problem in my home lab

For one thing, your 2620 is pointing to itself as the default gateway. It should be pointing to the directly connected interface of the bottom router, which you provided no specs for.

Overall, your diagram appears incomplete. All networks, all router interfaces need to be labeled.

I am assuming the wireless router is providing NAT? If not, then the router ahead of it (between it and the internet) may not know about the networks behind the wireless.
Even with NAT, I find it strange that you could ping the wireless private IP from PC3, since I would venture to guess that it does not have a routing table other than the default gateway to the internet. In such a case, it could receive packets from the 'far' networks (such as the network PC3 is attached to) but would not know where to send the response packets.

Remember when troubleshooting routing, packets have to travel both ways. I myself sometimes forget this, and assume default gateways alone would work, which is true for getting the packet out to the internet, but forget to trace packet routes from the internet back to the deepest (farthest away from the internet) host.

Danman32 wrote:

For one thing, your 2620 is pointing to itself as the default gateway. It should be pointing to the directly connected interface of the bottom router, which you provided no specs for.

I realized, thanks for clearing. I'll make the change and see what happens

Danman32 wrote:

Overall, your diagram appears incomplete. All networks, all router interfaces need to be labeled.

I don't need to use those interfaces this time. Is there a convention to configure the interfaces even u don't use them?

Danman32 wrote:

Even with NAT, I find it strange that you could ping the wireless private IP from PC3, since I would venture to guess that it does not have a routing table other than the default gateway to the internet. In such a case, it could receive packets from the 'far' networks (such as the network PC3 is attached to) but would not know where to send the response packets.

that's why i set up NAT on "top2520". I know that the wireless router will NAT/PAT the 192.168.0.X into a public address, so turning any 172.18.X.X into 192. will do it(i hope). This leads to my other question: How can I be sure the IP of "e0" of top2520(192.168.0.123) will be translated because it's not assigned by the wireless router. I simply think if PC3 can ping 192.168.0.1 will prove this, i might be wrong. But someone give me a clear explanation?

what about the first problem?

Interfaces that you claim to be unused might end up being used when dealing with dynamic routing, unless something makes the cost force them to be lower priority. Shutting then down would take them off of being potential route paths.

So you have a double NAT. That sometimes can be a problem.
Can you get to the wireless router's HTTP configuration page from PC3? If so, that rules out routing and port blocking up to and including the wireless router itself.

I haven't seen a broadband router that is performing NAT care if it issued a backend host the IP address or if the IP address was static, as long as it is in the same network thus not violating routing rules, and isn't being blocked by firewall configs.

If for some reason the internet response being translated by the wireless ends up appearing as a separate communications. The overload keyword should be tracking this however.

Perhaps you might find the issue by SHOWing IP NAT TRANSLATIONS and DEBUG IP NAT.

I don't have enough experience configuring/troubleshooting DHCP on Cisco. However, on PC3 you can type IPCONFIG /ALL and it will display the IP address of the DHCP that it got the address from.

rossonieri#1

hello,

ok, your pc3 can ping the wireless router - simply because true that you have the same netmask by NAT of your top2520, but you dont have the authentication to go to the internet (the wireless router perform a basic function just like windows ICS:small DNS server etc...).

configure your top 2520 e0 to obtain DHCP is simply :
intf#ip address negotiate

cheers... : )

mwgood

Can you post the routing table for each router?

thank you, ross! you gave real help. Now, the problem still the same. And I found some new interesting thing.

I'll post the new config of top2520, middle2520, 2620, and then show you the interesting stuff.

top2520
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service tcp-small-servers
!
hostname top2520
!
boot-start-marker
boot system flash c2500-i-l.123-6.bin
boot-end-marker
!
enable secret 5 $1$CXdJ$pWkqsBrO/tkmVjbmnxvXJ0
enable password cisco
!
no aaa new-model
ip subnet-zero
!
interface Ethernet0
ip address dhcp
ip nat outside
no ip route-cache
!
interface Serial0
ip address 172.18.1.10 255.255.255.252
ip nat inside
no ip route-cache
clockrate 64000
!
interface Serial1
ip address 172.18.1.13 255.255.255.252
ip nat inside
no ip route-cache
!
interface Serial2
no ip address
shutdown
!
interface Serial3
no ip address
shutdown
!
interface BRI0
no ip address
no ip route-cache
shutdown
!
router ospf 3
log-adjacency-changes
network 172.18.0.0 0.0.255.255 area 0
network 192.168.0.0 0.0.255.255 area 0
!
ip nat inside source list 2 interface Ethernet0 overload
no ip http server
ip classless
!
!
access-list 2 permit 172.18.0.0 0.0.255.255
!
line con 0

