Adding ISP secondary subnet to 2801

maximtory
Level 1

Hello,

I can't seem to get the secondary IP subnet to get out from inside my LAN. I added the subnet as "secondary" and called my ISP to confirm their setting are set and routing the new subnet to our router. Am I forgetting to do something? Do I need to add a route on my router?

Thanks in advance for your help.

Chris

10 Replies

John Blakley
VIP Alumni

Can you post your config? What is the end goal? Are you getting new public addresses routed to you?

HTH,

John

HTH, John *** Please rate all useful posts ***

We are trying to add a second subnet to our inside interface. We are running out of IPs, so we needed to add another set of IPs our ISP has given us.

Running config (I took out the ACLs, but let me know if you need them):

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router2801
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$bOqN$43j31EaIigZ57suJyXUE/0
!
no aaa new-model
!
resource policy
!
clock timezone Hawaii -10
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
no ip domain lookup
ip domain name test.org
ip name-server z.z.z.z
ip name-server z.z.z.z
!
username xxxxx privilege 15 view root secret 5 rtsghrthgrtygw5445y5yw4tgtr
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
 ip address y.y.y.y 255.255.255.0
 ip route-cache flow
 speed 10
 full-duplex
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address x2.x2.x2.x2 255.255.255.224 secondary
 ip address x.x.x.x 255.255.255.224
 ip access-group 101 in
 ip access-group 102 out
 ip route-cache flow
 speed 100
 full-duplex
 no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x(ISP Gateway) permanent
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
!
logging x.x.x.x
access-list 101 remark SDM_ACL Category=17
access-list 101
line con 0
 login local
line aux 0
line vty 0 4
 access-class 101 in
 privilege level 15
 password 7 04540703032E
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 password 7 0209085E0709
 login local
 transport input none
!
end

Well, two things I see. You have access-groups assigned to your fa0/1, but you don't have the ACLs in the running config. Can you post those? Are you bridging this connection with your provider, and not routing?

HTH,

John

HTH, John *** Please rate all useful posts ***

Chris

It is slightly hard to tell from the post which interface is inside and which is outside since they both have comments that indicate that they are inside. And the hiding of details of the default route makes it difficult to know quite what it is doing.

From the fact that there is no address translation configured would I assume that both x.x.x.x and x2.x2.x2.x2 are public addresses? Or would I be better to assume that the router connects to a firewall which does the translation?

If they are public IPs and there is no translation then I believe that John's suggestion that it may be the access list is probably the best guess.

And if there is a firewall which is doing translation then I believe that the best guess is that the firewall is not changed to handle the second subnet.

If you provide the appropriate details we might be able to give better answers.

HTH

Rick


Sorry for the confusion. The new subnet we are getting will be for the inside of our router. We use a 2801 with 1 external interface and 1 internal interface. We don't have a firewall yet, so we have been told by our contractor to use additional ACLs to help with security. I have added x2.x2.x2.x2 as a "secondary" subnet on the inside, but we still only have 1 IP on our external int and 1 on the single interface (x.x.x.x).

Basically the only line I added to our current config is "ip address x.x.x.x 255.255.255.224 secondary"

We didn't add any other routes or ACLs. Do we need to? That is where I am having some confusion. The ISP tech said they are already routing the new subnet to our router, and we wouldn't have to do anything. But I am assuming I have to configure the router to allow the new subnet to get in and out. We have a lot of ACLs; let me know if you need me to add them to this. Thanks for all your help.

Chris

The additional information is helpful. And I believe that it confirms that both addresses on the "inside" interface are public addresses which do not require address translation. If the ISP tech says that they are already routing that subnet to you then you certainly do not need to add any routes or anything like that. I suspect that you do need to change one or both of the access lists. It would be very helpful if you would post them. (and we may need a bit more detail than x.x.x.x and x2.x2.x2.x2 for addressing)

Also I note that you seem to be using access list 101 as an interface access list using access-group and also using the access list on the vty with access-class. While it is possible to use the same access list for both it is very unusual. I would suggest that you use a different access list (and probably a standard access list rather than an extended access list) for the access-class on the vty.

HTH

Rick


!----------------------------------------------------------------------------
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ro01-map
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$bOqN$43j31EaIigZ57suJyXUE/0
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
no ip domain lookup
ip domain name test.org
ip name-server 216.36.57.90
ip name-server 68.215.210.50
!
username dfsg privilege 15 secret 5 $1$KLBE$YdnM/NzfpVAt9vOaOtIiW0
username hlffd privilege 15 secret 5 $1$mUQH$9hKPSVXg/d8d6MupjTc04.
username oledflfddm privilege 15 view root secret 5 $1$qODq$yeCrO4WqfVxjGwyluwY/e/
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
 ip address 66.93.59.220 255.255.255.0
 ip route-cache flow
 speed 10
 full-duplex
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address 74.202.18.25 255.255.255.224 secondary
 ip address 68.215.228.190 255.255.255.224
 ip access-group 101 in
 ip access-group 102 out
 ip route-cache flow
 speed 100
 full-duplex
 no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 66.193.159.1 permanent
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
!
logging 68.215.228.179
access-list 101 remark SDM_ACL Category=17
access-list 101 permit tcp 68.215.228.160 0.0.0.31 any log
access-list 101 permit udp 68.215.228.160 0.0.0.31 any log
access-list 101 permit icmp any 68.215.228.160 0.0.0.31 log
access-list 101 permit tcp any host 68.215.228.163 log
access-list 101 permit tcp host 71.42.114.242 host 68.215.228.164 eq www log
access-list 101 permit esp 68.215.228.160 0.0.0.31 any log
access-list 101 remark DMZ any to inside allow changed to ftp server
access-list 101 permit tcp host 68.215.228.175 any log
access-list 101 remark NTP
access-list 101 permit udp any host 192.5.41.41 eq ntp log
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=17
access-list 102 permit ip any 68.215.228.176 0.0.0.15 log
access-list 102 permit tcp any 68.215.228.160 0.0.0.15 established
access-list 102 permit icmp any 68.215.228.160 0.0.0.31 log
access-list 102 permit tcp any host 68.215.228.175 eq ftp log
access-list 102 permit tcp any 68.215.228.160 0.0.0.15 eq www log
access-list 102 permit tcp any host 68.215.228.163 eq 443 log
access-list 102 permit tcp any host 68.215.228.163 eq smtp
access-list 102 permit tcp any host 68.215.228.163 eq 1025 log
access-list 102 permit tcp any 68.215.228.160 0.0.0.15 eq 5900 log
access-list 102 permit tcp any 68.215.228.160 0.0.0.15 eq 8080 log
access-list 102 permit udp any 68.215.228.160 0.0.0.31 log
access-list 102 permit esp any 68.215.228.160 0.0.0.31 log
access-list 102 permit tcp any 68.215.228.160 0.0.0.31 eq 15868 log
access-list 102 permit tcp any 68.215.228.160 0.0.0.31 eq 993 log
access-list 102 permit tcp 68.215.228.192 0.0.0.63 any eq 22 log
access-list 102 permit icmp 68.215.228.192 0.0.0.63 any log
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 101 in
 privilege level 15
 password 7 04540703sdfsf032E
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 password 7 0209085E07ssdfsd09
 login local
 transport input none
!
end

Sorry it took so long to get back to you. Here is the running config with the IPs changed.

Chris

Thank you for posting the additional details. It does confirm that your problem is with the access lists. I see several problems with the access lists. The biggest problem is that the inbound access list 101 does not have any permit statements for anything in 74.202.18.0/27 as the source (remember that inbound access lists are for traffic from the LAN coming into the interface, so the LAN is the source address). And the outbound access list 102 does not have any permit statements for the new subnet either (remember that in outbound access lists the local subnet is the destination).

So the most important thing that you need to do is to add permit statements to both access list 101 and 102 to permit the new subnet. At a minimum it might look like:

access-list 101 permit ip 74.202.18.0 0.0.0.31 any

and

access-list 102 permit ip any 74.202.18.0 0.0.0.31

and if your requirements are to treat different hosts differently (as the access list does for the original subnet) then you would need to create that logic.

There are some other issues in the access lists, but they are not involved in why the new subnet does not work.

- these 2 lines use 68.215.228.160 as the destination, but are in the inbound access list where that subnet should be the source and not the destination:

access-list 101 permit icmp any 68.215.228.160 0.0.0.31 log

access-list 101 permit tcp any host 68.215.228.163 log

so I do not see how these lines could ever get a hit.

- this line also has the addresses reversed from what they should be:

access-list 101 permit icmp any 68.215.228.160 0.0.0.31 log

access-list 101 permit tcp any host 68.215.228.163 log

- and access list 102, which is outbound, has these lines where the source and destination are reversed:

access-list 102 permit tcp 68.215.228.192 0.0.0.63 any eq 22 log

access-list 102 permit icmp 68.215.228.192 0.0.0.63 any log

Fix up the access lists and let us know how it is working.

HTH

Rick

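To audit the two ACLs the way this reply does, here is an added example (not from the thread or any of its participants) in Python: it parses standard numbered access-list lines, treats the LAN as the source for the inbound list 101 and as the destination for the outbound list 102, flags lines that put a local address on the far side, and reports which LAN subnet no permit line names. The sample lines are constructed from the posted ACLs; the example treats 68.215.228.192/26 as local only because the reply reads it that way, and it generalizes to any contiguous wildcard mask.

```python
import ipaddress
import re
# Constructed sample of the posted ACL lines; both lists are applied on the LAN interface (fa0/1): 101 in, 102 out.
ACL_TEXT = """\
access-list 101 permit tcp 68.215.228.160 0.0.0.31 any log
access-list 101 permit icmp any 68.215.228.160 0.0.0.31 log
access-list 101 permit tcp any host 68.215.228.163 log
access-list 101 permit udp any host 192.5.41.41 eq ntp log
access-list 102 permit ip any 68.215.228.176 0.0.0.15 log
access-list 102 permit tcp 68.215.228.192 0.0.0.63 any eq 22 log
access-list 102 permit icmp 68.215.228.192 0.0.0.63 any log
"""
FIX = """\
access-list 101 permit ip 74.202.18.0 0.0.0.31 any
access-list 102 permit ip any 74.202.18.0 0.0.0.31
"""  # the two permit lines the reply suggests adding
DIRECTION = {"101": "in", "102": "out"}  # as applied on the LAN interface
LAN_NETS = [ipaddress.ip_network(n) for n in ("68.215.228.160/27", "74.202.18.0/27")]
LOCAL_NETS = LAN_NETS + [ipaddress.ip_network("68.215.228.192/26")]  # /26 assumed local, as the reply reads it
ANY = ipaddress.ip_network("0.0.0.0/0")
ADDR = r"any|host \S+|\S+ \S+"
LINE_RE = re.compile(rf"access-list (\d+) (permit|deny) \S+ ({ADDR}) ({ADDR})")

def parse_addr(tok):
    """IOS address token ('any', 'host A', 'A wildcard') -> ip_network; contiguous wildcards only."""
    if tok == "any":
        return ANY
    if tok.startswith("host "):
        return ipaddress.ip_network(tok.split()[1] + "/32")
    addr, wildcard = tok.split()
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(acl_text, direction=DIRECTION, lan_nets=LAN_NETS, local_nets=LOCAL_NETS):
    """Return (flagged, uncovered): lines with a local address on the far side (they can never
    match), and the LAN subnets that no permit line names on its LAN side ('any' is not counted)."""
    flagged, covered = [], {acl: set() for acl in direction}
    for line in acl_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) not in direction:
            continue  # remarks, other lists and unparsed syntax are skipped
        acl, action, src, dst = m.groups()
        nets = [parse_addr(src), parse_addr(dst)]  # LAN is the source inbound, the destination outbound
        lan, far = nets if direction[acl] == "in" else nets[::-1]
        if lan == ANY and any(far.subnet_of(n) for n in local_nets):
            flagged.append(line)
        elif action == "permit" and lan != ANY:
            covered[acl].update(n for n in lan_nets if lan.overlaps(n))
    uncovered = {acl: [n for n in lan_nets if n not in covered[acl]] for acl in direction}
    return flagged, uncovered
```

Running `audit(ACL_TEXT)` flags the four reversed lines the reply lists and reports 74.202.18.0/27 as unnamed in both lists; `audit(ACL_TEXT + FIX)` reports nothing unnamed.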

Thanks for your help so far, I really appreciate it. I have made the changes, but seem to still have difficulty getting to the router from the device. What would I use for the gateway when adding a static IP to a device? Thanks again for your help.

maximtory
Level 1

Thanks, Rick.

It looks like it's working now; it looks like we can put in either gateway (the old or new subnet gateway). Thanks for your help, you guys are the best. If you have any other suggestions on things we can change on our ACLs/running config, we would totally appreciate it as well.
