Help - Default route to Internet

rileymartin · ‎10-02-2007

Hi,

I have a small network I'm learning on and I don't know how to correctly configure a default route to the Internet to pass along to other internal routers.

I have my cablemodem connected to a 2514 which is connected to a 2600 (s0-s0) which is connected to a 2950 with some clients. I have a 2950 hanging off of the 2514 and everything works fine for those clients, just not the clients on the 2950 hanging off the 2600.

The clients off of the 2514 can get to the Internet with no problem. Clients off of the 2600 on the other hand can't do anything. When I try and do a PING it says 'Reply from 192.168.126.161: Destination net unreachable'. After two hops a tracert from a PC also says '192.168.126.161 reports: Destination net unreachable'. I don't understand why the 2514 can route to the Internet for the clients off the 2514 but not for the clients off the 2600.

I put a default route and the command 'default-information originate always' on the 2514 but still no good. I see the default route on the 2600 but it's not working. Any help would be appreciated. Here's the config from the 2514:

version 12.3

service tcp-keepalives-in

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service udp-small-servers

service tcp-small-servers

!

hostname R1

!

enable secret 5 xxxxxxxxxxxxxxxx

!

no aaa new-model

ip subnet-zero

no ip source-route

ip cef

ip dhcp excluded-address 192.168.126.1 192.168.126.8

!

ip dhcp pool DHCPPool

import all

network 192.168.126.0 255.255.255.240

default-router 192.168.126.1

!

interface Loopback0

ip address 192.168.126.65 255.255.255.240

!

interface Ethernet0

description Outside interface

ip address dhcp

ip access-group Incoming in

ip access-group Outgoing out

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

no ip mroute-cache

ntp disable

no cdp enable

hold-queue 32 in

hold-queue 100 out

!

interface Ethernet1

description Inside interface

ip address 192.168.126.1 255.255.255.240

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

no ip mroute-cache

!

interface Serial0

ip address 192.168.126.161 255.255.255.252

encapsulation frame-relay

ip ospf network broadcast

no keepalive

clock rate 64000

cdp enable

frame-relay interface-dlci 100

!

interface Serial1

ip address 192.168.126.165 255.255.255.252

encapsulation frame-relay

ip ospf network broadcast

no keepalive

clock rate 64000

cdp enable

frame-relay interface-dlci 200

!

router ospf 1

log-adjacency-changes

network 192.168.126.0 0.0.0.255 area 0

network 192.168.163.4 0.0.0.3 area 0

default-information originate always

!

ip nat inside source list 1 interface Ethernet0 overload

no ip http server

ip classless

ip route 0.0.0.0 0.0.0.0 dhcp

!

ip access-list extended Incoming

remark Deny NetBIOS Name, Datagram and Session service

deny udp any range netbios-ns netbios-ss any

deny tcp any range 137 139 any

remark Only allow ACKed tcp packets to our network

permit tcp any xx.xx.xx.0 0.0.15.255 gt 1023 established

remark Allow DHCP replies to reach the e0 interface

permit udp any any eq bootpc

remark Allow DNS queries

permit tcp any eq domain any

permit udp any eq domain any

remark Only allow specific ICMP message type & code

permit icmp any xx.xx.xx.0 0.0.15.255 net-unreachable

permit icmp any xx.xx.xx.0 0.0.15.255 host-unreachable

permit icmp any xx.xx.xx.0 0.0.15.255 port-unreachable

permit icmp any xx.xx.xx.0 0.0.15.255 packet-too-big

permit icmp any xx.xx.xx.0 0.0.15.255 administratively-prohibited

permit icmp any xx.xx.xx.0 0.0.15.255 source-quench

permit icmp any xx.xx.xx.0 0.0.15.255 ttl-exceeded

ip access-list extended Outgoing

remark Don't allow internal hosts to send icmp

deny icmp any any

remark Only allow packets from the internal network

permit ip xx.xx.xx.0 0.0.15.255 any

access-list 1 permit 192.168.126.0 0.0.0.255

spremkumar · ‎10-02-2007

Hi

You have mentioned only one network to get natted used access-list 1 which is attached to nat overload statement.

Do make sure that you have both the networks allowed to get natted.

Try adding the other network as well which is configured in 2600 router.

regds

rileymartin · ‎10-03-2007

Thanks for the reply. I have all the subnets I am using listed below. If I understand wildcard masks correctly then 192.168.126.0 0.0.0.255 should cover any subnet of 192.168.126.x.

192.168.126.0/28

192.168.126.16/28

192.168.126.32/28

192.168.126.160/30

192.168.126.164/30

Please let me know if I'm wrong or if I missed something. Is it differnt with NAT'ing or using access lists? Thanks.

Riley

Richard Burts · ‎10-03-2007

Riley

You have given us pretty good information about the 2514. Can you also give us some information about the 2600, especially what subnet is used on its LAN and for the clients on the 2950?

Also can you do a show ip ospf neighbor and verify that the 2514 and the 2600 have become neighbors?

