Lost

jlcarey1usa
Level 1

Strange situation. Have a company with two physical sites connected via a point-to-point T1. On each end of the T1 are old Cisco 1602R routers. The problem is actually with Exchange servers failing to talk to each other properly. Site A is main office and Site B is branch office. Each site contains 1 Exchange server and the sites are supposed to talk over this p-t-p connection. I cannot use telnet to connect from site A to site B over port 25. I can however, connect from site B to site A over port 25.

Essentially, the communication between these Exchange servers is failing because messages cannot go from site A to site B, but can go from site B to site A.

The interesting thing is that I can use telnet from site A to site B using a different port, say 691 which is also used with Exchange and it works fine.

I can telnet into site B router and establish a telnet session to the Exchange server in site B.

The problem is router A. For some reason, it will not allow requests over port 25 to go through.

Any clue???

Rick,

Here is what we have in NY. From the routers themselves, I can ping down to the 120.1 gateway in GA just fine and from GA to NY, which is 110.1. However, I cannot ping anything on the subnets themselves. So, for instance, I can ping to 120.1, which goes down the p-t-p connection, but I cannot ping any pc on the subnet itself.

In NY we noticed that we cannot ping from my desktop (or from the 2811) on the 110.0 subnet to 192.168.0.1 or 192.168.0.2, which is the Sonicwall firewall on Eth0/1, which goes out to the Internet.

It seems as though the 2811 does not know how to route the packets from the 110.0 subnet to the FE0/1 interface on the 2811. Do we need another route or something?

NY2811#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.0.2 to network 0.0.0.0

S 192.168.120.0/24 [1/0] via 10.1.2.2

C 192.168.110.0/24 is directly connected, FastEthernet0/0

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 10.1.2.0/24 is directly connected, Serial0/0/0

C 10.1.2.2/32 is directly connected, Serial0/0/0

C 192.168.0.0/24 is directly connected, FastEthernet0/1

S* 0.0.0.0/0 [1/0] via 192.168.0.2

C 192.168.0.0/16 is directly connected, FastEthernet0/1

And this is the sh run

NY2811#sh run

Building configuration...

Current configuration : 1321 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname NY2811

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$dhKF$6R4QKDKyPkttO1jcpo6K4.

!

no aaa new-model

ip subnet-zero

!

!

ip cef

!

!

ip ips po max-events 100

no ftp-server write-enable

!

!

!

!

!

!

!

!

interface FastEthernet0/0

description To NY LAN

ip address 192.168.110.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex full

speed auto

no mop enabled

!

interface FastEthernet0/1

description To SonicWall

ip address 192.168.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex full

speed auto

no mop enabled

!

interface Serial0/0/0

description To Georgia

ip address 10.1.2.1 255.255.255.0

ip nat inside

ip virtual-reassembly

encapsulation ppp

no fair-queue

service-module t1 clock source internal

service-module t1 timeslots 1-20

!

interface Serial0/1/0

no ip address

shutdown

clockrate 2000000

!

router rip

network 192.168.110.0

network 192.168.120.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.0.2

ip route 192.168.120.0 255.255.255.0 10.1.2.2

!

ip http server

no ip http secure-server

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0

password carpet

login

line vty 1 4

login

!

scheduler allocate 20000 1000

!

end

NY2811#

NY2811#sh int f0/1

FastEthernet0/1 is up, line protocol is up

Hardware is MV96340 Ethernet, address is 0013.1aa4.2a19 (bia 0013.1aa4.2a19)

Description: To SonicWall

Internet address is 192.168.0.1/24

MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s, 100BaseTX/FX

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:03:24, output 00:00:09, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

982 packets input, 72826 bytes

Received 723 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog

0 input packets with dribble condition detected

3642 packets output, 729519 bytes, 0 underruns

0 output errors, 0 collisions, 5 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

NY2811#sh int f0/0

FastEthernet0/0 is up, line protocol is up

Hardware is MV96340 Ethernet, address is 0013.1aa4.2a18 (bia 0013.1aa4.2a18)

Description: To NY LAN

Internet address is 192.168.110.1/24

MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s, 100BaseTX/FX

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:00, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 1 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

34916 packets input, 3638848 bytes

Received 31524 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog

0 input packets with dribble condition detected

4102 packets output, 448385 bytes, 0 underruns

0 output errors, 0 collisions, 4 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

NY2811#show service-module

Module type is T1/fractional

Hardware revision is 0.51, Software revision is 20050328,

Image checksum is 0x41503A, Protocol revision is 0.1

Receiver has no alarms.

Framing is ESF, Line Code is B8ZS, Current clock source is internal,

Fraction has 20 timeslots (64 Kbits/sec each), Net bandwidth is 1280 Kbits/sec.

Last module self-test (done at startup): Passed

Last clearing of alarm counters 04:59:16

loss of signal : 0,

loss of frame : 0,

AIS alarm : 0,

Remote alarm : 2, last occurred 04:58:32

Module access errors : 0,

Total Data (last 19 15 minute intervals):

0 Line Code Violations, 0 Path Code Violations

0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins

0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

Data in current interval (843 seconds elapsed):

0 Line Code Violations, 0 Path Code Violations

0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins

0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

NY2811#

James

I think that there are several things that are questionable in what you have posted here. But I am not sure that any of them really explain the problem that you are having.

The one that bothers me most is this from your routing table:

C 192.168.0.0/16 is directly connected, FastEthernet0/1

Why does the router think that 192.168.0.0/16 is connected to fa0/1? I have looked through the config and do not see it. I would suggest that you save the running config to startup config and then reboot the router. I have sometimes seen this straighten up strange things like this. If a reboot does not clear it up then we will have to dig into this more.

I also note that nat inside is configured on the interfaces fa0/0, fa0/1, and ser0/0/0. But there is no nat outside and no nat translation configuration. Until you are really ready to do nat (if you really need nat - which I am not sure that you do) I suggest that you remove all of the nat inside statements.

You have configured router rip with network statements for the local LAN and the remote LAN. This is not working. Depending on what you want to do with RIP it needs a network statement that includes the serial interface and perhaps the interface to the firewall. Or you should remove RIP. Can you clarify what you expect RIP to do? Then perhaps we will see the better way to configure it.

HTH

Rick
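
Two of the checks raised in the reply above, written as an added example (not code from the thread or from Cisco): it cross-checks connected routes against configured interface addresses and lists interfaces that no RIP `network` statement covers. The sample text is constructed by trimming the NY2811 output quoted in this thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, trimmed from the NY2811 output quoted in this thread.
SHOW_RUN = """\
interface FastEthernet0/0
 ip address 192.168.110.1 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
interface Serial0/0/0
 ip address 10.1.2.1 255.255.255.0
router rip
 network 192.168.110.0
 network 192.168.120.0
"""
SHOW_IP_ROUTE = """\
C 192.168.110.0/24 is directly connected, FastEthernet0/0
C 10.1.2.0/24 is directly connected, Serial0/0/0
C 10.1.2.2/32 is directly connected, Serial0/0/0
C 192.168.0.0/24 is directly connected, FastEthernet0/1
C 192.168.0.0/16 is directly connected, FastEthernet0/1
"""

def interface_networks(run_cfg):
    """Map interface name -> network from its 'ip address' line."""
    nets, current = {}, None
    for line in run_cfg.splitlines():
        if not line.startswith(" "):  # top-level line opens a new section
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
        elif current and (m := re.match(r"\s+ip address (\S+) (\S+)", line)):
            nets[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    return nets

def unexplained_connected(run_cfg, route_out):
    """Connected routes matching no configured network (PPP peer /32s aside)."""
    nets, found = interface_networks(run_cfg), []
    for pfx, ifname in re.findall(r"^C\s+(\S+) is directly connected, (\S+)", route_out, re.M):
        net = ipaddress.ip_network(pfx)
        if net.prefixlen != 32 and nets.get(ifname) != net:
            found.append((pfx, ifname))
    return found

def classful(addr):
    """Classful network of addr, which is how RIP reads a 'network' line."""
    first = int(str(addr).split(".")[0])
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

def rip_uncovered(run_cfg):
    """Interfaces whose address falls under no RIP 'network' statement."""
    stmts = {classful(a) for a in re.findall(r"^\s+network (\S+)", run_cfg, re.M)}
    return sorted(i for i, n in interface_networks(run_cfg).items()
                  if classful(n.network_address) not in stmts)
```

On this sample, `unexplained_connected` reports only the 192.168.0.0/16 entry on FastEthernet0/1, and `rip_uncovered` lists FastEthernet0/1 and Serial0/0/0.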

This is the basic config. What's wrong with it?

NY2811#sh run

Building configuration...

Current configuration : 1205 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname NY2811

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$NcI5$lbxD3vgvoOuymgAGelmt7.

enable password stanton

!

no aaa new-model

ip subnet-zero

!

!

ip cef

!

!

ip ips po max-events 100

no ftp-server write-enable

!

!

!

!

!

!

!

!

interface FastEthernet0/0

description conncted to sonicwall

ip address 192.168.0.1 255.255.255.0

duplex full

speed auto

no mop enabled

!

interface FastEthernet0/1

description connected to NY subnet

ip address 192.168.110.1 255.255.255.0

duplex full

speed auto

no mop enabled

!

interface Serial0/0/0

description connected to GA via T1

bandwidth 1120

ip address 10.1.2.1 255.255.255.0

encapsulation ppp

no fair-queue

service-module t1 timeslots 1-20

service-module t1 remote-alarm-enable

!

interface Serial0/1/0

no ip address

shutdown

clockrate 2000000

!

no ip classless

ip route 0.0.0.0 0.0.0.0 192.168.0.2

ip route 192.168.120.0 255.255.255.0 10.1.2.2

!

ip http server

no ip http secure-server

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0 4

password carpet

login

!

scheduler allocate 20000 1000

!

end

NY2811#

Using this basic config, from the 110.0 subnet, we are unable to get to the Internet and we cannot ping 192.168.0.2. Which means that the router does not know how to direct requests out to the FE0/0 interface.

James

It might mean that the router does not know how to direct requests out the FE0/0 - but I doubt it. It might also mean that the firewall does not know how to route to the 110.0 subnet - which I believe is the more likely problem.

HTH

Rick
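
The return-path argument in the reply above, traced as an added example (not code from the thread): a longest-prefix-match lookup on both devices shows the request reaching the firewall while the reply leaves by the firewall's default route until a route back to 192.168.110.0/24 exists. The router table is taken from the config posted above; the firewall table, the `WAN` label and the host address 192.168.110.50 are assumptions, since the thread never shows the SonicWall's routes.

```python
import ipaddress

# Routes from the second NY2811 config in the thread (Fa0/0 faces the firewall).
NY_ROUTER = [
    ("192.168.0.0/24", "connected"),
    ("192.168.110.0/24", "connected"),
    ("10.1.2.0/24", "connected"),
    ("192.168.120.0/24", "10.1.2.2"),
    ("0.0.0.0/0", "192.168.0.2"),
]
# Assumed firewall table: the thread never shows the SonicWall's routes.
FW_BEFORE = [("192.168.0.0/24", "connected"), ("0.0.0.0/0", "WAN")]
FW_AFTER = FW_BEFORE + [("192.168.110.0/24", "192.168.0.1")]

HOST = "192.168.110.50"  # constructed LAN host address

def lookup(table, dst):
    """Longest-prefix match; returns the winning (network, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table]
    hits = [h for h in hits if dst in h[0]]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def ping(router, firewall, src, dst, router_addr="192.168.0.1"):
    """Trace an echo from a LAN host to the firewall's address and back.

    Returns (request_delivered, reply_delivered, reply_next_hop)."""
    out = lookup(router, dst)
    request_ok = out is not None and out[1] == "connected"
    back = lookup(firewall, src)
    # The reply only returns if the firewall hands it to the router's address.
    reply_ok = request_ok and back is not None and back[1] == router_addr
    return request_ok, reply_ok, back[1] if back else None

if __name__ == "__main__":
    print("before:", ping(NY_ROUTER, FW_BEFORE, HOST, "192.168.0.2"))
    print("after: ", ping(NY_ROUTER, FW_AFTER, HOST, "192.168.0.2"))
```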

Rick

That's funny, I was just checking the router config when I got your reply. This is what we have done. We reloaded the default config on the cisco and on the Sonicwall. Completely cleaned out. We then set up a private lan so that we are disconnected from the corporate network. At this point, we have the Internet connected to the sonicwall and the sonicwall connected to the 2811 on fe0/0. The fe0/1 int is connected to a switch and my laptop is connected to the switch. We also have the p-t-p connection up and running as well. So, we can ping from the laptop down to GA via the p-t-p, but again, it cannot ping anything else on the GA subnet, 120.0.

I would agree that the Sonicwall is the more likely culprit. So, what you are saying is that in no way do we need to add another routing statement or anything else on the 2811 for it to direct requests out to the fe0/1 interface?

Is there another way we could test this?

James

Assuming that the last config that you posted still accurately represents the NY router (you have mentioned cleaning out and starting over several times and I am not entirely clear what the current config really is) then you have these routing statements in the router:

ip route 0.0.0.0 0.0.0.0 192.168.0.2

ip route 192.168.120.0 255.255.255.0 10.1.2.2

Assuming that the firewall is at address 192.168.0.2 then you should have a functioning default route. And assuming that the GA router is at address 10.1.2.2 then you should have a functioning route to the GA network. I do not see a need for any additional routing statements assuming that the local subnet is routed (110), the GA subnet (120) is routed, and everything else goes to the firewall. You can help verify that this is correct by posting the output of show ip route from the NY router. It might also be helpful if you post the output of show ip interface brief. And it might be helpful to get the output of those commands from the GA router also.

HTH

Rick

Rick,

I think we finally got it. We did not need to add any other routes on the 2811 and the sonicwall needed a route added as well as a few other things. But, at this point it looks good. We created a private 110.0 subnet so as not to interfere with the current lan on the actual network. This allowed us to test it and fool around with the settings. I appreciate your help and if anything goes wrong when we put it on the real network, I will let you know. I honestly think it will work now.

I haven't used cisco equipment in so many years...I have forgotten most of it. But, I feel more confident now. I still can't understand how I passed my CCNA years ago!! I guess I will need to revisit that test and relearn some of these concepts. However, there is no better learning tool than trying to correct other people's mistakes. This network was and is a mess, but I am slowly correcting it. Active Directory was a nightmare, but that is my strength, so I have cleared it up. Routing and network engineering is not something I do very often. But, it has been a good learning experience because it forced me to completely go "back to the books" to relearn and understand how all these pieces fit together. That will pay off in the future. Have a good holiday and new year.

I'll keep in touch if things go wrong when we put this on the real network.

James

I am glad that things appear to be on the right track now. I hope that it does go well when you put it into the production network.

I am glad that it has been a good experience for you. I agree that working on something like this is a very good way to go back and review fundamentals and that is important in the overall success of the effort.

Best wishes with your network.

HTH

Rick

One more question. Will it be a problem that on both new routers there will be an interface on a subnet of 192.168.0.0?

So, when you do a ping it could conceivably go to either router because both of them will have that address?

James

I am not sure that I understand your question, especially the part about both new routers. Which routers are the new routers? I thought that there was an old router and a new router.

Probably we need to understand the topology better to be able to answer your question. If the 192.168.0.0 subnet connects to the Sonicwall, then the Sonicwall would potentially have 2 routers that talk to it through that subnet. If both routers have the same IP address then that is an obvious problem. If the routers have different addresses, then the issue becomes how is the Sonicwall configured? If it has a route statement that says that the 110 subnet is reached through 192.168.0.1 (and if only one of the routers has that address) then it should not be a problem.

HTH

Rick

Both sonicwalls will be connected to a router. So the topology is Internet to sonicwall to cisco router to lans.

The connection between the sonicwall and the cisco is on a 192.168.0.0/24 network.

Both offices will have the same configuration. So, each router will have an interface with that subnet. Is this a problem? It's almost like having a private lan between the cisco and sonicwall. Would the solution then be to put one on a 192.168.0.0 subnet and the other on a 192.168.1.1 network?

James

OK. I did not understand that the discussion was about both offices. Now that I understand that here is what I think:

As long as the subnet is local between the sonicwall and the router (is used to transport data between sonicwall and router and no other devices are connected in that subnet) then the routers do not need to advertise the subnet and it would not be a problem if both sites use the same network (and same addresses).

Having said that it would not cause a problem, I would say that I believe that a better solution would be to subdivide the subnet. Let NY use 192.168.0.0 255.255.255.128 and use addresses 192.168.0.1 and 192.168.0.2. Then let GA use 192.168.0.128 255.255.255.128 and use addresses 192.168.0.129 and 192.168.0.130.

HTH

Rick

That's an interesting idea, but in this case is probably not realistic because of the number of machines, ip cameras and other devices that would have to be manually changed to reflect the new ip scheme.

On another note, I took the new GA router that we are going to implement, which is a 2611. Gave it the same ip addresses as the NY router to see if it would work as the NY router just to test basic routing and connectivity before shipping it to GA. When I do a sh ip route, it comes back with the normal info or "legend" that tells you what the routes mean and then it states gateway of last resort is not set and there are no routes listed. But I put them in there, did a copy run start. Everything seems to work.

gateway of last resort would be 0.0.0.0 0.0.0.0 192.168.0.2 in this case.

Why would no routes show up?
