Cisco Support Community

New Member

lab simulated back-back frame relay WAN

Hi,

i have a 2621 set up as a nat/firewall out to the internet and a 1720 connected via back to back frame relay.

(the original idea was to replace a multitech RF660 with the 2621, and that came out pretty cool... then in a moment of boredom i figured i could add a WAN connection and route to another LAN)

i have connectivity from the ethernet interface of the 1720 all the way to the (both) ethernet interfaces of the 2621, but the lan side of the 1720 does not get to the internet...

a trace stops at the S0/1 interface of the 2621.

i've attached both running configs. (2621.txt and 1720.txt)

if anyone has ideas, I'd love to hear them! i'm guessing that either the serial IF on the 2621 or one of the IFs on the 1720 also has to nat... but i need ideas from anyone :)

thanks in advance

larry

1 ACCEPTED SOLUTION

Accepted Solutions

Re: lab simulated back-back frame relay WAN

This should fix it. Your serial interface on 2621 should have a "ip nat inside" statement, so that it will NAT all traffic coming in from the subnet 192.168.0.0/24.

7 REPLIES

Re: lab simulated back-back frame relay WAN

You don't need to do NAT on the 1720. You can actually take that off. NAT needs to be done only at the border device (2621). You have a command on the 2621, viz.

ip nat inside source list 21 interface FastEthernet0/1 overload

access-list 21 permit 172.16.39.0 0.0.0.255

ACL 21 defines which traffic gets NATed and which does not.

Since you are already NATing the LAN (192.168.0.0) behind the 1720 to 1.1.1.0 address space, just add a line,

access-list 21 permit 1.1.1.0 0.0.0.255

If you are removing the NAT off the 1720, add the following line to the access-list 21.

access-list 21 permit 192.168.0.0 0.0.0.255

HTH

New Member

Re: lab simulated back-back frame relay WAN

Thanks for the fast reply!

i think i've tried your suggestion (or variations) in previous tests, but tried again as you spec'd.

then i opened up access lists 101, 102 for ip any any just for testing, so i could ping/tracert from a pc on 192.168.0.(102), and from the console at the 1720...

(i have removed nat from the 1720, and access list 21 on the 1720 is not associated to any interface on the 1720; it could be removed too i think??)

the results from 'debug ip icmp' as generated by ping and tracert from a pc:

1st, a ping to the outside FA0/1 on the 2621 from a pc at 192.168.0.102

Oct 2 10:17:41.636: ICMP: echo reply sent, src 68.202.216.110, dst 192.168.0.102

Oct 2 10:17:42.636: ICMP: echo reply sent, src 68.202.216.110, dst 192.168.0.102

Oct 2 10:17:43.636: ICMP: echo reply sent, src 68.202.216.110, dst 192.168.0.102

Oct 2 10:17:44.640: ICMP: echo reply sent, src 68.202.216.110, dst 192.168.0.102

2nd, a tracert from a pc at 192.168.0.102 to the DSL router (the next hop after 68.202.216.110 FA0/1)

Oct 2 10:18:34.787: ICMP: time exceeded (time to live) sent to 192.168.0.102 (dest was 68.202.216.105)

Oct 2 10:18:34.811: ICMP: time exceeded (time to live) sent to 192.168.0.102 (dest was 68.202.216.105)

Oct 2 10:18:34.835: ICMP: time exceeded (time to live) sent to 192.168.0.102 (dest was 68.202.216.105)

thanks again... i really appreciate this!

Re: lab simulated back-back frame relay WAN

Forgot to add that your 2621 does not know how to reach the 192.168.0.0 network, so add a route:

ip route 192.168.0.0 255.255.255.0 1.1.1.2 (1721).

New Member

Re: lab simulated back-back frame relay WAN

i think ospf is taking care of this...

i can ping from a pc at 192.168.0.102 all the way to the other lan, 172.16.39.201 (PC), and from 192.168.0.102 to 68.202.216.110, the 'outside' interface closest to the dsl next hop.

also, from 192.168.0.102 to 1.1.1.1, 1.1.1.2.

going the other way, i can ping from 172.16.39.201 (PC) to 192.168.0.102 and from any device on 172.16.39.0 out to the internet.

i posted another question a few min. ago about the actual dsl router needing a route added back to 1.1.1.0 via the 2621.

what do you think?

thx!!

here's 'sh ip route'

(i'm changing a few #s for security... no offence to anyone ;> )

(sh ip route 2621)

Gateway of last resort is 68.202.216.105 to network 0.0.0.0

1.0.0.0/30 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Serial0/1

172.16.0.0/24 is subnetted, 1 subnets

C 172.16.39.0 is directly connected, FastEthernet0/0

68.0.0.0/29 is subnetted, 1 subnets

C 68.202.216.104 is directly connected, FastEthernet0/1

O 192.168.0.0/24 [110/1563] via 1.1.1.1, 00:13:37, Serial0/1

192.168.3.0/27 is subnetted, 1 subnets

C 192.168.3.0 is directly connected, Loopback0

S* 0.0.0.0/0 [1/0] via 68.202.216.105

(sh ip route 1720)

Gateway of last resort is 1.1.1.2 to network 0.0.0.0

1.0.0.0/30 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Serial0

C 192.169.10.0/24 is directly connected, Loopback0

172.16.0.0/24 is subnetted, 1 subnets

O 172.16.39.0 [110/1563] via 1.1.1.2, 00:16:31, Serial0

68.0.0.0/29 is subnetted, 1 subnets

O 68.202.216.104 [110/1572] via 1.1.1.2, 00:16:31, Serial0

C 192.168.0.0/24 is directly connected, FastEthernet0

S* 0.0.0.0/0 [1/0] via 1.1.1.2

New Member

Re: lab simulated back-back frame relay WAN

just another thought...

could it be that the DSL router needs a route added back to 1.1.1.0 via 68.202.216.110?

(since the DSL router is running ospf or rip...)

in other tests, i've seen 'unreachable' reported from 68.202.216.105 (DSL router)

Re: lab simulated back-back frame relay WAN

This should fix it. Your serial interface on 2621 should have a "ip nat inside" statement, so that it will NAT all traffic coming in from the subnet 192.168.0.0/24.
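
An added example, not part of any post in this thread: a simplified Python model of the decision the 2621 makes for `ip nat inside source list 21 interface FastEthernet0/1 overload`, showing why traffic from 192.168.0.102 stays untranslated until both the `ip nat inside` statement on Serial0/1 and the extra access-list 21 entry are present. The role of FastEthernet0/0 as inside and FastEthernet0/1 as outside is an assumption inferred from the thread, since the attached configs are not shown; function and variable names are hypothetical.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Standard-ACL match: bits set in the wildcard mask are 'don't care'."""
    ip = lambda s: int(ipaddress.IPv4Address(s))
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

def nat_decision(src, in_if, out_if, roles, acl21):
    """Return (translated, reason) for a packet routed from in_if to out_if."""
    if roles.get(in_if) != "inside":
        return (False, f"{in_if} is not an 'ip nat inside' interface")
    if roles.get(out_if) != "outside":
        return (False, f"{out_if} is not an 'ip nat outside' interface")
    if not any(wildcard_match(src, base, wc) for base, wc in acl21):
        return (False, f"{src} falls through to the implicit deny of access-list 21")
    return (True, f"{src} is overloaded onto the {out_if} address")

# Assumed starting state of the 2621 (constructed from the thread, not the real config).
ROLES_BEFORE = {"FastEthernet0/0": "inside", "FastEthernet0/1": "outside"}
ACL_BEFORE = [("172.16.39.0", "0.0.0.255")]

# The two changes suggested in the replies.
ROLES_AFTER = dict(ROLES_BEFORE, **{"Serial0/1": "inside"})
ACL_AFTER = ACL_BEFORE + [("192.168.0.0", "0.0.0.255")]

def scenarios():
    """Evaluate the PC behind the 1720 under each combination of fixes."""
    pc = ("192.168.0.102", "Serial0/1", "FastEthernet0/1")
    return {
        "original": nat_decision(*pc, ROLES_BEFORE, ACL_BEFORE),
        "acl_entry_only": nat_decision(*pc, ROLES_BEFORE, ACL_AFTER),
        "nat_inside_only": nat_decision(*pc, ROLES_AFTER, ACL_BEFORE),
        "both_changes": nat_decision(*pc, ROLES_AFTER, ACL_AFTER),
        "other_lan": nat_decision("172.16.39.201", "FastEthernet0/0",
                                  "FastEthernet0/1", ROLES_BEFORE, ACL_BEFORE),
    }

if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:16} {'NAT' if ok else 'no NAT':7} {why}")
```

On the router itself, `show ip nat translations` is the check that corresponds to the `both_changes` row: an entry for 192.168.0.102 should appear once both changes are in place.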

New Member

Re: lab simulated back-back frame relay WAN

Thank You. that did it.

i agree with you about the value of this forum.

had this been a 'real world' issue, you'd have helped me resolve it in just a few hours.

and i learned something in the process.

i am a ccna en route to ccnp/ccie so everything i learn is valuable!

thanks again!
