Lan to Lan router

habbas.ali
Level 1

Hello, I want to configure a routerfirewall with two FastEthernet interfaces between my LAN and a prolan.

Lan-----Routerfirewall----RouterProlan------Network's partners 192.168.x.0/RoamingUsers

I have configured only the routing and NAT without filtering, but it doesn't work.

I can ping only the 192.168.51.0 network but no other networks (partners) via the prolan. And roaming users cannot access the LAN.

Any help?

It's a 1721 router with a Cisco 4-port 10/100BASE-T Fast Ethernet Switch WAN Interface Card (WIC-4ESW).

I think there is a problem with the NAT.

Any help?

14 Replies

vijayasankar
Level 4

Hi,

Please provide clearer setup details.

ip nat inside source list 101 pool overlag overload

access-list 101 permit ip 10.166.0.0 0.0.255.255 192.168.51.0 0.0.0.255

As of now, I can see that you are doing the NAT only when you try to access 192.168.51.0/24.

Hence if you try to access any other networks, your traffic will not get NATed and will go via the default gateway 10.166.50.1 with the original source IP.

HTH

-VJ

Hello, thanks for your response.

To clarify the setup I made a Visio diagram; maybe it helps in understanding what I want to do.

Hi,

The static NAT and the overload NAT are in the network range 10.0.172.0/24.

Hence ensure that you have a proper route in the "routerprolan" to route this subnet to your "routerfirewall".

In routerprolan, you should have a route like this:

ip route 10.0.172.0 255.255.255.0 10.166.50.2

For the other static NAT IPs, also ensure that you have proper return routes.

Also ensure that in your router you are able to see the routes (via OSPF) for the destination partner networks 192.168.11.0/24, 192.168.253.0/24 and 192.168.52.0/24.

Ensure that the return routes for your NATed IPs are present in the partner routers also.

HTH

-VJ

Hi, thanks for your response.

In fact, all the routes are in the prolan router and the partner router. There is already a Linux router and everything works fine; actually I am trying to replace this Linux router with the Cisco routerfirewall. So I think the routes are good.

Your access-list 101 statement only includes access to the network you can currently get to. It seems you are NATing this traffic for some reason. I assume you would have to do the same for all of the other networks. Add access-list entries for all of the other networks:

access-list 101 permit ip 10.166.0.0 0.0.255.255 192.168.11.0 0.0.0.255

access-list 101 permit ip 10.166.0.0 0.0.255.255 192.168.253.0 0.0.0.255

access-list 101 permit ip 10.166.0.0 0.0.255.255 192.168.52.0 0.0.0.255
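To make VJ's diagnosis and Anand's ACL expansion concrete, here is an added example (not from this thread or from Cisco): a small Python model of how `ip nat inside source list 101 ...` decides which flows are translated. It parses the ACL lines quoted above with Cisco wildcard-mask semantics and reports whether a given source/destination pair would be NATed; the host addresses used are constructed.

```python
import ipaddress

# ACL 101 exactly as quoted in the original post (a single entry) ...
ACL_ORIGINAL = [
    "access-list 101 permit ip 10.166.0.0 0.0.255.255 192.168.51.0 0.0.0.255",
]
# ... and the version with the three extra partner networks suggested later.
ACL_EXPANDED = ACL_ORIGINAL + [
    "access-list 101 permit ip 10.166.0.0 0.0.255.255 192.168.11.0 0.0.0.255",
    "access-list 101 permit ip 10.166.0.0 0.0.255.255 192.168.253.0 0.0.0.255",
    "access-list 101 permit ip 10.166.0.0 0.0.255.255 192.168.52.0 0.0.0.255",
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def parse_acl(lines):
    """Parse 'access-list <n> permit|deny ip <src> <src-wc> <dst> <dst-wc>' lines."""
    entries = []
    for line in lines:
        f = line.split()
        if len(f) != 8 or f[0] != "access-list" or f[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        entries.append((f[2], f[4], f[5], f[6], f[7]))
    return entries

def acl_permits(entries, src, dst):
    """First matching entry wins; an unmatched flow hits the implicit deny."""
    for action, s, sw, d, dw in entries:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

def nat_decision(acl_lines, src, dst):
    """Dynamic NAT translates a flow only if the referenced ACL permits it;
    anything else leaves the router with its original (private) source IP."""
    if acl_permits(parse_acl(acl_lines), src, dst):
        return "translated"
    return "untranslated (original source IP)"

if __name__ == "__main__":
    for dst in ("192.168.51.10", "192.168.11.10", "192.168.253.7"):
        print(dst, "| original:", nat_decision(ACL_ORIGINAL, "10.166.11.50", dst),
              "| expanded:", nat_decision(ACL_EXPANDED, "10.166.11.50", dst))
```

With the single-entry ACL only the 192.168.51.0/24 destination is translated, which matches the symptom reported in the thread; the partner routers then see an untranslated 10.166.x.x source for the other sites.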

Hi Anand,

Kindly check the Visio diagram. There is no problem with ACL 101; that ACL is serving one particular remote site, not the others. For the others, they are doing static NAT for reachability.

-VJ

Hi Vijay,

I made a mistake on the Visio: the IP address of the LAN-connected interface is 10.166.11.29 and not 10.166.11.22.

Also, the OSPF routes to the partner networks 192.168.x.x are present and good.

Habbas, could you please double-confirm that it worked when using the Linux server before with the same IP address assignment?

VLAN 1 is 10.166.11.29/22, and it is not the same subnet as some users (10.166.52.x) behind the LAN. How do those users access the remote sites?

Should the NAT be carried out at routerprolan instead of routerfirewall?

Please clarify. Thx.

Hi Jack, yes, I confirm that with the Linux router it works with no problem; this is the router in production. All we are trying to do is unplug and replug the network cables from the Linux router to the Cisco router; we are using the same IP address.

The other subnets are network agencies linked by another router. The network 10.166.8.0/22 is the head office.

The prolan router is an ISP's router; we cannot configure it. It's an IP/MPLS Prolan package that comes with the routers.

Thanks

Thanks for the clarification. I believe the config in routerfirewall is fine.

Did you check the config in routerprolan to ensure there are routes for the return path of the other three sites?

Can you get the routing table of routerprolan and the three non-working sites? Thx.

Hi Jack,

I am sorry, we cannot see the routes in routerprolan because it belongs to the ISP and we do not have the password to connect to the router.

But we know the return routes in the prolan router are good, because with the Linux router in place of RouterFirewall it works fine; it is what we have been using for several months without any problem.

Thanks a lot

Can you provide the traceroute result from the remote to central and from central to remote?

Hi Jack, sorry for the late response. Here I post the show version, the show ip route translation, the traceroute to remote and a show ip route.

Thank you

It is fine. I found the traceroute is carried from the router prolan, but according to the original config there is no such static route.

Could you post the updated config and confirm there is a static route pointing to 10.166.50.2 as the GW for the return path?

Moreover, since you have the default route pointing to 10.166.50.1 as next-hop, there is no need to set a static route for 192.168.11.0/24 unless you learn it somewhere.

Could you provide the traceroute from the remote side (or a remote PC) instead of from the local router? Thx.