01-20-2015 02:13 PM - edited 03-05-2019 12:36 AM
Not terribly adept at configuring Cisco routers, but have been tasked with setting up a Cisco 1921 for connecting new ATT circuit to an office. They had a router configured by ATT already in place, but when they upgraded their circuit, the old router was removed and a newly purchased one put in its place. I've managed to get the circuit working so that both businesses in the suite have their respective networks running on the internet. Each "business" has their own sonicwall router for their respective networks. Basically it's:
Circuit ---> Cisco1921 ---> SonicwallA ---> Network A
                       \--> SonicwallB ---> Network B
The networks are working (mostly) fine with each having a Public IP, internet speed is good, however, when users are attempting to use FTP to connect to an outside FTP site, it fails. I can replicate it by connecting to the server on their network and attempting to connect to a known good FTP site and ultimately it fails to provide a directory listing. I know the initial connection works fine, as I have the ability to look at the logs for one of the FTP servers. It appears that the traffic from the FTP server back to the internal network is getting blocked. I don't believe it's either Sonicwall since they both have had no change except WAN IP. I worked with the ATT folks to get the initial configuration working, but I'm thinking the traffic is getting blocked on the Cisco. I wasn't aware that it would block inbound traffic, but obviously I'm wrong. I need to get that resolved. I'm wondering if I need to allow all traffic inbound since each network has a firewall and the Cisco is only "bridging" the connection to their ISP. Any point in the right direction would be appreciated. I do have access to the cisco and sonicwalls remotely.
01-20-2015 10:58 PM
Hello
Can you post the config of the Cisco router?
res
paul
01-21-2015 07:04 AM
Here is the current configuration of the router. Thanks for replying.
-----
Router#show running-config
Building configuration...
Current configuration : 1260 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 $1$tK22$kA0v5K1pQ4CSsP8rr2lza1
enable password ****************
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
memory-size iomem 25
!
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn ###########
!
!
username Admin password 0 **********
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description External
ip address ###.###.189.102 255.255.255.252
duplex full
speed 100
!
interface GigabitEthernet0/1
description Internal
ip address ###.###.12.1 255.255.255.224
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 ###.###.189.101
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input all
!
scheduler allocate 20000 1000
!
end
01-21-2015 07:04 AM
A Cisco router by default will not block any traffic and you have nothing in your configuration that should block anything.
It should simply route between those two subnets and that's it.
So the Sonicwalls are on the same internal subnet?
Jon
01-21-2015 07:09 AM
They are, one is ###.###.12.2 and the other ###.###.12.3, the gateway being ###.###.12.1. They have two businesses and they wanted to keep traffic isolated from each other. Now I'm puzzled even more since the only thing changed is the WAN IP address on the Sonicwalls and obviously the Cisco router.
01-21-2015 07:30 AM
Apologies I didn't word that right.
The firewalls currently are in the same IP subnet.
Before they made the change did each firewall have its own IP subnet for the outside interface?
Jon
01-21-2015 07:57 AM
The IPs the Sonicwalls are using are public IPs. Technically the Cisco is providing the "outside" connectivity and the previous Cisco configured by ATT was doing pretty much the exact same thing, in the same location as this one. The big difference is that the client didn't want the recurring $80/mo charge for a "managed" router ATT provided...which was a 1921 also. I found it odd that ATT wouldn't give access to look at the config, nor would they just leave that one in place and simply change the IPs, but that's just my odd way of thinking I guess.
01-21-2015 08:22 AM
I understand they are using public IPs.
When you said in your original post -
I don't believe it's either Sonicwall since they both have had no change except WAN IP
I took that to mean the firewalls had had their outside interfaces readdressed.
Is that what you meant, or did you mean the Cisco router?
If you meant the firewalls, can you see the question in my previous post?
Jon
01-21-2015 08:25 AM
I get the question now. Both aspects changed. The Cisco is new and is providing a new range of public IPs due to the circuit upgrade, and the Sonicwalls were both on the same public subnet before and remain that way, other than the addresses changing.
01-21-2015 08:55 AM
Okay thanks for that.
I can't see any obvious reason why it isn't working through the Cisco device.
If you had access lists or NAT configured they could be the culprit but you have neither.
Your router configuration is about as simple as it gets, i.e. it is just routing and pretty much nothing else.
I suspect the firewalls (but then I would say that :-)). I thought being in the same IP subnet may cause some issue, but then you say they were before.
What you could try doing on the router are a couple of things -
1) you could use ACLs to see what traffic is going through the router eg.
access-list 101 permit tcp host <firewall IP> host <ftp server IP> log
access-list 101 permit ip any any <--
access-list 102 permit tcp host <ftp server IP> host <firewall IP> log
access-list 102 permit ip any any
then apply them to the internal interface of your router eg.
int gi0/1
ip access-group 101 in
ip access-group 102 out
if you don't see traffic coming back then apply them to outside interface of your router eg -
int gi0/0
ip access-group 101 out
ip access-group 102 in
note when you apply to the outside you need to change the direction applied to the acl.
And don't forget the "permit ip any any" lines or else you will cut off everyone from the internet.
This won't stop traffic flowing through the router but it will log the FTP data. Don't add log to the "any" lines.
That's quite basic but it may point you in the right direction.
2) you could use packet captures on the routers. See this link for details -
If you do either it is probably a good idea to try them when the connection is not busy ie. out of office hours.
Jon
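Once the logging ACLs Jon describes are in place, the router's syslog carries one %SEC-6-IPACCESSLOGP line per matching flow (the first packet, then periodic packet counts). The script below is an added example, not code from this thread or from Cisco: it parses such lines and reports, per TCP connection from the firewall, whether any return traffic was seen on the interface where the ACLs are applied. The sample log lines are constructed with documentation addresses; the internal host address, the ACL numbers (101 inbound, 102 outbound on gi0/1, following Jon's suggestion) and the exact message layout are assumptions. Because an FTP directory listing travels on a separate data connection, the report labels port 21 as "control" and any other port between the same two hosts as "data", so a data flow with no return packets shows where the listing is being lost.

```python
import re
from collections import defaultdict

# Constructed sample syslog output in the form IOS emits for access-list
# entries carrying the "log" keyword (%SEC-6-IPACCESSLOGP). Addresses use
# documentation ranges, not the thread's masked ones. ACL 101 is assumed
# inbound and 102 outbound on the internal interface, as in Jon's post, so
# 101 lines are firewall -> FTP server and 102 lines are the replies.
SAMPLE_LOG = """\
*Jan 21 10:01:02.123: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.2(51234) -> 203.0.113.5(21), 1 packet
*Jan 21 10:01:02.456: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 203.0.113.5(21) -> 192.0.2.2(51234), 1 packet
*Jan 21 10:01:05.001: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.2(51240) -> 203.0.113.5(40000), 1 packet
*Jan 21 10:06:02.789: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.2(51234) -> 203.0.113.5(21), 12 packets
*Jan 21 10:06:02.790: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 203.0.113.5(21) -> 192.0.2.2(51234), 10 packets
*Jan 21 10:06:05.100: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.2(51240) -> 203.0.113.5(40000), 2 packets
"""

# Assumed message layout: "list <acl> permitted|denied <proto> A(port) -> B(port), N packet(s)"
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Parse IPACCESSLOGP lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        e = m.groupdict()
        for key in ("sport", "dport", "count"):
            e[key] = int(e[key])
        entries.append(e)
    return entries


def flow_summary(entries, internal_host):
    """Sum packet counts per TCP connection as seen from internal_host.

    Key: (internal port, remote IP, remote port).
    Value: {"out": packets sent by internal_host, "in": packets it received}.
    Both directions of one connection land under the same key.
    """
    summary = defaultdict(lambda: {"out": 0, "in": 0})
    for e in entries:
        if e["proto"] != "tcp":
            continue
        if e["src"] == internal_host:
            summary[(e["sport"], e["dst"], e["dport"])]["out"] += e["count"]
        elif e["dst"] == internal_host:
            summary[(e["dport"], e["src"], e["sport"])]["in"] += e["count"]
    return dict(summary)


def one_way_flows(summary):
    """Connections where the internal side sent packets but nothing came back."""
    return sorted(k for k, v in summary.items() if v["out"] > 0 and v["in"] == 0)


def ftp_role(remote_port):
    """Port 21 is the FTP control channel; any other port between the same two
    hosts is treated as the data channel that carries the directory listing."""
    return "control" if remote_port == 21 else "data"


def report(summary):
    """One line per connection, flagging flows with no return traffic."""
    lines = []
    for (lport, rip, rport), v in sorted(summary.items()):
        status = "OK" if v["in"] else "NO RETURN TRAFFIC"
        lines.append(f"{ftp_role(rport):7} :{lport} -> {rip}:{rport}"
                     f"  out={v['out']:3} in={v['in']:3}  {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run over the constructed sample; in practice feed it the output of
    # "show logging" from the router.
    summary = flow_summary(parse_acl_log(SAMPLE_LOG), "192.0.2.2")
    print(report(summary))
```

In the sample the control connection to port 21 sees traffic both ways while the data connection to port 40000 sends packets and gets nothing back, which is the pattern the original poster describes (login works, listing fails). If every flow shows return traffic on gi0/1 outbound, the replies are reaching the firewall and the router is not the problem; if the data flow is one-way there too, Jon's next step of moving the ACLs to gi0/0 tells you whether the replies ever arrive from the provider side.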