Routing between three networks

westmanm
Level 1

I have a 2621XM that I'm trying to have connect three networks. The problem is that I only have full connectivity when two of them are on the same interface with a secondary IP address.

FastEthernet 0/0 is a connection to a cable modem and is the NAT Outside.

FastEthernet 0/1 is linked to another Cisco router taking us out over a T-1 managed by an outside agency 172.16.60.x via 192.168.83.1

FastEthernet 1/0-1/15 is for connections to the internal network 10.65.0.x and is the NAT Inside

When in the above configuration, the router is able to ping the 172. network, but 10.65.0.x computers cannot. 10.65.0.x computers can, however, surf the Internet.

To get a connection to the 172 network for the inside computers I had to move the cable with the link to the other router to F1/2 and assign its IP address to VLAN10.

What would make it so that the router can get to the remote network, but the 10.65.0.x computers cannot?

Thanks

Mike

Using 2436 out of 29688 bytes

!

version 12.3

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname BellevueFire

!

boot-start-marker

boot system flash:ipbase.bin

boot-end-marker

!

enable secret 5

!

no aaa new-model

ip subnet-zero

!

!

!

ip ftp username router

ip ftp password 7 raven

no ip domain lookup

no ftp-server write-enable

!

!

!

!

interface FastEthernet0/0

description WAN Connection to Cox

ip address dhcp

no ip redirects

no ip unreachables

ip nat outside

duplex auto

speed auto

!

interface FastEthernet0/1

description Sarpy Co

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet1/0

description Old network

switchport access vlan 10

no ip address

!

interface FastEthernet1/1

description Pager Gateway

switchport access vlan 10

no ip address

!

interface FastEthernet1/2

switchport access vlan 10

no ip address

no cdp enable

!

interface FastEthernet1/3

no ip address

shutdown

!

interface FastEthernet1/4

no ip address

shutdown

!

interface FastEthernet1/5

no ip address

shutdown

!

interface FastEthernet1/6

no ip address

shutdown

!

interface FastEthernet1/7

no ip address

shutdown

!

interface FastEthernet1/8

no ip address

shutdown

!

interface FastEthernet1/9

no ip address

shutdown

!

interface FastEthernet1/10

no ip address

shutdown

!

interface FastEthernet1/11

no ip address

shutdown

!

interface FastEthernet1/12

no ip address

shutdown

!

interface FastEthernet1/13

no ip address

shutdown

!

interface FastEthernet1/14

no ip address

shutdown

!

interface FastEthernet1/15

no ip address

shutdown

!

interface GigabitEthernet1/0

no ip address

shutdown

!

interface Vlan1

no ip address

shutdown

!

interface Vlan10

description Internal BVFD Network

ip address 192.168.83.10 255.255.255.0 secondary

ip address 10.65.0.254 255.255.255.0

ip nat inside

!

interface Vlan15

no ip address

!

ip nat inside source list 1 interface FastEthernet0/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 68.99.8.1 254

ip route 172.16.60.0 255.255.252.0 192.168.83.1

no ip http server

!

access-list 1 permit 10.65.0.0 0.0.0.255

access-list 10 permit 68.15.231.xxx

access-list 10 permit 68.13.159.xxx

access-list 10 permit 10.65.0.0 0.0.0.255

!

line con 0

exec-timeout 0 0

password backfire

login

line aux 0

line vty 0 4

access-class 10 in

password

login

!

exception protocol ftp

exception dump 68.15.231.xxx

!

!

end

6 Replies

smcquerry
Level 1

It looks to me like the problem may be NAT related.

Since your 10.65.0.x addresses are sourced from an inside interface and match access-list 1, they are being translated to the address of the Fa 0/0 interface and then sent to the next hop.

Since the 172.16.60.x router does not know of the address associated with the NAT outside address and is not on an outside interface, the ICMP packets are not returned.

The router pinging 172.16.0.x devices will work, however, because it should source its FastEthernet 0/1, which will be a known network to 172.16.60.x routers.

I would suggest a different access list for NAT

Try

access-list 101 deny ip 10.65.0.0 0.0.0.255 172.16.60.0 0.0.0.255

access-list 101 permit ip 10.65.0.0 0.0.0.255 any

then change your NAT statement to the following:

ip nat inside source list 101 interface FastEthernet0/0 overload

That would make it so that only data going to the Internet would be NATed right?

Sounds like a plan.

-Mike

Assuming that's the only other networks these devices access except the 172.16.60.0 subnet. If you needed to access other local networks, you could put deny statements in the list above the permit statement. Let me know how it goes.

-Steve

Question: Since the 172 network has a mask of 255.255.252.0, how do I translate that to the other direction of a mask?

Subtract the subnet mask from the value 255.255.255.255. This will give you the inverse mask which can be used as the wildcard mask.

In this case the value would be 0.0.3.255.
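
The wildcard arithmetic and the first-match behaviour of the NAT access list discussed in this thread, as an added Python example that is not part of any post: it models the two list-101 entries (written with the `ip` protocol keyword that IOS extended access lists take) and shows which destinations get translated with wildcard 0.0.0.255 versus 0.0.3.255. The host addresses 10.65.0.20, 172.16.60.5, 172.16.61.5 and 198.51.100.7 are constructed samples, and all function names are hypothetical.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard(mask):
    """Inverse mask: 255.255.255.255 minus the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - to_int(mask)))

def matches(addr, base, wc):
    """Bits set in the wildcard are ignored; every other bit must equal base."""
    return (to_int(addr) | to_int(wc)) == (to_int(base) | to_int(wc))

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC SRC_WC (DST DST_WC | any)'."""
    t = line.split()
    ok = len(t) >= 7 and t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] == "ip"
    if not ok or (t[6] != "any" and len(t) < 8):
        raise ValueError(f"unsupported entry: {line!r}")
    dst = ("0.0.0.0", "255.255.255.255") if t[6] == "any" else (t[6], t[7])
    return t[2], (t[4], t[5]), dst

def is_natted(acl, src, dst):
    """First matching entry decides; no match is the implicit deny (no NAT)."""
    for line in acl:
        action, s, d = parse_ace(line)
        if matches(src, *s) and matches(dst, *d):
            return action == "permit"
    return False

def nat_acl(dst_wildcard):
    """The two list-101 entries from the thread, with a chosen destination wildcard."""
    return [
        f"access-list 101 deny ip 10.65.0.0 0.0.0.255 172.16.60.0 {dst_wildcard}",
        "access-list 101 permit ip 10.65.0.0 0.0.0.255 any",
    ]

if __name__ == "__main__":
    host = "10.65.0.20"  # constructed inside host
    for wc in ("0.0.0.255", wildcard("255.255.252.0")):
        for dst in ("172.16.60.5", "172.16.61.5", "198.51.100.7"):  # constructed
            verdict = "translated" if is_natted(nat_acl(wc), host, dst) else "not translated"
            print(f"wildcard {wc:<10} {host} -> {dst:<13} {verdict}")
```

With 0.0.0.255 the deny entry covers only 172.16.60.x, so traffic to the rest of the 255.255.252.0 range (172.16.61.x through 172.16.63.x) falls through to the permit entry and is still translated.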

Hi, does the remote router have a route for your natted address?
