Routing question...

lochmoigh

I am trying to get my 3550 to allow the hosts attached out through the internet.

Currently I have 3550--->3662----wireless---> cable modem. the 3662 pings out to google. the 3550 has a routed port to the 3662, I do have vlans setup (I will send the particulars this evening). I need to setup a subinterface on the 3550 routed port to allow the host ports access correct? I do have the gateway setup and static routes pointing the way out. I realize this is a little vague but any help pointing in the right direction would be great.

ehnde

Do you have a default route on the 3550?

ip route 0.0.0.0 0.0.0.0 172.16.20.1

Or something like that.

networker050184

Does the cable modem have a route back to the internal subnets? If not you need to add the route or NAT on the 3662.

lochmoigh

Yes to the first

no to the second. I will work on that.

lochmoigh

Alright I can telnet into both my router and my switch, so I have forgotten /missed something I am including the output for the switch and the router. Any help is greatly appreciated.


nysw07#sh run
Building configuration...

Current configuration : 3262 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname nysw07
!
enable secret 5 $1$CE7D$fJSzVOMa6z14VDTC9vXwT.
!
ip subnet-zero
ip routing
!
ip dhcp pool LAN
network 192.168.100.0 255.255.255.0
bootfile lan
!
!
spanning-tree mode pvst
spanning-tree extend system-id


!
ip default-gateway 192.168.10.2
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.1 150
ip route 192.168.0.0 255.255.255.0 192.168.10.0
ip http server


3662 Router
3662#sh run
Building configuration...

Current configuration : 866 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3662
!
enable secret 5 $1$g628$IiwbqJGkpiY5QGcfzCaAU/
!
ip subnet-zero
!
!
call rsvp-sync
!
fax interface-type fax-mail
mta receive maximum-recipients 0
hostname 3662
!
enable secret 5 $1$g628$IiwbqJGkpiY5QGcfzCaAU/
!
ip subnet-zero
!
call rsvp-sync
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
interface FastEthernet0/0
ip address 192.168.0.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
!
ip default-gateway 192.168.0.10
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 192.168.10.0 255.255.255.0 192.168.0.0
no ip http server

networker050184

Whats up with this?

ip route 192.168.10.0 255.255.255.0 192.168.0.0

That is a connected network so that static routes isn't going to have any affect. Regardless, there would be no reason to route those addresses that way.

You also do not need this on a router (a router thats routing anyway).

ip default-gateway 192.168.0.10

You have the default route though so that should take care of setting your gateway of last resort.

Have you verified the modem can get back the inside addresses? Remember, routing is a two way street. You need a route there and back. If you are trying to send out traffic with a source other than the modems internal network it's not going to route back to you automatically.

lochmoigh

networker050184 wrote: »

Whats up with this?

ip route 192.168.10.0 255.255.255.0 192.168.0.0

That is a connected network so that static routes isn't going to have any affect. Regardless, there would be no reason to route those addresses that way.

You also do not need this on a router (a router thats routing anyway).

ip default-gateway 192.168.0.10

You have the default route though so that should take care of setting your gateway of last resort.

Have you verified the modem can get back the inside addresses? Remember, routing is a two way street. You need a route there and back. If you are trying to send out traffic with a source other than the modems internal network it's not going to route back to you automatically.

I have been grasping at straws. I can't get into the modem itself. ISP thing. I can telnet into the switch from remote locations, I just cannot get back out. Pinging out to the wireless router just will not happen from the switch, the 3662 can ping it just fine.

networker050184

Ok, you need to think about the IP packet and the routing tables. I'm going to make a few assumptions so I might be a bit off. Regardless you will need to look at it with the same logic.

When the packet comes from the switch it's going to have a source of 192.168.10.X and a destination of 4.2.2.2 (as an example).

When the 3662 gets it its going to look at the destination of 4.2.2.2 and route it out its default route to 192.168.0.1.

When 192.168.0.1 (I'm assuming its your wireless router) receives the packet it looks at the destination of 4.2.2.2. Assuming its doing the NAT, a few things might happen. If the NAT is restricted to the internal range only (192.168.0.0/24) then the packet will not be NAT'ed because it has a source of 192.168.10.x. If the NAT is wide open, then the packet will be NAT'ed and sent on its way to the modem.

