02-06-2013 09:39 AM - edited 03-04-2019 06:57 PM
Hello!
We've got 2 routers between our offices.
Here are the configs:
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Office_Sad
!
boot-start-marker
boot system flash:/c1900-universalk9-mz.SPA.152-2.T.bin
boot-end-marker
!
!
!
no aaa new-model
!
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 192.168.4.1 192.168.4.99
!
ip dhcp pool pool
network 192.168.4.0 255.255.255.0
default-router 192.168.4.12
dns-server 192.168.240.100
!
!
ip flow-cache timeout active 1
ip domain name office
ip cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1150895397
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1150895397
revocation-check none
rsakeypair TP-self-signed-1150895397
!
!
crypto pki certificate chain TP-self-signed-1150895397
certificate self-signed 01
quit
license udi pid CISCO1941/K9 sn FCZ164791BH
license boot module c1900 technology-package securityk9
!
!
username b1_adm privilege 15 secret 5 *
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 89.104.*.* 255.255.255.0
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map vpn
!
interface GigabitEthernet0/1
ip address 192.168.4.12 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination 192.168.4.26 9996
!
ip nat pool Trassir 192.168.4.23 192.168.4.23 netmask 255.255.255.0 type rotary
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside destination list 105 pool Trassir
ip route 0.0.0.0 0.0.0.0 89.104.*.225
ip route 192.168.9.0 255.255.255.0 89.104.*.229
!
ip sla 1
icmp-echo * source-interface GigabitEthernet0/0
threshold 2
timeout 2000
frequency 5
ip sla schedule 1 life forever start-time now
access-list 100 permit ip any any
access-list 105 permit tcp any any range 3080 3084
access-list 105 permit tcp any any eq 8080
access-list 105 permit tcp any any eq 4433
!
!
snmp-server community mon_cacti RO
snmp-server ifindex persist
snmp-server enable traps entity-sensor threshold
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input all
!
scheduler allocate 20000 1000
!
end
and another:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname PaulShark-Sad
!
boot-start-marker
boot system flash:/ios.bin
boot-end-marker
!
!
enable secret 5 *
!
no aaa new-model
memory-size iomem 10
!
!
!
!
!
ip dhcp excluded-address 192.168.9.1 192.168.9.100
!
ip dhcp pool pool
network 192.168.9.0 255.255.255.0
default-router 192.168.9.12
dns-server 192.168.240.100 82.112.184.34
!
ip dhcp pool reserv
host 192.168.9.99 255.255.255.0
client-identifier 01b4.b52f.f11b.83
client-name hp400_ps
domain-name office.local
!
!
!
ip flow-cache timeout active 1
no ip domain lookup
ip domain name office
ip cef
no ipv6 cef
!
!
license udi pid CISCO881W-GN-E-K9 sn FCZ1638C56X
!
!
username b1_adm privilege 15 secret 5 *
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address 89.104.*229 255.255.255.240
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
ip route-cache same-interface
duplex auto
speed auto
crypto map vpn
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 192.168.254.93 255.255.255.0
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface Vlan1
ip address 192.168.9.12 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip route-cache same-interface
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip flow-export source FastEthernet4
ip flow-export version 5
ip flow-export destination 89.104.*.230 9996
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 100
!
ip nat inside source list 100 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 89.104.*.225
ip route 192.168.4.0 255.255.255.0 89.104.*.230
!
access-list 100 deny ip 192.168.9.0 0.0.0.255 192.168.181.0 0.0.0.255
access-list 100 deny ip 192.168.9.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 100 permit ip 192.168.9.0 0.0.0.255 any
access-list 102 permit ip 192.168.9.0 0.0.0.255 192.168.181.0 0.0.0.255
access-list 102 permit ip 192.168.9.0 0.0.0.255 192.168.240.0 0.0.0.255
no cdp run
!
route-map vpn permit 10
match ip address 102
set interface FastEthernet4
!
snmp-server community mon_cacti RO
!
!
line con 0
exec-timeout 30 30
privilege level 15
password 7 *
logging synchronous
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
password 7 *
login local
transport input all
!
!
end
So just a simple scheme: two routers,
first: LAN: 192.168.4.0/24 WAN: 89.104.*.230
second: LAN: 192.168.9.0/24 WAN: 89.104.*229
I added static routes for their subnets; pings from their external interfaces reach the destination networks, for example I ping from 89.104.*.230 the local IP 192.168.9.12 and it's okay.
But when I try to ping from 192.168.4.4 to IP 192.168.9.12 it doesn't go through.
Why?
02-06-2013 12:18 PM
Hi Greg
If I'm not thinking completely insane right now: how would this work?
If you are on a host in the 192.168.4.0/24 subnet and you are trying to reach a host in the 192.168.9.0/24 subnet, you will have to traverse the internet. The packet will have a destination IP address of 192.168.9.12, which is a private IP address, and as you may know, those are blocked on the internet.
Or have I missed something?
02-06-2013 12:34 PM
Yes, you are right, but not the internet; these routers are in one ISP VLAN from one subnet.
I can give these routers secondary IPs from the 192.168.181.0/24 subnet, for example the first router's secondary external IP 192.168.181.13 and the other's 192.168.181.14; I can ping their external IPs from any subnet, so they see each other.
How can I make 192.168.4.0/24 reach 192.168.9.0/24?
02-06-2013 12:39 PM
Greg,
Do you have a discrete point-to-point link between the two offices? A link that does not go to an ISP of any sort?
Because if you are still going through some sort of an ISP then you are going over a public interface of some sort and, as was stated above by Henrik, you cannot do that because of the rule about private IP space.
02-06-2013 12:45 PM
The ISP gives us native L2 without any MPLS or anything. I can plug into the WAN port with a local IP in both offices and they'll see each other.
Right now it looks like this:
All routers are connected to a VPN concentrator on Vyatta via IPsec with AES128, MD5.
I want to switch from VPN to static routing, starting from these routers:
02-06-2013 03:11 PM
Access lists 100 and 105 are used to determine which sources and destinations are translated and should include
"access-list 100 deny ip 192.168.9.0 0.0.0.255 192.168.4.0 0.0.0.255" or the reverse so that traffic is not NAT'd coming in or out on both sides.
A "permit tcp" does not include ICMP but a "permit ip" does, or you can have a separate permit ICMP statement.
Test by doing a "telnet 192.168.4.4 8080" to test a TCP port.
Try capturing the traffic to see if it is getting NAT'd, or do a "show ip nat translation | i 192.168.4.4" to see inside and outside addresses.
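As an added illustration of the NAT exemption glenn describes (this is not from any post in the thread), here is how ACL 100 on each router could be rewritten so office-to-office traffic bypasses translation while everything else still gets the overload NAT; subnets and interface names are taken from the posted configs, and Office_Sad's original "permit ip any any" is narrowed to its own LAN to mirror the other router.

```cisco
! --- Office_Sad (LAN 192.168.4.0/24, "ip nat outside" on GigabitEthernet0/0) ---
! ACL 100 is the list named in "ip nat inside source list 100 ... overload".
! Numbered ACLs cannot be edited in place, so the list is removed and
! re-entered with the deny first: a packet matching a deny is simply
! not translated, a packet matching the permit is NAT'd as before.
no access-list 100
access-list 100 remark NAT exemption for traffic to the other office
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
!
! --- PaulShark-Sad (LAN 192.168.9.0/24, "ip nat outside" on FastEthernet4) ---
! Same pattern mirrored; the existing denies for 192.168.181.0/24 and
! 192.168.240.0/24 are kept and one more is added for the first office.
no access-list 100
access-list 100 remark NAT exemption for traffic to the other office
access-list 100 deny   ip 192.168.9.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 100 deny   ip 192.168.9.0 0.0.0.255 192.168.181.0 0.0.0.255
access-list 100 deny   ip 192.168.9.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 100 permit ip 192.168.9.0 0.0.0.255 any
!
! Translations already in the NAT table keep matching until they age out,
! so flush them once (this interrupts sessions that were being NAT'd).
clear ip nat translation *
!
! Verification: after a ping from 192.168.4.4 to 192.168.9.12 this should
! print no entry on Office_Sad, because that flow is now exempt.
show ip nat translations | include 192.168.4.4
```

ACL 105 only selects inbound TCP for the rotary pool and is not consulted for the LAN-to-LAN ping, so it does not need an ICMP line for this test.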
02-06-2013 10:47 PM
Shouldn't the router look in the routing table, see the route 192.168.4.0/24 to 89.104.2.230 and route all traffic to that hop with ACL permit any any?
02-07-2013 06:50 AM
Hello again!
I must say it's really hard to understand your topology. You say you have secondary IP addresses, but I can't see any... But maybe this will fix your issue.
So you have a static default route to find the other subnet; that way the router knows where to send the packets, but does your ISP know where that subnet is located? If the ISP doesn't have static routes for those subnets, it will not find them.
What I think you could try is to make a simple logical tunnel between the two routers.
R1:
interface tunnel 1
description Tunnel to R2
ip address 192.168.255.1 255.255.255.0
tunnel source
tunnel destination
R2:
interface tunnel 1
description Tunnel to R1
ip address 192.168.255.2 255.255.255.0
tunnel source
tunnel destination
And then when you have done this, you will need to redirect your static routes so they point to the tunnel interface, or start using a dynamic routing protocol.
02-07-2013 10:56 AM
The access lists that I am referring to are used to describe which traffic gets address translated with the "ip nat source list" command. This is assuming that you want the traffic going to the other side to retain its private address and that the network between them allows private addresses. The deny says "don't NAT this traffic to the outside interface IP address".
The post above which creates a GRE tunnel will accomplish the same thing with a little processing and packet encapsulation overhead. This affects the maximum size packet (usually fixed at 1500 on the interfaces) that can be sent from either side. There can be packet loss issues also if the "don't fragment" bit is set and the packet is too large.
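To put Henrik's tunnel skeleton and glenn's MTU caveat together, here is an added, complete GRE configuration for both routers (not from any post in the thread). The tunnel addresses are Henrik's; `<R1_WAN_IP>` and `<R2_WAN_IP>` are placeholders for the masked 89.104.*.230 and 89.104.*229 addresses; the MTU, MSS and keepalive values are assumptions for a 1500-byte path.

```cisco
! --- R1 = Office_Sad (LAN 192.168.4.0/24, WAN GigabitEthernet0/0) ---
interface Tunnel1
 description GRE to R2 (PaulShark-Sad)
 ip address 192.168.255.1 255.255.255.0
 ! GRE adds 24 bytes (20 outer IP + 4 GRE). Keep the inner packet below
 ! the 1500-byte WAN MTU so the router never has to fragment it.
 ip mtu 1400
 ! Clamp TCP MSS (1400 - 40 bytes of IP/TCP headers) so hosts size their
 ! segments for the tunnel; this avoids the DF-bit loss glenn mentions.
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 ! Placeholder for the masked address of R2's FastEthernet4.
 tunnel destination <R2_WAN_IP>
 ! GRE keepalives every 10 s; after 3 misses the line protocol drops,
 ! so the static route below is withdrawn instead of blackholing.
 keepalive 10 3
!
! Replace the route via the ISP next hop with one via the tunnel.
no ip route 192.168.9.0 255.255.255.0 <R2_WAN_IP>
ip route 192.168.9.0 255.255.255.0 Tunnel1
!
! --- R2 = PaulShark-Sad (LAN 192.168.9.0/24, WAN FastEthernet4) ---
interface Tunnel1
 description GRE to R1 (Office_Sad)
 ip address 192.168.255.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 ! Placeholder for the masked address of R1's GigabitEthernet0/0.
 tunnel destination <R1_WAN_IP>
 keepalive 10 3
!
no ip route 192.168.4.0 255.255.255.0 <R1_WAN_IP>
ip route 192.168.4.0 255.255.255.0 Tunnel1
!
! Tunnel1 carries neither "ip nat inside" nor "ip nat outside", so LAN
! traffic routed into it is not translated; the GRE packets the router
! builds leave the WAN interface with the WAN address as their source.
!
! Checks from either router: tunnel state, the route's next hop, and a
! full-size probe with DF set to confirm the MTU budget end to end.
show interfaces Tunnel1
show ip route 192.168.9.0
ping 192.168.9.12 size 1400 df-bit
```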
02-07-2013 08:42 PM
2 glenn
Thanks, I'll try to do it today in the evening and see if it works)
As I said, the main point is that if we change ISP and, for example, the new ISP just provides us different subnets with different gateways, we need all this topology to keep working somehow...
02-07-2013 08:40 PM
2 Henrik
Thank you for the answer!
Yes, your topology is very difficult because our present ISP gives us native L2 using some kind of VPN cloud for all our branches; we can use any IPs of the ISP's VLAN on any branch, and if we change ISP, we'll have lots of problems.
So first of all I decided to switch from VPN to static routing without IPsec and then switch to dynamic routing via OSPF.
Can this tunnel interface go down like the VPN tunnel?
02-08-2013 04:22 AM
The tunnel interface will go down if the physical interface is down. You can run IPsec over GRE and still run OSPF over the tunnel even though you run IPsec.
02-08-2013 01:40 PM
I want to take away the IPsec tunnel because it somehow goes down....
I started Cacti with SNMP of CPU, errors and traffic.
I started NetFlow with ManageEngine NetFlow Analyzer.
For some reason the tunnels between Vyatta and the other branches go down. Today the tunnel between Vyatta and the 1st branch went down, yesterday between Vyatta and the 4th branch; there is no pattern and no reasons like high CPU or high traffic load....
I can't understand why it goes down and that's why I decided to take away IPsec.