ucftimm

Not able to route between subnets

I am building an edge router that is connecting Frontier to our network. They gave us a WAN IP block and a LAN public IP block. I have configured the router and I think I have done it right for what we are using it for. On the router I can ping both the 152.179.45.144 network, which is a /30 and the WAN block. I can also ping the 65.200.225.160 network, which is a /28 LAN block. I cannot ping 152.179.45.145 using 65.200.225.161 as the source. From the router I can also ping outside addresses with no trouble. I can ping the Frontier DNS servers and Google's public DNS servers, and I can also ping IP addresses of Yahoo and Microsoft. So I can get out to the internet, but just can't when using the public IP addresses given to me. From a laptop with an IP address of 65.200.225.163 or .162 I can ping 65.200.225.161 and I can ping 152.179.45.146. I cannot get past 152.179.45.146. I am assuming I did not route something correctly.

Thanks for any assistance.

Here is the config file.

Building configuration...

Current configuration : 6712 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname AIP
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
enable secret 5 *******************************.
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 10
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name nameofcompany.com
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint ***************************-ca
 enrollment selfsigned
 subject-name O=****************************,CN=www.******************.com
 revocation-check crl
 rsakeypair ***************************************-rsa
!
!
crypto pki certificate chain ******-******************-ca
 certificate self-signed 01
  quit
username ******** privilege 15 secret 5 ****************************************.
!
!
!
!
!
!
interface FastEthernet0/0
 description INTF-INFO-FA 0/0$FW_INSIDE$
 ip address 65.200.225.161 255.255.255.240
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description to Verizon WAN
 no ip address
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 speed 100
 full-duplex
 no mop enabled
!
interface FastEthernet0/1.1
 description To Verizon WAN
 encapsulation dot1Q 54
 ip address 152.179.45.146 255.255.255.252
 no snmp trap link-status
 no cdp enable
!
router rip
 version 2
 network 65.0.0.0
 network 152.179.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 152.179.45.145 permanent
!
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit tcp host 65.115.158.150 host 65.200.225.161 eq 22
access-list 100 permit tcp host 65.115.158.151 host 65.200.225.161 eq 22
access-list 100 permit tcp host 65.115.158.152 host 65.200.225.161 eq 22
access-list 100 permit tcp host 65.115.158.154 host 65.200.225.161 eq 22
access-list 100 permit tcp host 65.115.158.156 host 65.200.225.161 eq 22
access-list 100 permit tcp host 65.115.158.140 host 65.200.225.161 eq 22
access-list 100 permit tcp host 65.200.225.162 host 65.200.225.161 eq 22
access-list 100 permit tcp host 65.115.158.150 host 65.200.225.161 eq cmd
access-list 100 permit tcp host 65.115.158.151 host 65.200.225.161 eq cmd
access-list 100 permit tcp host 65.115.158.152 host 65.200.225.161 eq cmd
access-list 100 permit tcp host 65.115.158.154 host 65.200.225.161 eq cmd
access-list 100 permit tcp host 65.115.158.156 host 65.200.225.161 eq cmd
access-list 100 permit tcp host 65.115.158.140 host 65.200.225.161 eq cmd
access-list 100 permit tcp host 65.200.225.162 host 65.200.225.161 eq cmd
access-list 100 permit udp host 65.115.158.150 host 65.200.225.161 eq snmp
access-list 100 permit udp host 65.115.158.151 host 65.200.225.161 eq snmp
access-list 100 permit udp host 65.115.158.152 host 65.200.225.161 eq snmp
access-list 100 permit udp host 65.115.158.154 host 65.200.225.161 eq snmp
access-list 100 permit udp host 65.115.158.156 host 65.200.225.161 eq snmp
access-list 100 permit udp host 65.115.158.140 host 65.200.225.161 eq snmp
access-list 100 permit udp host 65.200.225.162 host 65.200.225.161 eq snmp
access-list 100 permit udp host 198.92.103.112 host 65.200.225.161 eq snmp
access-list 100 deny   tcp any host 65.200.225.161 eq telnet
access-list 100 deny   tcp any host 65.200.225.161 eq 22
access-list 100 deny   tcp any host 65.200.225.161 eq www
access-list 100 deny   tcp any host 65.200.225.161 eq 443
access-list 100 deny   tcp any host 65.200.225.161 eq cmd
access-list 100 deny   udp any host 65.200.225.161 eq snmp
access-list 100 deny   icmp any host 65.200.225.161 echo-reply
access-list 100 permit ip any any
access-list 101 permit ip host 65.115.158.150 any
access-list 101 permit ip host 65.115.158.151 any
access-list 101 permit ip host 65.115.158.152 any
access-list 101 permit ip host 65.115.158.154 any
access-list 101 permit ip host 65.115.158.156 any
access-list 101 permit ip host 65.200.225.162 any
no cdp log mismatch duplex
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CC
AUTHORIZED USE ONLY!!
If you are not an active employee of ********************
performing appointed tasks, DISCONNECT IMMEDIATELY!!!
All activity is logged.
^C
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login local
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 access-class 101 in
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 access-class 101 in
 privilege level 15
 login local
 transport input ssh
!
!
end
ArneLovius

it might be
access-list 100 deny   icmp any host 65.200.225.161 echo-reply
Could you please send by PM the complete information you received for the WAN? Including gateway and so on. If I'm able to resolve, I'll post the solution. However, it's not the type of information you want to have posted on such a public forum.
What does your traceroute command look like from the IP address you are having an issue with?
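
To see which entry of access-list 100 a given packet hits, the first-match evaluation can be reproduced offline. This is an added example, not part of the thread: it handles only the entry forms that appear in the posted ACL, and the test packets are constructed. The ACL is applied with `ip access-group 100 in` on FastEthernet0/0, so the packets modelled are those arriving from the LAN side.

```python
# Entries copied from access-list 100 in the posted config (subset, order preserved).
ACL_100 = """\
access-list 100 permit tcp host 65.200.225.162 host 65.200.225.161 eq 22
access-list 100 deny   tcp any host 65.200.225.161 eq telnet
access-list 100 deny   tcp any host 65.200.225.161 eq 22
access-list 100 deny   icmp any host 65.200.225.161 echo-reply
access-list 100 permit ip any any
""".splitlines()

# IOS port keywords that appear in the posted ACL
PORTS = {"telnet": 23, "www": 80, "cmd": 514, "snmp": 161}

def _addr(tok, i):
    """Parse 'any' or 'host A.B.C.D' at tok[i]; return (address or None, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tok[i]}")

def parse_ace(line):
    """Turn one 'access-list N action proto src dst [eq port | icmp-type]' line into a dict."""
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3], "dport": None, "icmp": None}
    ace["src"], i = _addr(tok, 4)
    ace["dst"], i = _addr(tok, i)
    rest = tok[i:]
    if rest[:1] == ["eq"]:
        ace["dport"] = PORTS.get(rest[1]) or int(rest[1])
    elif rest:
        ace["icmp"] = rest[0]          # ICMP message type keyword, e.g. echo-reply
    return ace

def first_match(lines, pkt):
    """Return (action, line) for the first entry matching pkt; no match means implicit deny."""
    for line in lines:
        a = parse_ace(line)
        if (a["proto"] in ("ip", pkt["proto"])
                and a["src"] in (None, pkt["src"])
                and a["dst"] in (None, pkt["dst"])
                and a["dport"] in (None, pkt.get("dport"))
                and a["icmp"] in (None, pkt.get("icmp"))):
            return a["action"], line
    return "deny", "(implicit deny)"

# Constructed packet: laptop .163 pinging the ISP side of the /30
TRANSIT_PING = {"proto": "icmp", "src": "65.200.225.163",
                "dst": "152.179.45.145", "icmp": "echo"}
```

`first_match(ACL_100, TRANSIT_PING)` falls through to `permit ip any any`: the `echo-reply` deny only matches packets addressed to 65.200.225.161 itself.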
ucftimm

ASKER

I cannot get to the router physically this afternoon. I can get a traceroute pic for you Monday morning. I can tell you that when a traceroute is run it hits 65.199.217.161 and then nothing but * after that.
ASKER CERTIFIED SOLUTION
masnrock
ucftimm

ASKER

When I was getting out to the outside addresses, I was on the router using 152.179.45.146 as the source to ping and traceroute to outside addresses. I have removed the access-list 100 from int giga 0/1. I was still getting the same behavior. I think it is a routing issue where I have not got a proper route, or it's the ISP. I am waiting on them to get back to me to see if they have routed the 65.200.225.160 /28 network properly on their end.
ucftimm

ASKER

Good Morning,

I wanted to let you guys know that it was our ISP. They did not have the static route for our public IPs configured properly. Once that was corrected I can not ping all the way out to the internet and I can access the internet using our public IP addresses. Thanks to everyone for their assistance.
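
Why pings sourced from 152.179.45.146 worked while pings sourced from the /28 did not can be shown with a longest-prefix-match lookup on both routers. This is an added example, not part of the thread: the customer table is taken from the posted config, while the ISP-side tables and the `isp-core` next hop are assumptions that model the missing static route as simply absent.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: next hop of the most specific route covering dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

# Customer edge router, from the posted config (two connected networks plus the default route).
CUSTOMER = [
    ("65.200.225.160/28", "connected"),
    ("152.179.45.144/30", "connected"),
    ("0.0.0.0/0", "152.179.45.145"),
]

# ISP router on the other end of the /30 (assumed tables, not from the thread).
ISP_BEFORE = [
    ("152.179.45.144/30", "connected"),
    ("0.0.0.0/0", "isp-core"),          # hypothetical upstream next hop
]
ISP_AFTER = ISP_BEFORE + [("65.200.225.160/28", "152.179.45.146")]  # the corrected static route

def ping_works(src, dst, isp_table):
    """True if the echo request can leave the customer router and the ISP routes the reply back."""
    forward = lookup(CUSTOMER, dst)       # request: customer router toward dst
    back = lookup(isp_table, src)         # reply: ISP router toward the ping's source
    return forward is not None and back in ("connected", "152.179.45.146")

def report(isp_table):
    """Reachability of the ISP gateway for each source address mentioned in the question."""
    sources = ["152.179.45.146", "65.200.225.161", "65.200.225.163"]
    return {src: ping_works(src, "152.179.45.145", isp_table) for src in sources}
```

With `ISP_BEFORE`, only the /30 source gets a reply, because the ISP sends traffic for 65.200.225.160/28 to its default route instead of back across the link; with `ISP_AFTER`, all three sources succeed.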
ucftimm

ASKER

Thanks for the assistance.