TestMonkey
asked on
Cisco Router behind Cisco Router
This is a Cisco router behind another Cisco router; it can ping external IPs etc., but the hosts connected to it cannot. Ideas?
Building configuration...
Current configuration : 3482 bytes
!
! Last configuration change at 22:30:23 UTC Mon Apr 18 2011 by ecarter
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5
enable password
!
no aaa new-model
!
!
!
crypto pki trustpoint TP-self-signed-54008793
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-54008793
revocation-check none
rsakeypair TP-self-signed-54008793
!
!
crypto pki certificate chain TP-self-signed-54008793
certificate self-signed 01
quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip name-server
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid /K9 sn
vtp version 2
username
!
!
!
!
!
!
!
!
interface FastEthernet0
ip address 1.1.1.1 255.255.255.255
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface FastEthernet1
ip address 11.11.11.11 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
!
!
interface FastEthernet9
switchport access vlan 2
!
!
interface Vlan1
ip address 12.11.11.11 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Async1
no ip address
encapsulation slip
!
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 1.1.1.0 permanent
!
access-list 110 remark CCP_ACL Category=2
access-list 110 permit ip 0.0.0.0 255.255.255.0 any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 5 0
logging synchronous
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
exec-timeout 5 0
login
transport input telnet ssh
transport output telnet ssh
!
end
What is the IP Schema (of the hosts) connected through NAT?
ASKER
they use the same subnet as those on vlan 1 and fastethernet1
You don't have NAT pools or ACLs setup. To better understand NAT and how to configure it, look at
http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1045853
ASKER
Whenever I do NATting, the subnets on my other router cannot reach the ones on this router, which is why I'm here asking
do you have multiple vlans or just a single vlan?
ASKER
On router 1 I have VLAN 1, which is a standard 10.11.11.0 network; then on router two the config is above. What's bothering me is that router 2 can ping anything on the internet, TFTP etc., but hosts on it cannot reach the net. I've tried my overloads to the interface and working an ACL, permits, but when I do the NAT overload, 10.11.11.0 pings the subnets on router 2 but its external interface replies.
can you print me out a complete netstat routing table from one of the hosts.
Why are you doing NAT instead of just routing?
ASKER
Gateway of last resort is 1.1.1.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 1.1.1.1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.11.11.0/24 is directly connected, Vlan1
L 10.11.11.1/32 is directly connected, Vlan1
C 10.12.12.0/24 is directly connected, FastEthernet1
L 10.12.12.1/32 is directly connected, FastEthernet1
1.1.1.0/16 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/25 is directly connected, FastEthernet0
L 1.1.1.1/32 is directly connected, FastEthernet0
S 10.24.24.0/24 [1/0] via 10.12.12.2
Currently routing to the next hop, which is a VLAN on the 1st router; again, router 2 can get out to the net, its connected hosts can't.
Tried routing to everything: router 1, router 1's next hop etc. Can't ping the outside world with those, can with the VLAN IP on router 1
You also may not have the first router configured for NAT for the other IP addresses. What is your network design goal? Why are you using NAT (improperly configured) on this router? You are using public IP addresses on the router config you posted, which doesn't match anything like the routing table you posted.
Unless there is a specific reason to do otherwise, this second router should not be doing NAT and it should only route. I don't see any routing protocols, so you will need static routes on the first router. Can you post properly sanitized configurations of both routers? The configuration you posted shows invalid routes and interface subnets, so it's impossible to see if the original config is wrong or just the version you posted.
ASKER
Ok, if I skip routing: I've enabled EIGRP, that didn't work. The next hops tried were
1.) The VLAN on router 1, which is a DMZ range; I have another firewall on it that has hosts that can get to the net just using the VLAN's primary as the next hop
2.) The router itself, tried, doesn't work
3.) The next hop on the layer 3 switch that's attached, doesn't work
ASKER CERTIFIED SOLUTION
ASKER
1.) I set the routes for the two subnets on the old router to point to the routable IP on the router itself; just did that now, pings are going back and forth on the local networks
2.) Router 1 uses an RMap and I just included the two subnets, which includes the ACL
No pings to outside world
What's the IP of the host you're trying to ping from?
Can you ping that IP from router 1?
ASKER
Router 1 is having zero issues, works flawlessly
Router 2 <-- New router can ping internal IP addresses only; it can ping the external interface on the gateway, it can ping the outside world, it cannot however ping the primary internal IP of router 1. Hosts on it can only ping other internal subnets
Ok, I understand that router 1 works fine, but I'm asking something very specific.
In order to establish if router 1 is ever going to route traffic for hosts behind router 2 we need to know if router 1 knows where to send traffic for hosts on that network.
It is a little confusing when looking at your config and routing table, as the two don't seem to match.
Also, you've said router 2 can ping external IPs but not the internal primary of router 1, so there is something amiss on router 1 also.
Could you post the config from router 1 so we can check them both?
ASKER
Just fixed that up; I had two routes pointing back to router 2 on router one. Now router 2 can ping anything on the internal network
On router 1 I use an Rmap to move traffic via NAT, so I added the two subnets behind router 2 to that rmap, so that's a good first step
The interface on router 2 is a DMZ IP, routable etc., which has IP 168.168.168.11 attached to it, and it points to VLAN 1 on router 1 which is 168.168.168.1; the router itself can ping anything and everything internal and external
Hosts can now ping everything including the front end IP but nothing after that
Router 1 points the two subnets back to 168.168.168.11, which is the IP of the primary interface on router 2
The config for router 1 is nearly 20 pages in total in Notepad; I can provide parts, but the time to clean it would be massive
ASKER
Does router 1 need to NAT the subnets of router 2 as well? Or simply just an ip route?
It needs to NAT in normal installations. I'm assuming you have an internet feed attached to router 1 with either a dynamic IP address or a single static IP?
Just as an example, you would need a NAT statement and ACL to match the traffic you want to give internet access to...
access-list 100 permit ip 1.1.1.0 0.0.0.255 any (subnet on router 1)
access-list 100 permit ip 2.2.2.0 0.0.0.255 any (subnet on router 2)
access-list 100 permit ip 3.3.3.0 0.0.0.255 any (another subnet on router 2)
ip nat inside source list 100 interface Dialer0 overload (assuming you have an ADSL or similar)
ASKER
access-list 102 permit ip 10.25.25.0 0.0.0.255 any
access-list 102 permit ip 10.26.26.0 0.0.0.255 any
access-list 102 permit ip 10.11.11.0 0.0.0.255 any <-- Router 2
access-list 102 permit ip 10.12.12.0 0.0.0.255 any <-- Router 2
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload <- Router 1's nat statement
SDM_RMAP_1 points to access list 102
Static, we have 250 routable ips, 100MBit dedicated fibre feed
Is there a reason why you have a route-map for the NAT statement?
Is GigabitEthernet0/0 your default route to the internet?
Can you post any ip route statements you have on router 1?
ASKER
There's over 100 routes when I do show ip route, but the ones we are interested in:
S 10.11.11.0/24 [1/0] via 168.168.168.11
S 10.12.12.0/24 [1/0] via 168.168.168.11
ip route 10.11.11.0 255.255.255.0 168.168.168.11
ip route 10.12.12.0 255.255.255.0 168.168.168.11
ASKER
No reason, it works though so never saw a need to change it
Ok can you do show ip int br on router 2 and post the output?
ASKER
Interface IP-Address OK? Method Status Protocol
Async1 unassigned YES NVRAM down down
FastEthernet0 168.168.168.11 YES manual up up
FastEthernet1 10.11.11.1 YES manual up up
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset up down
FastEthernet4 unassigned YES unset up down
FastEthernet5 unassigned YES unset up up
FastEthernet6 unassigned YES unset up up
FastEthernet7 unassigned YES unset up down
FastEthernet8 unassigned YES unset up down
FastEthernet9 unassigned YES unset up down
NVI0 unassigned YES unset administratively down down
Vlan1 10.12.12.1 YES manual up up
That looks ok.
What's connected to FastEthernet1 on router 2? Is it a switch?
From whatever is connected to FastEthernet1 can you ping router 1?
ASKER
FastEthernet1 is connected to a layer 3 switch; router 1 is plugged into the same, and they are assigned their own VLANs.
Yes, everything is pingable. I can even change ip routes and send to the VLANs on the switch, and they can ping everything on each other
Ok, so can you do a traceroute to 8.8.8.8 from a PC on the 10.11.11.0 network and post that?
ASKER
First hop is 10.11.11.1 and second is 168.168.168.11, and then nothing, so the FastEthernet0 interface is where it's stopping
If the first hop is 10.11.11.1, the second hop should not be displayed as 168.168.168.11, as it is the same router. You should see * * * if you're doing the traceroute from a PC.
ASKER
That's where NAT comes in, I thought
There is no NAT at router 2. It is plain routing.
ASKER
so what should next hop be?
You asked me to ping from a host on router 2; the host's default gateway is 10.11.11.1, 168.168.168.1 which is the main DMZ IP on router 1. Sorry, confused the hop number, but the next hop was router 1
I think that there is a NAT problem on router 1. Can you PLEASE post the configuration?
ASKER
ip nat inside source route-map SDM_RMAP_1 interface gigabitethernet0/0 overload
Other NATs are just static to other networks internally that are separate from router 2; they all work
The IP route on Router 1 points to the next hop of the gateway, so if my router is 1.1.1.2 the next is 1.1.1.1; no issues with anything there
route-map SDM_RMAP_1 permit 1
match ip address 102
access-list 102 permit ip 10.25.25.0 0.0.0.255 any
access-list 102 permit ip 10.26.26.0 0.0.0.255 any
access-list 102 permit ip 10.11.11.0 0.0.0.255 any <-- Router 2
access-list 102 permit ip 10.12.12.0 0.0.0.255 any <-- Router 2
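As an added example (not from the thread or either router's config), here is a small offline model of the two things the replies keep asking the asker to verify on router 1 before hosts behind router 2 can get out: whether router 1's NAT ACL 102 matches a host's source address, and whether router 1 has a static route back to that host's subnet. It uses the ACL and ip route lines posted above, plus router 2's ACL 110 from the first config for contrast; the host addresses are constructed.

```python
# Added example, not from the thread or either router: an offline model of two
# checks the replies ask for on router 1 before hosts behind router 2 can reach
# the internet: does the NAT ACL match the host's source address, and does
# router 1 have a route back to the host's subnet. ACL and ip route lines are
# copied from the thread; the host addresses used below are constructed.
import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+any")
ROUTE_RE = re.compile(r"^ip route\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_acl(text, number):
    """Return [(action, network_int, wildcard_int)] for one numbered IOS ACL."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == str(number):
            net = int(ipaddress.IPv4Address(m.group(3)))
            wild = int(ipaddress.IPv4Address(m.group(4)))
            entries.append((m.group(2), net, wild))
    return entries

def acl_matches(entries, ip):
    """IOS wildcard semantics: a 0 bit in the wildcard must match the address,
    a 1 bit is ignored. First match wins; the list ends with an implicit deny."""
    addr = int(ipaddress.IPv4Address(ip))
    for action, net, wild in entries:
        care = ~wild & 0xFFFFFFFF
        if addr & care == net & care:
            return action == "permit"
    return False

def parse_routes(text):
    """Return [(IPv4Network, next_hop)] from 'ip route <net> <mask> <next-hop>'."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"), m.group(3)))
    return routes

def return_next_hop(routes, ip):
    """Longest-prefix match; None means router 1 has no route back to the host,
    so replies for a translated flow would never reach router 2."""
    addr = ipaddress.IPv4Address(ip)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

# Router 1's NAT ACL (referenced by route-map SDM_RMAP_1) and its static routes.
ROUTER1_CONFIG = """
access-list 102 permit ip 10.25.25.0 0.0.0.255 any
access-list 102 permit ip 10.26.26.0 0.0.0.255 any
access-list 102 permit ip 10.11.11.0 0.0.0.255 any
access-list 102 permit ip 10.12.12.0 0.0.0.255 any
ip route 10.11.11.0 255.255.255.0 168.168.168.11
ip route 10.12.12.0 255.255.255.0 168.168.168.11
"""
# Router 2's ACL 110 from the first posted config: wildcard 255.255.255.0 ignores
# the first three octets and requires the last octet to be 0, so real hosts never match.
ROUTER2_ACL = "access-list 110 permit ip 0.0.0.0 255.255.255.0 any"

def check_host(host_ip):
    """(host matched by router 1's NAT ACL?, next hop router 1 uses to reach it)."""
    acl = parse_acl(ROUTER1_CONFIG, 102)
    return acl_matches(acl, host_ip), return_next_hop(parse_routes(ROUTER1_CONFIG), host_ip)

if __name__ == "__main__":
    for host in ("10.11.11.50", "10.24.24.5"):  # constructed sample hosts
        print(host, check_host(host))
```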
It would definitely help if we could see the configs from both routers, no matter how large they may be. Even though all the NATs work for your existing stuff, there may be something that is breaking what you're trying to do now.
ASKER
I changed next hop from the DMZ to the internal IP of the router, which I route back through my L3 switch, and it works, but I can't use the DMZ IP on the router for next hop, which I can do with other servers and firewalls attached to it, so kinda odd
I don't mind posting the NAT part, just filtering it would take a while; grand total I have 900 objects :P each with a specific name that matches a corporate name, profile and a description to match purpose