HTH

Rick

HTH

Rick

rileymartin · ‎10-03-2007

Thanks for the reply. Here are the networks I am using, the output from 'sh ip ospf neighbor' from both 2514 and 2600, 'sh ip rout' on the 2600 and the 2600 config. The neighbor address of the 2514 is a loopback address (192.168.126.65).

2514

----

e0-DHCP from cablemodem

e1-192.168.126.1/28

s0-192.168.126.161/30

2600

----

e0-192.168.126.17/28

s0-192.168.126.162/30

2514

----

MANY-R1#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface

192.168.126.162 1 FULL/DR 00:00:35 192.168.126.162 Serial0

2600

----

SFCA-R1#sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface

192.168.126.65 1 FULL/BDR 00:00:34 192.168.126.161 Serial1/0

2600 Show ip route

------------------

SFCA-R1#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.126.161 to network 0.0.0.0

192.168.126.0/24 is variably subnetted, 4 subnets, 3 masks

C 192.168.126.16/28 is directly connected, Ethernet0/0

O 192.168.126.0/28 [110/791] via 192.168.126.161, 00:06:07, Serial1/0

O 192.168.126.65/32 [110/782] via 192.168.126.161, 00:06:07, Serial1/0

C 192.168.126.160/30 is directly connected, Serial1/0

O*E2 0.0.0.0/0 [110/1] via 192.168.126.161, 00:06:07, Serial1/0

2600 config

-----------

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname SFCA-R1

!

boot-start-marker

boot-end-marker

!

enable secret 5 xxx

!

no aaa new-model

ip subnet-zero

no ip source-route

ip cef

!

ip name-server 167.x.x.205

ip name-server 167.x.x.139

ip dhcp excluded-address 192.168.126.17 192.168.126.23

!

ip dhcp pool Addresses

network 192.168.126.16 255.255.255.240

default-router 192.168.126.17

dns-server 167.x.x.205 167.206.3.139

!

ip audit po max-events 100

!

interface Ethernet0/0

ip address 192.168.126.17 255.255.255.240

half-duplex

!

interface BRI0/0

no ip address

encapsulation hdlc

shutdown

!

interface Serial1/0

ip address 192.168.126.162 255.255.255.252

encapsulation frame-relay

ip ospf network broadcast

no keepalive

cdp enable

frame-relay interface-dlci 100

!

router ospf 1

log-adjacency-changes

network 192.168.126.0 0.0.0.255 area 0

!

no ip http server

no ip http secure-server

ip classless

!

Richard Burts · ‎10-03-2007

Riley

This is strange. It sure looks like both the 2514 and the 2600 have valid default routes. I do not see anything on the 2514 that would discriminate between its connected PCs and the PCs coming from the 2600. It feels a bit to me as if the problem might be traffic from the PCs getting to and through the 2600. I wonder if there might be a VLAN, or trunk, or default gateway problem. But one of the posts seems to indicate that a PC connected to the 2950 connected to the 2600 does a traceroute and gets a response from the 2514. Can you verify that this is true?

HTH

Rick

HTH

Rick

rileymartin · ‎10-03-2007

From the switch connected to the 2600 I can ping all interfaces on the 2514, even the outside e0 interface that gets its address via DHCP from the cablemodem.

From the switch a ping to 207.46.19.190 replies as follows:

SFCA-SW1#ping 207.46.19.190

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 207.46.19.190, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

From the switch a traceroute to 207.46.19.190 replies as follows:

SFCA-SW1#traceroute 207.46.19.190

Type escape sequence to abort.

Tracing the route to 207.46.19.190

1 192.168.126.17 6 msec 6 msec 0 msec

2 192.168.126.161 31 msec 26 msec 21 msec

3 192.168.126.161 !A !A *

A traceroute from the 2514 replies as follows:

MANY-R1#traceroute 207.46.19.190

Type escape sequence to abort.

Tracing the route to wwwbaytest1.microsoft.com (207.46.19.190)

1 10.23.192.1 12 msec 12 msec 12 msec

2 dstswr2-vlan2.rh.hntnny.cv.net (167.206.34.162) 12 msec 16 msec 12 msec

3 r2-ge9-2.mhe.hcvlny.cv.net (167.206.34.133) 12 msec 12 msec 12 msec

4 rtr3-tg10-2.wan.hcvlny.cv.net (64.15.4.5) 16 msec 12 msec 16 msec

5 64.15.0.198 152 msec 180 msec 212 msec

6 64.15.0.94 20 msec 20 msec 20 msec

7 * * *

8 207.46.47.124 16 msec 20 msec 20 msec

9 so-6-0-2-0.sjc-64cb-1a.ntwk.msn.net (207.46.34.153) 96 msec 100 msec 100 mse

c

10 ge-1-0-0-0.bay-64c-1a.ntwk.msn.net (207.46.37.158) 100 msec 100 msec 100 mse

c

11 po2.bay-6nf-mcs-1b.ntwk.msn.net (64.4.62.138) 96 msec 96 msec 96 msec

12 * !A *

rileymartin · ‎10-03-2007

I thought this might be access list related but I removed the inbound and outbound access lists from the outside e0 interface and I still have the same issue.