middle2520
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service tcp-small-servers
!
hostname middle2520
!
boot-start-marker
boot system flash c2500-i-l.123-6.bin
boot-end-marker
!
enable secret 5 $1$YBk4$S9gg.6FOBHS/4CNBDJEMe/
enable password cisco
!
no aaa new-model
ip subnet-zero
ip name-server 192.168.0.1
!
!
interface Ethernet0
no ip address
no ip route-cache
!
interface Serial0
ip address 172.18.1.5 255.255.255.252
no ip route-cache
clockrate 64000
!
interface Serial1
ip address 172.18.1.14 255.255.255.252
no ip route-cache
clockrate 64000
!
interface Serial2
no ip address
shutdown
!
interface Serial3
no ip address
shutdown
!
interface BRI0
no ip address
no ip route-cache
shutdown
!
router ospf 8
log-adjacency-changes
network 172.18.0.0 0.0.255.255 area 0
!
no ip http server
ip classless
!
!
line con 0

2620
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2620
!
enable secret 5 $1$rv50$/EjYIG4Ry6uCOV/vCt0ej0
enable password cisco
!
ip subnet-zero
!
!
ip dhcp excluded-address 172.18.10.1 172.18.10.50
!
ip dhcp pool 172.18.10.0/24
network 172.18.10.0 255.255.255.0
dns-server 192.168.0.1
default-router 172.18.10.1
!
interface FastEthernet0/0
ip address 172.18.10.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 172.18.1.18 255.255.255.252
!
router ospf 11
log-adjacency-changes
network 172.18.0.0 0.0.255.255 area 0
!
ip default-gateway 192.168.0.1
ip classless
ip http server
ip pim bidir-enable
!
!
line con 0

With the config above, I ping some websites from top2520 and middle2520.

top2520#ping www.yahoo.com
Translating "www.yahoo.com"...domain server (192.168.0.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.73.186.238, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/64/76 ms
top2520#ping www.ebay.com
Translating "www.ebay.com"...domain server (192.168.0.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.135.192.124, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
top2520#ping www.amazon.com
Translating "www.amazon.com"...domain server (192.168.0.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 207.171.166.102, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

middle2520#ping www.yahoo.com
Translating "www.yahoo.com"...domain server (192.168.0.1) [OK]

Translating "www.yahoo.com"...domain server (192.168.0.1) [OK]

Translating "www.yahoo.com"...domain server (192.168.0.1) [OK]

Translating "www.yahoo.com"...domain server (192.168.0.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.73.186.238, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
middle2520#ping www.ebay.com
Translating "www.ebay.com"...domain server (192.168.0.1) [OK]

Translating "www.ebay.com"...domain server (192.168.0.1) [OK]

Translating "www.ebay.com"...domain server (192.168.0.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.135.192.123, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

We can see, on top 2520 I can ping yahoo.com(also can ping my own website) but can't ping amazon and ebay. On middle2520, can't ping any outside website. Isn't this weired? I still can't go to the internet from pc3, if I didn't do the right thing in my lab, why top2520 can ping some of outside world?

mikej412

mwgood wrote:

Can you post the routing table for each router?

and a traceroute?

You might want to check this link
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094374.shtml

Have you setup a default route within OSPF?

You've got your DNS server running on an IP that can be reached with your routing protocols-- so you've got the remote IP address -- but do you have a default route in your routing table? It still sounds like a simple routing issue (rather than a big fat fuzzy NAT issue).

If you create a static route on the 26xx using the 25xx NAT router as the destination -- does it work then? (ethernet 0 is going to the wireless/cable router, right?).

Amazon and eBay probably have security set not to allow ICMP traffic -- so stick with testing with yahoo.

On the top2520, I wouldn't put the 192.168.0.0/16 in the OSPF process unless you make the interface passive, or you redistribute it to OSPF. You are sending hellos out of that interface which may not hurt anything, but it is a poor practice that can be a security hole. I doubt your wireless router knows anything about OSPF so it is not doing it any good.

You don't need to advertise that network into OSPF if you use the default-information originate always command. I don't know about now, but, once upon a time, this command (and the various ways it is used) were required knowledge for CCNP candidates.

I don't believe you understand the ip default-gateway command that you have on the 2620. This is used when ip routing is turned off. Per Cisco:

To define a default gateway (router) when IP routing is disabled, use the ip default-gateway command in global configuration mode.

This is where the default-information originate command on the top2520 will help you.

mikej412 is correct about Internet pings. They are very hit-or-miss; many sites now ignore ICMP. Find one that responds and stick with it.

Just checked and verified Ebay and Amazon do not respond to pings.
I know google does, I use it all the time.

