CISCO router issues

illumina315

Greets,

I have a CISCO 1811 fresh out of the box that I'm having trouble configuring. I have a T1 on FE1 and a DSL on FE0. The 1811 also includes 8 switches in the back, which I have set for VLAN1, and VLAN1 itself is set to a static IP of 192.168.0.1.

interface FastEthernet0
ip address my.dsl.ip.addy 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto

interface FastEthernet1
ip address my.t1.ip.addy 255.255.255.224
no ip route-cache
speed auto
half-duplex

The problem is, I can't ping the router at all. I've manually set my IP to 192.168.0.2, and can't ping it at all. I enabled DHCP through SDM, but that doesn't seem to help at all. In fact, the only time I could connect to the router was when I connected directly from my computer to the FE0 port.

What am I doing wrong?

Many thanks in advance.
 
Please post the complete config (minus passwords and such).

What do you see on the console port when you connect your PC? Does it show that VLAN 1 is up?
 
Yeah, we need to see the entire config. Is your T1 a point-to-point, or why do you have two internet connections?

On FE0 you have a DSL, with nat.

On FE1 you have a T1 with no nat.

If your DSL is your internet, then you need: ip nat outside on FE0 interface.
Then you need: ip nat inside on VLAN1

If you have two internet connections, DSL and T1, then it will be way more complicated. You may even have to run BGP.
 
current situation:
Have a CISCO PIX501 connected to a T1 (external CSU/DSU unit). Ordered a CISCO 1811 and Verizon DSL, so we can have 2 WAN links (failover only). So here's where I'm stuck.


router#show ver
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(2)T2,
RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 18-Oct-05 13:40 by ccai

ROM: System Bootstrap, Version 12.3(8r)YH5, RELEASE SOFTWARE (fc1)

router uptime is 1 minute
System returned to ROM by power-on
System image file is "flash:c181x-advipservicesk9-mz.124-2.T2.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

Cisco 1811 (MPC8500) processor (revision 0x300) with 118784K/12288K bytes of memory.
Processor board ID FTX0949X0UA, with hardware revision 0000

10 FastEthernet interfaces
1 Serial interface
1 terminal line
31360K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

router#

router#write t
Building configuration...

Current configuration : 3765 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret blah
enable password blah
!
no aaa new-model
!
resource policy
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip routing
!
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.34 192.168.0.254
ip dhcp excluded-address 192.168.0.2
!
ip dhcp pool Default
import all
network 192.168.0.0 255.255.255.0
dns-server 209.116.241.10 206.205.242.132
!
!
no ip ips deny-action ips-interface
!
!
crypto pki trustpoint TP-self-signed-4248908665
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4248908665
revocation-check none
rsakeypair TP-self-signed-4248908665
!
!
crypto pki certificate chain TP-self-signed-4248908665
certificate self-signed 01
MY KEY

quit
username echang privilege 15 password 0 HARDFORUM
!
!
!
!
!
interface FastEthernet0
description $ETH-WAN$
ip address 71.249.227.x 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet1
description $ETH-WAN$
ip address 67.94.72.y 255.255.255.224
ip access-group 101 in
ip nat inside
ip virtual-reassembly
no ip route-cache
speed auto
half-duplex
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
shutdown
!
interface Async1
no ip address
no ip route-cache
!
ip classless
!
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any eq www host 67.94.72.222 eq smtp
snmp-server community blah RO
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
password blah
login local
transport input telnet ssh
!
no scheduler allocate
end

router#


router#show interface summary

*: interface is up
IHQ: pkts in input hold queue IQD: pkts dropped from input queue
OHQ: pkts in output hold queue OQD: pkts dropped from output queue
RXBS: rx rate (bits/sec) RXPS: rx rate (pkts/sec)
TXBS: tx rate (bits/sec) TXPS: tx rate (pkts/sec)
TRTL: throttle count

Interface            IHQ   IQD   OHQ   OQD  RXBS  RXPS  TXBS  TXPS  TRTL
------------------------------------------------------------------------
  Async1               0     0     0     0     0     0     0     0     0
  FastEthernet0        0     0     0     0     0     0     0     0     0
  FastEthernet1        0     0     0     0     0     0     0     0     0
  FastEthernet2        0     0     0     0     0     0     0     0     0
  FastEthernet3        0     0     0     0     0     0     0     0     0
  FastEthernet4        0     0     0     0     0     0     0     0     0
  FastEthernet5        0     0     0     0     0     0     0     0     0
  FastEthernet6        0     0     0     0     0     0     0     0     0
  FastEthernet7        0     0     0     0     0     0     0     0     0
  FastEthernet8        0     0     0     0     0     0     0     0     0
  FastEthernet9        0     0     0     0     0     0     0     0     0
* NVI0                 0     0     0     0     0     0     0     0     0
  Vlan1                0     0     0     0     0     0     0     0     0

Interface IHQ IQD OHQ OQD RXBS RXPS TXBS TXPS TRTL
------------------------------------------------------------------------
NOTE:No separate counters are maintained for subinterfaces
Hence Details of subinterface are not shown
router#



thanks again for all the help.
 
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any eq www host 67.94.72.222 eq smtp


At the end of every ACL is an implied 'deny ip any any'... you need to add 'permit ip any any' at the end so that it matches first, or else all traffic will be denied. Also, your ACL is goofy... allow traffic from any host from tcp port 80 to one host on tcp 25.. that's an odd combo.
 
Fint said:
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any eq www host 67.94.72.222 eq smtp


At the end of every ACL is an implied 'deny ip any any'... you need to add 'permit ip any any' at the end so that it matches first, or else all traffic will be denied. Also, your ACL is goofy... allow traffic from any host from tcp port 80 to one host on tcp 25.. that's an odd combo.


Yeah... strange. Just caught that. This was my first attempt at playing with SDM; I've no idea what went wrong there.
 
illumina315 said:
Yeah... strange. Just caught that. This was my first attempt at playing with SDM; I've no idea what went wrong there.

current...


router#write ter
Building configuration...

Current configuration : 3649 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret x
enable password x
!
no aaa new-model
!
resource policy
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip routing
!
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.34 192.168.0.254
ip dhcp excluded-address 192.168.0.2
!
ip dhcp pool Default
import all
network 192.168.0.0 255.255.255.0
dns-server 209.116.241.10 206.205.242.132
!
!
no ip ips deny-action ips-interface
!
!
crypto pki trustpoint TP-self-signed-4248908665
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4248908665
revocation-check none
rsakeypair TP-self-signed-4248908665
!
!
crypto pki certificate chain TP-self-signed-4248908665
certificate self-signed 01
x

quit
username echang privilege 15 password 0 x
!
!
!
!
!
interface FastEthernet0
description $ETH-WAN$
ip address 71.249.227.x 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet1
description $ETH-WAN$
ip address 67.94.72.x 255.255.255.224
ip access-group 101 in
ip nat inside
ip virtual-reassembly
no ip route-cache
speed auto
half-duplex
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
!
interface Async1
no ip address
no ip route-cache
!
ip classless
!
!
ip http server
ip http authentication local
ip http secure-server
!
snmp-server community x RO
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
password x
login local
transport input telnet ssh
!
no scheduler allocate
end

router#
 
illumina315 said:
current situation:
Have a CISCO PIX501 connected to a T1. (external CSU/DSU unit). Ordered a CISCO 1811 and Verizon DSL, so we can have 2 WAN links (failover only). So here's where im stuck.

A couple things here.

If the PIX is between the T1 and the router, why do you have a public IP address for the eth-WAN interface on the 1811?

I wouldn't even worry about WAN issues right now. Shut them both down, turn off all ACLs, and let's start with your internal interfaces.

First of all, turn on the following:

ip routing
ip cef

Under your DHCP pool, you need a default router. The command to set that is "default-router 192.168.0.1". Otherwise you'll get a DHCP address, but no gateway (hence, no internet).

Now, I haven't worked with the integrated switches for the x8xx platform, but just to be safe, for FastEthernet 2, do the following:

switchport mode access
switchport mode access vlan 1
spanning-tree portfast


After you have established access to the VLAN interface, we can start talking about your WAN setup.

Can you explain a bit more about what you want to accomplish by having a T1 and a DSL line? Outbound redundancy? Inbound redundancy?
 
Darthkim said:
A couple things here.

If the PIX is between the T1 and the router, why do you have a public IP address for the eth-WAN interface on the 1811?

I wouldn't even worry about WAN issues right now. Shut them both down, turn off all ACLs, and let's start with your internal interfaces.

First of all, turn on the following:

ip routing
ip cef

Under your DHCP pool, you need a default router. The command to set that is "default-router 192.168.0.1". Otherwise you'll get a DHCP address, but no gateway (hence, no internet).

Now, I haven't worked with the integrated switches for the x8xx platform, but just to be safe, for FastEthernet 2, do the following:

switchport mode access
switchport mode access vlan 1
spanning-tree portfast


After you have established access to the VLAN interface, we can start talking about your WAN setup.

Can you explain a bit more about what you want to accomplish by having a T1 and a DSL line? Outbound redundancy? Inbound redundancy?


router(config)#interface fastethernet 2
router(config-if)#switchport mode access
router(config-if)#switchport mode access vlan 1
^
% Invalid input detected at '^' marker.

router(config)#ip dhcp default-router 192.168.0.1
^
% Invalid input detected at '^' marker.


For some reason those are bouncing.


We have a mail server on site, and we need redundant inbound traffic, and outbound too (preferably). I'm going to add the DSL IP to our DNS MX record after this is up, but that's pretty much why I'm trying to get this dual WAN setup to work.
 
illumina315 said:
router(config)#interface fastethernet 2
router(config-if)#switchport mode access
router(config-if)#switchport mode access vlan 1

Wrong Command
router(config-if)#switchport mode access vlan 1

Correct Command
router(config-if)#switchport access vlan 1
 
Wrong Command
illumina315 said:
router(config)#ip dhcp default-router 192.168.0.1
^
% Invalid input detected at '^' marker.

Correct Command
router(config)#ip dhcp pool XXXXXX
router(config)#default-router 192.168.0.1


Also, I noticed in one of your previous config postings that Vlan1 was SHUTDOWN, has that been resolved?
 
Yeah, I caught the shutdown and fixed that.

I have DHCP internally now, but no connection to the outside. Not sure where to proceed from here.
 
illumina315 said:
Yeah, I caught the shutdown and fixed that.

I have DHCP internally now, but no connection to the outside. Not sure where to proceed from here.

Get your "external" connections up and running and add a default route on the router...

router#ip route 0.0.0.0 0.0.0.0 X.X.X.X
 
illumina315 said:
where x.x.x.x is my external IP or gateway?

X.X.X.X would be your gateway of last resort, for a setup like this it will be the gateway of your ISP...
 
Awesome! Thanks! I have the DSL side operational!

Now I just need to wait for the coworkers to leave before I can test the T1...

thanks a bunch!
 
If you want inbound and outbound internet redundancy, you'll have to run BGP, with your own AS number.

If you have public assigned IPs routing to the T1, you can only route inbound and outbound to that circuit. The only way to accomplish this is to get your own AS number, and bgp will route your public address space to both internet connections.
 
Good luck getting an ISP to run BGP with a DSL customer... BGP is for real enterprise networks.
 
Our primary objective is to ensure our mail server can always be accessed. I was thinking something simple, like:



mail server: 192.168.0.100
DSL static ip x.x.x.x routed to 192.168.0.100
T1 static ip y.y.y.y routed to 192.168.0.100

I'd then edit the MX records, with:
10 x.x.x.x
20 y.y.y.y
30 3rd party spooling IP.

I shouldn't have a problem with this, right?
 
illumina315 said:
Our primary objective is to ensure our mail server can always be accessed. I was thinking something simple, like:



mail server: 192.168.0.100
DSL static ip x.x.x.x routed to 192.168.0.100
T1 static ip y.y.y.y routed to 192.168.0.100

I'd then edit the MX records, with:
10 x.x.x.x
20 y.y.y.y
30 3rd party spooling IP.

I shouldn't have a problem with this, right?

That should work fine for incoming mail traffic, but what about traffic going out? The default gateway of your mail server will be the router, but what is the router's default gateway? Really the best solution for this is to have two routers, one connected to the DSL line and one connected to the T1. Run HSRP on the LAN side and all your problems are solved...
 
PHUNBALL said:
That should work fine for incoming mail traffic, but what about traffic going out? The default gateway of your mail server will be the router, but what is the router's default gateway? Really the best solution for this is to have two routers, one connected to the DSL line and one connected to the T1. Run HSRP on the LAN side and all your problems are solved...


Would a PIX501 be considered a 2nd router? And do you have a good link to an HSRP info page for noobs?


thanks again.
 
illumina315 said:
Would a PIX501 be considered a 2nd router? And do you have a good link to an HSRP info page for noobs?


thanks again.


I tried one of the CISCO tutorials on PBR, and I'm not sure if it's working yet...
http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml


router#write t
Building configuration...

Current configuration : 4415 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 x
enable password x
!
no aaa new-model
!
resource policy
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.34 192.168.0.254
ip dhcp excluded-address 192.168.0.2
!
ip dhcp pool Default
import all
network 192.168.0.0 255.255.255.0
dns-server 151.202.0.85 65.106.1.196
default-router 192.168.0.1
lease 5
!
!
no ip ips deny-action ips-interface
ip sla monitor 1
type echo protocol ipIcmpEcho 67.94.72.xxx
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 71.249.227.yyy
ip sla monitor schedule 2 life forever start-time now
!
!
crypto pki trustpoint TP-self-signed-4248908665
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4248908665
revocation-check none
rsakeypair TP-self-signed-4248908665
!
!
crypto pki certificate chain TP-self-signed-4248908665
certificate self-signed 01
x
quit
username echang privilege 15 password 0 x
!
!
track 123 rtr 1 reachability
!
track 124 rtr 2 reachability
!
!
!
!
interface FastEthernet0
description $ETH-WAN$
ip address 71.249.227.154 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description $ETH-WAN$
ip address 67.94.72.220 255.255.255.224
ip nat outside
ip virtual-reassembly
speed auto
half-duplex
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map alpha
!
interface Async1
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.94.72.193 track 123
ip route 0.0.0.0 0.0.0.0 71.249.227.1 track 124

!
!
ip http server
ip http authentication local
ip http secure-server
ip nat source static tcp 192.168.0.104 5900 71.249.227.x 5900 extendable
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.218 5900 67.94.72.x 5900 extendable
!
access-list 1 permit 192.168.0.0 0.0.0.255
snmp-server community jamaica RO
!
route-map alpha permit 10
set ip next-hop verify-availability 67.94.72.xxx 10 track 123
set ip next-hop verify-availability 71.249.227.yyy 20 track 124
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
password x
login local
transport input telnet ssh
!
end

router#



Current Problems:
Router can ping out on the T1 connection (when DSL is plugged in), but the inside LAN cannot.

When using 'show track', both links come up as 'up', even if one link is purposely unplugged.


thanks!
 
illumina315 said:
Would a PIX501 be considered a 2nd router? And do you have a good link to an HSRP info page for noobs?


thanks again.

I don't think you can run HSRP on a 501...
 
PHUNBALL said:
That's what I figured, the smallest PIX I have used lately is the 515E...

Sadly, we don't have a budget for more hardware, since we're poor right now. Are there any other solutions you guys know of? I'm stuck in a rut here.

thanks again.
 
bump for desperate need of help. I want to throw this damn thing out the window and chase it with myself :(
 
Who did you buy this from? Your Cisco account team, SE, or reseller should be able to provide you with some support on this. Surely you didn't buy it off of ebay or something like that?
 
You should be able to do this with 2 statics (1 being a floating static). If you can wait till this weekend, I can test it on my lab 2621.
 
I bought it from CDW about 2? weeks ago, and they 'don't offer customer support on Cisco products'.


If you don't mind, Darkstar, that would be MUCH appreciated. What is a 'floating static'?

thanks a bunch
 
After playing with it some more, here's where I'm at:

Current config:

Problems: FE1 still has no access from VLAN1 or the router.


router#write t
Building configuration...

Current configuration : 4130 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret x
enable password x
!
no aaa new-model
!
resource policy
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.34 192.168.0.254
ip dhcp excluded-address 192.168.0.2
!
ip dhcp pool Default
import all
network 192.168.0.0 255.255.255.0
dns-server 151.202.0.85 65.106.1.196
default-router 192.168.0.1
lease 5
!
!
ip name-server 151.202.0.85
ip name-server 209.116.241.10
no ip ips deny-action ips-interface
ip sla monitor 1
type echo protocol ipIcmpEcho 67.94.72.193
timeout 1000
threshold 2
frequency 3
ip sla monitor schedule 1 life forever start-time now
!
!
crypto pki trustpoint TP-self-signed-4248908665
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4248908665
revocation-check none
rsakeypair TP-self-signed-4248908665
!
!
crypto pki certificate chain TP-self-signed-4248908665
certificate self-signed 01
x

quit
username echang privilege 15 password 0 x
!
!
track 123 rtr 1 reachability
!
!
!
!
interface FastEthernet0
description $ETH-WAN$
ip address 71.249.227.154 255.255.255.0
ip virtual-reassembly
ip nat outside
duplex auto
speed auto
!
interface FastEthernet1
description $ETH-WAN$
ip address 67.94.72.220 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.94.72.193 track 123
ip route 0.0.0.0 0.0.0.0 71.249.227.1 100
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat source static tcp 192.168.0.104 5900 71.249.227.155 5900 extendable
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.218 5900 67.94.72.218 5900 extendable
!
access-list 1 permit any
snmp-server community x RO
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
password x
login local
transport input telnet ssh
!
no scheduler allocate
end

router#



thanks again
 
It is a static route with a manually set high AD so as to have it not be placed in the routing table if the primary route is functional. When the primary route dies, the floating static is the only one left, so it gets placed in the routing table and used.
I don't mind setting it up, I am kind of curious. However I am the senior network engineer on call this week, and it's been some long days.
Rhetorical question: Why does everything wait until I am getting ready to go home before it breaks?

EDIT: What connects to each interface? Is it PIX to CSU/DSU to T1 on one WAN interface, and a DSL modem on the other? What kind of switch is on the LAN side? I may have missed something, I kind of skimmed the thread.
 
Darkstar850 said:
It is a static route with a manually set high AD so as to have it not be placed in the routing table if the primary route is functional. When the primary route dies, the floating static is the only one left, so it gets placed in the routing table and used.
I don't mind setting it up, I am kind of curious. However I am the senior network engineer on call this week, and it's been some long days.
Rhetorical question: Why does everything wait until I am getting ready to go home before it breaks?

EDIT: What connects to each interface? Is it PIX to CSU/DSU to T1 on one WAN interface, and a DSL modem on the other? What kind of switch is on the LAN side? I may have missed something, I kind of skimmed the thread.

First off, many thanks for your help.

FE0 : DSL Modem from Verizon (with static IPs)
FE1 : CSU/DSU from XO.com/Allegiance Telecom

Inside LAN: generic retail switches (I'm working on getting them to upgrade that).
 
Fint said:
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any eq www host 67.94.72.222 eq smtp


At the end of every ACL is an implied 'deny ip any any'... you need to add 'permit ip any any' at the end so that it matches first, or else all traffic will be denied. Also, your ACL is goofy... allow traffic from any host from tcp port 80 to one host on tcp 25.. that's an odd combo.
Correct but...
His access list statement says that anyone coming into that address for SMTP traffic is allowed so long as they're originating on port 80. No one works this way and you will not get your email this way. So essentially adding the "permit any any" statement at the end negates what he's trying to accomplish with the first line anyway.

I would change the line to:
access-list 101 permit tcp any host 67.94.72.222 eq smtp

Still reading the rest of the thread........
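A small config lint for the mistakes the replies above point out (Fint's and Wolf-R1's ACL observations, Darthkim's `no ip routing`, the shut-down Vlan1, the DHCP pool without a default-router, and `ip nat inside` on both WAN ports). This is an added example, not code from the thread or from Cisco; the parser, the check wording and the placeholder addresses in SAMPLE_CONFIG are all assumptions.

```python
"""Lint a Cisco IOS running-config for the mistakes this thread's replies point out.
Constructed example (not from the thread or Cisco); SAMPLE_CONFIG mirrors the first posted config."""
import re

BLOCK_STARTERS = ("interface ", "ip dhcp pool ", "line ")
# 'permit tcp <src> eq <port> ...' with src = any | host X | net wildcard: a SOURCE-port match
SRC_PORT_RE = re.compile(r"^permit tcp (any|host \S+|\S+ \S+) (eq|gt|lt|neq|range) ")

SAMPLE_CONFIG = """\
no ip routing
ip dhcp pool Default
 network 192.168.0.0 255.255.255.0
!
interface FastEthernet0
 ip address 203.0.113.10 255.255.255.0
 ip nat inside
!
interface FastEthernet1
 ip address 192.0.2.20 255.255.255.224
 ip access-group 101 in
 ip nat inside
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 shutdown
!
access-list 101 permit tcp any eq www host 192.0.2.22 eq smtp
line vty 0 4
 transport input telnet ssh
"""

def parse_config(text):
    """Split a config into global lines and {block header: [lines]}.  Indentation is
    optional, so the flattened copies pasted in the thread parse the same way."""
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":            # '!' closes the current block
            current = None
        elif line.startswith(BLOCK_STARTERS):
            current, blocks[line] = line, []
        elif current is not None:
            blocks[current].append(line)
        else:
            globals_.append(line)
    return globals_, blocks

def check_acl(iface, acl_id, entries):
    """The implicit deny and the source-port match that Fint and Wolf-R1 point out."""
    if not entries:
        return [f"{iface}: ACL {acl_id} is applied but not defined in this config"]
    out = []
    if "permit ip any any" not in entries:
        out.append(f"{iface}: ACL {acl_id} ends with the implicit 'deny ip any any'; "
                   f"anything not matched by its {len(entries)} line(s) is dropped")
    out += [f"{iface}: ACL {acl_id} '{e}' matches the client's SOURCE port; clients use "
            "ephemeral source ports, so this line almost never matches"
            for e in entries if SRC_PORT_RE.match(e)]
    return out

def lint(text, wan_interfaces=("FastEthernet0", "FastEthernet1")):
    """Return human-readable findings; an empty list means nothing was flagged."""
    glob, blocks = parse_config(text)
    findings = []
    if "no ip routing" in glob:
        findings.append("global: 'no ip routing' forwards nothing between interfaces; add 'ip routing' and 'ip cef'")
    acls = {}                                   # ACL number -> ['permit ...', 'deny ...']
    for line in glob:
        m = re.match(r"access-list (\d+) ((?:permit|deny) .*)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    for header, body in blocks.items():
        name = header.split()[-1]
        if header.startswith("interface "):
            if name in wan_interfaces and "ip nat inside" in body:
                findings.append(f"{name}: WAN side is 'ip nat inside'; should be 'ip nat outside'")
            if "shutdown" in body:
                findings.append(f"{name}: administratively shut down, so nothing can reach it")
            for entry in body:
                m = re.match(r"ip access-group (\S+) in", entry)
                if m:
                    findings += check_acl(name, m.group(1), acls.get(m.group(1), []))
        elif header.startswith("ip dhcp pool "):
            if not any(l.startswith("default-router ") for l in body):
                findings.append(f"dhcp pool {name}: no 'default-router'; clients get a lease but no gateway")
        elif header.startswith("line vty") and any("telnet" in l for l in body):
            findings.append(f"{header}: telnet is accepted; prefer 'transport input ssh'")
    return findings
```

Run `lint(open("running-config.txt").read())` against a saved `write terminal` dump; each finding names the block it came from.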
 
Darkstar850 said:
<snip>
Rhetorical question: Why does everything wait until I am getting ready to go home before it breaks?

EDIT: What connects to each interface? Is it PIX to CSU/DSU to T1 on one WAN interface, and a DSL modem on the other? What kind of switch is on the LAN side? I may have missed something, I kind of skimmed the thread.
I like that first question...it's excessively true. :mad:

I also agree on the topology of his network. I'm not sure I understand it. Seems strange to me. If he could put some kind of layout down that might help answer some questions. I for one don't understand why he's got his PIX on the Internet side of his router. That is backwards to me. I would have the router bring the T1 and DSL line in then have the router Ethernet attach to the PIX and have the PIX RJ45 into a switch.

For security I'd access list the crap out of the 1811's interfaces, reflexive access lists for each. For the PIX I'd NAT everything there and make for the allowances there such as outgoing and incoming IP traffic. Of course the access lists on each would be very similar. But this is just my opinion. :)
 
I'm planning to get rid of the PIX 501.


DSL and T1 -> 1811 -> internal LAN.

I was going to access-list everything once I got the WANs working.
 
illumina315 said:
I'm planning to get rid of the PIX 501.


DSL and T1 -> 1811 -> internal LAN.

I was going to access-list everything once I got the WANs working.
I figured that stuff out, but how does each terminate to the 1811? I imagine for the DSL line you have some sort of external DSL modem that's acting in bridge mode, but how is your T1 line terminating? Normally it would come in via twisted pair such as CAT5/6, plug in with an RJ45 into a CSU/DSU, then cable into your router. Or your router has a built-in CSU/DSU and you just plug your RJ45 into your router.

Lastly I think it's a big mistake to remove the PIX from the equation. The PIX affords you stateful inspection in its firewalling. I believe you have the advanced security IOS on your router, but the stateful firewalling is not on by default. Furthermore it's slightly different from the PIX firewalling. I don't believe that you can be secure enough.
 
Wolf-R1 said:
I figured that stuff out, but how does each terminate to the 1811? I imagine for the DSL line you have some sort of external DSL modem that's acting in bridge mode, but how is your T1 line terminating? Normally it would come in via twisted pair such as CAT5/6, plug in with an RJ45 into a CSU/DSU, then cable into your router. Or your router has a built-in CSU/DSU and you just plug your RJ45 into your router.

Lastly I think it's a big mistake to remove the PIX from the equation. The PIX affords you stateful inspection in its firewalling. I believe you have the advanced security IOS on your router, but the stateful firewalling is not on by default. Furthermore it's slightly different from the PIX firewalling. I don't believe that you can be secure enough.

The DSL is connected via a DSL modem -> RJ45 -> 1811.
The T1 is connected to a CSU/DSU -> RJ45 -> 1811.

That PIX argument makes sense. Do you think I should keep DHCP on the PIX? Or keep it on the 1811?
 
Ok, I haven't gotten around to setting up my test, but here is my recommendation. Let's start simple. Now I work on a huge network, and thus I do not know all of the configs as well that are used for smaller sites, but I would strip out all the PBR stuff you tried to do, as well as any other stuff that is not absolutely necessary.
Let's get baseline connectivity functioning, and then add the bells and whistles. Although that PBR tracking feature looks pretty neat.
 