Richard Burts · ‎10-04-2007

Riley

The traceroute information is helpful. In particular this line:

3 192.168.126.161 !A !A *

The A in the response is an indication that it is "administratively prohibited" and this is usually a sign of an access-list.

I am a bit puzzled and want to verify whether you had removed the access list when this traceroute was done?

Also when you say that you removed the access list can we be specific about whether that means that you did no access-list or whether you did no access-group on the interface?

HTH

Rick

HTH

Rick

rileymartin · ‎10-04-2007

I did the following on e0:

no access-group Incomming in

no access-group Outgoing out

I still have access-list 1 since I need that for the NAT overload. I changed it however to include the 192.168.126.0/28 networks because I didn't know if that was the problem.

ip access-list extended Outgoing

remark Don't allow internal hosts to send icmp

deny icmp any any

remark Only allow packets from the internal network

permit ip 24.46.160.0 0.0.15.255 any

permit ip 192.168.126.0 0.0.0.255 any

Richard Burts · ‎10-04-2007

Riley

I like that change in the Outgoing access-list. After you have done the no ip access-group (I assume it was a typo that you left "ip" out of the command in your posting) on e0, does the traceroute from the remote still have the same output?

HTH

Rick

HTH

Rick

rileymartin · ‎10-04-2007

I left out the 'ip' by accident in my post. I removed the access lists from the e0 interface and verified they were removed with a 'sh run'. I don't know what the actual problem is so I also removed the 'default-information originate always' and put a static route on the 2600 'ip route 0.0.0.0 0.0.0.0 s1/0'.

Without the access lists on the e0 interface I did a traceroute again and here is the output:

2514

----

MANY-R1#traceroute 167.206.3.205

Type escape sequence to abort.

Tracing the route to dhcp29.srv.hcvlny.cv.net (167.206.3.205)

1 10.23.192.1 8 msec 16 msec 12 msec

2 dstswr1-vlan2.rh.hntnny.cv.net (167.206.34.161) 12 msec 12 msec 16 msec

3 r1-ge9-2.mhe.hcvlny.cv.net (167.206.34.129) 16 msec 12 msec 12 msec

4 rtr3-tg11-2.wan.hcvlny.cv.net (64.15.4.1) 20 msec 12 msec 12 msec

5 64.15.4.22 12 msec 12 msec 16 msec

6 r1-srp5-0.mhe.hcvlny.cv.net (65.19.104.194) 12 msec 12 msec 12 msec

7 167.206.15.129 44 msec 12 msec 12 msec

8 swr8-vl8.sf.hcvlny.cv.net (167.206.15.187) 12 msec 12 msec 12 msec

9 dhcp29.srv.hcvlny.cv.net (167.206.3.205) 12 msec 56 msec 16 msec

2600

----

SFCA-R1#traceroute 167.206.3.205

Type escape sequence to abort.

Tracing the route to 167.206.3.205

1 * * *

2 * * *

3 * * *

4 * * *

5 * * *

All the way up to 30 hops ....

The 2600 can PING the s0 interface on the 2514 but not the e0 interface.

rileymartin · ‎10-04-2007

I took off the Incomming and Outgoing access lists, again, from the e0 interface on the 2514 and then I updated the access list 1 for the NAT overload to the following:

Standard IP access list 1

10 permit 192.168.126.0, wildcard bits 0.0.0.255 (8367 matches)

20 permit 192.168.126.16, wildcard bits 0.0.0.15

30 permit 192.168.126.160, wildcard bits 0.0.0.3

So, I added the LAN off of the 2600 (192.168.126.16/28) and the WAN between the 2600 and the 2514 (192.168.126.160/30).

Still no good. The 2600 could PING the s0 interface on the 2514 but not the e0 interface.

Then on the 2514 I added the network for the e0 interface to OSPF as follows:

router ospf 1

log-adjacency-changes

network 24.46.160.0 0.0.15.255 area 0

network 192.168.126.0 0.0.0.255 area 0

After that I saw an OSPF route on the 2600 to the 24 network that the e0 interface was on and then I could PING the e0 interface. It doesn't seem lik the static route is working on the 2600... sort of... Only after advertising the 24 network in OSPF could the 2600 PING the e0 interface. But, before I added the 24 network to OSPF the traceroutes would at least make it to the s0 interface on the 2514 so the 2600 at least knew to go in that direction??? I wish I knew what I was doing. I'm really lost with all of this....

rileymartin · ‎10-04-2007

It's fixed! Thank you everyone for your help.

Someone pointed out that I didn't add an 'ip nat inside' statement to the s0 interface on the 2514. I had one on the e1 interface and that's why those clients were working fine, but nothing comming through the s0 interface.

Richard Burts · ‎10-05-2007

Riley

Thank you for posting that the problem was resolved and what the resolution was. It makes the forum more useful when people can read about a problem and can read the solution that solved the problem.

In retrospect it is a very logical solution and I am disappointed that we did not spot that sooner. I am glad that you have it solved and things are working.

HTH

Rick

HTH

Rick