Note though that yahoo worked (responded) on TOP, but not MIDDLE, yet it was able to resolve through the wireless router.

I still would observe NAT translations. If there is indeed a routing problem, at least for outbound, you should see that, since if no NAT is attempted, the packet probably isn't getting to TOP to be translated. However, if TOP gets a reply and translates it, then there most likely is a route back problem.

How about showing the resulting route tables on the 3 routers?

Ok, let's make it simply now.

I'll tell you guys what each router can do under the newest configuration, then I post the newest configuration of top2520, middle2520, 2620, then the route table of them.

Still the same topology, now on top2520 i can ping any pingable websites, this is understandable because the e0 of top2520 got an 192.168.0.X ip from the wireless router automatically, just like pc1. The wireless's default gateway is 192.168.0.1, so it is the ip of dns server, dhcp server.

Except top2520, any device in my network can't ping outside world. but they can reach the dns server of the wireless router and get the ip of the unknown websites back. This means the packets can go through top2520 and come back! then why they can't ping outside?

Let's just make the question simple. Forget about 2620 and pc3, who can help me make the middle2520 ping the internet?

top2520
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service tcp-small-servers
!
hostname top2520
!
boot-start-marker
boot system flash c2500-i-l.123-6.bin
boot-end-marker
!
enable secret 5 $1$CXdJ$pWkqsBrO/tkmVjbmnxvXJ0
enable password cisco
!
no aaa new-model
ip subnet-zero
!
!
interface Ethernet0
ip address dhcp
ip nat outside
no ip route-cache
!
interface Serial0
ip address 172.18.1.10 255.255.255.252
ip nat inside
no ip route-cache
clockrate 64000
!
interface Serial1
ip address 172.18.1.13 255.255.255.252
ip nat inside
no ip route-cache
!
interface Serial2
no ip address
shutdown
!
interface Serial3
no ip address
shutdown
!
interface BRI0
no ip address
no ip route-cache
shutdown
!
router ospf 3
log-adjacency-changes
network 172.18.0.0 0.0.255.255 area 0
network 192.168.0.0 0.0.0.255 area 0
!
ip nat inside source list 2 interface Ethernet0 overload
no ip http server
ip classless
!
!
access-list 2 permit 172.18.0.0 0.0.255.255
!
line con 0

middle2520
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service tcp-small-servers
!
hostname middle2520
!
boot-start-marker
boot system flash c2500-i-l.123-6.bin
boot-end-marker
!
enable secret 5 $1$YBk4$S9gg.6FOBHS/4CNBDJEMe/
enable password cisco
!
no aaa new-model
ip subnet-zero
ip name-server 192.168.0.1
!
!
!
interface Ethernet0
no ip address
no ip route-cache
!
interface Serial0
ip address 172.18.1.5 255.255.255.252
no ip route-cache
clockrate 64000
!
interface Serial1
ip address 172.18.1.14 255.255.255.252
no ip route-cache
clockrate 64000
!
interface Serial2
no ip address
shutdown
!
interface Serial3
no ip address
shutdown
interface BRI0
no ip address
no ip route-cache
shutdown
!
router ospf 8
log-adjacency-changes
network 172.18.0.0 0.0.255.255 area 0
!
no ip http server
ip classless
!
!
!
line con 0

2620
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2620
!
enable secret 5 $1$rv50$/EjYIG4Ry6uCOV/vCt0ej0
enable password cisco
!
ip subnet-zero
!
!
ip host 2620
ip name-server 192.168.0.1
ip dhcp excluded-address 172.18.10.1 172.18.10.50
!
ip dhcp pool 172.18.10.0/24
network 172.18.10.0 255.255.255.0
dns-server 192.168.0.1
default-router 172.18.10.1
!
!
interface FastEthernet0/0
ip address 172.18.10.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 172.18.1.18 255.255.255.252
!
router ospf 11
log-adjacency-changes
network 172.18.0.0 0.0.255.255 area 0
!
ip classless
ip http server
ip pim bidir-enable
!
!
line con 0

middle2520#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.18.0.0/16 is variably subnetted, 5 subnets, 2 masks
O 172.18.1.16/30 [110/933] via 172.18.1.6, 00:26:04, Serial0
C 172.18.1.12/30 is directly connected, Serial1
O 172.18.10.0/24 [110/934] via 172.18.1.6, 00:26:04, Serial0
O 172.18.1.8/30 [110/128] via 172.18.1.6, 00:26:04, Serial0
[110/128] via 172.18.1.13, 00:26:04, Serial1
C 172.18.1.4/30 is directly connected, Serial0
O 192.168.0.0/24 [110/74] via 172.18.1.13, 00:26:05, Serial1

top2520#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

172.18.0.0/16 is variably subnetted, 5 subnets, 2 masks
O 172.18.1.16/30 [110/933] via 172.18.1.9, 00:26:54, Serial0
C 172.18.1.12/30 is directly connected, Serial1
O 172.18.10.0/24 [110/934] via 172.18.1.9, 00:26:54, Serial0
C 172.18.1.8/30 is directly connected, Serial0
O 172.18.1.4/30 [110/128] via 172.18.1.9, 00:26:54, Serial0
[110/128] via 172.18.1.14, 00:26:54, Serial1
C 192.168.0.0/24 is directly connected, Ethernet0
S* 0.0.0.0/0 [254/0] via 192.168.0.1

