ucftimm
Not able to route between subnets
I am building an edge router that is connecting Frontier to our network. They gave us a WAN IP block and a LAN public IP block. I have configured the router and I think I have done it right for what we are using it for. On the router I can ping both the 152.179.45.144 network, which is a /30, and the WAN block. I can also ping the 65.200.225.160 network, which is a /28 LAN block. I cannot ping 152.179.45.145 using 65.200.225.161 as the source. From the router I can also ping outside addresses with no trouble. I can ping the Frontier DNS servers and Google's public DNS servers, and I can also ping IP addresses of Yahoo and Microsoft. So I can get out to the internet, but just can't using the public IP addresses given to me. From a laptop with an IP address of 65.200.225.163 or .162 I can ping 65.200.225.161 and I can ping 152.179.45.146. I cannot get past 152.179.45.146. I am assuming I did not route something correctly.
Thanks for any assistance.
Here is the config file.
Building configuration...
Current configuration : 6712 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname AIP
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
enable secret 5 ************************** *****.
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 10
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name nameofcompany.com
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint ************************** *-ca
enrollment selfsigned
subject-name O=************************ ****,CN=ww w.******** ********** .com
revocation-check crl
rsakeypair ************************** ********** ***-rsa
!
!
crypto pki certificate chain ******-******************- ca
certificate self-signed 01
quit
username ********privilege 15 secret 5 ************************** ********** ****.
!
!
!
!
!
!
interface FastEthernet0/0
description INTF-INFO-FA 0/0$FW_INSIDE$
ip address 65.200.225.161 255.255.255.240
ip access-group 100 in
no ip redirects
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description to Verizon WAN
no ip address
no ip redirects
no ip proxy-arp
ip flow ingress
speed 100
full-duplex
no mop enabled
!
interface FastEthernet0/1.1
description To Verizon WAN
encapsulation dot1Q 54
ip address 152.179.45.146 255.255.255.252
no snmp trap link-status
no cdp enable
!
router rip
version 2
network 65.0.0.0
network 152.179.0.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 152.179.45.145 permanent
!
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit tcp host 65.115.158.150 host 65.200.225.161 eq 22
access-list 100 permit tcp host 65.115.158.151 host 65.200.225.161 eq 22
access-list 100 permit tcp host 65.115.158.152 host 65.200.225.161 eq 22
access-list 100 permit tcp host 65.115.158.154 host 65.200.225.161 eq 22
access-list 100 permit tcp host 65.115.158.156 host 65.200.225.161 eq 22
access-list 100 permit tcp host 65.115.158.140 host 65.200.225.161 eq 22
access-list 100 permit tcp host 65.200.225.162 host 65.200.225.161 eq 22
access-list 100 permit tcp host 65.115.158.150 host 65.200.225.161 eq cmd
access-list 100 permit tcp host 65.115.158.151 host 65.200.225.161 eq cmd
access-list 100 permit tcp host 65.115.158.152 host 65.200.225.161 eq cmd
access-list 100 permit tcp host 65.115.158.154 host 65.200.225.161 eq cmd
access-list 100 permit tcp host 65.115.158.156 host 65.200.225.161 eq cmd
access-list 100 permit tcp host 65.115.158.140 host 65.200.225.161 eq cmd
access-list 100 permit tcp host 65.200.225.162 host 65.200.225.161 eq cmd
access-list 100 permit udp host 65.115.158.150 host 65.200.225.161 eq snmp
access-list 100 permit udp host 65.115.158.151 host 65.200.225.161 eq snmp
access-list 100 permit udp host 65.115.158.152 host 65.200.225.161 eq snmp
access-list 100 permit udp host 65.115.158.154 host 65.200.225.161 eq snmp
access-list 100 permit udp host 65.115.158.156 host 65.200.225.161 eq snmp
access-list 100 permit udp host 65.115.158.140 host 65.200.225.161 eq snmp
access-list 100 permit udp host 65.200.225.162 host 65.200.225.161 eq snmp
access-list 100 permit udp host 198.92.103.112 host 65.200.225.161 eq snmp
access-list 100 deny tcp any host 65.200.225.161 eq telnet
access-list 100 deny tcp any host 65.200.225.161 eq 22
access-list 100 deny tcp any host 65.200.225.161 eq www
access-list 100 deny tcp any host 65.200.225.161 eq 443
access-list 100 deny tcp any host 65.200.225.161 eq cmd
access-list 100 deny udp any host 65.200.225.161 eq snmp
access-list 100 deny icmp any host 65.200.225.161 echo-reply
access-list 100 permit ip any any
access-list 101 permit ip host 65.115.158.150 any
access-list 101 permit ip host 65.115.158.151 any
access-list 101 permit ip host 65.115.158.152 any
access-list 101 permit ip host 65.115.158.154 any
access-list 101 permit ip host 65.115.158.156 any
access-list 101 permit ip host 65.200.225.162 any
no cdp log mismatch duplex
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CC
AUTHORIZED USE ONLY!!
If you are not an active employee of ********************
performing appointed tasks, DISCONNECT IMMEDIATELY!!!
All activity is logged.
^C
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
login local
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
access-class 101 in
privilege level 15
login local
transport input ssh
line vty 5 15
access-class 101 in
privilege level 15
login local
transport input ssh
!
!
end
Could you please send by PM the complete information you received for the WAN? Including gateway and so on. If I'm able to resolve, I'll post the solution. However, it's not the type of information you want to have posted on such a public forum.
What does your traceroute command look like from the IP address you are having an issue with?
ASKER
I cannot get to the router physically this afternoon. I can get a traceroute pic for you Monday morning. I can tell you that when a traceroute is run it hits 65.199.217.161 and then nothing but * after that.
ASKER
When I was getting out to the outside addresses, I was on the router using 152.179.45.146 as the source to ping and traceroute to outside addresses. I have removed the access-list 100 from int giga 0/1. I was still getting the same behavior. I think it is a routing issue where I have not got a proper route, or it's the ISP. I am waiting on them to get back to me to see if they have routed the 65.200.225.160 /28 network properly on their end.
ASKER
Good Morning,
I wanted to let you guys know that it was our ISP. They did not have the static route for our public IPs configured properly. Once that was corrected I can not Ping all the way out to the internet and I can access the internet using our public IP addresses. Thanks to everyone for their assistance.
ASKER
Thanks for the assistance.
access-list 100 deny icmp any host 65.200.225.161 echo-reply
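The resolution reported in the thread (the ISP lacked a static route for the customer /28) accounts for the symptom that pings sourced from 152.179.45.146 succeeded while pings sourced from 65.200.225.161 did not. The sketch below is an added example, not part of the original thread: it builds the edge router's table from the posted config and an assumed ISP-side table (its half of the /30, with or without the static route) and checks the forward and return path separately.

```python
import ipaddress as ip

# Edge router entries taken from the posted config (connected nets + default).
EDGE = {
    "connected": ["65.200.225.160/28", "152.179.45.144/30"],
    "static": {"0.0.0.0/0": "152.179.45.145"},
}

def isp_table(has_customer_route):
    """Assumed ISP-side table: its side of the /30 and, optionally, the
    static route for the customer /28 pointing at the edge router."""
    static = {"65.200.225.160/28": "152.179.45.146"} if has_customer_route else {}
    return {"connected": ["152.179.45.144/30"], "static": static}

def lookup(table, dst):
    """Longest-prefix match. Returns 'connected', a next-hop IP, or None."""
    dst = ip.ip_address(dst)
    candidates = [(net, "connected") for net in table["connected"]]
    candidates += list(table["static"].items())
    best = None
    for net, hop in candidates:
        n = ip.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, hop)
    return best[1] if best else None

def ping_isp_gateway(src, isp_has_customer_route):
    """Echo from the edge router (sourced from src) to 152.179.45.145,
    then the ISP's lookup for the echo-reply back towards src."""
    forward = lookup(EDGE, "152.179.45.145")
    reply = lookup(isp_table(isp_has_customer_route), src)
    return {"forward": forward, "reply": reply,
            "success": forward is not None and reply is not None}

if __name__ == "__main__":
    for src in ("152.179.45.146", "65.200.225.161"):
        for fixed in (False, True):
            print(src, "ISP static route:", fixed, ping_isp_gateway(src, fixed))
```

The forward lookup succeeds in every case, which is why the edge router's own configuration looked correct; only the return lookup for a /28 source changes once the ISP route exists.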