10-02-2007 06:03 PM - edited 03-05-2019 06:49 PM
Hi,
I have a small network I'm learning on and I don't know how to correctly configure a default route to the Internet to pass along to other internal routers.
I have my cablemodem connected to a 2514 which is connected to a 2600 (s0-s0) which is connected to a 2950 with some clients. I have a 2950 hanging off of the 2514 and everything works fine for those clients, just not the clients on the 2950 hanging off the 2600.
The clients off of the 2514 can get to the Internet with no problem. Clients off of the 2600 on the other hand can't do anything. When I try to do a PING it says 'Reply from 192.168.126.161: Destination net unreachable'. After two hops a tracert from a PC also says '192.168.126.161 reports: Destination net unreachable'. I don't understand why the 2514 can route to the Internet for the clients off the 2514 but not for the clients off the 2600.
I put a default route and the command 'default-information originate always' on the 2514 but still no good. I see the default route on the 2600 but it's not working. Any help would be appreciated. Here's the config from the 2514:
version 12.3
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname R1
!
enable secret 5 xxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
ip dhcp excluded-address 192.168.126.1 192.168.126.8
!
ip dhcp pool DHCPPool
 import all
 network 192.168.126.0 255.255.255.240
 default-router 192.168.126.1
!
interface Loopback0
 ip address 192.168.126.65 255.255.255.240
!
interface Ethernet0
 description Outside interface
 ip address dhcp
 ip access-group Incoming in
 ip access-group Outgoing out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 ntp disable
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 description Inside interface
 ip address 192.168.126.1 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip mroute-cache
!
interface Serial0
 ip address 192.168.126.161 255.255.255.252
 encapsulation frame-relay
 ip ospf network broadcast
 no keepalive
 clock rate 64000
 cdp enable
 frame-relay interface-dlci 100
!
interface Serial1
 ip address 192.168.126.165 255.255.255.252
 encapsulation frame-relay
 ip ospf network broadcast
 no keepalive
 clock rate 64000
 cdp enable
 frame-relay interface-dlci 200
!
router ospf 1
 log-adjacency-changes
 network 192.168.126.0 0.0.0.255 area 0
 network 192.168.163.4 0.0.0.3 area 0
 default-information originate always
!
ip nat inside source list 1 interface Ethernet0 overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended Incoming
 remark Deny NetBIOS Name, Datagram and Session service
 deny udp any range netbios-ns netbios-ss any
 deny tcp any range 137 139 any
 remark Only allow ACKed tcp packets to our network
 permit tcp any xx.xx.xx.0 0.0.15.255 gt 1023 established
 remark Allow DHCP replies to reach the e0 interface
 permit udp any any eq bootpc
 remark Allow DNS queries
 permit tcp any eq domain any
 permit udp any eq domain any
 remark Only allow specific ICMP message type & code
 permit icmp any xx.xx.xx.0 0.0.15.255 net-unreachable
 permit icmp any xx.xx.xx.0 0.0.15.255 host-unreachable
 permit icmp any xx.xx.xx.0 0.0.15.255 port-unreachable
 permit icmp any xx.xx.xx.0 0.0.15.255 packet-too-big
 permit icmp any xx.xx.xx.0 0.0.15.255 administratively-prohibited
 permit icmp any xx.xx.xx.0 0.0.15.255 source-quench
 permit icmp any xx.xx.xx.0 0.0.15.255 ttl-exceeded
ip access-list extended Outgoing
 remark Don't allow internal hosts to send icmp
 deny icmp any any
 remark Only allow packets from the internal network
 permit ip xx.xx.xx.0 0.0.15.255 any
access-list 1 permit 192.168.126.0 0.0.0.255
10-02-2007 10:02 PM
Hi
You have mentioned only one network to be NATed, via access-list 1, which is attached to the NAT overload statement.
Make sure that both networks are allowed to be NATed.
Try adding the other network as well, the one configured on the 2600 router.
regds
10-03-2007 08:23 AM
Thanks for the reply. I have all the subnets I am using listed below. If I understand wildcard masks correctly then 192.168.126.0 0.0.0.255 should cover any subnet of 192.168.126.x.
192.168.126.0/28
192.168.126.16/28
192.168.126.32/28
192.168.126.160/30
192.168.126.164/30
Please let me know if I'm wrong or if I missed something. Is it different with NATing or using access lists? Thanks.
Riley
10-03-2007 10:41 AM
Riley
You have given us pretty good information about the 2514. Can you also give us some information about the 2600, especially what subnet is used on its LAN and for the clients on the 2950?
Also can you do a show ip ospf neighbor and verify that the 2514 and the 2600 have become neighbors?
HTH
Rick
10-03-2007 11:34 AM
Thanks for the reply. Here are the networks I am using, the output from 'sh ip ospf neighbor' from both the 2514 and the 2600, 'sh ip route' on the 2600, and the 2600 config. The neighbor address of the 2514 is a loopback address (192.168.126.65).
2514
----
e0-DHCP from cablemodem
e1-192.168.126.1/28
s0-192.168.126.161/30
2600
----
e0-192.168.126.17/28
s0-192.168.126.162/30
2514
----
MANY-R1#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.126.162 1 FULL/DR 00:00:35 192.168.126.162 Serial0
2600
----
SFCA-R1#sh ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
192.168.126.65 1 FULL/BDR 00:00:34 192.168.126.161 Serial1/0
2600 Show ip route
------------------
SFCA-R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.126.161 to network 0.0.0.0
192.168.126.0/24 is variably subnetted, 4 subnets, 3 masks
C 192.168.126.16/28 is directly connected, Ethernet0/0
O 192.168.126.0/28 [110/791] via 192.168.126.161, 00:06:07, Serial1/0
O 192.168.126.65/32 [110/782] via 192.168.126.161, 00:06:07, Serial1/0
C 192.168.126.160/30 is directly connected, Serial1/0
O*E2 0.0.0.0/0 [110/1] via 192.168.126.161, 00:06:07, Serial1/0
2600 config
-----------
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SFCA-R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxx
!
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
ip name-server 167.x.x.205
ip name-server 167.x.x.139
ip dhcp excluded-address 192.168.126.17 192.168.126.23
!
ip dhcp pool Addresses
 network 192.168.126.16 255.255.255.240
 default-router 192.168.126.17
 dns-server 167.x.x.205 167.206.3.139
!
ip audit po max-events 100
!
interface Ethernet0/0
 ip address 192.168.126.17 255.255.255.240
 half-duplex
!
interface BRI0/0
 no ip address
 encapsulation hdlc
 shutdown
!
interface Serial1/0
 ip address 192.168.126.162 255.255.255.252
 encapsulation frame-relay
 ip ospf network broadcast
 no keepalive
 cdp enable
 frame-relay interface-dlci 100
!
router ospf 1
 log-adjacency-changes
 network 192.168.126.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
ip classless
!
10-03-2007 01:16 PM
Riley
This is strange. It sure looks like both the 2514 and the 2600 have valid default routes. I do not see anything on the 2514 that would discriminate between its connected PCs and the PCs coming from the 2600. It feels a bit to me as if the problem might be traffic from the PCs getting to and through the 2600. I wonder if there might be a VLAN, or trunk, or default gateway problem. But one of the posts seems to indicate that a PC connected to the 2950 connected to the 2600 does a traceroute and gets a response from the 2514. Can you verify that this is true?
HTH
Rick
10-03-2007 03:10 PM
From the switch connected to the 2600 I can ping all interfaces on the 2514, even the outside e0 interface that gets its address via DHCP from the cablemodem.
From the switch a ping to 207.46.19.190 replies as follows:
SFCA-SW1#ping 207.46.19.190
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 207.46.19.190, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
From the switch a traceroute to 207.46.19.190 replies as follows:
SFCA-SW1#traceroute 207.46.19.190
Type escape sequence to abort.
Tracing the route to 207.46.19.190
1 192.168.126.17 6 msec 6 msec 0 msec
2 192.168.126.161 31 msec 26 msec 21 msec
3 192.168.126.161 !A !A *
A traceroute from the 2514 replies as follows:
MANY-R1#traceroute 207.46.19.190
Type escape sequence to abort.
Tracing the route to wwwbaytest1.microsoft.com (207.46.19.190)
1 10.23.192.1 12 msec 12 msec 12 msec
2 dstswr2-vlan2.rh.hntnny.cv.net (167.206.34.162) 12 msec 16 msec 12 msec
3 r2-ge9-2.mhe.hcvlny.cv.net (167.206.34.133) 12 msec 12 msec 12 msec
4 rtr3-tg10-2.wan.hcvlny.cv.net (64.15.4.5) 16 msec 12 msec 16 msec
5 64.15.0.198 152 msec 180 msec 212 msec
6 64.15.0.94 20 msec 20 msec 20 msec
7 * * *
8 207.46.47.124 16 msec 20 msec 20 msec
9 so-6-0-2-0.sjc-64cb-1a.ntwk.msn.net (207.46.34.153) 96 msec 100 msec 100 msec
10 ge-1-0-0-0.bay-64c-1a.ntwk.msn.net (207.46.37.158) 100 msec 100 msec 100 msec
11 po2.bay-6nf-mcs-1b.ntwk.msn.net (64.4.62.138) 96 msec 96 msec 96 msec
12 * !A *
10-03-2007 03:33 PM
I thought this might be access list related but I removed the inbound and outbound access lists from the outside e0 interface and I still have the same issue.
10-04-2007 07:17 AM
Riley
The traceroute information is helpful. In particular this line:
3 192.168.126.161 !A !A *
The A in the response is an indication that it is "administratively prohibited" and this is usually a sign of an access-list.
I am a bit puzzled and want to verify whether you had removed the access list when this traceroute was done?
Also when you say that you removed the access list can we be specific about whether that means that you did no access-list or whether you did no access-group on the interface?
HTH
Rick
10-04-2007 08:49 AM
I did the following on e0:
no access-group Incomming in
no access-group Outgoing out
I still have access-list 1 since I need that for the NAT overload. I changed it however to include the 192.168.126.0/28 networks because I didn't know if that was the problem.
ip access-list extended Outgoing
 remark Don't allow internal hosts to send icmp
 deny icmp any any
 remark Only allow packets from the internal network
 permit ip 24.46.160.0 0.0.15.255 any
 permit ip 192.168.126.0 0.0.0.255 any
10-04-2007 08:59 AM
Riley
I like that change in the Outgoing access-list. After you have done the no ip access-group (I assume it was a typo that you left "ip" out of the command in your posting) on e0, does the traceroute from the remote still have the same output?
HTH
Rick
10-04-2007 10:54 AM
I left out the 'ip' by accident in my post. I removed the access lists from the e0 interface and verified they were removed with a 'sh run'. I don't know what the actual problem is so I also removed the 'default-information originate always' and put a static route on the 2600 'ip route 0.0.0.0 0.0.0.0 s1/0'.
Without the access lists on the e0 interface I did a traceroute again and here is the output:
2514
----
MANY-R1#traceroute 167.206.3.205
Type escape sequence to abort.
Tracing the route to dhcp29.srv.hcvlny.cv.net (167.206.3.205)
1 10.23.192.1 8 msec 16 msec 12 msec
2 dstswr1-vlan2.rh.hntnny.cv.net (167.206.34.161) 12 msec 12 msec 16 msec
3 r1-ge9-2.mhe.hcvlny.cv.net (167.206.34.129) 16 msec 12 msec 12 msec
4 rtr3-tg11-2.wan.hcvlny.cv.net (64.15.4.1) 20 msec 12 msec 12 msec
5 64.15.4.22 12 msec 12 msec 16 msec
6 r1-srp5-0.mhe.hcvlny.cv.net (65.19.104.194) 12 msec 12 msec 12 msec
7 167.206.15.129 44 msec 12 msec 12 msec
8 swr8-vl8.sf.hcvlny.cv.net (167.206.15.187) 12 msec 12 msec 12 msec
9 dhcp29.srv.hcvlny.cv.net (167.206.3.205) 12 msec 56 msec 16 msec
2600
----
SFCA-R1#traceroute 167.206.3.205
Type escape sequence to abort.
Tracing the route to 167.206.3.205
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
All the way up to 30 hops ....
The 2600 can PING the s0 interface on the 2514 but not the e0 interface.
10-04-2007 11:31 AM
I took off the Incoming and Outgoing access lists, again, from the e0 interface on the 2514 and then I updated the access list 1 for the NAT overload to the following:
Standard IP access list 1
10 permit 192.168.126.0, wildcard bits 0.0.0.255 (8367 matches)
20 permit 192.168.126.16, wildcard bits 0.0.0.15
30 permit 192.168.126.160, wildcard bits 0.0.0.3
So, I added the LAN off of the 2600 (192.168.126.16/28) and the WAN between the 2600 and the 2514 (192.168.126.160/30).
Still no good. The 2600 could PING the s0 interface on the 2514 but not the e0 interface.
Then on the 2514 I added the network for the e0 interface to OSPF as follows:
router ospf 1
 log-adjacency-changes
 network 24.46.160.0 0.0.15.255 area 0
 network 192.168.126.0 0.0.0.255 area 0
After that I saw an OSPF route on the 2600 to the 24 network that the e0 interface was on and then I could PING the e0 interface. It doesn't seem like the static route is working on the 2600... sort of... Only after advertising the 24 network in OSPF could the 2600 PING the e0 interface. But, before I added the 24 network to OSPF the traceroutes would at least make it to the s0 interface on the 2514 so the 2600 at least knew to go in that direction??? I wish I knew what I was doing. I'm really lost with all of this....
10-04-2007 04:35 PM
It's fixed! Thank you everyone for your help.
Someone pointed out that I didn't add an 'ip nat inside' statement to the s0 interface on the 2514. I had one on the e1 interface and that's why those clients were working fine, but nothing coming through the s0 interface.
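A small config audit for exactly this failure mode, added here as an example and not something posted in the thread: it parses a cut-down copy of the 2514 config (constructed from the thread, with Serial0 still lacking 'ip nat inside'), resolves the NAT source access-list, and flags any interface whose own address falls inside that ACL but carries no 'ip nat' role. The wildcard_match helper also answers the earlier wildcard-mask question (192.168.126.0 0.0.0.255 does cover every 192.168.126.x address). Only the 'access-list N permit net wildcard' form is handled; that is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample trimmed from the thread's 2514 config, with Serial0 still
# lacking "ip nat inside" (the defect the thread ended up finding).
SAMPLE_CONFIG = """\
interface Ethernet1
 ip address 192.168.126.1 255.255.255.240
 ip nat inside
!
interface Serial0
 ip address 192.168.126.161 255.255.255.252
!
ip nat inside source list 1 interface Ethernet0 overload
access-list 1 permit 192.168.126.0 0.0.0.255
"""

def wildcard_match(addr, network, wildcard):
    """IOS access-list semantics: wildcard bits set to 1 are 'don't care',
    so 192.168.126.0 0.0.0.255 covers every 192.168.126.x address."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def parse_interfaces(config):
    """Map interface name -> {"ip": address or None, "nat": inside/outside/None}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {"ip": None, "nat": None}
        elif cur and line.startswith("ip address ") and not line.endswith(" dhcp"):
            ifaces[cur]["ip"] = line.split()[2]
        elif cur and line.startswith("ip nat "):
            ifaces[cur]["nat"] = line.split()[2]
        elif line == "!":
            cur = None          # end of the interface stanza
    return ifaces

def nat_gaps(config):
    """Interfaces whose own address is covered by the NAT source ACL but that
    carry no 'ip nat' role: packets entering there are never translated."""
    m = re.search(r"^ip nat inside source list (\S+) ", config, re.M)
    if not m:
        return []
    acl = re.findall(r"^access-list %s permit (\S+) (\S+)" % re.escape(m.group(1)),
                     config, re.M)
    return [name for name, i in parse_interfaces(config).items()
            if i["ip"] and i["nat"] is None
            and any(wildcard_match(i["ip"], n, w) for n, w in acl)]
```

Running nat_gaps(SAMPLE_CONFIG) reports Serial0; adding 'ip nat inside' under that interface makes the list empty, matching the fix the thread arrived at.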
10-05-2007 05:42 AM
Riley
Thank you for posting that the problem was resolved and what the resolution was. It makes the forum more useful when people can read about a problem and can read the solution that solved the problem.
In retrospect it is a very logical solution and I am disappointed that we did not spot that sooner. I am glad that you have it solved and things are working.
HTH
Rick