10-29-2006 06:49 AM - edited 03-05-2019 12:30 PM
I'm currently attempting to run a 1720 as an edge router with a PIX 501 behind it. As of now, I can pull a public IP on the 1720's WAN interface (I'm using a WIC-1ENET card with broadband) but I can't get any activity from the fa0 port.
However, when I put a Linksys WRV200 in front of the pix, I can pass traffic to the computers sitting behind the pix and route without any issues.
My goal is to remove SOHO devices from gateway positions and use industry rated hardware instead. Provided I get some responses, I'll post configs if need be.
Jay
10-31-2006 12:31 AM
Hi Jay
Are you able to ping any of the outside IPs from the PIX's inside LAN?
Also, what kinda NAT is being configured there in your network?
Also, do post your configs (both pix & router) here, so that the same can be verified.
regds
11-05-2006 12:30 PM
Sorry I'm late replying...
Yes, I'm able to ping. I've changed my configuration; now I have my 2610 as my only router at the moment; I figure if I can just get that to connect to the internet, I can work my way back on everything else. So, my goal is to make a simple internet connection with just my 2610 for the moment. Unfortunately, I still can't connect. Here's my config:
Building configuration...
Current configuration : 1162 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname London1
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret xxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxx
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip dhcp excluded-address 172.16.31.1
ip dhcp excluded-address 172.16.31.2 172.16.31.99
ip dhcp excluded-address 172.16.31.102 172.16.31.254
!
ip dhcp pool Guardtower
import all
network 172.16.0.0 255.255.255.0
default-router 172.16.31.1
!
!
!
!
!
interface Ethernet0/0
description "The Great Outdoors (WAN)"
ip address dhcp
ip access-group 10 out
ip nat outside
full-duplex
no cdp enable
!
interface Ethernet1/0
description "Private LAN"
ip address 172.16.31.1 255.255.255.0
ip access-group 10 in
ip nat inside
full-duplex
no cdp enable
!
ip nat inside source list 11 interface Ethernet0/0 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
!
access-list 10 permit any
access-list 11 permit any
no cdp run
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxxxxxxxx
login
!
!
end
Any ideas where I'm going wrong?
Jay
11-05-2006 10:11 PM
Hi Jay
Can you also post your pix config ?
regds
11-06-2006 06:24 AM
I've taken my PIX offline until further notice. Once I can get my 2610 routing, then I'll probably re-install my pix.
Thanks for responding, by the way...
Jay
11-06-2006 06:36 AM
hi,
instead of doing
access-list 11 permit any
do this
access-list 101 permit ip 172.16.0.0 0.0.255.255 any
if 172.16.0.0 is the first 2 octets of your network; if not, then add to the access-list the network that you want to allow to hit the internet
11-06-2006 10:16 AM
If at all possible, if "anyone" sees why this isn't working, could you "put it in the proper context" so that it does work? At this point, I figure it's best if someone who "knows" what's wrong makes it a working config (if you don't mind) and I can then trace back the steps it took to get it working.
I'm on a home 8mb/488kbps ADSL connection by the way...
Jay
11-06-2006 12:28 PM
Hi Jay,
I am not sure whether I follow your ideas but I can see a discrepancy in subnetting.
I understand that your clients are on e0/0 which is subnetted to a C-class address (/24).
When your router serves as dhcp server you either intend to provide the 172.16.31.X address range (but due to the "excluded" commands you can only assign the 172.16.31.100-101 addresses), in which case your network statement under "ip dhcp pool Guardtower" should read "network 172.16.31.0 255.255.255.0" NOT "network 172.16.0.0 255.255.255.0", or you intend to provide a class B address range, in which case your network statement should read "network 172.16.0.0 255.255.0.0". But then you MAY face problems with routing as you specify your default router as the e0/0 interface. Also I have no information what sort of address you get assigned from your ISP when your box acts as a dhcp client.
So if you do not mind can you please change your "network (dhcp)" command and see if there is any progress.
Best regards,
Antonin
11-06-2006 02:39 PM
Okay,
I've scaled it down to just the commands I "think" I need to get my 2610 to connect to the internet and it "still" isn't working:
Building configuration...
Current configuration : 1018 bytes
!
! Last configuration change at 21:26:43 UTC Mon Nov 6 2006
! NVRAM config last updated at 21:26:46 UTC Mon Nov 6 2006
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname London1
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret xxx
enable password xxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
!
!
!
!
interface Ethernet0/0
description "The Great Outdoors (WAN)"
ip address 87.xxx.xxx.54 255.255.255.0 (WAN IP)
ip nat outside
full-duplex
no cdp enable
!
interface Ethernet1/0
description "Private LAN"
ip address 172.16.31.1 255.255.255.0
ip nat inside
full-duplex
no cdp enable
!
ip default-gateway 87.xxx.xxx.54
ip nat inside source list 11 interface Ethernet0/0 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
!
access-list 11 permit any
no cdp run
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxxxxxxxxx
login
!
!
end
I'm out of ideas...
Jay
11-06-2006 09:48 PM
Hi Jay
I have 2 suggestions to make here.
1. As already mentioned by the other poster, do change the access list entry accordingly to allow only your local lan subnet.
2. Do remove the ip default-gateway command and also the default route pointing via ethernet0/0.
You need to find out the ip address of the gateway equipment from the SP where you are currently getting connected and draft your default route pointing to that ip.
I feel that should solve your problem.
regs
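Several replies in this thread spot the same three things by eye: a DHCP pool whose network does not contain its default-router, a NAT source list that permits any source, and a default route pointing at Ethernet0/0 rather than at the ISP gateway. The script below is an added example, not something posted in the thread; lint_config and SAMPLE_CONFIG are its own names, and the sample config is constructed to resemble the first one Jay posted rather than copied from it.

```python
import ipaddress
import re

# Constructed sample: modeled on the first configuration posted in the thread, not a copy of it.
SAMPLE_CONFIG = """\
ip dhcp pool Guardtower
 network 172.16.0.0 255.255.255.0
 default-router 172.16.31.1
interface Ethernet1/0
 ip address 172.16.31.1 255.255.255.0
 ip nat inside
ip nat inside source list 11 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
access-list 11 permit any
"""

def lint_config(text):
    """Return a list of findings for the three problems raised in the thread."""
    findings = []
    lines = text.splitlines()
    # 1. DHCP pool: the advertised network must contain the default-router it hands out.
    net = router = None
    for line in lines:
        m = re.match(r"\s*network (\S+) (\S+)$", line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        m = re.match(r"\s*default-router (\S+)$", line)
        if m:
            router = ipaddress.ip_address(m.group(1))
    if net and router and router not in net:
        findings.append(f"dhcp: default-router {router} is not inside pool network {net}")
    # 2. NAT source list: 'permit any' translates every source, not just the inside LAN.
    m = re.search(r"ip nat inside source list (\d+)", text)
    if m:
        acl = m.group(1)
        for line in lines:
            if re.match(rf"access-list {acl} permit (ip any any|any)\s*$", line):
                findings.append(f"nat: access-list {acl} permits any source; restrict it to the inside subnet")
    # 3. A default route via a multi-access interface works only if the ISP answers proxy ARP;
    #    a next-hop address is the safer form.
    for line in lines:
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (.+)$", line)
        if m and not re.search(r"\d+\.\d+\.\d+\.\d+", m.group(1)):
            findings.append(f"route: default route points at interface {m.group(1).strip()}; use the ISP gateway address")
    return findings

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved "show running-config" the same checks apply; the script reads only the global and sub-mode lines it recognises and ignores everything else.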
11-07-2006 04:52 AM
the problem with your number 2 suggestion is the ISP didn't give him a static ip to use for his router, if he was given a static IP that would be fine but since it's via DHCP the default route to the e0/0 int is just fine.
@poster
change the NAT as i have said, i'm pretty sure that's where your problem is
11-07-2006 10:59 AM
Actually,
if I never mentioned it, I do have a static ip (and about 5 others I'm not using at the moment). I set it to dhcp because I wanted to make sure I was getting out to the internet.
This is pissing me off. I had my pix 501 running inside of 15 minutes so I don't know why it's so friggin' difficult with this piddly 2610?!?!?!? All I want is a simple basic config and I'm into three+ days with this thing :)
Jay
11-07-2006 11:17 AM
so, did you change the NAT statement?
11-07-2006 03:25 PM
Yep, and then some and it still didn't work:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname London1
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$YxtK$2CA0c/57PnC/6tOsyMwDu0
enable password xxxxxx
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip dhcp excluded-address 172.16.31.1
!
ip dhcp pool guardtower
dns-server 87.xxx.xxx.30 87.xxx.xxx.28
!
!
!
!
!
interface Ethernet0/0
description "The Great Outdoors (WAN)"
ip address dhcp
ip nat outside
full-duplex
no cdp enable
!
interface Ethernet1/0
description "Private LAN"
ip address 172.16.31.1 255.255.255.0
ip nat inside
full-duplex
no cdp enable
!
router rip
network 172.16.0.0
!
ip default-gateway 87.xxx.xxx.7
ip nat inside source list 101 interface Ethernet0/0 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 87.xxx.xxx.7
!
!
access-list 101 permit ip 172.16.0.0 0.0.255.255 any
no cdp run
!
line con 0
line aux 0
line vty 0 4
password xxxxxx
login
!
!
end
I tried adding the "dns-server" command and that didn't help either...
Jay
11-08-2006 10:34 AM
did the isp give you a default gateway to use? change your default route to "ip route 0.0.0.0 0.0.0.0 E0/0" and try again. do sh int and get the ip address assigned to e0/0 by the dhcp and do an extended ping to 4.2.2.2 and use the dhcp ip as source and tell us if it's ok or not