZ ip on router 1, sorry confued the hop number but the next hope was router 1
0
 
kevinhsiehCommented:
I think that there is a NAT problem on router 1. Can you PLEASE post the configuration?
0
 
TestMonkeyAuthor Commented:
ip nat inside source route-map SDM_RMAP_1 interface gigabitethernet0/0 overload

Other nats are just static to other networks internally that are seperate from router 2, they all work

The IP route on Router 1 points to the next hope of the gateway so if my router is 1.1.1.2 the next is 1.1.1.1 no issues with anything there

Router-map SDM_RMAP_1 permit 1
match ip address 102

access-list 102 permit ip 10.25.25.0 0.0.0.255 any
access-list 102 permit ip 10.26.26.0 0.0.0.255 any
access-list 102 permit ip 10.11.11.0 0.0.0.255 any <-- Router 2
access-list 102 permit ip 10.12.12.0 0.0.0.255 any <-- Router 2
0
 
Craig BeckCommented:
It would definitely help if we could see the configs from both routers, no matter how large they may be.  Even though all the NATs work for your existing stuff, there may be something that is breaking what you're trying to do now.
0
 
TestMonkeyAuthor Commented:
I canged next hope from the dmz to the internal ip of the router, which i router back through my l3 switch and it works but cant use the dmz ip on the router for next hope, which I can do with other servers and firewalls attached to it so kinda odd

I dont mind posting the nat part, just filtering it would take awhile, grand total i have 900 objects :P each with a specific name that matches a corporate name, profile and a description to match purpose
0

Featured Post

[Webinar On Demand] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

  • 19
  • 11
  • 4
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now