Once the modem receives the packet it will look at the destination as well. Depending on the set up it will either go through the same NAT steps or just bridge it etc.

So, assuming it gets through NAT and the packet is routed to 4.2.2.2 it now has to come back. Once the packet comes back in and is translated back it will have a destination address of 192.168.10.x. Now when the wireless/modem (again depending on the setup) looks up a destination of 192.168.10.x it will not have a match and try to forward it back out the default route again. It will eventually just be dropped as an non routeable destination as its private.

With that said, you have two things to look at. A. NAT and B. routes to the inside addresses.

lochmoigh

networker050184 wrote: »

Ok, you need to think about the IP packet and the routing tables. I'm going to make a few assumptions so I might be a bit off. Regardless you will need to look at it with the same logic.

When the packet comes from the switch it's going to have a source of 192.168.10.X and a destination of 4.2.2.2 (as an example).

When the 3662 gets it its going to look at the destination of 4.2.2.2 and route it out its default route to 192.168.0.1.

When 192.168.0.1 (I'm assuming its your wireless router) receives the packet it looks at the destination of 4.2.2.2. Assuming its doing the NAT, a few things might happen. If the NAT is restricted to the internal range only (192.168.0.0/24) then the packet will not be NAT'ed because it has a source of 192.168.10.x. If the NAT is wide open, then the packet will be NAT'ed and sent on its way to the modem.

Once the modem receives the packet it will look at the destination as well. Depending on the set up it will either go through the same NAT steps or just bridge it etc.

So, assuming it gets through NAT and the packet is routed to 4.2.2.2 it now has to come back. Once the packet comes back in and is translated back it will have a destination address of 192.168.10.x. Now when the wireless/modem (again depending on the setup) looks up a destination of 192.168.10.x it will not have a match and try to forward it back out the default route again. It will eventually just be dropped as an non routeable destination as its private.

With that said, you have two things to look at. A. NAT and B. routes to the inside addresses.

It's starting to sink in. I appreciate it. I may swap things around and have the 3662 directly connected to the modem, and move the wireless internal.
THanks.

networker050184

lochmoigh wrote: »

It's starting to sink in. I appreciate it. I may swap things around and have the 3662 directly connected to the modem, and move the wireless internal.
THanks.

That still probably will not help you out. You're still going to end up with the modem not knowing how to get to the internal networks.

You can always just NAT on the 3662 so that everything gets translated to 192.168.0.0/24 and you won't have to worry about all that. Then you will have a few layers of NAT going on, but should still function.

lochmoigh

networker050184 wrote: »

That still probably will not help you out. You're still going to end up with the modem not knowing how to get to the internal networks.

You can always just NAT on the 3662 so that everything gets translated to 192.168.0.0/24 and you won't have to worry about all that. Then you will have a few layers of NAT going on, but should still function.

I hear you, the only confusing thing is the 3662will pings out to the net.

User Access Verification

Password:
3662>en
Password:
3662#ping google.com
Translating "google.com"...domain server (255.255.255.255) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.47.105, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/39/40 ms
3662#

networker050184

lochmoigh wrote: »

I hear you, the only confusing thing is the 3662will ping out to the net.

That is because the 3662's outside interface is in the known internal network of the wireless router. When you ping form the 3662 the source IP will be 192.168.0.x. Just as if you had a computer plugged in there. On the other hand when you ping from the switch it will be 192.168.10.x. The wireless knows how to route to 192.168.0.0/24 as its directly connected but knows nothing about 192.168.10.0/24. Its the NAT/return path that is causing the issues, not the route out.

Another possible solution is to add a route on the wireless router and allow that range to be NAT'ed also.

lochmoigh

networker050184 wrote: »

That is because the 3662's outside interface is in the known internal network of the wireless router. When you ping form the 3662 the source IP will be 192.168.0.x. Just as if you had a computer plugged in there. On the other hand when you ping from the switch it will be 192.168.10.x. The wireless knows how to route to 192.168.0.0/24 as its directly connected but knows nothing about 192.168.10.0/24. Its the NAT/return path that is causing the issues, not the route out.

Another possible solution is to add a route on the wireless router and allow that range to be NAT'ed also.

That makes sense. Thanks.