2620#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

172.18.0.0/16 is variably subnetted, 5 subnets, 2 masks
C 172.18.1.16/30 is directly connected, Serial0/0
O 172.18.1.12/30 [110/192] via 172.18.1.17, 00:29:39, Serial0/0
C 172.18.10.0/24 is directly connected, FastEthernet0/0
O 172.18.1.8/30 [110/128] via 172.18.1.17, 00:29:39, Serial0/0
O 172.18.1.4/30 [110/128] via 172.18.1.17, 00:29:39, Serial0/0
O 192.168.0.0/24 [110/138] via 172.18.1.17, 00:29:39, Serial0/0

middle2520#ping www.yahoo.com
Translating "www.yahoo.com"...domain server (192.168.0.1) [OK]

Translating "www.yahoo.com"...domain server (192.168.0.1) [OK]

Translating "www.yahoo.com"...domain server (192.168.0.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.73.186.238, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
middle2520#

I got it. Top knows how to get to any internet address (S* 0.0.0.0/0 [254/0] via 192.168.0.1 ) but middle does not. It only knows about 192.168.0.x, but not how to go to any addresses beyond that. Remeber, it isn't the internet destined address that gets translated, but what the internet sees as the calling address.

The DNS proxy (your wireless router) is reachable because it is in a routable address, so www.yahoo.com becomes resolvable, but the resolved address 209.73.186.238 is not routable; not in any routing entry in Middle. Add a route of last resort to middle and 2620, or get TOP to advertise the default, and I bet it will all work.

madonion wrote:

Except top2520, any device in my network can't ping outside world. but they can reach the dns server of the wireless router and get the ip of the unknown websites back. This means the packets can go through top2520 and come back! then why they can't ping outside?

Let's just make the question simple. Forget about 2620 and pc3, who can help me make the middle2520 ping the internet?

You are not distributing the default route so the other routers have no way of knowing where anything not on the 192.168.0.0/16 and 172.18.0.0/16 networks is. If you will remove the 192.168.0.0/16 from OSPF on your top router, and use the default-information originate command, you should be successful.

The other routers and host will know all about the 172.18.0.0/16 networks, and anything they don't know about will go to top2520 that knows to send them out to your wireless router.

You have to remember, you are not getting OSPF from the wireless router or the Internet. You have to do something to address the unknown Internet addresses that you are trying to ping.

Properly, top2520 is an ASBR, but you are not letting it be one. Instead, you are trying to use the wireless router as an ASBR, but it doesn't run OSPF.

http://www.techexams.net/forums/viewtopic.php?t=16530

thanx! guys, especially danman32 and mike! It's just the "route of last resort" problem. after I added the command to middle2520, bottom2520, 2620, it all works, pc3 can go to internet.

maybe when it's hard to solve a problem, we better go down to the "packet" level. This morning while having breakfast, i let me think like i'm a packet, my mind got clear. Open the computer, danman32 just spoke out. thanks again! I think the different use of command in different IOS blew my mind out, plus i was a bit vague about the concept.

now, oops, another crisis

I still think you are doing it the hard way, and, if this is to be a practice lab, not the the Cisco way.

madonion wrote:

maybe when it's hard to solve a problem, we better go down to the "packet" level. This morning while having breakfast, i let me think like i'm a packet, my mind got clear. Open the computer, danman32 just spoke out. thanks again! I think the different use of command in different IOS blew my mind out, plus i was a bit vague about the concept.

Yup, trace the packet flow. As I have said before though, don't forget the packet coming back with the response, as I often do with static (default) routes.

BubbaJ wrote:

I still think you are doing it the hard way, and, if this is to be a practice lab, not the the Cisco way.

are you talking about double PAT and the advertising of 192.168.0.0/24 on top2520 in ospf, Bub? I tested it, while top2520 allow inside traffic out&in, traffic originated from outside can't ping inside devices. say, on pc1, you can't ping any node inside.

the cisco way is what i'm trying to learn, any opnion or suggestion is extremely welcomed.