10-13-2011 12:07 PM - edited 03-07-2019 02:48 AM
This one is a doozie and I'm willing to bet I'm just overlooking something. I've tried beating my head against my ccna books but osmosis just isn't working. I'm hoping someone here will just say 'psssh, you forgot this in your config'.
Here's the deal. We picked up a Cisco 2911 Router for a project. Without trying to give up too much information here (company policy and all over this project) what this router is trying to accomplish is splitting traffic between two separate networks. (oh you know an ASCII diagram is coming up, you can just feel it). The segregated network has certain servers that have to send data to Network A via routing policies, but a majority of their traffic will be going out Network B's firewall then router. Only certain services on certain servers allowed out on Network A, the rest of the traffic goes out Network B. Everything is hardware firewalled on the network ends as well... I'll assume that I'll have to attach an image because just the description hurts my head (try setting this up). But here's an ASCII setup (use your imagination).
(Network A -10.0.124.X ) - Managed Switch - Checkpoint Firewall - Cisco(GigE0/2) Cisco(GigE0/1)-Checkpoint Firewall - Cisco 1800 - Outside Network (VPN Connections).
GigE0/0 Is connected to a Managed Switch (HP Procurve).
GigE0/0 is: 192.168.16.1
GigE0/1 is: 192.168.17.1
GigE0/2 is: 192.168.18.1
Kept off of separate subnets of course (granted I could have gone with 10.x, 172.x, 192.x but that further confuses things with this setup)
So here's the deal. And attached is my config. From the router itself I can get out to Network A and ping/ssh to various servers on the 10.0.124.x network; from a computer attached to GigE0/1 I cannot get past the router. I can ping the .16.1, .17.1, .18.1 and so on and so forth with devices, but I cannot get past the router itself. Gateway on the attached computer (switch as well) is 192.168.16.1. I've done ACLs wide open, I've removed ACLs, I've removed NAT, I've set up NAT, I've added static routes, I've removed static routes, I've set up gateways of last resort until my eyes bled. At this point in time gateway of last resort is 192.168.18.2 which is the interface of the Checkpoint Firewall heading out to Network A just so I can get anything attached to GigE0/0 out through the network.
Why won't this route properly? I've spent the last few days with QWERTY embedded in my forehead and I know I've overlooked something silly. If you notice right now (according to the config) GigE0/1 is currently down as it's in the Development Environment and I'm attempting to just get a computer attached to GigE0/0 to route any traffic out through GigE0/2. Once I can get said device to route traffic out through GigE 0/2 I'll get back into access policies to route it properly. Gateway of last resort will end up being GigE0/1 once this actually works.
Current configuration : 4333 bytes
!
! Last configuration change at 09:48:49 MDT Tue Oct 11 2011
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RT-SCRUBBED-01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 SCRUBBED
!
aaa new-model
aaa session-id common
clock timezone MST -7 0
clock summer-time MDT recurring
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp bootp ignore
!
!
no ip bootp server
no ip domain lookup
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-628020236
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-628020236
revocation-check none
rsakeypair TP-self-signed-628020236
!
!
crypto pki certificate chain TP-self-signed-628020236
certificate self-signed 01
<SCRUBBED>
license udi pid SCRUBBED sn SCRUBBED
!
!
username SCRUBBED privilege 15 secret 5 SCRUBBED
username SCRUBBED password 7 SCRUBBED
!
!
ip ssh time-out 30
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
!
interface GigabitEthernet0/0
description Interface To SCRUBBED Network$ES_LAN$
ip address 192.168.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Interface To Cisco 1800
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
description Interface To SCRUBBED Network
ip address 192.168.18.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
no ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 192.168.18.2
ip route 10.0.124.0 255.255.252.0 192.168.18.2
ip route 10.5.20.0 255.255.252.0 192.168.18.2
!
!
!
!
!
!
control-plane
!
!
privilege configure level 15 shell
banner exec ^C
.
^C
banner login ^C
This is a secure system. Unauthorized use of this system will
be prosecuted to the full extent of the law. If you are not
authorized access to this system, log out now.
^C
banner motd ^CINE /
This is a secure system. Unauthorized use to this system will be punished
to the full extent of the law. If you are not authorized
for this system please log out now.
^C
!
line con 0
exec-timeout 30 0
password 7 SCRUBBED
line aux 0
exec-timeout 30 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 3
access-class 23 in
exec-timeout 30 0
password 7 SCRUBBED
transport input ssh
line vty 4
exec-timeout 0 0
transport input ssh
line vty 5
access-class 23 in
transport input ssh
line vty 6 15
transport input all
!
scheduler allocate 20000 1000
end
10-13-2011 12:20 PM
Hi,
could you annotate your diagram with ip addresses and network then explain what you can and can't do.
But here in the config you are referencing ACL 1 in your dynamic nat command but I don't see any ACL 1 configured.
Regards.
Alain.
10-13-2011 12:33 PM
Alain,
Attached is a diagram with the ip addresses. I had ACL 1 in there to begin with which was to permit the 192.168.16.10 (my test box) and 192.168.16.5 (switch) But eventually removed ACL's when I decided to go back to basics and try without ACLS to just get routing to work first then build up ACL's. I can always try removing ACL 1 from the adaptor but there's no rule for ACL 1 right now.
10-13-2011 01:11 PM
Hi,
Can you ping every device in your topology from the 2900 router?
if not what do traceroutes to devices in each network tell?
Are you sure all devices have correct gateway and subnet mask?
have you checked the hardware firewalls?
Are firewalls on hosts disabled?
Regards.
Alain.
10-13-2011 01:35 PM
I can ping the 192.168.16.x devices from the router, I can ping the 192.168.17.1, 192.168.18.x, and other 192.168.19.x devices from 192.168.19.10. From the router I can ping/traceroute anything on the 10.0.124. and 10.5.20 network without a problem. From one of the devices (be it the managed switch or the server on 192.168.16.10) I can't ping past the router. Traceroute from 192.168.16.10 drops off at 192.168.16.1 (ip address of router). Removing the switch from the equation and plugging directly into the Cisco just in case, and the traceroute still drops at 192.168.16.1 (gateway of device). Subnet of 192.168.16.1 is /24, server on .16 is set to /24, gateway on 192.168.16.10 is 192.168.16.1. Firewalls on hosts disabled on internal subnet (192.168.16.x) until this is sorted out.
So in a nutshell, router can get out to 10.x and 10.5.x, router can ping everything on 192.168.16.x and ssh to said devices. Anything attached to GigE0/0 cannot route past 192.168.16.1 (GigE0/0) but can ping anything on the router.
~Confused.
10-13-2011 02:23 PM
Hi,
do an extended ping on the router:
ping x.x.x.x source 192.168.16.1 and if it doesn't work then try to nat 192.168.16.0/24 on the router to g0/2:
access-list 1 permit 192.168.16.0 0.0.0.255
ip nat inside source list 1 interface g0/2
and if it works then you miss a route to 192.168.16.0 from the checkpoint firewall
Regards.
Alain.
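The root cause in this thread is a NAT statement that names access-list 1 while no access-list 1 exists, so nothing was ever translated. The same config also applies `access-class 23` on the vty lines and `ip http access-class 23` without defining ACL 23. Below is a small linter, added here as an example and not part of the thread or of any Cisco tool, that reads an IOS-style running config and reports every ACL reference whose list is never defined. The sample config is an excerpt of the one posted above; the `FIXED_CONFIG` variant simply appends the `access-list 1` line Alain suggested. Regex patterns and the set of commands it recognises are my own assumptions and cover the common forms only.

```python
import re
from dataclasses import dataclass

# Sample input: excerpt of the running config posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.16.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2
 ip address 192.168.18.1 255.255.255.0
 ip nat outside
!
ip http access-class 23
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 192.168.18.2
!
line vty 0 3
 access-class 23 in
 transport input ssh
line vty 5
 access-class 23 in
 transport input ssh
line vty 6 15
 transport input all
"""

# Same excerpt with the standard ACL from the accepted answer added.
FIXED_CONFIG = SAMPLE_CONFIG + "access-list 1 permit 192.168.16.0 0.0.0.255\n"


@dataclass(frozen=True)
class AclRef:
    acl: str       # ACL number or name that is referenced
    context: str   # "global" or the interface/line section containing the reference
    kind: str      # which command referenced it: nat, http, line, interface


# Assumed patterns: numbered ACLs ("access-list 1 ...") and named ACL headers
# ("ip access-list standard/extended NAME") define a list.
ACL_DEF_RE = re.compile(r"^(?:access-list (\S+) |ip access-list (?:standard|extended) (\S+))")
# Section headers whose sub-commands may carry an ACL reference.
SECTION_RE = re.compile(r"^(interface \S+|line \S+(?: \d+){0,2})$")
# Commands that consume an ACL, with the group that captures its id.
REF_PATTERNS = [
    ("nat", re.compile(r"^ip nat (?:inside|outside) source list (\S+)")),
    ("http", re.compile(r"^ip http access-class (\S+)")),
    ("line", re.compile(r"^access-class (\S+) (?:in|out)")),
    ("interface", re.compile(r"^ip access-group (\S+) (?:in|out)")),
]


def lint_acl_refs(config_text):
    """Return (defined_acls, all_refs, dangling_refs) for an IOS config text.

    Indentation is not relied on, because copy-pasted configs (like the one in
    this thread) often lose it; the most recent interface/line header is used
    as the context of any sub-command instead.
    """
    defined = set()
    refs = []
    section = "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_DEF_RE.match(line)
        if m:
            defined.add(m.group(1) or m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        for kind, pat in REF_PATTERNS:
            m = pat.match(line)
            if m:
                context = section if kind in ("line", "interface") else "global"
                refs.append(AclRef(m.group(1), context, kind))
                break
    dangling = [r for r in refs if r.acl not in defined]
    return defined, refs, dangling


def report(config_text):
    """Human-readable list of dangling references, one line per finding."""
    _, _, dangling = lint_acl_refs(config_text)
    return [f"ACL {r.acl} referenced by {r.kind} ({r.context}) but never defined"
            for r in dangling]


if __name__ == "__main__":
    print("Original config:")
    for finding in report(SAMPLE_CONFIG):
        print("  " + finding)
    print("After adding access-list 1:")
    for finding in report(FIXED_CONFIG):
        print("  " + finding)
```

Running it against the original excerpt reports ACL 1 (NAT) and ACL 23 (the HTTP server and two vty line groups); after the fix only ACL 23 remains. The two cases fail differently on IOS: a NAT `source list` that matches nothing translates nothing, which is why hosts behind GigE0/0 never got past the firewall, whereas an `access-class` or `access-group` naming a list with no entries permits everything, so those vty and HTTP lines were not restricting management access at all. A check like this belongs in any pre-deployment review of a config that has been edited back and forth the way this one was.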
10-13-2011 02:36 PM
Alain,
Bravo! It was the access-list on the g0/2. Once I set up that ACL 1 it went through. Thank you, whew, I can actually sleep tonight. I tried access lists in the beginning, removed them, tried them, removed them... wonder what I screwed up. Regardless, thank you for your help.
~Jayson
10-13-2011 02:44 PM
Hi,
happy you solved it but easiest would be to either put a route on the firewall or permit traffic from 192.168.16.0 or return traffic to it on the firewall, this way you won't have to NAT on your 2900 anymore.
Regards.
Alain.