11-30-2013 12:17 PM - edited 03-04-2019 09:43 PM
Hi everyone - thanks for taking time to help me out. First off - I am a complete and total noob, I know how to access the command line through telnet and issue show running-config. Beyond that, please understand that I don't know much.
A school I work for has paid for a new ethernet internet service, to replace a T1 line. Right now both services are operational. The T1 is running through a Cisco 1841 router on the serial0/0/0 interface. The ethernet connection comes from a gateway (or modem or router; anyway, a box that was supplied by the ISP) and probably should end up in fastethernet0/1 since fastethernet0/0 is being used to connect to the switch. The IP information supplied by the new ISP is as follows:
Static IP settings:
IP Address: ***.***.94.86
Subnet Mask: 255.255.255.252
Gateway: ***.***.94.85
DNS1: 64.16.28.2
DNS2: 137.118.1.33
Below is our current config: 99% of this was created by someone no longer working for the school and 1% is my messing around to try to make this work. PLEASE BE KIND - I know it's a mess, please help me clean it up.
What can I do to get the ethernet internet distributed through the 1841 to the school while keeping the same functionality as before? The way it is now, we are not getting any kind of connection to the new ISP, only from the AT&T T1 line.
Running config:
IRAH#show running-config
Building configuration...
Current configuration : 4510 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname IRAH
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 ***********************************
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -7
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool sdm-pool1
import all
network 192.168.0.0 255.255.255.0
dns-server 192.168.0.5 8.8.8.8
default-router 192.168.0.1
!
!
no ip bootp server
ip domain name irah.com
ip name-server 192.168.0.5
ip name-server 8.8.8.8
!
username administrator privilege 15 secret 5 **********************************
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description GRTI Ethernet
ip address ***.***.94.86 255.255.255.252
ip access-group 110 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
description AT&T Internet
ip address ***.***.145.22 255.255.255.252
ip access-group 110 out
ip nat outside
encapsulation ppp
ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Serial0/0/0 overload
ip nat inside source list 11 interface Serial0/0/0 overload
ip nat inside source static 192.168.0.5 ***.***.145.115
ip nat inside source static 192.168.0.6 ***.***.145.116
ip nat inside source static 192.168.0.7 ***.***.145.117
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 110 permit ip any any
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq echo
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq domain
access-list 110 permit tcp any any eq 3389
access-list 110 permit udp any any eq echo
access-list 110 permit udp any any eq tftp
access-list 110 permit udp any any eq domain
access-list 110 permit tcp host ***.***.145.125 any
access-list 110 permit udp host ***.***.145.125 any
access-list 110 permit tcp host ***.***.145.116 eq www any
access-list 110 permit tcp host ***.***.145.116 eq ftp any
access-list 110 permit tcp host ***.***.145.116 eq ftp-data any
access-list 110 permit tcp host ***.***.145.116 eq 3389 any
access-list 110 permit tcp host ***.***.145.116 eq smtp any
access-list 110 permit tcp host ***.***.145.117 eq 3389 any
access-list 110 permit tcp host ***.***.145.115 eq 3389 any
access-list 110 permit tcp host ***.***.145.115 eq 3389 0.0.0.5 255.255.255.0
no cdp run
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 4000 1000
end
12-01-2013 05:40 PM
What you have done in interface FastEther0/1 looks pretty good. I have some suggestions and some questions about how you want to do things that may lead to other suggestions of things to do.
The first question is how you want both connections to work. If you want both connections to actively carry traffic and to share the load then you would need to add another static default route which would look something like this
ip route 0.0.0.0 0.0.0.0 ***.***.94.85
But when you have interfaces with such different capacity having both active and sharing load can lead to issues in which the slower T1 gets overloaded and the FastEther is underutilized as the router attempts to share load equally on both. You might do better to use them as primary and backup (with the possibility of sending some traffic over the T1 backup so that it carries some load but not sharing equally).
Another question would be whether you want to do anything with the DNS server information sent to you by the new ISP. My suggestion is that if what you have got now is working ok then I might stay with what you have got and not use the new DNS information.
One of the biggest changes will be how to do address translation. What you have now is a pretty simple NAT configuration. But when you add a new outbound interface then the NAT gets a bit more complex. You will need to use route maps that might look something like this
ip nat inside source route-map ATT_NAT interface Serial0/0/0 overload
ip nat inside source route-map GRTI_NAT interface Fasteth0/1 overload
route-map ATT_NAT permit 10
match ip address 1
match interface Serial0/0/0
route-map GRTI_NAT permit 10
match ip address 1
match interface FastEth0/1
Also I see references to addresses ***.***.145.115 ***.***.145.116 and ***.***.145.117. What are they? It appears that they are addresses related to ATT. You will need to determine whether it is valid to send traffic with those addresses over the new connection to the new ISP if they are actually ATT addresses.
I will point out one other issue, though it is not about the new connection. Access list 110 is used to filter outbound traffic and the very first line is this
access-list 110 permit ip any any
The permit any any here means that no other line in the access list will ever match. I do not know if this is a new change or if it has been this way for a long time. But I would certainly suggest that the access list needs to be re-written.
HTH
Rick
12-02-2013 02:28 PM
The permit 10 starts the configuration of an instance (or of a paragraph) in the route map. If you were going to use both outbound interfaces then you would have needed route maps to do the NAT correctly on 2 interfaces. Since you will be taking the T1 out as you put the new one in you will be translating on only 1 interface at a time and the more simple way to configure address translation that you were using (and that Jon mentions) is good enough. So you do not need the route map.
Here are a few other details about the config.
You have configured the router to use your local time zone rather than GMT but have not told it to observe daylight saving time. If you want daylight savings then use this command
clock summer-time PCTime recurring
You can substitute whatever identifier you might prefer for PCTime, which just supplies the identifier for local time.
You have a second command doing dynamic address translation in the config. It uses the same outbound interface and it uses an access list that does not appear in the config. So I think it was doing no good. So remove it with this
no ip nat inside source list 11 interface Serial0/0/0 overload
While you are cleaning up the access list you should remove the lines that reference the addresses (115, 116, 117) that are going away.
The banner exec is something that came with the router when it was new. It is no longer appropriate and I suggest that you remove it with
no banner exec
HTH
Rick
12-02-2013 11:47 AM
Thanks for the quick response.
I should have mentioned that we're not looking to load balance - the new ethernet will replace the existing T1.
I have not implemented any of your changes yet, but I have a few questions before I start. When I take the T1 line out of the serial0/0/0 interface, and plug in the ethernet to FastEthernet0/1, there is no connection to the internet in the building.
1. Is this because the static route "ip route 0.0.0.0 0.0.0.0 ***.***.94.85" is missing? Does this let the router know where the gateway is?
2. Should I delete the old static route if we don't plan to use ATT? What is the command to do this? "no ip route 0.0.0.0 0.0.0.0 Serial0/0/0"?
3. Are there any other superfluous settings that I should delete if we're getting rid of the T1 service?
The extra WAN addresses you mention are indeed ATT addresses that were only used as convenience and should probably come down.
I wish I knew what each item on the access-list did, I think I'll do that next. Thanks for the heads-up on that.
Anyway, thanks again for your help
12-02-2013 12:31 PM
Mark
1 & 2) Yes to both. So you would do -
no ip route 0.0.0.0 0.0.0.0 s0/0/0
ip route 0.0.0.0 0.0.0.0 x.x.94.85
3) you need to rewrite your NAT statement ie.
no ip nat inside source list 1 interface s0/0/0 overload
ip nat inside source list 1 interface fa0/0 overload
Also, are you saying you no longer need these -
ip nat inside source static 192.168.0.5 ***.***.145.115
ip nat inside source static 192.168.0.6 ***.***.145.116
ip nat inside source static 192.168.0.7 ***.***.145.117
because obviously when you switch over these translations will no longer be available.
Jon
12-02-2013 01:53 PM
Jon,
Did you mean for this:
ip nat inside source list 1 interface fa0/0 overload
to be this?
ip nat inside source list 1 interface fa0/1 overload
12-02-2013 01:55 PM
Mark
Good catch, yes it should be fa0/1.
Apologies for the mistake.
Jon
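Pulling together the cutover steps from Rick's and Jon's replies above (new default route, PAT moved to FastEthernet0/1 with Jon's fa0/1 correction, removal of the unused list-11 NAT statement, the AT&T static NATs, the banner and the shadowed lines in access-list 110), here is an added example that is not config posted by anyone in this thread. The addresses are the masked ones from the page. Two entries are assumptions of mine rather than anything the thread states: the https (443) and icmp echo permits, added because the posted list has neither and, once "permit ip any any" is gone, anything not listed is dropped by the implicit deny.

```cisco
! Added example: IRAH 1841 cutover from the AT&T T1 (Serial0/0/0) to the GRTI
! ethernet (FastEthernet0/1). Not config from the thread; see lead-in.
configure terminal
!
! 1. Default route: send everything to the GRTI gateway, drop the serial route.
no ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 0.0.0.0 0.0.0.0 ***.***.94.85
!
! 2. Dynamic NAT (PAT): translate list 1 behind the new outside interface.
!    List 11 is referenced but never defined, so its NAT line does nothing.
no ip nat inside source list 1 interface Serial0/0/0 overload
no ip nat inside source list 11 interface Serial0/0/0 overload
ip nat inside source list 1 interface FastEthernet0/1 overload
!
! 3. Static NATs to AT&T addresses cannot be reached via GRTI; remove them.
no ip nat inside source static 192.168.0.5 ***.***.145.115
no ip nat inside source static 192.168.0.6 ***.***.145.116
no ip nat inside source static 192.168.0.7 ***.***.145.117
!
! 4. Rebuild ACL 110. IOS evaluates entries top-down, first match wins, and an
!    implicit deny ends the list, so "permit ip any any" as the first entry
!    made every later line unreachable. The AT&T-address entries are dropped.
no access-list 110
access-list 110 remark OUTBOUND filter, applied out on FastEthernet0/1
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq echo
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq domain
access-list 110 permit tcp any any eq 3389
access-list 110 permit udp any any eq echo
access-list 110 permit udp any any eq tftp
access-list 110 permit udp any any eq domain
access-list 110 permit icmp any any echo
access-list 110 deny ip any any log
!
! 5. The filter and NAT role are already on FastEthernet0/1 in the posted
!    config; repeated here so the example stands on its own.
interface FastEthernet0/1
 ip access-group 110 out
 ip nat outside
exit
!
! 6. Housekeeping from Rick's second reply.
no banner exec
end
write memory
```

Run `clear ip nat translation *` before removing the old NAT statements, otherwise IOS refuses while dynamic mappings are in use. The explicit `deny ip any any log` at the end changes nothing about what is blocked, but with `logging buffered` already on it writes a line for each dropped flow, so `show logging` and the hit counters in `show access-lists 110` tell you quickly whether a silent drop is the cause of "no internet" rather than routing or DNS. The ACL sits on the outside interface in the out direction, so it sees post-NAT packets and does not affect router-originated pings; the icmp entry is what keeps the PC-side `tracert` and `ping` tests Jon asks for from being blocked.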
12-02-2013 12:41 PM
Hi Mark,
Just adding to Richard...
Using IP SLA the Cisco IOS gets the ability to use Internet Control Message Protocol (ICMP) pings to identify when a WAN link goes down at the remote end and hence allows the initiation of a backup connection from an alternative port.
Config example:
--------------------------------------------------------------------------------
R1(config)# ip sla 1
R1(config-ip-sla)# icmp-echo ***.***.94.85 source-interface FastEthernet0/1
R1(config-ip-sla-echo)# timeout 1000
R1(config-ip-sla-echo)# threshold 2
R1(config-ip-sla-echo)# frequency 3
R1(config-ip-sla-echo)# exit
R1(config)# ip sla schedule 1 life forever start-time now
R1(config)# track 1 ip sla 1 reachability
(The above command will track the state of the IP SLA operation. If there are no ping responses from the next-hop IP the track will go down and it will come up when the ip sla operation starts receiving ping response)
R1(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/0 track 1
R1(config)# ip route 0.0.0.0 0.0.0.0 ***.***.94.85 10
--------------------------------------------------------------------------------
To verify the track status, use the "show track" command:
R1# show track
Track 1
IP SLA 1 reachability
Reachability is Down
1 change, last change 00:03:19
Latest operation return code: Unknown
Hope it helps.
Regards
Don't forget to rate helpful posts.
12-02-2013 12:44 PM
Sandeep
From Mark's second post -
I should have mentioned that we're not looking to load balance - the new ethernet will replace the existing T1.
So I'm not sure how IP SLA will help here. I'm not criticising, I just don't want to confuse the issue.
Jon
12-02-2013 12:50 PM
Hi Jon,
You are right, that was my reading failure.
@Mark: My config is valuable only if you want to use 2 providers at a time for load balancing.
Regards
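For the case Sandeep describes, with both providers connected as primary and backup (the arrangement Rick also raised in his first reply), here is an added example that is not from any poster in this thread. It differs from Sandeep's snippet in one respect that matters: there the probe tests the GRTI gateway but the track is attached to the serial route, so a GRTI outage would withdraw the wrong route. Below, the tracked route is the GRTI one and the T1 route is a floating static that only enters the routing table when track 1 goes down. NAT uses the route-map form from Rick's first reply, since two outside interfaces are in play. Assumptions: the GRTI gateway ***.***.94.85 answers ICMP echo (if the provider blocks ping, probe a reachable address beyond the gateway instead), and the IOS image is recent enough for `track ... ip sla` (older 12.4 images use `track 1 rtr 1 reachability`).

```cisco
! Added example: GRTI ethernet primary, AT&T T1 backup, on the IRAH 1841.
! Not config from the thread; see lead-in for assumptions.
configure terminal
!
! Probe the GRTI gateway every 3 s from the GRTI interface. A reply slower
! than 500 ms counts as over-threshold; no reply within 1000 ms is a failure.
ip sla 1
 icmp-echo ***.***.94.85 source-interface FastEthernet0/1
 timeout 1000
 threshold 500
 frequency 3
exit
ip sla schedule 1 life forever start-time now
!
! Track object follows the probe. The delays stop a single lost ping from
! flapping the default route back and forth.
track 1 ip sla 1 reachability
 delay down 10 up 30
exit
!
! Primary default via GRTI, withdrawn while track 1 is down. The T1 route has
! administrative distance 10 (> 1), so it is only installed when the primary
! is absent, and it drops out again when the track recovers.
ip route 0.0.0.0 0.0.0.0 ***.***.94.85 track 1
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10
!
! NAT: one dynamic translation per outside interface, chosen by the interface
! the packet is actually leaving on (Rick's route-map names kept).
no ip nat inside source list 1 interface Serial0/0/0 overload
route-map GRTI_NAT permit 10
 match ip address 1
 match interface FastEthernet0/1
route-map ATT_NAT permit 10
 match ip address 1
 match interface Serial0/0/0
ip nat inside source route-map GRTI_NAT interface FastEthernet0/1 overload
ip nat inside source route-map ATT_NAT interface Serial0/0/0 overload
end
```

Check it with `show track 1` (Reachability should read Up once the first replies arrive) and `show ip route 0.0.0.0`, which should list only the GRTI next hop while the track is up. One caveat a failover design like this always carries: translations already built on FastEthernet0/1 stay in the NAT table after the route flips, so established sessions break either way; `clear ip nat translation *` after a switchover lets new flows rebuild on the right interface.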
12-02-2013 01:53 PM
Rick,
In this statement:
route-map ATT_NAT permit 10
What does the "permit 10" do?
12-04-2013 11:25 AM
There must be another issue. I've made the following changes:
Then unplugged the T1 and plugged in the Ethernet and still have no connection to internet. Tried power-cycling both boxes, still nothing. I did successfully ping the gateway (*.*.94.85), but could not ping google - a tracert said that the nameserver could not be found. DNS maybe?
We have a DNS server at 192.168.0.5, with the secondary at 8.8.8.8 (google)
Or are the static routes to the old WAN IP causing the problem?
You guys have been great so far - any help greatly appreciated.
Mark
PS. AZ doesn't use daylight savings time
12-04-2013 11:54 AM
Mark
Can you try tracert from PC inside to 8.8.8.8 (if you haven't already) ie. the IP not the name.
Can you ping 8.8.8.8 from the router ?
Or are the static routes to the old WAN IP causing the problem?
I can't see any, only the default route.
Did you remove the permit ip any any from acl 110 ?
Jon
12-04-2013 01:39 PM
Can you ping 8.8.8.8 from the router when connected to the new ISP connection?
It does sound like some issue with the DNS config. Perhaps, at least as a test, I would suggest removing
ip name-server 192.168.0.5
and see if it improves things.
I am not sure what you mean when you suggest it may be an issue with static routes to old WAN IP. Do you mean your routes or is it routes from the provider?
I did not remember that AZ does not use daylight savings time - and did not know that you are in AZ. But if you do not need it then do not use it.
HTH
Rick
12-17-2013 10:26 AM
It was a config issue on the ISP side - what you guys helped me with was spot-on. Working now. Thanks again!