Working 2621XM Config Required

Unanswered Question
Apr 4th, 2009

Hi all,


I am having plenty of trouble trying to get my network connecting to the internet via a 2621XM router.


I currently have my network connecting to the internet through an ISA Firewall/Proxy but am wanting to replace this with the 2621XM.


The router has been configured correctly (I assume) from what I have read on the net as well as from a few colleagues who know more about the ins and outs of this stuff. Access to the internet is still not happening.

I have configured FA0/0 as the outside interface and FA0/1 as the interface. The config for my router is attached. (See file 2621XM_Config - Original.txt)


One thing that my friends told me was to configure the outside interface with the static IP supplied to me by my ISP.

I know I would only do this if I had my modem in Bridged mode, but as it is currently NAT'ing from my static IP to a 10.x.x.x address, I need not bother with altering it. Should I change it?

(See file 2621XM_Config - Modified.txt)


My internet service is via ADSL.


Neither method has worked, so I am thinking that there is something missing in each of the configs.


Two questions need answering that I am unsure how to proceed with:

1. the ip domain-name... should this be my public domain name or my internal domain name?

2. the ip name-servers... should these be my ISP name servers or my internal name servers?


My ISA proxy/firewall is setup as a forwarding-only name server and uses my ISP name-servers to forward any requests my internals are unable to resolve. The 2621XM will effectively be doing this from now on.


Does anyone have a working config of a 2621XM that I would be able to use or work from to get my setup working correctly?


Thanking anyone in advance who can help me resolve this.


regards,

Darren



Giuseppe Larosa Sun, 04/05/2009 - 04:33

Hello Darren,

I would suggest the following changes:


a)

on the WAN interface f0/0

int f0/0
 ip nat outside


b) on the inside interface:

All interfaces that need to be NATted need the ip nat inside command. NAT is triggered by the fact that a packet has to cross from inside to outside; if the source of the packet matches the ACL used by NAT, a NAT translation is created.


c) very basic

If you decide to use subinterfaces, I recommend removing the ip address from the main interface and using only subinterfaces:


int f0/1
 no ip address

int f0/1.1
 enc dot1q 1
 ip address 192.168.74.254 255.255.255.0
 ip helper-address 192.168.74.100
 ip nat inside

int f0/1.2
 ip nat inside

...

int f0/1.5
 ip nat inside


Edit:

I hadn't seen you had posted also in lan switching forum.

However, the origin of your problems are the missing ip nat inside commands on all L3 internal logical interfaces.


Hope to help

Giuseppe


darrenoleary Sun, 04/05/2009 - 04:46

Thanks Giuseppe.


I thought I would cover myself and get as much coverage as possible for the same problem in multiple forums.


I had actually amended the config shown in the other forum to show 'ip nat outside' on the FA0/0, but as stated, the actual config on the router already had this. I accidentally omitted it when I posted.

I have since also amended, based on your suggestions, each of the sub-interfaces to also have 'ip nat inside'.

Is there a reason behind removing the IP details on FA0/1 and moving them to FA0/1.1? Is it just for uniformity?


Anyway, I am still not able to ping any external addresses beyond my modem.

Any suggestions on this would be appreciated.



regards,

Darren

Giuseppe Larosa Sun, 04/05/2009 - 05:01

Hello Darren,

I would have answered there if I had seen it before, so no problems about this.


>> Is there a reason behind removing the IP details on FA0/1 and moving them to FA0/1.1? Is it just for uniformity?


The reason is that without an ip address the main interface is not a L3 interface. This helps the router to understand it needs to check VLAN tags.

It is a best practice used also on high end routers.


Exactly what kind of ADSL service are you getting?

Is the modem only a modem, or rather an ADSL router?

In the latter case you may need to get an ip address from the ADSL router on the C2621XM "wan" port

This is because it (the modem) has to perform NAT itself.


Hope to help

Giuseppe




darrenoleary Sun, 04/05/2009 - 05:09

Hi,


I have static IP address assigned to my service by my ISP.

Yes, the modem/router (D-Link 504-T) is already performing NAT itself from the static IP to the 10.1.1.1 address which is the next hop for my network at the moment. Hence why I have given fa0/0 an address of 10.1.1.254.


Should I instead, change the modem to operate in Bridged mode and assign interface fa0/0 the static address from my ISP?

Can I leave it as is and still get it to work?


thanks,

Darren

Giuseppe Larosa Sun, 04/05/2009 - 05:15

Hello Darren,

It can work in routed mode.


Bridged mode is possible only if a change is made also on the service provider side, to have its equipment prepared to send and receive Ethernet frames over ATM instead of IP packets over ATM (over DSL).


Use on the C2621XM:

ip route 0.0.0.0 0.0.0.0 10.1.1.1

if 10.1.1.1 is the D-Link internal ip, so you don't rely on ip proxy-arp on the D-Link.


Hope to help

Giuseppe





darrenoleary Sun, 04/05/2009 - 05:28

getting there, almost!!!


I put the 'ip route 0.0.0.0 0.0.0.0 10.1.1.1' command on the 2621XM and now when I ping any internet address from the router I am getting responses, mixed at best.

For example, pinging yahoo.com.au I get the following response:

2621XM#ping yahoo.com.au
Translating "yahoo.com.au"...domain server (210.15.254.240) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.84.217.26, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/30/32 ms


but pinging my ISP DNS server I get the following:

2621XM#ping 210.15.254.240
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 210.15.254.240, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 16/16/16 ms





Your thoughts please.



thanks,

Darren

Giuseppe Larosa Sun, 04/05/2009 - 05:43

Hello Darren,


Can you ping an internet destination starting from an internal LAN?

You can use extended ping or the /source option for this.

It looks like it is working now from the WAN interface.

The ISP DNS can be protected from ICMP traffic, or it is suffering problems in one of two parallel links (inside the ISP network).


Hope to help

Giuseppe


darrenoleary Sun, 04/05/2009 - 06:21

Hi Giuseppe,


Appears to be working as I can ping from the router to internet addresses and can perform a trace from the internal lan.

However, I am unable to connect to the net with IE. I have changed the IE proxy settings to suit and am unable to display a webpage.

NSLOOKUP also does not work.


?



regards,

Giuseppe Larosa Sun, 04/05/2009 - 23:21

Hello Darren,

good news that routing and NAT are working.


For DNS, what is the DNS server on the PC?


Hope to help

Giuseppe


darrenoleary Mon, 04/06/2009 - 22:46

Hi Giuseppe,

Not quite sure what you mean, but DNS Server on the PC is a forwarding-only DNS server on the ISA Proxy/Firewall and an internal DNS (MS Win2K3) for my domain.

Any names unable to be resolved by the internal DNS are forwarded to the DNS on the ISA which forwards to my ISP DNS servers.

darrenoleary Wed, 04/08/2009 - 06:23

Hi Giuseppe,


I have included my complete and current config for the 2621XM.

I am still experiencing problems where my network is not able to get outside. For example, pages do not load in IE and I am unable to perform nslookups or ping external addresses. I have changed the IE proxy address details from the name of my ISA server to that of the router and I have removed any/all reference of the ISA server from my internal DNS servers. Still, I am not able to get out to the net. IE still thinks it's a DNS issue.


My internal DNS servers are 192.168.74.100 and 192.168.74.103 with my ISA server used as a DNS forwarder-only on 192.168.74.254.

Is there a way to get the 2621XM to act as a DNS forwarder in place of the ISA server, as this is my aim in the end?


Firstly, are the ip name-server commands shown in the config sufficient to achieve this?

The IP addresses shown are the DNS servers of my ISP.


Secondly, does the ip domain-name command need to specify my public or private domain name? They are both the same except '.local' is appended for my local name.


Something about this config must be correct because I am able to ping from the router to an external IP address or URL and get a response. Some respond with !!!!!, while others respond with !.!.!. For example, when I ping the ntp address, I get !.!.!.

Also, the router uses the ntp command to obtain the current date & time from an ntp server on the internet. This works without a problem by the look of it.


Any ideas or suggestions?


thanks and regards,

Darren



Giuseppe Larosa Wed, 04/08/2009 - 11:34

Hello Darren,

About the DNS:


>> Is there a way to get the 2621XM to act as a DNS forwarder in place of the ISA server, as this is my aim in the end?


1)

Are the ip name-server commands shown in the config sufficient to achieve this?


No, I think they are meant to be used by the router itself, not for forwarding DNS queries.


Here you have NAT and NAT has to be configured to support DNS queries.


I've found a configuration example for supporting an internal DNS server.


The idea is to build a static NAT command for the internal DNS server, using as global one ip address taken from the pool.

In your case the mapping has to be on the UDP DNS port, because you have only one public ip address:


ip nat inside source static udp internal-address 53 global-address 53


Hope to help

Giuseppe


darrenoleary Wed, 04/08/2009 - 13:59

Thanks for the help on this matter Giuseppe.


So, if I were to read this correctly, which of the following two commands would I have to use in my own config:


ip nat inside source static udp 192.168.74.100 53 192.168.74.100 53 extendable


or;


ip nat inside source static udp 192.168.74.100 53 210.15.254.240 53 extendable


The address of 192.168.74.100 is my internal DNS server and 210.15.254.240 is my ISP DNS server.


thanks,

Darren

darrenoleary Mon, 04/13/2009 - 01:52

Hi,


I am a bit confused as to what I should have in this command.

The command:

ip nat inside source static udp internal-address 53 global-address 53


lists an internal address, I assume my DNS server, as well as a global address. Should I specify the global address as my public IP address or an IP address of my ISP DNS servers?


Thanks,

Darren

Giuseppe Larosa Mon, 04/13/2009 - 10:56

Hello Darren,

Being a NAT command, it can only convert your internal DNS server to the ip address of the WAN interface of your router.

So read global-address = router wan ip address.


Hope to help

Giuseppe
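As an added illustration (this is not Darren's attached config nor anything Giuseppe posted), here are the pieces recommended across this thread collected into one 2621XM fragment: ip nat outside on f0/0, ip nat inside on each dot1q subinterface, the default route to the D-Link, a source-NAT overload rule for the inside LAN, and the static UDP/53 mapping with global-address read as the router's WAN address. The domain name example.local, ACL number 10 and showing only the first subinterface are assumptions; the addresses come from the thread.

```cisco
! Added example, not the original poster's config. Assumed: 10.1.1.1 is the
! D-Link LAN address, the router WAN port is 10.1.1.254, the inside LAN is
! 192.168.74.0/24 and 210.15.254.240 is the ISP DNS server named in the thread.
ip domain-name example.local           ! placeholder; the router's own search domain
ip name-server 210.15.254.240          ! used by the router itself (e.g. "ping yahoo.com.au")
!
! WAN side: the D-Link already NATs the public address to 10.1.1.x, so the
! router stays in routed mode with a private address here.
interface FastEthernet0/0
 ip address 10.1.1.254 255.255.255.0
 ip nat outside
!
! Inside: no address on the physical port, only on dot1q subinterfaces, and
! "ip nat inside" on every L3 subinterface whose hosts must reach the internet.
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1
 ip address 192.168.74.254 255.255.255.0
 ip helper-address 192.168.74.100
 ip nat inside
!
! Default route to the D-Link so the router does not rely on its proxy-ARP.
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
! Source NAT: inside sources matching ACL 10 are overloaded onto the WAN
! interface address. A translation is created when a packet crosses from an
! "inside" interface to the "outside" one and matches this ACL.
access-list 10 permit 192.168.74.0 0.0.0.255
ip nat inside source list 10 interface FastEthernet0/0 overload
!
! The static mapping from the thread, with global-address = router WAN address.
! It makes 192.168.74.100 reachable on UDP/53 from the D-Link side; outbound
! queries from that server are already translated by the overload rule above.
ip nat inside source static udp 192.168.74.100 53 10.1.1.254 53 extendable
```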


darrenoleary Sun, 04/05/2009 - 05:13

BTW,


Strangely enough, when I do a sh ip route, I am showing an address associated from my ISP: 203.17.101.65


This, according to an nslookup on that address is a loopback address.

I guess something is getting out to come back in, but when attempting to ping any other address from the router, I get no response, even the 203.17.101.65 address.


regards.


** amendment **

When I ping this address from the router, I get a response. From the command prompt window, I get nothing. NSlookup provides the details of the address.
