Routing problem with ip unnumbered

Answered Question
May 13th, 2010

Hi Folks,


I'm pretty new to Cisco, so bear with me. I'm switching my office network to a new internet provider, who gives me 8 IP addresses: xxx.xxx.73.128/29

The ISP requires that I dialup using PPPoE, and use IP unnumbered.


On my side, I use 2 Cisco 2811 ISRs. The network diagram looks like this:


WAN, ISP Line
     |
     |     Fe0/1
Router 1
     |     Fe0/0    xxx.xxx.73.129
     |
     |     Fe0/1    xxx.xxx.73.130
Router 2
     |     Fe0/0   192.168.196.1
     |
  LAN  192.168.196.x


Basically, router 1 does only the PPPoE dialup. Router 2 is my pre-existing router and does the NAT, firewall, IPsec tunnel to other office and stuff. Once I'm comfortable with the config I'll consolidate all to router 2 only, but having router 1 allows me to experiment with the config without endangering the old, stable config on router 2.


The problem is: router 2 can't ping router 1 and vice versa, nor can I ping router 2 from the WAN. Yet for some reason, the IPsec tunnel on router 2 manages to go up. Machines on the LAN can access other offices via the tunnel, but cannot access the internet any more.


Router 1 does the dialup and accesses the internet just fine.


Here are the relevant bits of the configs:


Router 1:

vpdn enable
!
interface FastEthernet0/0
description =====LAN Interne=====
ip address xxx.xxx.73.129 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description =====ISP Line=======
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!

interface Dialer1
description KDDI WAN Dialer
ip unnumbered FastEthernet0/0
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap hostname -----
ppp chap password 7 ---
ppp pap sent-username -----
!
ip route 0.0.0.0 0.0.0.0 Dialer1


Router 2

interface Tunnel1
ip address 10.255.0.196 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication ------
ip nhrp map multicast dynamic
ip nhrp map multicast --------
ip nhrp map 10.255.0.1 --------
ip nhrp network-id 1
ip nhrp nhs 10.255.0.1
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf cost 100
ip ospf priority 0
qos pre-classify
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile DMVPN_Profile
!

interface FastEthernet0/0
description =====LAN Interne=====$ETH-LAN$$FW_INSIDE$
ip address 192.168.196.3 255.255.255.0
ip access-group LAN_IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description =====Liaison Internet=====$FW_OUTSIDE$
ip address xxx.xxx.73.130 255.255.255.248
ip access-group WAN_IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect FLOW_IN in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
service-policy output QoS
!
router ospf 1
log-adjacency-changes
network 10.255.0.0 0.0.0.255 area 0
network 192.168.196.0 0.0.0.255 area 0
distribute-list FILTER_OSPF in
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.73.129
ip nat inside source list NO_NAT interface FastEthernet0/1 overload
Correct Answer
spremkumar Fri, 05/14/2010 - 00:59

hi


Can you paste the access lists named WAN_IN here?


regds

Zoltan051 Fri, 05/14/2010 - 02:32

Silly me - indeed the problem was in access list WAN_IN, not a routing issue at all! All working now, thanks!


Correct me if I'm wrong but it should be OK to get rid of the 1st router altogether, right? I could create the dialer1 interface on router 2, plug the ISP line on FE0/1, and have the router's public IP xxx.xxx.73.129 on a Loopback interface...


Anyway, I'm going to leave it like this for the time being. Lucky I had that second 2811 ISR on hand...
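
Added example, not part of the original posts: the fault turned out to be in WAN_IN, an ACL that the posted Router 2 excerpt applies but never shows. This Python script lists the filters bound to each interface and the ACL names that are applied without their entries being present; the sample is a trimmed copy of the Router 2 lines quoted in the question, and the function names are hypothetical.

```python
import re

# Trimmed copy of the Router 2 excerpt from the question (unindented, as pasted).
ROUTER2 = """\
interface FastEthernet0/0
ip access-group LAN_IN in
ip nat inside
!
interface FastEthernet0/1
ip access-group WAN_IN in
ip inspect FLOW_IN in
ip inspect SDM_LOW out
ip nat outside
!
router ospf 1
distribute-list FILTER_OSPF in
!
ip nat inside source list NO_NAT interface FastEthernet0/1 overload
"""

REF = re.compile(r"^\s*ip (access-group|inspect) (\S+) (in|out)\s*$")
ACL_USE = re.compile(r"\b(?:access-group|distribute-list|source list) (\S+)")
ACL_DEF = re.compile(r"^\s*(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+) )")

def interface_filters(config):
    """Map each interface to the (feature, name, direction) filters bound to it."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            result[current] = []
        elif line.strip() == "!":
            current = None  # "!" closes the stanza, with or without indentation
        elif current:
            m = REF.match(line)
            if m:
                result[current].append(m.groups())
    return result

def missing_acls(config):
    """ACL names applied somewhere in the text whose entries are not in the text."""
    used, defined = set(), set()
    for line in config.splitlines():
        used.update(ACL_USE.findall(line))
        m = ACL_DEF.match(line)
        if m:
            defined.add(m.group(1) or m.group(2))
    return sorted(used - defined)
```

Run against the excerpt, every inbound filter on FastEthernet0/1 is reported, and WAN_IN appears among the ACLs whose contents a reader of the thread cannot see.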

spremkumar Fri, 05/14/2010 - 03:04

Hi


Can you post the show version output of both the routers here, so that we can check whether you can remove the first router from your network and directly connect the PPPoE link onto the second router?


regds

Zoltan051 Fri, 05/14/2010 - 03:09

Here goes: it's exactly the same for both. Both routers have 11 FastEthernet interfaces, currently using 2 on each.



Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(19b), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 13-Jun-08 04:12 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1)

--------------------- uptime is 6 hours, 19 minutes
System returned to ROM by reload at 03:43:10 UTC Fri May 14 2010
System image file is "flash:c2800nm-advsecurityk9-mz.124-19b.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
Processor board ID FHK0915F1GT
11 FastEthernet interfaces
1 ISDN Basic Rate interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

spremkumar Fri, 05/14/2010 - 03:13

Hi


If you already had a 2811 then why did you go for another 2811? I thought you might have some 800 series router which you are looking to replace with a 2800 series one.


Any specific requirement in place to have 2 routers out there in your network?


regds

Zoltan051 Fri, 05/14/2010 - 03:17

I just had that second 2811 on hand as a backup so I used it. I didn't want to cause too much downtime on Router 2 to experiment with the config.


Ideally, in the long run the configuration would be a single 2811 router, or coupled with an 800-series router to do the PPPoE connection. The reason for having two 2811s in the first place was to have a backup if one breaks down.
