I really need your help. I'm a Network student and I'm attempting to configure my first "real world" set of routers. I'm learning that the "lab" environment and the real world are 2 different things. I'm hoping someone can help me quickly. My office is going live with their new system next week and I need to get these routers communicating properly.
Here's the setup: I have a triangle setup with the bottom of the triangle open. At the top of the triangle is the main office (NB) which has the terminal services server, app server, data server, etc. I have 2 satelite offices (MHC and JAX) currently connected with frame relay. We are converting to fiber in the main office (NB) coming in through a layer 3 switch provided and configured by the ISP and non-configurable to us. I have a 1700 series router on the internal side of the layer 3 switch with one bri port that I am configuring to use with an adapter and one fastethernet port. The ISP assigned IP is 126.96.36.199/30. I assigned the router 188.8.131.52/30. Since there will be 20-30 computers initially accessing services I configured NAT with PAT and ip route statements that I'm not sure are stated correctly.
Both satelite offices will RDT to the main office NB and will access data/apps, etc. from there. They will access the internet from their location rather than going through the NB site.
I need to at least get the NB office and MHC office talking and I can then customize the configuration for JAX. I initially put in NAT and PAT and was able to ping within the NB office but not get out to the internet. With the ip route statements added, I have not found out yet whether or not it was successful since I am not the one that is doing the testing.
If you would, please look at my configurations as they stand presently and let me know what I have messed up on and maybe what I need to do differently, even if I need to change my approach. As I said, we are running out of time. I thought this would easily work as it had in class, but I have since found out differently.
Thanks in advance for any help anyone can give me.
First thing in newbern router you really dont require 2 default routes.
Do remove the route pointing towards the next hop ip,just have the default pointing towards your bri interface.
The routing part on both your MHC is wrong.
ip route 192.168.2.0 255.255.255.0 184.108.40.206
you are routing your own network via some public ip..
Also to access your internal servers kept behind the nat table you should make sure that you have proper Port based translation configured on your routers.
And also theres no connectivity mentioned in the config between your offices..
You can refer the below link for more on NAT..
I have tried numerous times to access the NAT link without success. Do I have to use NAT for this configuration or is there an easier solution? NAT has been a thorn in my side in school. I think I must have a mental block towards it or something.
If you dont have enough public ip space provided by your SP you need to go with NAT only.
In which case you need to do Port based translation so that you can have single ip being used to access different applications hosted on different ports numbers..
Do I need any ip route statements to tell MHC where to access the data/app servers and NB where to send MHC and JAX data back to? How about ACL's to allow traffic in from the other offices? Or will NAT with PAT alone be enough? We want to keep the overhead on these routers as minimal as possible since the company won't spring for new routers and/or memory upgrades.
What I would do is setup a GRE tunnel between your headoffice and your branch offices.
I am assuming that your ISP is providing a direct link between your HO and branch offices is this correct? So you have a different connection out to the internet - is that the case or not?
If your ISP is linking your offices directly then you don't use NAT, you will need to have your internal traffic go out 'untouched', as you would have trouble denatting the traffic at the other end.
So to setup a GRE tunnel you would need something like the attached documents
You will then need to setup another tunnel in the NB router with interface tunnel1 and change just the ip address of the tunnel to the next range ie 172.16.0.21 for the NB router and 172.16.0.22 for the Jax router. Have a look at the routes as i have set them up in each file, then route the jax traffic to tunnel1, and on the jax router route the NB traffic to tunnel0 same as the MHC config is.
Email me on email@example.com and let me know how you get on.
We actually have 2 ISP's involved and it isn't a direct link. The NB office has fiber through a layer 3 switch of the ISP's and the other 2 have copper to the modem.
I tried with NAT and PAT today at the main NB office and was able to see the switch but unable to get through it. I also found out this morning that they have a watchguard firewall that's going to play into out configuratons. The switch is the ISP's and we can't configure it. We're in the process of trying to find out the exact configuration of it.
I'll let you know when I get the info from the switch and watchguard firewall. I think that's part of the problem. They're giving me bits and pieces and say that's all and then through more monkey's in the puzzle.
Thanks so much and have a great Easter!
Ok regardless you should be doing this with a tunnel not Nat and Pat. You are talking about an internal range going out through your router at NB, being natted, then arriving at your branches and trying to be unnatted, there is no way you are going to be able to A. Have enough internet addresses to do a one to one nat and denat, and B. Dynamically nat and denat and gain access to the services you want. Pat and Nat are generally only used for external access requirements only not for internal ranges to access other internal ranges across the internet. This is a huge security risk and if your company knew this is what you were attempting then they wouldn't be too impressed.
You need to setup a VPN between your sites - I have redone your entire config for both NB and MHC with an IPsec tunnel between the sites, and NAT for outbound 'Internet' traffic with access lists and a route-map so the traffic over the tunnels isn't being natted.
It would appear that you don't have a firewall at the NB location so what you need to do is to download at least a IP/ADSL/FW/IDS PLUS IPSEC 3DES IOS for the 1700's, for my configs to work. These will then provide you with a stateful firewall with CBAC access lists (ie inbound traffic ACE's are dynamically generated based on what traffic is allowed out).
The watchguard firewall at MHC needs to allow at least UDP port 500, and ESP (ip protocol 50) traffic from 220.127.116.11 for the VPN to be able to be established, I have already allowed these in the configs so you can see what you need to do for the watchguard.
Once you have both these configs in place you should be able to ping 192.168.1.x from NB and vice versa from MHC, and acccess the internet from both locations.
Note I would put on c1700-k9o3sy7-mz.124-11.T1.bin (which is for a 1721 so may need to get a different one if you don't have 1721's. Also this requires 96MB RAM, and 32MB flash.) Contact me on my email if you have problems getting this