Routing issues

chicagotech
Level 1

There are 3 routers in the main office. The OX router (outside x.x.x.x and inside 192.168.0.250) connects to the Internet. A Cisco 1841 (192.168.0.81) and a USR 8200 (192.168.0.95) connect to a switch. Both the 192.168.0.x and 192.168.2.x subnets can access the Internet without any issues.

The Cisco 1841 (192.168.100.1) in the main office also connects to a Cisco 1841 (192.168.100.2) in a remote office. The remote office 192.168.1.x can access the main office without problems, but not the Internet. The computers in the remote office can't even ping the OX router 192.168.0.250. Tracert to 4.2.2.1 stops at 192.168.100.1.

The main office 1841 has these routing commands:

ip route 0.0.0.0 0.0.0.0 192.168.0.250

ip route 192.168.1.0 255.255.255.0 192.168.100.2

The remote office 1841 has these routing commands:

ip route 0.0.0.0 0.0.0.0 192.168.100.1

ip route 192.168.0.0 255.255.255.0 192.168.100.1

Any ideas why the remote office can't access the Internet?

The drawing can be found here http://www.howtonetworking.com/ciscoissues.htm

Bob Lin, MS-MVP, MCSE & CNE

How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

17 Replies

ankurbhasin
Level 9

Hi Friend,

Let's take a scenario: when your remote office sends a ping request to 4.2.2.1, it will hit your remote office router, which has a default route to 192.168.100.1, which is your main office 1841 router. Good so far.

Your main office 1841 router has a default route to 192.168.0.250, and from there onwards it goes to the Internet. But think of the reply back.

The routes back to the source 192.168.1.x subnet are not proper.

When the reply comes back from the Internet to your OX router, does your OX router know how to get back to the 192.168.1.x subnet?

If yes, it will reach your main office 1841 router and from there it will reach your remote office, and you will be good to go.

But I think your OX router does not know how to reach the 192.168.1.x subnet, so if possible add a route on your OX router that sends replies destined for the 192.168.1.x subnet to the main office 1841 router, and after that everything should be OK.

HTH, if yes please rate the post.

Ankur
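The forward and return paths Ankur walks through, as an added example (this is not part of the thread): a small Python model of the three routers' routing tables, taken from the `ip route` lines posted above, with longest-prefix lookup. The OX router's outside address and the ISP next hop are placeholders from the RFC 5737 documentation range (the post only gives x.x.x.x), and the remote-office PC 192.168.1.10 is constructed. It traces the ping out to the Internet, then the reply back in, with and without the main 1841 translating the source to its 192.168.0.81 address, and also shows the alternative of a route on the OX router.

```python
"""Hop-by-hop route lookup over the three routers in the thread.

Added example, not code from the original post. Routing tables come from the
configs posted above. The OX router's outside address and the ISP next hop are
placeholders from the RFC 5737 documentation range (the post only says x.x.x.x);
the remote-office PC 192.168.1.10 is constructed.
"""
import copy
import ipaddress

# Per router: interface addresses (which give the connected subnets) and static
# routes as (prefix, next_hop), exactly as in the 'ip route' lines of the thread.
ROUTERS = {
    "OX": {
        "ifaces": ["192.168.0.250/24", "203.0.113.2/30"],   # 203.0.113.2: placeholder
        "routes": [("0.0.0.0/0", "203.0.113.1")],           # ISP upstream: placeholder
    },
    "MAIN1841": {
        "ifaces": ["192.168.0.81/24", "192.168.100.1/24"],
        "routes": [("0.0.0.0/0", "192.168.0.250"),
                   ("192.168.1.0/24", "192.168.100.2")],
    },
    "REMOTE1841": {
        "ifaces": ["192.168.100.2/24", "192.168.1.91/24"],
        "routes": [("0.0.0.0/0", "192.168.100.1"),
                   ("192.168.0.0/24", "192.168.100.1")],
    },
}


def owner_of(ip, routers=ROUTERS):
    """Name of the router that owns this interface address, or None (= the ISP)."""
    addr = ipaddress.ip_address(ip)
    for name, r in routers.items():
        if any(ipaddress.ip_interface(i).ip == addr for i in r["ifaces"]):
            return name
    return None


def lookup(router, dst, routers=ROUTERS):
    """Longest-prefix match: ('connected', subnet), ('via', next_hop) or (None, None)."""
    addr = ipaddress.ip_address(dst)
    best = (None, None, -1)                       # (kind, target, prefix length)
    for i in routers[router]["ifaces"]:
        net = ipaddress.ip_interface(i).network
        if addr in net and net.prefixlen > best[2]:
            best = ("connected", str(net), net.prefixlen)
    for prefix, nh in routers[router]["routes"]:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best[2]:
            best = ("via", nh, net.prefixlen)
    return best[0], best[1]


def trace(start, dst, routers=ROUTERS):
    """Follow a packet from router `start` towards `dst`: (hops, outcome)."""
    hops, here = [], start
    while here not in hops:                       # a repeat hop means a routing loop
        hops.append(here)
        kind, target = lookup(here, dst, routers)
        if kind is None:
            return hops, "dropped: no route"
        if kind == "connected":
            return hops, f"delivered on {target}"
        nxt = owner_of(target, routers)
        if nxt is None:                           # next hop is outside the modeled network
            if ipaddress.ip_address(dst).is_private:
                # RFC 1918 space is not routed on the Internet: the ISP drops it.
                return hops + ["ISP"], "dropped: private destination sent upstream"
            return hops + ["ISP"], "forwarded to the Internet"
        here = nxt
    return hops, "dropped: routing loop"


def round_trip(src_router, inside_src, nat_outside=None):
    """Forward leg to 4.2.2.1, then the reply, which the ISP hands to the OX router.
    Without NAT the reply is addressed to inside_src. With overload NAT on the main
    1841 it is addressed to nat_outside; the router owning that address untranslates
    it and routes the original destination on."""
    legs = {"forward": trace(src_router, "4.2.2.1"),
            "reply": trace("OX", nat_outside or inside_src)}
    if nat_outside and legs["reply"][1].startswith("delivered"):
        legs["after_untranslate"] = trace(owner_of(nat_outside), inside_src)
    return legs


def with_ox_route():
    """Ankur's first suggestion (a route on the OX router), which the ISP would not add:
    the reply leg with 'ip route 192.168.1.0 255.255.255.0 192.168.0.81' on OX."""
    routers = copy.deepcopy(ROUTERS)
    routers["OX"]["routes"].append(("192.168.1.0/24", "192.168.0.81"))
    return trace("OX", "192.168.1.10", routers)


if __name__ == "__main__":
    print("no NAT:  ", round_trip("REMOTE1841", "192.168.1.10"))
    print("with NAT:", round_trip("REMOTE1841", "192.168.1.10", nat_outside="192.168.0.81"))
    print("OX route:", with_ox_route())
```

The forward leg succeeds in every case; the difference is entirely in the reply. With the reply addressed to 192.168.1.10, the OX router has only its default route and pushes the packet upstream, where a private destination dies. With the reply addressed to 192.168.0.81, it lands on the connected 192.168.0.0/24 segment and the main 1841 can route the untranslated packet on to 192.168.100.2.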

Thank you for the quick reply. You are right. The OX router may not route back to the Cisco router. I thought that but wasn't sure. First of all, we can't manage the OX router; only the ISP manages it. The ISP wants to limit Internet access to just one subnet, 192.168.0.x. So I can't tell that for sure. I have another question. Why does the USR router work when the OX router doesn't know how to come back to the 192.168.2.x subnet?

Hi Friend,

There could be 2 reasons why your OX router sends the reply back to the 192.168.2.x subnet.

One, your USR router might be doing some kind of NATting, changing the source IP of the 192.168.2.x subnet to the USR's 192.168.0.x address on its outgoing interface.

Second, your OX router might have a route back to the USR router for replies to the 192.168.2.x subnet.

Can you confirm from the USR router's config whether it does some kind of NAT?

HTH, if yes please rate the post.

Ankur

Hi Ankur,

Yes, the USR router is doing NAT. What are the command lines to set up the same NAT on the Cisco 1841? I am new to Cisco routers; can I use the SDM to set up NAT? If yes, how? Please give the details.

Thank you.

Hi Friend,

So now we know what the problem is and we are very close to the solution.

We just need to enable NAT on your 1841 main office router, so that anything coming from the remote office and going out to the Internet leaves with a 192.168.0.x address, which your OX router knows how to reply to.

But sorry to say, I have never configured an 1841 router using SDM, but you can still try this link.

http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_user_guide_chapter09186a0080530bf5.html#wp998804

I think one static NAT entry is enough for your scenario. Check these links to configure a static NAT entry.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

http://www.cisco.com/warp/public/556/12.html

Don't forget to rate the helpful post.

Ankur

I will rate this post. I am reading the links and have one more question. When I do the NAT, should I do inside to outside and also outside to inside (because both LANs need to access each other)?

Thank you.

Hi Friend,

NAT is bi-directional (2-way), so if you just have one static NAT statement from inside to outside, it will be enough.

HTH

Ankur

I tried to set up NAT, but I'm not sure I did it right. It doesn't work. Here is the config.

interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 192.168.0.81 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.250
ip route 192.168.1.0 255.255.255.0 192.168.100.2
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source static network 192.168.100.1 192.168.0.81 /32
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.100.0 0.0.0.255
no cdp run

Hi Friend,

Let's make some changes to the NAT. First, you have configured a static NAT statement with an IP and not for a network.

Second, instead of static NAT, let's use dynamic NAT.

Remove your previous NAT statement, configure this, and update whether it worked:

ip nat inside source list 3 interface FastEthernet0/1 overload

access-list 3 permit 192.168.100.0 0.0.0.255

HTH, if yes please rate the post.

Ankur

After setting up what you listed, I lost access to the Cisco router 192.168.0.81 (I was accessing it remotely). How can I set up NAT to let both sites access each other? Will access-list 3 permit any do that?

Thank you.

Hi Friend,

First of all, I am really sorry, as I mistook the IP address, because of which you lost access to the router.

I hope you have got access back now.

I think you are accessing this router from your remote site, which is the 192.168.1.x subnet? Please confirm this.

You just need to change your access list:

access-list 3 permit 192.168.1.0 0.0.0.255

HTH

Ankur

I was accessing 192.168.0.81 from the Internet. That means from the Internet to 192.168.0.0, and from 192.168.0.0 to the router 192.168.0.81. The good news is I didn't save, so I had someone reset the router and I can access it now.

What they want is to be able to access each other, remote office and main office, plus the remote office accessing the Internet. Should I add

access-list 3 permit 192.168.1.0 0.0.0.255

access-list 3 permit 192.168.0.0 0.0.0.255

or

access-list 3 permit any

Hi Friend,

access-list 3 permit 192.168.1.0 0.0.0.255 is enough to let anyone from your remote office access the Internet, and if anyone wants to access the remote site 1841 router from the Internet, that should work as well.

Make sure you are implementing this on your 1841 Main office router.

HTH

Ankur
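How the NAT ACL selects traffic, as an added example (not code from the thread): a Python model of `ip nat inside source list <acl> interface Fa0/1 overload` on the main 1841 with Cisco wildcard-mask matching and a translation table. It shows why `access-list 3 permit 192.168.100.0 0.0.0.255` leaves remote-office traffic untranslated (the ACL must match the hosts' source addresses, not the transit link), that the reply is untranslated by the table without a second rule, and a caveat the thread does not raise: because the 192.168.0.x LAN sits behind the same `ip nat outside` interface as the Internet path, a standard ACL also translates remote-to-main traffic, so main-office servers see every remote host as 192.168.0.81. An extended ACL (IOS: `access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255` followed by `access-list 103 permit ip 192.168.1.0 0.0.0.255 any`) exempts the site-to-site traffic. Host addresses and ports are constructed; interface roles and subnets are those in the posted config.

```python
"""Model of 'ip nat inside source list <acl> interface Fa0/1 overload' on the main 1841.

Added example, not code from the thread. Host addresses and ports are constructed;
the interface roles (Fa0/1 = ip nat outside, Serial0/0/0 = ip nat inside), subnets
and ACLs are the ones discussed above. The ACL selects which *source* addresses are
translated; only an extended ACL can exempt traffic by destination.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def _wild_match(ip, base, wildcard):
    """Cisco wildcard: a 1 bit means 'don't care', so 0.0.0.255 covers a /24."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (ip, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(acl, pkt):
    """First matching entry wins, implicit deny at the end. Entries are
    (action, src, src_wild) for a standard ACL, or
    (action, src, src_wild, dst, dst_wild) for an extended one."""
    for entry in acl:
        action, src, sw = entry[:3]
        dst, dw = entry[3:] if len(entry) == 5 else ("0.0.0.0", "255.255.255.255")
        if _wild_match(pkt.src, src, sw) and _wild_match(pkt.dst, dst, dw):
            return action == "permit"
    return False


class NatRouter:
    """Just enough of IOS inside-source overload NAT to see which flows are translated."""

    def __init__(self, outside_iface, outside_ip, nat_acl, routes):
        self.outside_iface, self.outside_ip, self.nat_acl = outside_iface, outside_ip, nat_acl
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]
        self.table = {}  # (outside_ip, outside_port) -> (inside_ip, inside_port)

    def egress(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if addr in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

    def _alloc(self, src, sport):
        for (oip, oport), inner in self.table.items():
            if inner == (src, sport):
                return oport  # existing flow: reuse its entry
        port = sport  # IOS keeps the original port when it is free
        while (self.outside_ip, port) in self.table:
            port = 1024 if port >= 65535 else port + 1
        self.table[(self.outside_ip, port)] = (src, sport)
        return port

    def forward(self, pkt, ingress):
        out = self.egress(pkt.dst)
        if out is None:
            return None  # no route: dropped
        # inside -> outside: rewrite the source if the NAT ACL permits this packet
        if ingress != self.outside_iface and out == self.outside_iface and acl_permits(self.nat_acl, pkt):
            return Packet(self.outside_ip, self._alloc(pkt.src, pkt.sport), pkt.dst, pkt.dport)
        # outside -> inside: undo an existing translation, otherwise route untouched.
        # Nothing here blocks main office -> remote office, so no second NAT rule is needed.
        if ingress == self.outside_iface:
            inner = self.table.get((pkt.dst, pkt.dport))
            if inner:
                return Packet(pkt.src, pkt.sport, inner[0], inner[1])
        return pkt


MAIN_ROUTES = [("0.0.0.0/0", "Fa0/1"), ("192.168.1.0/24", "Se0/0/0")]  # from the posted config

# ACLs from the thread, in the model's tuple form.
ACL_TRANSIT = [("permit", "192.168.100.0", "0.0.0.255")]   # Ankur's first suggestion
ACL_REMOTE = [("permit", "192.168.1.0", "0.0.0.255")]      # the corrected one
# Extended ACL (added here, not in the thread): keep site-to-site traffic untranslated.
ACL_EXEMPT_SITE = [("deny", "192.168.1.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
                   ("permit", "192.168.1.0", "0.0.0.255")]


def sources_seen(nat_acl):
    """Source address leaving Fa0/1 for (a) remote PC -> Internet and (b) remote PC ->
    main-office server, plus the destination a reply from 4.2.2.1 is delivered to."""
    r = NatRouter("Fa0/1", "192.168.0.81", nat_acl, MAIN_ROUTES)
    to_inet = r.forward(Packet("192.168.1.10", 40000, "4.2.2.1", 53), ingress="Se0/0/0")
    to_main = r.forward(Packet("192.168.1.10", 40001, "192.168.0.50", 445), ingress="Se0/0/0")
    reply = r.forward(Packet("4.2.2.1", 53, to_inet.src, to_inet.sport), ingress="Fa0/1")
    return to_inet.src, to_main.src, reply.dst


if __name__ == "__main__":
    for name, acl in [("transit", ACL_TRANSIT), ("remote", ACL_REMOTE), ("exempt", ACL_EXEMPT_SITE)]:
        print(name, sources_seen(acl))
```

With the transit ACL nothing is translated, so the packet leaves as 192.168.1.10 and the OX router has no way to return the reply. With the corrected standard ACL both the Internet-bound and the main-office-bound packets leave as 192.168.0.81. With the extended ACL only the Internet-bound packet is translated, and the remote-to-main traffic keeps its real source address.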

Still the same problem: 192.168.1.x and the Cisco router in the remote office (192.168.1.91/192.168.100.2) can't get past the XO router, even though I tried the following commands. Can someone take a look at the configuration (see below)?

I tried these:

interface FastEthernet0/1
 ip address 192.168.0.81 255.255.255.0
 ip nat outside
interface Serial0/0/0
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload

I also tried these:

conf t
int fa0/1
 ip nat outside
int s0/0/0
 ip nat inside
exit
access-list 99 permit any
ip nat inside source list 99 interface fa0/1 overload
end

Here is the config:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$40lL$Jy2/yuIKx9wL3RrgzpzyH.
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
!
username ccmd privilege 15 secret 5 $1$s9Yv$6buU8kcAE6XxF5lBnfzmk1
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 192.168.0.81 255.255.255.0
 ip access-group sdm_fastethernet0/1_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 ip address 192.168.100.1 255.255.255.0
 ip access-group sdm_serial0/0/0_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.250
ip route 192.168.1.0 255.255.255.0 192.168.100.2
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source static network 192.168.100.1 192.168.0.81 /32
!
ip access-list extended sdm_fastethernet0/1_in
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended sdm_serial0/0/0_in
 remark SDM_ACL Category=1
 permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 99 remark SDM_ACL Category=16
access-list 99 permit any
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 08314D5D1A0E0A05164B5C
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 4000 1000
end
