Cisco 1841 ip route problem
  • Cisco 1841 ip route problem

    Hi there,

    We have a Cisco 1841 with WAN IP 80.x.x.48, and our ISP gave us two IP addresses: 92.x.x.252/30

    We have a ZyWALL P1 behind our Cisco with WAN IP: 92.x.x.253

    I need to access this ZyWALL from outside our LAN, and I probably need to route the network, but I don't know how to do that.

    Here's our configuration on cisco:

    Current configuration : 3464 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname cisco
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    enable secret 5 $1$p6SP$
    !
    no aaa new-model
    !
    resource policy
    !
    clock timezone CST -1
    clock summer-time CDT recurring
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    no ip source-route
    ip cef
    !
    !
    ip tcp synwait-time 10
    no ip dhcp use vrf connected
    !
    !
    no ip bootp server
    ip domain name mikroaldi.org
    ip name-server 195.222.32.10
    ip name-server 195.222.32.20
    !
    username murga privilege 15 secret 5 $1$$
    !
    !
    !
    interface FastEthernet0/0
    description LAN$ES_LAN$
    ip address 10.0.1.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip route-cache flow
    duplex auto
    speed auto
    no mop enabled
    !
    interface FastEthernet0/1
    description WAN
    ip address 92.x.x.253 255.255.255.252 secondary
    ip address 80.x.x.48 255.255.255.192
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip route-cache flow
    duplex auto
    speed auto
    no mop enabled
    !
    interface Serial0/0/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    shutdown
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 80.x.x.1
    !
    no ip http server
    ip nat inside source list 101 interface FastEthernet0/1 overload
    ip nat inside source static tcp 10.0.1.10 21 80.x.x.48 21 extendable
    ip nat inside source static tcp 10.0.1.10 22 80.x.x.48 22 extendable
    ip nat inside source static tcp 10.0.1.10 23 80.x.x.48 23 extendable
    ip nat inside source static tcp 10.0.1.10 25 80.x.x.48 25 extendable
    ip nat inside source static tcp 10.0.1.10 80 80.x.x.48 80 extendable
    ip nat inside source static tcp 10.0.1.10 110 80.x.x.48 110 extendable
    ip nat inside source static tcp 10.0.1.10 143 80.x.x.48 143 extendable
    ip nat inside source static tcp 10.0.1.10 443 80.x.x.48 443 extendable
    ip nat inside source static udp 10.0.1.10 500 80.x.x.48 500 extendable
    ip nat inside source static tcp 10.0.1.10 1723 80.x.x.48 1723 extendable
    ip nat inside source static tcp 10.0.1.10 2525 80.x.x.48 2525 extendable
    ip nat inside source static tcp 10.0.1.10 3333 80.x.x.48 3333 extendable
    ip nat inside source static tcp 10.0.1.10 3389 80.x.x.48 3389 extendable
    ip nat inside source static tcp 10.0.1.10 3609 80.x.x.48 3609 extendable
    ip nat inside source static udp 10.0.1.10 4500 80.x.x.48 4500 extendable
    ip nat inside source static tcp 10.0.1.10 5900 80.x.x.48 5900 extendable
    !
    logging trap debugging
    access-list 101 permit ip any any
    access-list 102 permit tcp any any
    access-list 102 permit ip any any
    no cdp run
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    password 7 131404011
    login
    transport output telnet
    line aux 0
    password 7 075E080A16414A
    login
    transport output telnet
    line vty 0 4
    access-class 102 in
    privilege level 15
    password 7 0102131F0F
    login
    rotary 50
    transport preferred telnet
    transport input all
    !
    scheduler allocate 4000 1000
    end

    Thanks in advance!

  • #2
    Re: Cisco 1841 ip route problem

    ip route 92.x.x.253 255.255.255.255 fa0/0

    Also, why is this same address a secondary address on your WAN-facing interface? I would remove that.

    Why not remove the public IP from the ZyWALL and configure it on your local LAN subnet? If you need access from the outside, just do a static NAT.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)


    • #3
      Re: Cisco 1841 ip route problem

      Our supervisor agency installed this ZyWALL P1 and they didn't give us any access to this device.

      I removed this secondary IP from the WAN interface on the Cisco and configured the route as you said, but I can't ping this ZyWALL P1 from outside. What could be the problem?

      Anyway, thanks a lot for your help.

      My new config:


      Using 3417 out of 196600 bytes
      !
      version 12.4
      no service pad
      service tcp-keepalives-in
      service tcp-keepalives-out
      service timestamps debug datetime msec localtime show-timezone
      service timestamps log datetime msec localtime show-timezone
      service password-encryption
      service sequence-numbers
      !
      hostname cisco
      !
      boot-start-marker
      boot-end-marker
      !
      security authentication failure rate 3 log
      security passwords min-length 6
      enable secret 5 $1$p6SP$
      !
      no aaa new-model
      !
      resource policy
      !
      clock timezone CST -1
      clock summer-time CDT recurring
      mmi polling-interval 60
      no mmi auto-configure
      no mmi pvc
      mmi snmp-timeout 180
      ip subnet-zero
      no ip source-route
      ip cef
      !
      !
      ip tcp synwait-time 10
      no ip dhcp use vrf connected
      !
      !
      no ip bootp server
      ip domain name mikroaldi.org
      ip name-server 195.222.32.10
      ip name-server 195.222.32.20
      !
      username murga privilege 15 secret 5 $1$Sc4z$
      !
      !
      !
      interface FastEthernet0/0
      description LAN$ES_LAN$
      ip address 10.0.1.1 255.255.255.0
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip nat inside
      ip route-cache flow
      duplex auto
      speed auto
      no mop enabled
      !
      interface FastEthernet0/1
      description WAN
      ip address 80.x.x.48 255.255.255.192
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip nat outside
      ip route-cache flow
      duplex auto
      speed auto
      no mop enabled
      !
      interface Serial0/0/0
      no ip address
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip route-cache flow
      shutdown
      !
      ip classless
      ip route 0.0.0.0 0.0.0.0 80.65.83.1
      ip route 92.x.x.253 255.255.255.255 FastEthernet0/0
      !
      no ip http server
      ip nat inside source list 101 interface FastEthernet0/1 overload
      ip nat inside source static tcp 10.0.1.10 21 80.x.x.48 21 extendable
      ip nat inside source static tcp 10.0.1.10 22 80.x.x.48 22 extendable
      ip nat inside source static tcp 10.0.1.10 23 80.x.x.48 23 extendable
      ip nat inside source static tcp 10.0.1.10 25 80.x.x.48 25 extendable
      ip nat inside source static tcp 10.0.1.10 80 80.x.x.48 80 extendable
      ip nat inside source static tcp 10.0.1.10 110 80.x.x.48 110 extendable
      ip nat inside source static tcp 10.0.1.10 143 80.x.x.48 143 extendable
      ip nat inside source static tcp 10.0.1.10 443 80.x.x.48 443 extendable
      ip nat inside source static udp 10.0.1.10 500 80.x.x.48 500 extendable
      ip nat inside source static tcp 10.0.1.10 1723 80.x.x.48 1723 extendable
      ip nat inside source static tcp 10.0.1.10 2525 80.x.x.48 2525 extendable
      ip nat inside source static tcp 10.0.1.10 3333 80.x.x.48 3333 extendable
      ip nat inside source static tcp 10.0.1.10 3389 80.x.x.48 3389 extendable
      ip nat inside source static tcp 10.0.1.10 3609 80.x.x.48 3609 extendable
      ip nat inside source static udp 10.0.1.10 4500 80.x.x.48 4500 extendable
      ip nat inside source static tcp 10.0.1.10 5900 80.x.x.48 5900 extendable
      !
      logging trap debugging
      access-list 101 permit ip any any
      access-list 102 permit tcp any any
      access-list 102 permit ip any any
      no cdp run
      !
      control-plane
      !
      banner login ^CAuthorized access only!
      Disconnect IMMEDIATELY if you are not an authorized user!^C
      !
      line con 0
      password 7 131404011B0D1739797769
      login
      transport output telnet
      line aux 0
      password 7 071E325F5E080A1645414A
      login
      transport output telnet
      line vty 0 4
      access-class 102 in
      privilege level 15
      password 7 010215174B0A151C731F0F
      login
      rotary 50
      transport preferred telnet
      transport input all
      !
      scheduler allocate 4000 1000
      end


      • #4
        Re: Cisco 1841 ip route problem

        Try this:

        ip proxy-arp

        under the fa0/0 interface
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)


        • #5
          Re: Cisco 1841 ip route problem

          Also, what is the default gateway set to on the ZyWALL?
          CCNA, CCNA-Security, CCNP
          CCIE Security (In Progress)


          • #6
            Re: Cisco 1841 ip route problem

            Originally posted by auglan:
            Also, what is the default gateway set to on the ZyWALL?
            I asked the admins from this agency and they told me that the gateway on the ZyWALL is 92.x.x.254.


            • #7
              Re: Cisco 1841 ip route problem

              Remove this:

              ip route 92.x.x.253 255.255.255.255 FastEthernet0/0


              Add this:

              ip route 92.x.x.253 255.255.255.255 92.x.x.254
              CCNA, CCNA-Security, CCNP
              CCIE Security (In Progress)


              • #8
                Re: Cisco 1841 ip route problem

                This is my output after pinging both addresses 253 and 254:

                Reply from 80.x.x.1: TTL expired in transit.
                Reply from 80.x.x.48: TTL expired in transit.
                Reply from 80.x.x.48: TTL expired in transit.
                Reply from 80.x.x.48: TTL expired in transit.

                Also, I added ip proxy-arp on f0/0.


                • #9
                  Re: Cisco 1841 ip route problem

                  Looks like you have a routing loop between .1 and .48. Check your routing tables on those devices and make sure you don't have any routes pointing back at each other.
                  CCNA, CCNA-Security, CCNP
                  CCIE Security (In Progress)


                  • #10
                    Re: Cisco 1841 ip route problem

                    Originally posted by auglan:
                    Looks like you have a routing loop between .1 and .48. Check your routing tables on those devices and make sure you don't have any routes pointing back at each other.
                    Before changing this route to 254, I changed this ip proxy-arp and ping worked for 253, but for 254 it says that TTL expired.


                    • #11
                      Re: Cisco 1841 ip route problem

                      It's hard to see what's going on without seeing a diagram and configs of everything in the path. If it worked with just the ip proxy-arp command and the static route pointing out the interface instead of the next hop, then you may have to leave it like that.
                      CCNA, CCNA-Security, CCNP
                      CCIE Security (In Progress)


                      • #12
                        Re: Cisco 1841 ip route problem

                        Originally posted by auglan:
                        It's hard to see what's going on without seeing a diagram and configs of everything in the path. If it worked with just the ip proxy-arp command and the static route pointing out the interface instead of the next hop, then you may have to leave it like that.
                        Here's the diagram:



                        Only a switching hub is between the router and the ZyWALL.


                        • #13
                          Re: Cisco 1841 ip route problem

                          Is that switch a layer 3 switch? Can you get that config?
                          CCNA, CCNA-Security, CCNP
                          CCIE Security (In Progress)


                          • #14
                            Re: Cisco 1841 ip route problem

                            Originally posted by auglan:
                            Is that switch a layer 3 switch? Can you get that config?
                            It's a switch without configuration. It just forwards packets.


                            • #15
                              Re: Cisco 1841 ip route problem

                              Okay, so there is no layer 3 interface for that particular subnet. The device is just blindly putting packets on the wire when using the WAN interface. Without a layer 3 interface as its gateway it just sends packets out on the wire. When the LAN router interface has ip proxy-arp enabled, it will answer ARP requests on that device's behalf. In reality this is a bad design, as the device has no routing intelligence and therefore relies on the router for layer 3/layer 2 resolution. Does it work with the ip proxy-arp command and the first static route? If so, that's all you can do with it. A better option would be to replace that switch with a layer 3 switch and configure an SVI with an IP from that subnet. That way the device is on its own VLAN and has a default gateway on the external (public) interface.
                              Last edited by auglan; 16th May 2012, 19:46.
                              CCNA, CCNA-Security, CCNP
                              CCIE Security (In Progress)
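
Added example (not part of any poster's reply, and not IOS code): a small Python model of longest-prefix-match forwarding with recursive next-hop resolution, comparing the static route from post #2 with the one from post #7 and checking when proxy ARP would answer for the ZyWALL's gateway address. The addresses are constructed documentation ranges standing in for the masked ones; the ISP route sending the /30 to the router's WAN address and the simplified proxy-ARP rule are assumptions.

```python
import ipaddress

# Constructed documentation addresses stand in for the masked ones in the thread:
# 203.0.113.0/26 = WAN subnet (router .48, ISP .1); 198.51.100.252/30 = extra block
# (ZyWALL .253, its configured gateway .254). Routes are (prefix, next_hop, interface).
ISP = [("203.0.113.0/26", None, "cust"),
       ("198.51.100.252/30", "203.0.113.48", None)]   # assumed: ISP routes the /30 to the 1841
BASE = [("10.0.1.0/24", None, "Fa0/0"), ("203.0.113.0/26", None, "Fa0/1"),
        ("0.0.0.0/0", "203.0.113.1", None)]
VIA_INTERFACE = BASE + [("198.51.100.253/32", None, "Fa0/0")]          # route from post #2
VIA_NEXT_HOP = BASE + [("198.51.100.253/32", "198.51.100.254", None)]  # route from post #7
# (device, interface, layer-2 neighbor) -> device that owns that address on that wire
WIRES = {("isp", "cust", "203.0.113.48"): "cpe", ("cpe", "Fa0/1", "203.0.113.1"): "isp",
         ("cpe", "Fa0/0", "198.51.100.253"): "zywall"}

def resolve(table, dst, depth=0):
    """Longest-prefix match, then recurse on the next hop until an interface is known."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r[0])]
    if not hits or depth > 8:
        return None
    _, next_hop, iface = max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return (iface, dst) if iface else resolve(table, next_hop, depth + 1)

def trace(cpe_table, dst, ttl=8):
    """Send a packet from the ISP side toward dst; return (outcome, devices visited)."""
    tables, node, path = {"isp": ISP, "cpe": cpe_table}, "isp", []
    while ttl > 0:
        path.append(node)
        hop = resolve(tables[node], dst)
        nxt = WIRES.get((node, *hop)) if hop else None
        if nxt is None:
            return "dropped", path
        if nxt == "zywall":
            return "delivered", path
        node, ttl = nxt, ttl - 1
    return "ttl expired", path

def proxy_arp_answers(table, in_iface, target, enabled):
    """Router answers an ARP request for target if it routes it out another interface."""
    hop = resolve(table, target)
    return bool(enabled and hop and hop[0] != in_iface)

if __name__ == "__main__":
    print(trace(VIA_INTERFACE, "198.51.100.253"))   # interface route: reaches the LAN wire
    print(trace(VIA_NEXT_HOP, "198.51.100.253"))    # .254 resolves via the default route
    print(proxy_arp_answers(VIA_INTERFACE, "Fa0/0", "198.51.100.254", True))
```

In this model the next hop .254 is not on any connected subnet once the secondary address is removed, so it resolves through the default route and the packet bounces between the two routers until the TTL runs out, which matches the ping output in post #8.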
