Cisco routing

Hi Guys,

As you all never fail to disappoint, I've got an issue which needs sorting.

We have 2 sites, head office and lets call it Site A.

Site A network address: 10.0.1.0
HQ network address: 10.0.0.0

internet router (10.0.0.6) is located at HQ.

Site A is connected to our main router (10.0.0.220) via serial.

- Site A is connected to HQ via a leased line.

- PCs at Site A need to access the internet, so any internet traffic traverses the leased line, then gets forwarded on to the router which we use for our internet (10.0.0.6).

- From Site A I can ping the internal IP of the router located at head office and get a response; I can also ping the router and any host at Site A from HQ OK.

- HQ also use the internet router to browse the internet (10.0.0.6)

- HQ can browse fine

- Site A and HQ both use the same internal DNS servers.

- Site A cannot ping bbc.co.uk or google.com but can resolve them, so I know DNS is OK.

I think maybe the internet router is somehow not letting traffic from site A through to the internet, and back again.

It's a rather odd inherited setup.

I'll try to draw a diagram:


Site A ~~~~~~~|||~~~~~~~~~HQ~~~~~~~~~~~~~~~~~~~~~
10.0.1.0 --->-Leased Line---> 10.0.0.220 >---Internet Traffic---> 10.0.0.6

I'm baffled, tbh.

Any ideas?

Cheers,

Ash
 
Hi Pete, thanks for the quick response!

I can ping from the internet router to 10.0.1.1 (the router in Site A) and it works fine.

Here is the entry from the show run of the internet router:

name 10.0.1.0 Leamington
route inside Leamington 255.255.255.0 10.0.0.220 1

Could it be access list related? Is it worth me posting the config up here?

It's strange because all this worked up until yesterday, but nothing has changed on the network.
 
255.255.255.0 on all LAN interfaces.

Site a = 10.0.1.0/24
HQ = 10.0.0.0/24

I have spent the past 2 hours configuring a Cisco 1841 router which I am tempted to put in its place this week to see if it works with a basic ACL (+anti-spoofing). All the PIX does is connect to a modem then out on to the net. It's such a complicated config, and being fairly new to Cisco IOS it's a bit scary to try to fathom.
 
How would I go about adding a translation?

I've added the access list to permit all traffic from 10.0.1.0 to any outside network.

Do I need to translate the external IP of the internet router to the network address 10.0.1.0?

I do get the error:

'There is no network address translation (NAT) rule configured for inside: 10.0.1.0/255.255.255.0 to go to interface outside. Would you like to configure NAT rule for this host or network now?'

If I click OK it takes me to the NAT tab, but I'm not sure what to select.
 
Right, I'm going to replace the PIX with a Cisco 1841 we have lying around.

Can anybody have a look at the diagram and the config and see if I'm on the right lines?



Config of 10.0.0.1 (which is to replace 10.0.0.6 in the diagram):

!
version 12.4
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname Internet-1841
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
no logging console
enable password 7 XXXXXXXXXXXXXXXXX
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip source-route
ip cef
!
!
!
!
no ip bootp server
login block-for 120 attempts 5 within 60
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip access-group 101 out
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 82.47.XXX.XXX 255.255.255.240
ip access-group 102 in
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 10.0.1.0 255.255.255.0 10.0.0.220
!
no ip http server
no ip http secure-server
!
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.255.255 host 0.0.0.0
access-list 101 deny ip any any log
access-list 102 deny ip host 0.0.0.0 any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny ip 224.0.0.0 31.255.255.255 any log
access-list 102 deny ip 10.0.0.0 0.0.0.255 any log
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip host 217.11.11.11 any log
access-list 102 deny ip any host 10.0.0.1 log
access-list 102 deny ip any host 217.11.11.11 log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 permit ip any 10.0.0.0 0.0.0.255
access-list 102 permit ip any 10.0.1.0 0.0.0.255
access-list 102 deny ip any any log
no cdp run
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class 1 in
password 7 XXXXXXXXXXXXXX
login
!
end


Thanks for all the help so far guys. Very much appreciated.

Ash
 
After doing some research I haven't added any NAT statements, only deemed the inside and outside NAT interfaces.

Do I even need NAT statements? Nothing is going to be accessing from outside to inside to any particular hosts.

If so, am I NATting the outside interface to the two internal network addresses (10.0.0.0 and 10.0.1.0)?
 
Internet router > HQ router doesn't look like a point-to-point to me.

Edit: also, if you're accessing the internet from a private address range you WILL need NAT. Your ISP's border routers will not accept and forward packets from 10.x.x.x addresses; they need to be NAT'd to a public address.

That's correct, the HQ and internet router are just on the same LAN; only Site A and HQ are connected via point-to-point.

Do I therefore need to add any NAT statements, or am I OK leaving ip nat inside and ip nat outside respectively just as it is?
 
So something like:

access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 10.0.1.0 0.0.0.255

ip nat inside source list 10 interface fax/x overload

So am I applying this NAT to the 'outside' or 'inside' interface?
 
Right, I've made the changes I think; next is to rip out the PIX and install this one and hopefully we're good to go. The company will have to do without internet for a short time.

New config:
!
hostname Internet-1841
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
no logging console
enable password 7 XXXXXXX
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip source-route
ip cef
!
!
!
!
no ip bootp server
login block-for 120 attempts 5 within 60
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip access-group 101 out
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 82.47.XXX.XXX 255.255.255.240
ip access-group 102 in
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 10.0.1.0 255.255.255.0 10.0.0.220
ip route 10.0.2.0 255.255.255.0 10.0.0.150
ip route 10.0.4.0 255.255.255.0 10.0.0.150
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet0/1 overload
!
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 10.0.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.255.255 host 0.0.0.0
access-list 101 deny ip any any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 82.47.103.0 0.0.0.255 any
access-list 102 permit ip any 10.0.0.0 0.0.0.255
access-list 102 permit ip any 10.0.1.0 0.0.0.255
access-list 102 permit ip any 10.0.2.0 0.0.0.255
access-list 102 permit ip any 10.0.4.0 0.0.0.255
access-list 102 deny ip any any
no cdp run
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class 1 in
password 7 XXXXXXXXXXXX
login
!
end


Made some changes to the ACL. This will be applied on the outside Ethernet interface to stop any of this traffic coming in.

access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 82.47.XXX.XXX 0.0.0.255 any ----- our outside Public static IP not sure about this?!?!?!
access-list 102 permit ip any 10.0.0.0 0.0.0.255
access-list 102 permit ip any 10.0.1.0 0.0.0.255
access-list 102 permit ip any 10.0.2.0 0.0.0.255
access-list 102 permit ip any 10.0.4.0 0.0.0.255
access-list 102 deny ip any any

Final check before it goes on and gets installed.
 
Thanks for pointing that out, now changed that.

The firewall didn't appear to be doing much firewalling. I will be looking more at the security and blocking the ports we don't require etc. Just want to get it up and working, then I'll add some more security to it.
 
Hmm,

Well, it didn't work. I'm not entirely sure why. I've looked at the config that's on the PIX and even though it's a static IP it's set as DHCP; there's only a crappy Motorola cable modem hanging off the back, but I guess this is giving out a DHCP address, so I changed my config accordingly (setting fa0/1 to ip address dhcp).

I tried show interface summary brief and it doesn't appear to get an IP; even if I manually set it to our static IP I can ping anything.


I even tried changing both the 101 and 102 access lists to 'permit ip any any' so I'm ruling them out as the issue; maybe it's the NAT?

Back to the drawing board :\

Last config:

Building configuration...

Current configuration : 1864 bytes
!
version 12.4
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname Internet-1841
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
enable password 7 XXXXXXXXXXX
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip source-route
ip cef
!
!
!
!
no ip bootp server
login block-for 120 attempts 5 within 60
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.6 255.255.255.0
ip access-group 101 out
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip access-group 102 in
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 10.0.1.0 255.255.255.0 10.0.0.220
ip route 10.0.2.0 255.255.255.0 10.0.0.150
ip route 10.0.4.0 255.255.255.0 10.0.0.150
!
no ip http server
no ip http secure-server
!
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 10.0.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip host 82.47.103.211 any
access-list 102 permit ip any 10.0.0.0 0.0.0.255
access-list 102 permit ip any 10.0.1.0 0.0.0.255
access-list 102 permit ip any 10.0.2.0 0.0.0.255
access-list 102 permit ip any 10.0.4.0 0.0.0.255
access-list 102 deny ip any any
no cdp run
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class 1 in
password 7 XXXXXXXXXXXXX
login
!
end
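Two things in the posted configs would have kept Site A off the internet even once the WAN side came up, and neither shows in a ping test of the router itself. First, ACL 101 is applied out on fa0/0, the inside interface, so the packets it filters are replies heading to the LAN; both the `permit ip 10.0.0.0 0.0.255.255 host 0.0.0.0` and the later `permit ip 10.0.0.0 0.0.255.255 any` version match on a private source, which a reply never has, so everything falls to the implicit deny. Second, on IOS an inbound ACL is evaluated before outside-to-inside NAT, so a reply arriving on fa0/1 still carries the router's public address as its destination and the `permit ip any 10.0.x.0 0.0.0.255` lines in ACL 102 can never match. The evaluator below is an added example, not code from the thread or from Cisco: it parses the posted numbered ACLs and replays a constructed browsing reply through each in the direction the interface actually sees it. 192.0.2.10 (TEST-NET-1) stands in for the masked public address 82.47.XXX.XXX, and the Site A PC 10.0.1.50 and web server 203.0.113.80 are made up.

```python
"""First-match evaluator for IOS-style numbered extended ACLs (ip ACEs only).
Added example, not code from the thread. Assumptions: 192.0.2.10 stands in for
the router's masked public address; 10.0.1.50 / 203.0.113.80 are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: int      # IPv4 address as an int
    src_wc: int   # IOS wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wc: int
    text: str     # original config line, for reporting


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _spec(t: List[str], i: int) -> Tuple[int, int, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at t[i]; return (addr, wc, next)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2


def parse_acl(text: str, number: str) -> List[Ace]:
    """Collect the ACEs of one numbered ACL from IOS config text, in config order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != number:
            continue
        if t[3] != "ip":
            raise ValueError(f"only 'ip' ACEs are modelled here: {line}")
        src, src_wc, i = _spec(t, 4)
        dst, dst_wc, _ = _spec(t, i)          # a trailing 'log' keyword is ignored
        aces.append(Ace(t[2], src, src_wc, dst, dst_wc, line.strip()))
    return aces


def evaluate(aces: List[Ace], src: str, dst: str) -> Tuple[str, str]:
    """Return (action, matching line); anything unmatched hits the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for a in aces:
        if (s & ~a.src_wc) == (a.src & ~a.src_wc) and (d & ~a.dst_wc) == (a.dst & ~a.dst_wc):
            return a.action, a.text
    return "deny", "implicit deny"


PUBLIC_IP = "192.0.2.10"       # assumption: placeholder for 82.47.XXX.XXX
SITE_A_PC = "10.0.1.50"        # constructed: a PC at Site A behind NAT overload
WEB_SERVER = "203.0.113.80"    # constructed: the internet host it browsed

# ACL 101 as first posted (applied 'out' on fa0/0, the inside interface), its later
# revision, and the same intent with the direction right: packets leaving fa0/0 go
# TO the LAN, so the private network is the destination, not the source.
ACL_101_POSTED = ("access-list 101 permit ip 10.0.0.0 0.0.255.255 host 0.0.0.0\n"
                  "access-list 101 deny ip any any log\n")
ACL_101_REVISED = "access-list 101 permit ip 10.0.0.0 0.0.255.255 any\n"
ACL_101_DIRECTION_FIXED = "access-list 101 permit ip any 10.0.0.0 0.0.255.255\n"

# ACL 102 from the last posted config (applied 'in' on fa0/1), public address substituted.
ANTI_SPOOF_102 = f"""
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip host {PUBLIC_IP} any
"""
ACL_102_POSTED = ANTI_SPOOF_102 + """
access-list 102 permit ip any 10.0.0.0 0.0.0.255
access-list 102 permit ip any 10.0.1.0 0.0.0.255
access-list 102 permit ip any 10.0.2.0 0.0.0.255
access-list 102 permit ip any 10.0.4.0 0.0.0.255
access-list 102 deny ip any any
"""
# Inbound ACLs run BEFORE outside->inside NAT, so a reply still has the public
# address as destination; the four permits above can never match.
ACL_102_FIXED = ANTI_SPOOF_102 + f"""
access-list 102 permit ip any host {PUBLIC_IP}
access-list 102 deny ip any any
"""


def reply_seen_by_acl_101(acl_text: str) -> str:
    """Reply at fa0/0 'out': NAT has already restored the private destination."""
    return evaluate(parse_acl(acl_text, "101"), WEB_SERVER, SITE_A_PC)[0]


def reply_seen_by_acl_102(acl_text: str) -> str:
    """Reply at fa0/1 'in': checked pre-NAT, so the destination is still PUBLIC_IP."""
    return evaluate(parse_acl(acl_text, "102"), WEB_SERVER, PUBLIC_IP)[0]


def spoof_seen_by_acl_102(acl_text: str) -> str:
    """Packet arriving from the internet that claims an RFC 1918 source address."""
    return evaluate(parse_acl(acl_text, "102"), "10.0.0.99", PUBLIC_IP)[0]


if __name__ == "__main__":
    for name, acl in (("posted", ACL_101_POSTED), ("revised", ACL_101_REVISED),
                      ("direction fixed", ACL_101_DIRECTION_FIXED)):
        print(f"ACL 101 {name:16} reply to Site A PC: {reply_seen_by_acl_101(acl)}")
    for name, acl in (("posted", ACL_102_POSTED), ("fixed", ACL_102_FIXED)):
        print(f"ACL 102 {name:16} reply: {reply_seen_by_acl_102(acl)}, "
              f"spoofed 10/8 source: {spoof_seen_by_acl_102(acl)}")
```

Both "fixed" lists are still stateless: they let any internet host send to the LAN, which is no better than the PIX was doing. Restricting inbound traffic to replies for sessions the LAN opened needs `ip inspect` (CBAC) or the zone-based firewall on this IOS release, or at the very least `permit tcp any host <public> established` instead of `permit ip any host <public>`. Note also that with `ip address dhcp` on fa0/1 the public address can change, so a `host` entry naming it has to be kept in step with the lease.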
 
I was pinging from a PC, but will give the WAN interface a go.

I took the NAT statements off and forgot to reload the router, then show run, oops. I will repost and use pastebin in future posts; I'll look at this Monday first thing.

Thanks
 