Cisco routing

Associate, joined 3 May 2009, 805 posts
Hi Guys,

As you all never fail to disappoint, I've got an issue which needs sorting.

We have 2 sites, head office and let's call it Site A.

Site A network address: 10.0.1.0
HQ network address: 10.0.0.0

internet router (10.0.0.6) is located at HQ.

Site A is connected to our main router (10.0.0.220) via serial.

- Site A is connected to HQ via a leased line.

- PCs at Site A need to access the internet, so any internet traffic traverses the leased line then gets forwarded onto a router which we use for our internet (10.0.0.6).

- From Site A I can ping the internal IP of the router located at head office, I get a response, I can also ping the router and any host at site A from HQ ok.

- HQ also use the internet router to browse the internet (10.0.0.6)

- HQ can browse fine

- Site A and HQ both use the same internal DNS servers.

- Site A cannot ping bbc.co.uk or google.com but can resolve them, so I know DNS is OK.

I think maybe the internet router is somehow not letting traffic from site A through to the internet, and back again.

It's a rather odd inherited setup.

I'll try to draw a diagram.


Site A ~~~~~~~|||~~~~~~~~~HQ~~~~~~~~~~~~~~~~~~~~~
10.0.1.0 --->-Leased Line---> 10.0.0.220 >---Internet Traffic---> 10.0.0.6

I'm baffled tbh,

any ideas?

Cheers,

Ash
 
Does the internet router's LAN interface know how to get to the 10.0.1.0 network?

You might need to add a static route to point the traffic for 10.0.1.0 via 10.0.0.220.
 
Hi Pete, thanks for the quick response!

I can ping from the internet router to 10.0.1.1 (the router at Site A) and it works fine.

Here is the entry from the show run of the internet router:

name 10.0.1.0 Leamington
route inside Leamington 255.255.255.0 10.0.0.220 1

Could it be access list related? Is it worth me posting the config up here?

It's strange because all this worked up until yesterday, but nothing has changed on the network.
 
255.255.255.0 on all LAN interfaces.

Site A = 10.0.1.0/24
HQ = 10.0.0.0/24

I have spent the past 2 hours configuring a Cisco 1841 router which I am tempted to put in its place this week to see if it works with a basic ACL (+anti-spoofing). All the PIX does is connect to a modem then out on the net. It's such a complicated config and, being fairly new to Cisco IOS, it's a bit scary to try and fathom.
 
Is the network in the access list on the FW and also is it being NATed correctly? You might need to add a translation for it on the PIX. Have you got syslog on the PIX? It'll really help you with troubleshooting :)
 
How would I go about adding a translation?

I've added the access list to permit all traffic from 10.0.1.0 to any outside network.

Do I need to translate the external IP of the internet router to the network address 10.0.1.0?

I do get the error:

'There is no network address translation (NAT) rule configured for inside: 10.0.1.0/255.255.255.0 to go to interface outside. Would you like to configure a NAT rule for this host or network now?'

If I click OK it takes me to the NAT tab but I'm not sure what to select.
 
Right, I'm going to replace the PIX with a Cisco 1841 we have lying around.

Can anybody have a look at the diagram and the config and see if I'm on the right lines?



Config of 10.0.0.1 (which is to replace 10.0.0.6 in the diagram):

!
version 12.4
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname Internet-1841
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
no logging console
enable password 7 XXXXXXXXXXXXXXXXX
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip source-route
ip cef
!
!
!
!
no ip bootp server
login block-for 120 attempts 5 within 60
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip access-group 101 out
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 82.47.XXX.XXX 255.255.255.240
ip access-group 102 in
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 10.0.1.0 255.255.255.0 10.0.0.220
!
no ip http server
no ip http secure-server
!
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.255.255 host 0.0.0.0
access-list 101 deny ip any any log
access-list 102 deny ip host 0.0.0.0 any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny ip 224.0.0.0 31.255.255.255 any log
access-list 102 deny ip 10.0.0.0 0.0.0.255 any log
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip host 217.11.11.11 any log
access-list 102 deny ip any host 10.0.0.1 log
access-list 102 deny ip any host 217.11.11.11 log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 permit ip any 10.0.0.0 0.0.0.255
access-list 102 permit ip any 10.0.1.0 0.0.0.255
access-list 102 deny ip any any log
no cdp run
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class 1 in
password 7 XXXXXXXXXXXXXX
login
!
end


Thanks for all the help so far guys. Very much appreciated.

Ash
 
After doing some research I haven't added any NAT statements, only deemed the inside and outside NAT interfaces.

Do I even need NAT statements? Nothing is going to be accessing from outside to inside to any particular hosts.

If so am I natting the outside interface to the two internal network addresses? (10.0.0.0 and 10.0.1.0)
 
Don't think you need NAT personally.

One suggestion I would make, albeit a tiny one, is that I'd change
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 10.0.1.0 255.255.255.0 10.0.0.220

to

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 10.0.1.0 255.255.255.0 FastEthernet0/0


It's just easier to fire traffic out of an interface rather than to a specific IP.
 
Don't think you need NAT personally.

One suggestion I would make, albeit a tiny one, is that I'd change
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 10.0.1.0 255.255.255.0 10.0.0.220

to

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 10.0.1.0 255.255.255.0 FastEthernet0/0


It's just easier to fire traffic out of an interface rather than to a specific IP.

If the outbound network is a multiaccess network you should always use a gateway. You should only fire things out of interfaces if they're connected to point to point links.

Internet router > HQ router doesn't look like a point to point to me.

Edit, also if you're accessing the internet from a private address range you WILL need NAT. Your ISP's border routers will not accept and forward packets from 10.x.x.x addresses, they need to be NAT'd to a public address
 
Internet router > HQ router doesn't look like a point to point to me.

Edit, also if you're accessing the internet from a private address range you WILL need NAT. Your ISP's border routers will not accept and forward packets from 10.x.x.x addresses, they need to be NAT'd to a public address

That's correct, the HQ and internet router are just on the same LAN; only Site A and HQ are connected via point to point.

Do I therefore need to add any NAT statements, or am I OK leaving ip nat inside and ip nat outside respectively just as it is?
 
Yes you do, because you need an overloaded NAT, which is something defined outside of the interfaces and needs an access list to tell it which address ranges to perform Overloaded NAT on.

The command looks something like this:

ip nat inside source list <list> interface <interface> overload

where list is an access list defining which subnets should be NAT'd using 'permit' statements.

and <interface> is the outbound interface to the internet
 
So something like

access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 10.0.1.0 0.0.0.255

ip nat inside source list 10 interface fax/x overload

So am I applying this NAT to the 'outside' or 'inside' interface?
 
You set the interface roles, be it inside or outside, then you define the NAT list. It doesn't really apply it to an interface as such, but yes, if anything it applies it to the outside interface.
So the interface in the ip nat inside source statement is the one facing the ISP.


Edit: just read through your ACLs a bit deeper. Really you should re-order the statements so the more specific ones are at the top and the less specific at the bottom, i.e. ones with "host" in them should be nearer the top than the ones referencing entire networks. Also you've duplicated some rules. Such as: access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
then later you have: access-list 102 deny ip 192.168.0.0 0.0.255.255 any
You don't need both.
 
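Added example, not from the thread or from Cisco: a small Python model of how IOS evaluates an access list (first match wins, implicit deny at the end). It covers two points raised above: the NAT access list question (a source that does not hit a permit line in the list named by ip nat inside source list is simply not translated, which is the situation behind the PIX "no NAT rule configured for inside: 10.0.1.0" message), and the last reply's comment about ordering and duplicate entries in ACL 102, which the dead_entries function finds automatically. ACL_102 is copied from the config posted above; the access-list 10 lines and the public address 198.51.100.10 are constructed for the demonstration, and the parser assumes contiguous wildcard masks and only the ip/tcp/udp/icmp keywords used here.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ANY = IPv4Network("0.0.0.0/0")
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}   # extended-ACL keywords handled here


@dataclass
class Rule:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    text: str            # original line, for reporting


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care.
    Assumes a contiguous wildcard, which holds for every entry in this thread."""
    netmask = (~int(IPv4Address(wildcard))) & 0xFFFFFFFF
    return IPv4Network((addr, str(IPv4Address(netmask))), strict=False)


def parse_addr(tokens, i):
    """Parse the address spec at tokens[i]; returns (network, index after it)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(config):
    """Parse standard (source only) and extended (proto src dst) access-list lines."""
    rules = []
    for line in config.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        if t[3] in PROTOCOLS:            # extended: <proto> <src> <dst> [log]
            src, i = parse_addr(t, 4)
            dst, _ = parse_addr(t, i)
        else:                            # standard: <src> only
            src, _ = parse_addr(t, 3)
            dst = ANY
        rules.append(Rule(t[2], src, dst, line.strip()))
    return rules


def evaluate(rules, src_ip, dst_ip="0.0.0.0"):
    """First match wins; every IOS ACL ends with an implicit deny."""
    s, d = IPv4Address(src_ip), IPv4Address(dst_ip)
    for index, r in enumerate(rules):
        if s in r.src and d in r.dst:
            return r.action, index
    return "deny", None


def dead_entries(rules):
    """Entries that can never match because an earlier entry already covers them."""
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                same = (later.src, later.dst) == (earlier.src, earlier.dst)
                findings.append((j, ("duplicate of" if same else "shadowed by") + f" entry {i}"))
                break
    return findings


def nat_eligible(nat_acl_text, src_ip):
    """True if this source would be translated by 'ip nat inside source list <acl>'."""
    return evaluate(parse_acl(nat_acl_text), src_ip)[0] == "permit"


# ACL 102 as posted in the thread (applied inbound on the outside interface).
ACL_102 = """
access-list 102 deny ip host 0.0.0.0 any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny ip 224.0.0.0 31.255.255.255 any log
access-list 102 deny ip 10.0.0.0 0.0.0.255 any log
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip host 217.11.11.11 any log
access-list 102 deny ip any host 10.0.0.1 log
access-list 102 deny ip any host 217.11.11.11 log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 permit ip any 10.0.0.0 0.0.0.255
access-list 102 permit ip any 10.0.1.0 0.0.0.255
access-list 102 deny ip any any log
"""

# Constructed NAT lists: HQ only (Site A left out), then one that also covers Site A.
NAT_ACL_HQ_ONLY = "access-list 10 permit 10.0.0.0 0.0.0.255\n"
NAT_ACL_BOTH = NAT_ACL_HQ_ONLY + "access-list 10 permit 10.0.1.0 0.0.0.255\n"

if __name__ == "__main__":
    rules = parse_acl(ACL_102)
    for j, why in dead_entries(rules):
        print(f"entry {j} is dead ({why}): {rules[j].text}")
    for acl in (NAT_ACL_HQ_ONLY, NAT_ACL_BOTH):
        print("10.0.1.25 translated:", nat_eligible(acl, "10.0.1.25"))
```

Running it reports entry 5 (10.0.0.0/24) as shadowed by the earlier 10.0.0.0/8 line and entries 10, 11 and 12 as duplicates of entries 3, 2 and 1, and shows that a Site A host is only translated once the 10.0.1.0 line is in the NAT list. One general IOS point worth remembering when reading the two permit lines near the end of ACL 102: an inbound ACL is evaluated before NAT undoes the translation for outside-to-inside packets, so once overload NAT to the FastEthernet0/1 address is in place, return traffic arrives with the router's public address as its destination, not 10.0.0.x or 10.0.1.x.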