Help with cisco 1841

marklet8217 (Level 1)

Hi everyone - thanks for taking time to help me out.  First off - I am a complete and total noob, I know how to access the command line through telnet and issue show running_config.  Beyond that, please understand that I don't know much.

A school I work for has paid for a new ethernet internet service, to replace a T1 line.  Right now both services are operational.  The T1 is running though a Cisco 1841 router on the serial0/0/0 interface.  The ethernet connection comes from a gateway(or modem or router, anyway, a box that was supplied by the ISP) and probably should end up in fastethernet0/1 since fastethernet0/0 is being used to connect to the switch.  The IP information supplied by the new ISP is as follows:

Static IP settings:

IP address:  ***.***.94.86
Subnet mask: 255.255.255.252
Gateway:     ***.***.94.85
DNS1:        64.16.28.2
DNS2:        137.118.1.33

Below is our current config: 99% of this was created by someone no longer working for the school and 1% is my messing around to try to make this work.  PLEASE BE KIND - I know it's a mess, please help me clean it up.

What can I do to get the ethernet internet distributed through the 1841 to the school while keeping the same functionality as before?  The way it is now, we are not getting any kind of connection to the new ISP, only from the AT&T T1 line.

Running_config:

IRAH#show running-config
Building configuration...

Current configuration : 4510 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname IRAH
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 ***********************************
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -7
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.0.0 255.255.255.0
   dns-server 192.168.0.5 8.8.8.8
   default-router 192.168.0.1
!
!
no ip bootp server
ip domain name irah.com
ip name-server 192.168.0.5
ip name-server 8.8.8.8
!
username administrator privilege 15 secret 5 **********************************
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description GRTI Ethernet
 ip address ***.***.94.86 255.255.255.252
 ip access-group 110 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description AT&T Internet
 ip address ***.***.145.22 255.255.255.252
 ip access-group 110 out
 ip nat outside
 encapsulation ppp
 ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Serial0/0/0 overload
ip nat inside source list 11 interface Serial0/0/0 overload
ip nat inside source static 192.168.0.5 ***.***.145.115
ip nat inside source static 192.168.0.6 ***.***.145.116
ip nat inside source static 192.168.0.7 ***.***.145.117
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 110 permit ip any any
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq echo
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq domain
access-list 110 permit tcp any any eq 3389
access-list 110 permit udp any any eq echo
access-list 110 permit udp any any eq tftp
access-list 110 permit udp any any eq domain
access-list 110 permit tcp host ***.***.145.125 any
access-list 110 permit udp host ***.***.145.125 any
access-list 110 permit tcp host ***.***.145.116 eq www any
access-list 110 permit tcp host ***.***.145.116 eq ftp any
access-list 110 permit tcp host ***.***.145.116 eq ftp-data any
access-list 110 permit tcp host ***.***.145.116 eq 3389 any
access-list 110 permit tcp host ***.***.145.116 eq smtp any
access-list 110 permit tcp host ***.***.145.117 eq 3389 any
access-list 110 permit tcp host ***.***.145.115 eq 3389 any
access-list 110 permit tcp host ***.***.145.115 eq 3389 0.0.0.5 255.255.255.0
no cdp run
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 4000 1000
end


Richard Burts (Hall of Fame)

What you have done in interface FastEther0/1 looks pretty good. I have some suggestions and some questions about how you want to do things that may lead to other suggestions of things to do.

The first question is how you want both connections to work. If you want both connections to actively carry traffic and to share the load then you would need to add another static default route which would look something like this

ip route 0.0.0.0 0.0.0.0 ***.***.94.85

But when you have interfaces with such different capacity having both active and sharing load can lead to issues in which the slower T1 gets overloaded and the FastEther is underutilized as the router attempts to share load equally on both. You might do better to use them as primary and backup (with the possibility of sending some traffic over the T1 backup so that it carries some load but not sharing equally).

Another question would be whether you want to do anything with the DNS server information sent to you by the new ISP. My suggestion is that if what you have got now is working ok then I might stay with what you have got and not use the new DNS information.

One of the biggest changes will be how to do address translation. What you have now is a pretty simple NAT configuration. But when you add a new outbound interface then the NAT gets a bit more complex. You will need to use route maps that might look something like this

ip nat inside source route-map ATT_NAT interface Serial0/0/0 overload

ip nat inside source route-map GRTI_NAT interface Fasteth0/1 overload

route-map ATT_NAT permit 10

match ip address 1

match interface Serial0/0/0

route-map GRTI_NAT permit 10

match ip address 1

match interface FastEth0/1

Also I see references to addresses ***.***.145.115, ***.***.145.116 and ***.***.145.117. What are they? It appears that they are addresses related to ATT. You will need to determine whether it is valid to send traffic with those addresses over the new connection to the new ISP if they are actually ATT addresses.

I will point out one other issue, though it is not about the new connection. Access list 110 is used to filter outbound traffic and the very first line is this

access-list 110 permit ip any any

The permit any any here means that no other line in the access list will ever match. I do not know if this is a new change or if it has been this way for a long time. But I would certainly suggest that the access list needs to be re-written.

HTH

Rick
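Rick's point about the first line of access-list 110 is worth seeing in code. The following is an added example, not code from the thread: it parses the posted ACL (trimmed to a few lines, with the masked ***.***.145.x hosts replaced by the constructed 198.51.100.x block), evaluates constructed packets top-down with IOS first-match semantics, and reports entries that can never be the first match. Two practitioner caveats that the thread does not spell out: deleting the blanket permit without adding lines means anything not listed (HTTPS on 443, for one) falls to the implicit deny at the end of the list; and because this ACL is applied outbound on the NAT outside interfaces, it sees post-translation (public) source addresses, which is why the entries for the 116 host use the public address.

```python
"""First-match evaluation and shadow detection for an IOS numbered extended ACL.

Added example, not part of the thread. ACL_110 is a trimmed copy of the posted
outbound access-list 110 with the masked hosts replaced by the constructed
198.51.100.x block; the packets below are constructed test traffic.
"""
import ipaddress

# IOS port keywords used in the posted ACL, mapped to port numbers.
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "pop3": 110, "echo": 7,
              "smtp": 25, "domain": 53, "tftp": 69}

ACL_110 = """\
access-list 110 permit ip any any
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq domain
access-list 110 permit tcp any any eq 3389
access-list 110 permit udp any any eq domain
access-list 110 permit tcp host 198.51.100.116 eq www any
access-list 110 permit tcp host 198.51.100.116 eq smtp any
"""
# Same list with the blanket permit removed: later lines and the implicit deny now take effect.
ACL_110_FIXED = "\n".join(ACL_110.splitlines()[1:]) + "\n"

ALL = 0xFFFFFFFF


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' into (base, wildcard) ints; wildcard bits are don't-care."""
    if tokens[i] == "any":
        return (0, ALL), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(tokens[i])), int(ipaddress.ip_address(tokens[i + 1]))), i + 2


def _port(tokens, i):
    """Parse an optional 'eq <port>'; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(text):
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        entries.append({"seq": len(entries) + 1, "action": t[2], "proto": t[3],
                        "src": src, "sport": sport, "dst": dst, "dport": dport, "text": line})
    return entries


def packet(proto, src, dst, sport, dport):
    return {"proto": proto, "src": int(ipaddress.ip_address(src)),
            "dst": int(ipaddress.ip_address(dst)), "sport": sport, "dport": dport}


def _addr_match(spec, addr):
    base, wild = spec
    return (addr & ~wild & ALL) == (base & ~wild & ALL)


def _matches(e, p):
    return (e["proto"] in ("ip", p["proto"])
            and _addr_match(e["src"], p["src"]) and _addr_match(e["dst"], p["dst"])
            and e["sport"] in (None, p["sport"]) and e["dport"] in (None, p["dport"]))


def evaluate(entries, p):
    """Walk the ACL top down and return (action, seq); seq 0 is the implicit deny at the end."""
    for e in entries:
        if _matches(e, p):
            return e["action"], e["seq"]
    return "deny", 0


def _addr_covers(a, b):
    """True if every address matched by spec b is also matched by spec a."""
    care_a = ~a[1] & ALL
    return (care_a & b[1]) == 0 and (a[0] & care_a) == (b[0] & care_a)


def shadowed(entries):
    """(seq, shadowing_seq) for entries that can never be the first match.
    Only coverage by a single earlier entry is checked, not by a union of earlier entries."""
    out = []
    for j, b in enumerate(entries):
        for a in entries[:j]:
            if (a["proto"] in ("ip", b["proto"]) and _addr_covers(a["src"], b["src"])
                    and _addr_covers(a["dst"], b["dst"])
                    and a["sport"] in (None, b["sport"]) and a["dport"] in (None, b["dport"])):
                out.append((b["seq"], a["seq"]))
                break
    return out


if __name__ == "__main__":
    https = packet("tcp", "192.168.0.50", "198.51.100.200", 51000, 443)
    dns = packet("udp", "192.168.0.5", "8.8.8.8", 53000, 53)
    for name, text in (("as posted", ACL_110), ("blanket permit removed", ACL_110_FIXED)):
        acl = parse_acl(text)
        print(name, "| shadowed:", shadowed(acl), "| https:", evaluate(acl, https), "| dns:", evaluate(acl, dns))
```

With the list as posted every later entry is reported as shadowed by line 1; with line 1 removed nothing is shadowed, DNS still passes, and the HTTPS packet is dropped by the implicit deny, which is the case to plan for before re-writing the list.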

Thanks for the quick response.

I should have mentioned that we're not looking to load balance - the new ethernet will replace the existing T1. 

I have not implemented any of your changes yet, but I have a few questions before I start.  When I take the T1 line out of the serial0/0/0 interface, and plug in the ethernet to FastEthernet0/1, there is no connection to the internet in the building. 

1. Is this because the static route "ip route 0.0.0.0 0.0.0.0 ***.***.94.85" is missing?  Does this let the router know where the gateway is?

2. Should I delete the old static route if we don't plan to use ATT?  What is the command to do this?  "no ip route 0.0.0.0 0.0.0.0 Serial0/0/0"?

3. Are there any other superfluous settings that I should delete if we're getting rid of the T1 service?

The extra WAN addresses you mention are indeed ATT addresses that were only used as convenience and should probably come down.

I wish I knew what each item on the access-list did, I think I'll do that next.  Thanks for the heads-up on that.

Anyway, thanks again for your help

Mark

1 & 2) Yes to both. So you would do -

no ip route 0.0.0.0 0.0.0.0 s0/0/0

ip route 0.0.0.0 0.0.0.0 x.x.94.85

3) you need to rewrite your NAT statement ie.

no ip nat inside source list 1 interface s0/0/0 overload

ip nat inside source list 1 interface fa0/0 overload

Also, are you saying you no longer need these -

ip nat inside source static 192.168.0.5 ***.***.145.115

ip nat inside source static 192.168.0.6 ***.***.145.116

ip nat inside source static 192.168.0.7 ***.***.145.117

because obviously when you switch over these translations will no longer be available.

Jon

Jon,

Did you mean for this:

ip nat inside source list 1 interface fa0/0 overload

to be this?

ip nat inside source list 1 interface fa0/1 overload

Mark

Good catch, yes it should be fa0/1. 

Apologies for the mistake.

Jon

Hi Mark,

Just adding to Richard...

Using IP SLA, Cisco IOS can use Internet Control Message Protocol (ICMP) pings to identify when a WAN link has gone down at the remote end, and so allows a backup connection on an alternative port to take over.

Config example:

--------------------------------------------------------------------------------

R1(config)# ip sla 1
R1(config-ip-sla)# icmp-echo ***.***.94.85 source-interface FastEthernet0/1
R1(config-ip-sla-echo)# timeout 1000
R1(config-ip-sla-echo)# threshold 2
R1(config-ip-sla-echo)# frequency 3
R1(config-ip-sla-echo)# exit
R1(config)# ip sla schedule 1 life forever start-time now
R1(config)# track 1 ip sla 1 reachability

(The above command will track the state of the IP SLA operation. If there are no ping responses from the next-hop IP the track will go down, and it will come up again when the IP SLA operation starts receiving ping responses.)

R1(config)# no ip route 0.0.0.0 0.0.0.0 Serial0/0/0
R1(config)# ip route 0.0.0.0 0.0.0.0 ***.***.94.85 track 1
R1(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10

(The probe is sent out FastEthernet0/1, so track 1 has to gate the default route that uses that link; the serial default gets administrative distance 10 and is only installed while the tracked route is withdrawn. The existing untracked default via Serial0/0/0 has distance 1 and would otherwise always win, so it is removed first.)

---------------------------------------------------

To verify the track status use the "show track" command:

R1# show track

Track 1

IP SLA 1 reachability

Reachability is Down

1 change, last change 00:03:19

Latest operation return code: Unknown

Hope it helps.

Regards

Don't forget to rate helpful posts.

Sandeep
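The part of a tracked-route setup that is easy to get backwards is which route the track object gates: the probe goes out one link, and the route that uses that link is the one that must be withdrawn when the probe fails. The simulation below is an added example, not thread content; it models the RIB/track interaction in Python rather than in IOS, using the router's own interface names, and "dead" means the far end stops forwarding while the local interface stays up/up, which is exactly the failure IP SLA exists to catch. The MISBOUND table ties an Ethernet-side probe to the serial route; CORRECT ties it to the Ethernet route with the serial default floating behind it at distance 10.

```python
"""Which default route a router installs when one static default is tied to a
track object and a second is a floating static with a higher administrative
distance. Added example, not from the thread; a simulation, not IOS code.
The two route tables below are constructed."""

# Track object -> the link its icmp-echo probe is sent on.
TRACKS = {1: "FastEthernet0/1"}

# Probe goes out the Ethernet link but gates the serial route.
MISBOUND = [
    {"link": "Serial0/0/0", "ad": 1, "track": 1},
    {"link": "FastEthernet0/1", "ad": 10, "track": None},
]
# Probe gates the route that actually uses the probed link; serial floats behind it.
CORRECT = [
    {"link": "FastEthernet0/1", "ad": 1, "track": 1},
    {"link": "Serial0/0/0", "ad": 10, "track": None},
]

# "gateway_alive" maps each link to whether its far end still answers / forwards;
# the local interface is assumed up/up in every case, so only the track can react.
SCENARIOS = {
    "both up": {"FastEthernet0/1": True, "Serial0/0/0": True},
    "ethernet gateway dead": {"FastEthernet0/1": False, "Serial0/0/0": True},
    "serial far end dead": {"FastEthernet0/1": True, "Serial0/0/0": False},
}


def track_up(track_id, tracks, gateway_alive):
    """Reachability track: up only while the next hop answers probes on the probe link."""
    return gateway_alive[tracks[track_id]]


def active_default(routes, tracks, gateway_alive):
    """Lowest-AD default route whose track (if any) is up; None if nothing is installed."""
    installed = [r for r in routes
                 if r["track"] is None or track_up(r["track"], tracks, gateway_alive)]
    if not installed:
        return None
    return min(installed, key=lambda r: r["ad"])["link"]


def traffic_flows(routes, tracks, gateway_alive):
    """True if the installed default actually leads to a live gateway."""
    link = active_default(routes, tracks, gateway_alive)
    return link is not None and gateway_alive[link]


if __name__ == "__main__":
    for name, alive in SCENARIOS.items():
        for label, routes in (("misbound", MISBOUND), ("correct", CORRECT)):
            state = "ok" if traffic_flows(routes, TRACKS, alive) else "BLACKHOLE"
            print(f"{name:>22} | {label:8} -> {active_default(routes, TRACKS, alive)} ({state})")
```

The misbound table blackholes in both failure cases: when the Ethernet gateway dies the track withdraws the serial route and the floating route sends traffic to the dead gateway, and when the serial far end dies the track (still probing a healthy Ethernet link) keeps the serial route installed. The correct binding fails over in both.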

From Mark's second post -

I should have mentioned that we're not looking to load balance - the new ethernet will replace the existing T1.

So I'm not sure how IP SLA will help here. I'm not criticising, I just don't want to confuse the issue.

Jon

Hi Jon,

You are right, that was my reading failure.

@Mark: My config is valuable only if you want to use two providers at a time for load balancing.

Regards

Rick,

In this statement:

route-map ATT_NAT permit 10

What does the "permit 10" do?

The permit 10 starts the configuration of an instance (or a paragraph) in the route map. If you were going to use both outbound interfaces then you would have needed route maps to do the NAT correctly on 2 interfaces. Since you will be taking the T1 out as you put the new one in, you will be translating on only 1 interface at a time, and the simpler way to configure address translation that you were using (and that Jon mentions) is good enough. So you do not need the route map.

Here are a few other details about the config.

You have configured the router to use your local time zone rather than GMT but have not told it to observe daylight saving time. If you want daylight saving then use this command

clock summer-time PCTime recurring

You can substitute whatever identifier you prefer for PCTime, which is just the identifier that was supplied for local time.

You have a second command doing dynamic address translation in the config. It uses the same outbound interface and it uses an access list that does not appear in the config. So I think it was doing no good. So remove it with this

no ip nat inside source list 11 interface Serial0/0/0 overload

While you are cleaning up the access list you should remove the lines that reference the addresses (115, 116, 117) that are going away.

The banner exec is something that came with the router when it was new. It is no longer appropriate and I suggest that you remove it with

no banner exec

HTH

Rick
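Jon's cutover commands and Rick's cleanup list amount to a checklist, and a checklist over a running-config can be scripted. The following is an added example, not code from the thread: it lints a constructed excerpt of the posted config (masked ***.***.145.x and ***.***.94.x addresses replaced by 198.51.100.x and 203.0.113.x) for anything still tied to the interface or address block being retired, and also flags the two cleartext management paths visible in the config that the thread does not discuss, telnet-only vty lines and ip http server. CONFIG_AFTER is the same excerpt with the thread's changes applied and the vty lines switched to SSH; that last step is my assumption, and on IOS it needs a crypto-capable image and an RSA key pair generated first.

```python
"""Audit a running-config for leftovers of a retired WAN link and for
cleartext management access.

Added example, not from the thread. Both configs below are constructed
excerpts: CONFIG_BEFORE mirrors the posted config, CONFIG_AFTER shows it
after Jon's and Rick's cutover/cleanup commands plus a move from telnet to SSH.
"""
import ipaddress
import re

CONFIG_BEFORE = """\
interface FastEthernet0/1
 ip address 203.0.113.86 255.255.255.252
 ip access-group 110 out
 ip nat outside
interface Serial0/0/0
 ip address 198.51.100.22 255.255.255.252
 ip access-group 110 out
 ip nat outside
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip http server
ip nat inside source list 1 interface Serial0/0/0 overload
ip nat inside source list 11 interface Serial0/0/0 overload
ip nat inside source static 192.168.0.5 198.51.100.115
ip nat inside source static 192.168.0.6 198.51.100.116
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 110 permit ip any any
access-list 110 permit tcp host 198.51.100.116 eq www any
line vty 0 4
 transport input telnet
line vty 5 15
 transport input telnet
"""

CONFIG_AFTER = """\
interface FastEthernet0/1
 ip address 203.0.113.86 255.255.255.252
 ip nat outside
ip route 0.0.0.0 0.0.0.0 203.0.113.85
ip nat inside source list 1 interface FastEthernet0/1 overload
access-list 1 permit 192.168.0.0 0.0.0.255
line vty 0 4
 transport input ssh
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
NAT_OVERLOAD = re.compile(r"ip nat inside source list (\S+) interface (\S+) overload")


def parse_config(text):
    """Map each top-level command to its indented sub-commands (empty list for one-liners)."""
    sections, header = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and header is not None:
            sections[header].append(raw.strip())
        else:
            header = raw.strip()
            sections.setdefault(header, [])
    return sections


def audit(text, retiring_if, retiring_block):
    """Return [(check_id, offending_command)] for references to the interface and
    address block being retired, plus the cleartext management paths."""
    cfg = parse_config(text)
    block = ipaddress.ip_network(retiring_block)
    defined_acls = {m.group(1) for m in (re.match(r"access-list (\S+) ", c) for c in cfg) if m}
    findings = []
    for cmd, body in cfg.items():
        nat = NAT_OVERLOAD.match(cmd)
        if nat and nat.group(1) not in defined_acls:
            findings.append(("nat-undefined-acl", cmd))      # translates nothing (Rick's "list 11")
        if nat and nat.group(2) == retiring_if:
            findings.append(("nat-on-retired-if", cmd))       # must move to the new outside interface
        if cmd.startswith("ip route 0.0.0.0 0.0.0.0 ") and retiring_if in cmd.split():
            findings.append(("route-via-retired-if", cmd))
        if cmd == f"interface {retiring_if}":
            findings.append(("retired-if-present", cmd))
        elif any(ipaddress.ip_address(a) in block for a in IPV4.findall(cmd)):
            findings.append(("retired-isp-address", cmd))     # static NAT / ACL entries for the old block
        if cmd.startswith("line vty") and "transport input telnet" in body:
            findings.append(("vty-telnet", cmd))              # credentials cross the wire in clear
        if cmd == "ip http server":
            findings.append(("http-server", cmd))             # same for the SDM web UI
    return findings


if __name__ == "__main__":
    for label, text in (("before cutover", CONFIG_BEFORE), ("after cutover", CONFIG_AFTER)):
        print(f"== {label}")
        for check, cmd in audit(text, "Serial0/0/0", "198.51.100.0/24"):
            print(f"  [{check}] {cmd}")
```

Run against the real config after `show running-config`, the findings for the retired block are exactly the lines Rick says to remove; the telnet and http findings are the reason to follow up with `transport input ssh` and `ip http secure-server` once the cutover is done.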

There must be another issue, I've made the following changes:

  • no ip route 0.0.0.0 0.0.0.0 s0/0/0
  • ip route 0.0.0.0 0.0.0.0 x.x.94.85
  • no ip nat inside source list 1 interface s0/0/0 overload
  • ip nat inside source list 1 interface fa0/1 overload
  • no ip nat inside source list 11 interface Serial0/0/0 overload
  • no banner exec

Then unplugged the T1 and plugged in the Ethernet and still have no connection to internet.   Tried power-cycle both boxes, still nothing.  I did successfully ping the gateway (*.*.94.85), but could not ping google - a tracert said that the nameserver could not be found. DNS maybe?

We have a DNS server at 192.168.0.5, with the secondary at 8.8.8.8 (google)

Or are the static routes to the old WAN IP causing the problem?

You guys have been great so far - any help greatly appreciated.

Mark

PS. AZ doesn't use daylight savings time

Mark

Can you try tracert from a PC inside to 8.8.8.8 (if you haven't already), i.e. the IP, not the name.

Can you ping 8.8.8.8 from the router ?

Or are the static routes to the old WAN IP causing the problem?

I can't see any, only the default route.

Did you remove the permit ip any any from acl 110 ?

Jon

Can you ping 8.8.8.8 from the router when connected to the new ISP connection?

It does sound like some issue with the DNS config. Perhaps, at least as a test, I would suggest removing

ip name-server 192.168.0.5

and see if it improves things.

I am not sure what you mean when you suggest it may be an issue with static routes to the old WAN IP. Do you mean your routes or is it routes from the provider?

I did not remember that AZ does not use daylight saving time, and did not know that you are in AZ. But if you do not need it then do not use it.

HTH

Rick

It was a config issue on the ISP side - what you guys helped me with was spot-on.  Working now.  Thanks again!
