Rick

I agree that their router treats the 252 network as the local network and wont let 254 log in. I did ask them if their engineers could add in a way for someone in the 254 to get in, and they hemmed and hawed and promptly dropped the problem in my lap.

I originally had plugged their 1760 into a port on a 3550-24 switch which did get them onto the 252 network, but that resulted in the above problem.

I don't have a router between their equipment and mine, but I do have a PIX 501 available if that would do the trick. I have given some thought to how I would configure the pix, and am getting confused as to how I should set up the inside and outside interfaces to make this work.

thanks for any help

John

John

You have mentioned the PIX in both of your messages. You are the one who knows what is going on there and I am hesitant to counter your solution. But to me the PIX solution seems overly complex especially assuming (as I currently do) that an easier solution exists. Perhaps if you supplied some more detail about the environment we could find the optimum solution a bit better.

I assume that there is a router somewhere that connects the 252 and the 254 networks (or maybe a layer 3 switch). It seems to me that you can configure address translation on that device. The interface that carries the 254 network is nat inside and the interface that carries the 252 network is nat outside. You would configure the translation to use an access list to identify the traffic to translate which would say that if the source is 254 and the destination is whatever their network is then translate. It seems to me that this would work as long as the users in 254 initiate the traffic. It does have a problem if the third party ever needed to initiate traffic to the 254 network.

Let us know what you think. And give us more more information to work with.

HTH

Rick

Rick,

I mention PIX as it was mentioned to me by someone who thought it might be a solution.. not that I need to use one, but in this case, I don't know better.

Anyhow, the two buildings are connected with a wireless bridge, and the traffic coming into the building from the bridge does pass thru a 3550-12G L3 switch before going to the 3550-24 switch that the 3rd party router is conected to. I am unfamiliar with the commands necessary to do address translation on the 3550-12G, however if that is possible, it seems to be the ideal solution.

The addresses of the computers on the 254 network that will access the 3rd party router are static, 192.168.254.181 and 182. The simplest solution would be to translate these to 192.168.252.181 and 182. I believe that the traffic would be initiated by the computers on the 254 network (if I understand the software correctly, they are connecting to a server that is also connected to the 3rd party router)

A simple attempt at drawing the data flow (I'll attach separately also):

Building 1 (254.0)

| Windows PC | | Catalyst | | Catalyst | | Catalyst | | Wireless |

| .254.18x |---| 3550-24pwr |===| 3550-12G |===| 3550-24pwr |---| Bridge |<->

| | | L2 | | L3 | | L2 | | Air1310 |

Building 2 (252.0)

| Wireless | | Catalyst | | Catalyst | | Catalyst | | 3rd party |

<->| Bridge |---| 3550-24pwr |===| 3550-12G |===| 3550-24pwr |---| router |

| Air1310 | | L2 | | L3 | | L2 | | 1760 |

--- is 100Mb link === is 1Gb link

Is there more information I can supply?

Thanks so far

John

Simple Dataflow Diagram, best viewed in monospaced font

John

I believe that address translation would be the optimum solution. And if there are only two stations that need access and static translation is possible that is even better. With static translation either side can initiate traffic.

However I am not sure that your 3550 can do it. I took a quick look at the configuration guide for the 3550 and I do not see Network Address Translation as an option in the config guide for the 3550. If the 3550 can not do it, then I guess that your options are to use the PIX (which may complicate access for the users in the 252 network), or to provision a device that can do the translation, or to push the third party harder to facilitate the access.

HTH

Rick

Rick,

You're right, the 3550-12G doesn't look like it'll do what I need. So let's look at two options here, PIX501 and getting the 3rd party to do their job.

I'll be in contact with the 3rd party in the next day or so. In case this does not pan out, what can I do with the PIX to make this work? Can I do it with a pix501?

My confusion with setting up the PIX lies in the fact that as of this moment, both devices on the inside and outside interfaces are configured for the same network. Can the PIX act sort of like a bridge with address translation? if not, do I need to change the network number on the inside or outside?

I'd hate for this to get overly complex, I'm a routing neophyte as it is.. but my bosses are breathing down my back...

thanks for any help

John

John,

There is another possibility as to why the third party is not being able to log into your 254 network, besides the 1760 router knowing the route to your 254 network and viceversa. If they are using Windows, it could be possible that their router is not forwarding Netbios broadcasts (ports 137 and 138, tcp and udp). Tell them to add the ip helper address command under the ethetrnet interface and see if they can log now.

Hope this helps.

Eduardo

Eduardo,

I believe all of the traffic will be from the 254 network into the 3rd party network. They have a server attached to the same router. Two people on the 254 network will use a client application to get into the 3rd party server.

John

John,

In that case it is in your router that you should add the ip helper command. When the computers in the 254 network try to log into the 252 net, behind the router from the third party, the broadcast is not passing through.

Try checking the following URL:

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_tech_note09186a00801aa01f.shtml

Regards,

Eduardo

John

I am thinking about a solution that may work with the PIX. Part of the difficulty is that the PIX needs to connect to two different networks. I do not know how it could work if it had 252 network addresses on inside and outside interfaces. So how do we get the PIX to be connected to two different subnets?

First let me check an assumption. The third party established their own independent network with its own IP addressing separate from yours. And then when some of your people in the 252 network needed access the third party brought in the 1760 (or maybe they already had it for their network) and connected an interface of their 1760 into the 252 network. Is there any particular reason (other than it was convenient) why their 1760 interface has to be in the 252 network?

Or let me put the question in a slightly different way: what if you created a new network (maybe the 250 network), asked them to configure the 1760 interface in the 250 network, and accept connections from your users who would appear to them to be coming from the 250 network? If they would do that, then you would take the connection from their 1760 and connect it to the PIX outside interface. You would connect your 252 network to the PIX and you would put in a static route for their server with the PIX as the next hop address. So your 3550 would forward to the PIX to get to their server. The PIX could be configured to take the incoming traffic from 252 and 254 and translate it into 250.

Do you think this would work? Do you think that the third party would be willing to do it? (If I were the third party I would probably find it easier to put in a route on their router to the 254 network.)

HTH

Rick

Rick,

I've thought of that, and I guess I should give it a try.

They originally brought in their network seperately for their service, (before I had my cisco equipment installed). They then wanted to make their service accessible from our network. Now we have this issue.

I'll make inside 252 and the outside 250, no problem, I'll translate 254.181, for example to 250.181. I'll give the 3rd party heck and see what I can make happen tomorrow.

Thanks

John