1841 on fiber connection

dhrumant_g
Level 1

I just moved from two T1s to dedicated fiber. The fiber comes in to a ZyXEL L2 switch where it gets converted into ethernet and from there I have it going to a PIX 501 which is connected to my internal network.

(ISP <> PIX <> internal network) If I go to an IP address pointing to one of my internal servers from inside my network, it won't work; but I can go to it from outside and it works fine. So my previous setup had two 1841 routers connected before the PIX, like so: ISP <> 1841 <> PIX <> internal network.

I need to connect the router up so that I can access an internal server from inside using an external IP or hostname, like www.domain.com that points to my web server.

Can someone please help me configure the router to get this done?

I can post my config if it's needed.


Giuseppe Larosa
Hall of Fame

Hello Dhrumant,

Post the configuration of the 1841 and of the PIX.

Skip usernames and passwords, and mask public IP addresses either by using RFC1918 private IP addresses or letters like x.y.z.k.

It shouldn't be difficult; it should be enough to:

give an IP address of the new provider to a LAN interface to be connected to the provider ZyXEL switch

int fas0/1

ip address x.y.z.k 255.255.255.248

ip nat outside

ip route 0.0.0.0 0.0.0.0 x.y.z.w

where x.y.z.w is the provider default gateway.

remove any default route that was pointing to the T1 serial interface.

This is under the hypothesis that you have two FE ports on your 1841 with one available.

And that NAT was done on C1841 (it could be done on PIX)

Edit:

nothing should change for the PIX connecting to the same IP subnet as before on internal lan of C1841 unless NAT was done on the PIX

Hope to help

Giuseppe

here are the links to the configs:

1841 = http://nopaste.com/p/aUspJAJ1nb

PIX = http://nopaste.com/p/ahjCSXIt8

at the moment the setup is ISP <> PIX <> internal network

my hope is that by adding the router: ISP <> 1841 <> PIX <> internal network, when I go to x.x.1.4 (which is the IP address for my WWW inside at 192.168.0.35) it will work.

On the 1841 there are two FE ports and two VWIC MFT1 cards.

all the nat and pat is done on the PIX the pix inside is: 192.168.0.0 and outside public ip is x.x.1.2, gw: x.x.1.1, subnetmask: 255.255.255.240

Thank you,

Dru

Hello Dru,

the C1841 is configured to bridge between LAN ports, so it is useless; it is like a switch.

So the C1841 with this configuration can do nothing to solve your issue.

About the PIX:

I'm not an expert on PIX but the configuration looks correct

static (inside,outside) tcp interface 3389 192.168.0.162 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 5900 192.168.0.197 5900 netmask 255.255.255.255 0 0

static (inside,outside) x.X.1.4 192.168.0.35 dns netmask 255.255.255.255 0 0

static (inside,outside) x.x.1.3 192.168.0.254 dns netmask 255.255.255.255 0 0

However, I think you should try to access server x.x.1.4 from internet to verify the correct working.

Hope to help

Giuseppe

Yes, x.x.1.4 is working from the internet and so is the domain name that points to x.x.1.4. However, x.x.1.4 is not working from within the network.

I do believe that the PIX is configured correctly.

Can you please help me to configure the C1841?

Hello Dru,

from inside your network you should access the server on its private ip address.

NAT is done for the outside world and works because the ip flow crosses the ip nat outside and ip nat inside interfaces.

The same would happen using a router for NAT instead of PIX.

Hope to help

Giuseppe

Understood, but I need to be able to go to x.x.1.4 or domain.com from the inside.

Before we switched to fiber about a month ago, we had two t1 lines coming into the 1841 (actually there were 2 1841 routers, but I think 1 was on loopback mode or something) <> switch <> PIX <> internal network, and we were also able to go to x.x.1.4 or domain.com from the inside and it worked fine.

It stopped working when we switched to fiber and I had to reset the router to factory defaults because I didn't know the password to get in.

So at the moment it is ISP (ZyXEL L2 switch) <> PIX <> internal network and I was convinced that if I put the router back in before the PIX, it would work as it did before.

Hello Dhru,

>> Understood, but I need to be able to go to x.x.1.4 or domain.com from the inside.

I see this would be handy.

However, before the C1841 was needed because internet link was a WAN T1. You had two actually.

>> I had to reset the router to factory defaults because I didn't know the password to get in.

this doesn't help, knowing how it was configured before could help

Edit:

I look again at your older posts

It would be good to know what version of PIX you have:

PIX OS 6.3.5 from your config file

I need to say I'm not an expert on PIX configurations; other colleagues may be of more help.

let's use the following config example to help

https://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094ea2.shtml#configs

or

https://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094ea2.shtml#configs

edit2:

using also pix 6.3.x command reference I would say:

static (inside,outside) x.X.1.4 192.168.0.35 dns netmask 255.255.255.255 0 0

this line is correct and should do what you want but it also depends on

nat (inside) 0 access-list inside_outbound_nat0_acl

that invokes an ACL

access-list inside_outbound_nat0_acl permit ip any 192.168.0.240 255.255.255.240

Are you trying to access the web service starting from an IP address permitted by this ACL?

Hope to help

Giuseppe

thank you giuseppe, for your reply.

I have a PIX 501 - 6.3(5)

>> Are you trying to access the web service starting from an IP address permitted by this ACL?

I have no idea how to find out the answer to this question, sorry.

Also I do have a backup of the old config from one of the 1841s, here it is:

http://nopaste.com/p/aqhmmp5WJ

Hello Drhu,

the C1841 was not involved with NAT also before.

It was configured for multilink PPP over Frame-Relay to use the two T1 links as logical single datalink.

>> I have no idea how to find out the answer to this question, sorry.

from a Windows PC do

start-> run-> cmd

on the shell type

ipconfig /all

look for ip address if it is not between

192.168.0.240-192.168.0.254 it should not be able to access the server using x.x.1.4 (the public ip address).

check if with a ip address in the range 192.168.0.240-192.168.0.254 you can access on x.x.1.4

Hope to help

Giuseppe
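
Added example, not part of the original posts: a small Python evaluator for the `nat (inside) 0 access-list` line quoted in this thread, showing which flows that ACL line selects. In a PIX 6.x `access-list ... ip` entry the first address spec is the source and the second is the destination, with subnet masks; 203.0.113.4 is a documentation address assumed here in place of the masked x.x.1.4, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the ACL line quoted in the thread. 203.0.113.4 used below is
# a documentation address standing in for the masked public IP x.x.1.4 (assumption).
ACL = ["access-list inside_outbound_nat0_acl permit ip any 192.168.0.240 255.255.255.240"]

def _take(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX 6.x ACLs carry a subnet mask here, not an IOS-style wildcard mask
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]

def parse_acl_line(line):
    """Parse 'access-list NAME permit|deny ip SRC DST' (no ports, ip protocol only)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError("unsupported ACL line: " + line)
    if tok[2] not in ("permit", "deny"):
        raise ValueError("unknown action: " + tok[2])
    src, rest = _take(tok[4:])
    dst, _ = _take(rest)
    return {"name": tok[1], "action": tok[2], "src": src, "dst": dst}

def nat_exempt(acl_lines, src_ip, dst_ip):
    """First-match evaluation: True when the nat 0 ACL would exempt this flow from NAT."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in map(parse_acl_line, acl_lines):
        if s in entry["src"] and d in entry["dst"]:
            return entry["action"] == "permit"
    return False  # implicit deny at the end of the ACL: no exemption

if __name__ == "__main__":
    flows = [
        ("192.168.0.251", "203.0.113.4"),    # inside host -> public address of the web server
        ("192.168.0.35", "192.168.0.251"),   # web server -> an address inside 192.168.0.240/28
        ("192.168.0.35", "192.168.0.239"),   # web server -> an address just below that block
    ]
    for src, dst in flows:
        print(f"{src} -> {dst}: nat 0 exempt = {nat_exempt(ACL, src, dst)}")
```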

Hi Giuseppe,

I tried with an IP of 192.168.0.251 and it did not work.

Hi Giuseppe,

I think I should just reconfigure my network in this way:

ISP <>

1841 (it version advsecurity-k9) (give an outside ip of x.x.1.5, inside of 10.1.1.1) <>

PIX 501(outside of 10.1.1.2, inside of 192.168.0.1) <>

internal network.

I'm thinking it will work like this, what do you think?
