Linux not passing traffic through 1721/1841

jscott
Level 1

Hi folks.  I'm hoping one of the experts around here can help me figure out what is going wrong.

I run a network that uses MPLS circuits to connect all of the company's different stores.  Internet access is through a Cisco ASA5500 here at the corporate headquarters.

To make all of this work, we use a little 1721 gateway router to move traffic as needed.   All the clients in our corporate office use 10.10.99.1 (Cisco 1721) as a gateway.  The 1721 routes the traffic either to the internet (10.10.99.106 Cisco ASA5500) or the MPLS router (159.61.54.30).

For some reason, anything that runs on Linux (Ubuntu server, ReadyNAS boxes, Thecus NAS) will not pass traffic beyond the 1721 gateway router.

I've pored over the config for that router, and I can't find anything that could be causing this not to work.  Thinking that the 1721 was bad, I put an 1841 online in its place, and it did the same thing.   I'm a noob when it comes to Cisco configs, but am learning as I go along.

Can someone help me figure out this problem?  I've attached a txt file of the 1721 config.

Thanks.

31 Replies

cadet alain
VIP Alumni

Hi,

on which subnets are these linux machines?

In your post you forgot any ACL / firewall config as well as the NAT config.

Regards.

Alain.

Don't forget to rate helpful posts.

The Linux machines are on the 10.10.99.xxx subnet (255.255.255.0): 10.10.99.104, 10.10.99.150, 10.10.99.66, 10.10.99.130.

As for the NAT configs, I'm not sure how to pull those from the router.  All I did was a 'show config' and copied it from PuTTY to a txt file.

Hi,

As for the NAT configs, I'm not sure how to pull those from the router.  All I did was a 'show config' and copied it from PuTTY to a txt file.

sh run | s ip nat and sh access-list will give us what we need.

Regards.

Alain.

Don't forget to rate helpful posts.

Per that command, the response was:

sh run | s ip nat:

ip nat inside

sh access-list:

Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit ip any any log

Those are the responses from the router.

Hi,

a few remarks/questions:

ip route 159.61.23.0 255.255.255.0 159.61.54.60 245   encompasses the next statement unless you change the netmask to 255.255.255.224
ip route 159.61.23.32 255.255.255.224 159.61.54.60 245

ip route 159.61.54.32 255.255.255.224 159.61.54.60   why leave the default AD here?
ip route 159.61.54.64 255.255.255.224 159.61.54.60 245

Why did you use an AD of 245? I don't see the point, same for the 246 on your default.

You could also reduce the number of static routes:

ip route 10.10.1.0 255.255.255.0 159.61.54.60 245
ip route 10.10.2.0 255.255.255.0 159.61.54.60 245
ip route 10.10.3.0 255.255.255.0 159.61.54.60 245
ip route 10.10.4.0 255.255.255.0 159.61.54.60 245
ip route 10.10.6.0 255.255.255.0 159.61.54.60 245
ip route 10.10.7.0 255.255.255.0 159.61.54.60 245
ip route 10.10.8.0 255.255.255.0 159.61.54.60 245
ip route 10.10.9.0 255.255.255.0 159.61.54.60 245
ip route 10.10.10.0 255.255.255.0 159.61.54.60 245   same as my first remark, this encompasses the next statement

ip route 10.10.10.0 255.255.255.224 159.61.54.60 245

You could change these 9 routes to 5 routes:

ip route 10.10.1.0 255.255.255.0 159.61.54.60 245
ip route 10.10.2.0 255.255.254.0 159.61.54.60 245
ip route 10.10.4.0 255.255.252.0 159.61.54.60 245
ip route 10.10.8.0 255.255.254.0 159.61.54.60 245
ip route 10.10.10.0 255.255.255.0 159.61.54.60 245

Regards.

Alain.

Don't forget to rate helpful posts.
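The three remarks above (a /24 that swallows a later /27, one static left at the default AD, and a run of /24s that can be summarised) are easy to miss by eye in a long config. The script below is an added example, not code from the thread or from Cisco: it parses `ip route` lines in the IOS syntax quoted above, flags statics that a shorter prefix to the same next hop already covers, flags statics whose destination is one of FastEthernet0's own connected subnets (the connected route at AD 0 always wins, so such a static never forwards anything), collapses contiguous prefixes that share next hop and AD, and does a longest-prefix lookup so you can see which entry a given destination actually uses. The sample config is constructed from the lines quoted in this post plus the default route and the 159.61.240.0/24 static that appear later in the thread; the connected subnets are taken from the `sh run int f0` output posted further down. Note that `ipaddress.collapse_addresses` only merges exactly adjacent blocks, so it keeps 10.10.4.0/24 and 10.10.6.0/23 apart because 10.10.5.0/24 is not in the config; the /22 suggested above additionally covers that unused prefix.

```python
"""Static-route hygiene checks for an IOS config (added example, not from the thread)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the "ip route" lines quoted in the post above, plus the
# default route and the 159.61.240.0/24 static seen later in "sh ip route static".
SAMPLE_CONFIG = """\
ip route 159.61.240.0 255.255.255.0 10.10.99.106
ip route 159.61.23.0 255.255.255.0 159.61.54.60 245
ip route 159.61.23.32 255.255.255.224 159.61.54.60 245
ip route 159.61.54.32 255.255.255.224 159.61.54.60
ip route 159.61.54.64 255.255.255.224 159.61.54.60 245
ip route 10.10.1.0 255.255.255.0 159.61.54.60 245
ip route 10.10.2.0 255.255.255.0 159.61.54.60 245
ip route 10.10.3.0 255.255.255.0 159.61.54.60 245
ip route 10.10.4.0 255.255.255.0 159.61.54.60 245
ip route 10.10.6.0 255.255.255.0 159.61.54.60 245
ip route 10.10.7.0 255.255.255.0 159.61.54.60 245
ip route 10.10.8.0 255.255.255.0 159.61.54.60 245
ip route 10.10.9.0 255.255.255.0 159.61.54.60 245
ip route 10.10.10.0 255.255.255.0 159.61.54.60 245
ip route 10.10.10.0 255.255.255.224 159.61.54.60 245
ip route 0.0.0.0 0.0.0.0 10.10.99.106 246
"""

# Subnets connected on FastEthernet0, from the "sh run int f0" output in the thread.
CONNECTED = [ipaddress.ip_interface(a).network
             for a in ("10.10.99.1/24", "159.61.54.33/27", "159.61.54.129/27")]

# ip route <network> <mask> <next-hop> [<admin-distance>]
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?: (\d+))?$")


def parse_static_routes(config):
    """Return [(network, next_hop, admin_distance)]; AD defaults to 1 when omitted."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        net, mask, nh, ad = m.groups()
        routes.append((ipaddress.ip_network(f"{net}/{mask}", strict=False),
                       nh, int(ad) if ad else 1))
    return routes


def redundant_routes(routes):
    """Statics fully covered by a shorter prefix with the same next hop and AD.
    They never change a forwarding decision, so they are just config noise."""
    found = []
    for net, nh, ad in routes:
        for other, onh, oad in routes:
            if other != net and net.subnet_of(other) and (onh, oad) == (nh, ad):
                found.append((net, other))
                break
    return found


def statics_to_connected(routes, connected=CONNECTED):
    """Statics whose destination is a directly connected subnet.  The connected
    route has AD 0 and always wins, so these entries are dead config."""
    return [net for net, _, _ in routes if net in connected]


def summarize(routes):
    """Collapse contiguous prefixes that share next hop and AD.  Exact only:
    a gap such as the missing 10.10.5.0/24 keeps its neighbours apart."""
    groups = defaultdict(list)
    for net, nh, ad in routes:
        groups[(nh, ad)].append(net)
    out = []
    for (nh, ad), nets in groups.items():
        out.extend((n, nh, ad) for n in ipaddress.collapse_addresses(nets))
    return sorted(out, key=lambda r: r[0])


def lookup(routes, dst, connected=CONNECTED):
    """Longest-prefix match, lowest AD on a tie; connected subnets compete at AD 0.
    Returns (network, next_hop) with next_hop "connected" for local subnets, or None."""
    dst = ipaddress.ip_address(dst)
    candidates = [(n, "connected", 0) for n in connected if dst in n]
    candidates += [(n, nh, ad) for n, nh, ad in routes if dst in n]
    if not candidates:
        return None
    net, nh, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return net, nh


if __name__ == "__main__":
    routes = parse_static_routes(SAMPLE_CONFIG)
    for net, covering in redundant_routes(routes):
        print(f"redundant: {net} is already covered by {covering}")
    for net in statics_to_connected(routes):
        print(f"dead: {net} is a connected subnet, static never used")
    print(f"{len(routes)} statics could be {len(summarize(routes))}:")
    for net, nh, ad in summarize(routes):
        print(f"  ip route {net.network_address} {net.netmask} {nh} {ad}")
    for dst in ("10.10.99.104", "10.10.10.5", "159.61.240.7", "8.8.8.8"):
        print(f"{dst} -> {lookup(routes, dst)}")
```

Run it against a `sh run | s ip route` capture to get the same three findings Alain made by hand; the lookup is the quickest way to confirm that traffic from a 10.10.99.x host toward the internet really lands on the default via 10.10.99.106 and not on some stray more-specific static.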

spremkumar
Level 9

Hi

You have truncated the NAT configs in the attached file and also didn't mention the IP address you are using for the Linux server.

I need all the NAT-related configs and also the IP address configured on the Linux server to check the possible reasons for this issue.

regds

Hi,

Post: sh run int xxx, where xxx is the interface towards Linux and the interface towards the ASA, then sh ip ro static.

Can you ping the router interface towards the ASA, sourcing from the Linux-facing interface?

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

I'm a noob here, so please forgive the dumb questions.  When you asked that I run 'sh run int xxx', is the xxx interface the IP address of the interface?

We are only using fe0 on this router. The Serial connections are offline as they are not needed.

Thanks.

No, in sh run int xxx, xxx is the name of the interface, e.g. f0/0, f0/1.

By the way, if you are not NATting on this router you can get rid of ip nat inside on the interface pointing towards Linux.

Regards.

Alain.

Don't forget to rate helpful posts.

Thanks for the clarification.

Here is the response:

Rantoul_Gateway#sh run int f0
Building configuration...

Current configuration : 212 bytes
!
interface FastEthernet0
description Rantoul Gateway
ip address 159.61.54.129 255.255.255.224 secondary
ip address 159.61.54.33 255.255.255.224 secondary
ip address 10.10.99.1 255.255.255.0
speed auto
end

jscott
Level 1

I've attached the updated 1721 config.

Thanks.

I still don't see the config of the interface going to the ASA (10.10.99.106).

You didn't send sh ip route static and sh ip int brief | exc una.

Can you ping your ASA from the Linux-facing interface? : ping 10.10.99.106 so f0

Regards.

Alain.

Don't forget to rate helpful posts.

From the router, I can ping the ASA just fine.  We are only using one physical interface on this 1721 (FE0).  All traffic goes in/out there.

Here are the command results:

sh ip route static:

Rantoul_Gateway#sh ip route static
     159.61.0.0/16 is variably subnetted, 16 subnets, 2 masks
S       159.61.240.0/24 [1/0] via 10.10.99.106
S       159.61.54.192/27 [245/0] via 159.61.54.60
S       159.61.55.192/27 [245/0] via 159.61.54.60
S       159.61.53.192/27 [245/0] via 159.61.54.60
S       159.61.59.192/27 [245/0] via 159.61.54.60
S       159.61.86.128/27 [245/0] via 159.61.54.60
S       159.61.53.224/27 [245/0] via 159.61.54.60
S       159.61.59.224/27 [245/0] via 159.61.54.60
S       159.61.54.0/27 [245/0] via 159.61.54.60
S       159.61.55.0/27 [245/0] via 159.61.54.60
S       159.61.57.0/27 [245/0] via 159.61.54.60
S       159.61.23.0/24 [245/0] via 159.61.54.60
S       159.61.54.64/27 [245/0] via 159.61.54.60
S       159.61.54.96/27 [245/0] via 159.61.54.60
     10.0.0.0/8 is variably subnetted, 11 subnets, 3 masks
S       10.10.1.0/24 [245/0] via 159.61.54.60
S       10.10.2.0/23 [245/0] via 159.61.54.60
S       10.10.4.0/22 [245/0] via 159.61.54.60
S       10.10.8.0/23 [245/0] via 159.61.54.60
S       10.10.10.0/24 [245/0] via 159.61.54.60
S       10.10.11.0/24 [245/0] via 159.61.54.60
S       10.10.12.0/24 [245/0] via 159.61.54.60
S       10.10.51.0/24 [245/0] via 159.61.54.60
S       10.10.71.0/24 [245/0] via 159.61.54.60
S       10.10.111.0/24 [245/0] via 159.61.54.60
S*   0.0.0.0/0 [246/0] via 10.10.99.106
Rantoul_Gateway#

sh ip int brief:

Rantoul_Gateway#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              10.10.99.1      YES NVRAM  up                    up
Serial0                    unassigned      YES manual administratively down down
Serial0.1                  unassigned      YES manual administratively down down
Rantoul_Gateway#

Thanks.

Hi,

From the router, I can ping the ASA just fine.  We are only using one physical interface on this 1721 (FE0).  All traffic goes in/out there.

What about pings from the Linux machine 10.10.99.104?

If they are unsuccessful, can you do: sh ip arp 10.10.99.104

Regards.

Alain.

Don't forget to rate helpful posts.