Sorry if this is a mega simple question, but we need to set up something like this:
The physical connectivity between the ISP network and External Switch 1, i.e. the /30 network, is on port GigabitEthernet 0/19. The /27 network is configured as VLAN100. How do we configure it so that all hosts in the 192.168.1.64/27 network can access the Internet using the .66 HSRP IP? Then, of course, we can configure routing in the firewall to allow hosts in the internal network to access the Internet too. But that's another story.
Thanks so much in advance.
No. We don't need to NAT. NATing can be handled in the firewall downstream from the Catalyst switches.
BTW, good thing to bring up. Forgot to mention that the External Switches are Catalyst 3560G-24 port switches running the Advanced IP Services IOS.
Are you trying to get that 192.168.x.x subnet to route through the ASA, NAT, and then back to the Internet? That won't work. Traffic has to enter the ASA through one interface and then exit through another in order to NAT.
No. Don't worry about the ASA. That ASA is just there to give the whole picture. We just want the machines in the /27 block to be able to access the Internet going through the /30 block, which is physically connected to the ISP's network. Once that works, the ASA will be just another machine on the /27 block which can do the NAT stuff for internal machines.
OK, but where is the trick? Enable ip routing on the 3560, configure a default route to the next hop, and set the hosts' default gateway to the 3560 HSRP IP.
Haha, there is no trick other than the fact that we're not very good with Cisco stuff. Haven't had to touch it for a while.
ip routing IS turned on. The problem is that we're unable to ping any outside host on the Internet from inside the switch. The current config is as follows (only the relevant sections are provided):

```cisco
! Interface lines below are restored from the description in the question
! (GigabitEthernet 0/19 carries the /30 to the ISP, VLAN100 carries the /27).
interface GigabitEthernet0/19
 description Primary DIA to ISP
 ip address 10.1.1.66 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 service-policy input LAN-MARKER
!
interface Vlan100
 ip address 192.168.1.67 255.255.255.224
 no ip redirects
 no ip proxy-arp
 standby 1 ip 192.168.1.66
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 10
!
ip default-gateway 10.1.1.65
```
"ip default-gateway" doesn't work when "ip routing" is enabled. Instead, configure a default route with:

```cisco
ip route 0.0.0.0 0.0.0.0 10.1.1.65
```
I'm quite sure it does. That's how we had configured it before, and everything used to work. We just had to change ISPs and had to simply change the IP addresses for the new ISP. The other difference is that previously we had iBGP configured with the ISP, who provided us two WAN links, and the default route for the /30 block was set within the BGP configuration. Now we don't have BGP with the ISP, so we don't really know where to stick in the default router for the /30 block, which is .65. Previously, we had configuration like
and the default gateway for the /30 block was stuck inside the BGP configuration. There was no default router specified for the /27 block, which is great because we saved an IP address which would otherwise be wasted as the provider's gateway/network port on the other side.
I repeat: the command "ip default-gateway" doesn't work when "ip routing" is enabled. That command didn't do anything when BGP was running. Your BGP peer was providing you a dynamic BGP default route 0.0.0.0. Now you need to set it statically with:

```cisco
ip route 0.0.0.0 0.0.0.0 10.1.1.65
```
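The complete setup the answer describes, written out for both external switches as an added example; this is not the poster's configuration or the answering user's, and it assumes a second switch with 192.168.1.68 on VLAN100, a track object tied to the uplink's line protocol, and the interface names given in the question:

```cisco
! ===== External Switch 1 (HSRP active, holds the /30 to the ISP) =====
! Added example config, not from the thread. Addresses follow the question.
ip routing
!
! Assumed track object: drop HSRP priority when the ISP-facing port goes down,
! so Switch 2 takes over the .66 gateway address.
track 1 interface GigabitEthernet0/19 line-protocol
!
interface GigabitEthernet0/19
 description Primary DIA to ISP
 no switchport
 ip address 10.1.1.66 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan100
 description Public /27 for DMZ hosts and the ASA outside interface
 ip address 192.168.1.67 255.255.255.224
 no ip redirects
 no ip proxy-arp
 standby 1 ip 192.168.1.66
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 10
!
! "ip default-gateway" is only honoured with "no ip routing"; remove it and
! install a static default route toward the ISP side of the /30.
no ip default-gateway
ip route 0.0.0.0 0.0.0.0 10.1.1.65
!
! ===== External Switch 2 (HSRP standby, no direct ISP link) =====
! Assumed address .68; default route points at Switch 1's real address, not the VIP.
ip routing
!
interface Vlan100
 ip address 192.168.1.68 255.255.255.224
 no ip redirects
 no ip proxy-arp
 standby 1 ip 192.168.1.66
 standby 1 priority 100
 standby 1 preempt
!
ip route 0.0.0.0 0.0.0.0 192.168.1.67
```

To check it, `show ip route` on Switch 1 should list `S* 0.0.0.0/0 [1/0] via 10.1.1.65` and `show standby brief` should show Switch 1 active and Switch 2 standby for group 1. When pinging an Internet host from the switch, use a source in the /27, e.g. `ping 8.8.8.8 source 192.168.1.67`: a plain `ping` sources from 10.1.1.66 and only proves the /30 works, whereas the /27 test fails if the ISP has not yet pointed 192.168.1.64/27 at 10.1.1.66, which is the symptom this thread ends up diagnosing. One caveat on the redundancy: with a single /30 uplink, Switch 2 only backs up the VLAN gateway address; if Switch 1 is down, Switch 2's route via .67 is dead too, so real path redundancy needs a second ISP link on Switch 2.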
Haha, OK... thanks for the clarification. We did change it before responding to the last message, and it didn't work either. We still can't ping any host on the Internet.
The only configuration that works is if we remove the /30 block completely and just use the /27 block.
I think this could be a problem at the ISP end also. The thing is that I am unable to ping the default gateway for the /30 block, i.e. 10.1.1.65 (obviously not the real IP of the ISP), from the Internet, but I can ping the default gateway for the /27 block, i.e. 192.168.1.65 (again, not the real IP). However, I can ping it from the switch itself.
So you think our side of the config looks good after changing the 0.0.0.0 ip route to point at the default gateway of the /30 block?
Are you saying you can ping your 192.168.1.65 IP from the Internet? I assume that IP belongs to the ASA (or some server). Well, that's a great indication that routing is working. You probably can't ping that 10/30 IP because the ISP is blocking ping traffic to their IPs.
Paste your full config one more time, not sure yet why you can't ping Internet hosts.
By the way, your switch on the right will need a different default route:

```cisco
ip route 0.0.0.0 0.0.0.0 192.168.1.67
```
Yes, we can ping the address .65 in the /27 block from the Internet, BUT this address is NOT configured anywhere inside our network. This is the IP that's probably sitting configured on the router of the ISP. This should not be the case, as after getting the /30 block we should have all 30 IP addresses to use, since we've already taken care of the path to the ISP with the /30 block. We agree that the default router of the /30 block, i.e. 10.1.1.65, isn't responding to pings since it may be blocked by the ISP, but we don't trust the competence of these people. They have messed up before and they might be messing up again. A ticket has been opened with them, but no one has responded in the last 5 hrs!
For the given scenario only 10.1.1.65 (ISP side) and 10.1.1.66 (our side) should be pingable (assuming no one has turned off pings), but we're instead able to ping 192.168.1.65, which should NOT be pingable, as this should now be completely in our network. Since it is responding to pings and we have not configured it anywhere, it's clearly sitting on the ISP network. This was also proven since, if we configure the switches to remove the /30 block and just use the /27 block with 192.168.1.65 as the default route, everything works. We think this is an ISP issue.
Also, we hope you've caught on to the fact that none of these ranges are real... for security reasons. Both blocks we have are Class A public IP addresses.
The config we gave earlier is the main config. Everything after that is just access rules, configuration of VLANs, etc.
Yes, I figured that.
It sounds like that block is assigned to some device inside the ISP's network, or could even possibly be assigned to some other customer. Are you able to connect to it with a web browser? Are you able to reach any other IPs in that range?
The 192.168.1.65 is definitely not assigned to some other customer, as we're able to use it as a default gateway if we remove the /30 block, and it's on the ISP side. What they should've done when they gave us the /30 block is release the 192.168.1.65 address and aggregate the /27 block to be routed via the /30 block, but they clearly haven't done that. Can't believe we wasted all this time trying to resolve it. We should have just waited for the ISP to get back to us. Maybe we'll have to get back to this after the ISP sorts it out at their end?