Networking questions
Hi all,
Building a network, and I'm having some issues. I believe my first issue is IP addressing. This is the network layout:
OK. Right now I am working on the modem-router-fw connection. The fw connection itself seems to be working, meaning I can ping from an internal host to the firewall. I cannot, however, get internet access, and I believe the issue is on the router.
Currently the modem is configured with a static IP from the ISP, ex. 10.25.30.525 (I know this connection needs to be bridged).
I set eth0 (external) on the router to IP 10.25.30.525 and vlan 1 (containing eth 1-internal) to 192.168.0.1.
External interface on the fw is .0.2 and internal interface is configured with the internal range.
Anyone see any issues? Is my addressing wrong? Do you think the modem isn't bridging correctly? Any way to identify the issue, or narrow it down?
Comments
-
dustinmurphy Member Posts: 170
Personally, I would put the firewall as the outer-most device before the modem.
I always start with figuring out where my disconnect is. If you can ping from the internal host to the inside of the firewall, can you hit the OUTSIDE interface on the firewall? Can you hit the inside interface of the router? Can you hit the OUTSIDE interface of the router? Can you hit your ISP's gateway? Do you have the default gateway configured on the router? What gateway are your internal hosts configured with? Do you have NAT setup on your router? What brand/model is the router/firewall?
There is a lot of information that is missing from your post. IMO, there's no way for us to help without knowing most of this information...
To check the bridging of the modem, connect directly to it... give your box the right connection info and see if it works. -
ptilsen Member Posts: 2,835 ■■■■■■■■■■
Can you Ping the router internally? What if you remove the firewall?
Is the router setup for address translation so you can share Internet? -
SephStorm Member Posts: 1,731 ■■■■■■■□□□
Thanks for your replies. I can ping from the PC to the internal interface of the firewall, but not to the external interface of the FW. I have checked the fw and the routing table contains the entries for the inside and outside IPs and the default route (the external IP). NAT is also configured on the firewall, but not DHCP or any other services.
I can't move the firewall because I am a home cable user, and I can't connect coaxial to my firewall to my knowledge. I would probably need a coax to serial or ethernet converter. I probably could remove the firewall to create the simplest network, but I would like to use it for a learning experience. It will be providing NAT/DHCP. -
it_consultant Member Posts: 1,903
Is the 10.25.40.525 a fake address for privacy? You should be getting a public IP to your firewall if the modem is truly in bridge mode. It sounds like your ACLs are screwed up and they are denying traffic from the internal to the external port on the firewall. -
MAC_Addy Member Posts: 1,740 ■■■■□□□□□□
Completely off topic, but what are you using to create the network topology?
2017 Certification Goals: CCNP R/S -
SephStorm Member Posts: 1,731 ■■■■■■■□□□
Sorry about the wait, I was on the Cisco forums trying to get an answer. Anyway, I use Gliffy for the diagrams. I just use the free trial and screenshot it; I don't have an account. I simplified the setup; at this point it is just modem, router, PC. I can ping everywhere except the default gateway address, and of course no internet access. I'd like to post my config, see what you guys see. Note: I'm keeping the public IP for clarification. Here is the ipconfig of the PC directly connected to the modem, in bridging mode. Also note, when connected this way, the PC can ping the DG, but not when connected to the router.
Connection-specific DNS Suffix . : sc.rr.com
IPv4 Address. . . . . . . . . . . : 24.88.73.221
Subnet Mask . . . . . . . . . . . : 255.255.248.0
Default Gateway . . . . . . . . . : 24.88.72.1
no ip dhcp use vrf connected
!
ip dhcp pool pool
network 192.168.1.0 255.255.255.0
domain-name stormnet.local
dns-server 209.18.47.61 209.18.47.62
default-router 24.88.73.221
lease 7
!
no ip domain lookup
ip domain name stormnet.local
!
multilink bundle-name authenticated
!
username password 7
archive
log config
hidekeys
!
interface Loopback0
no ip address
shutdown
!
interface FastEthernet0
description outside
ip address 24.88.73.221 255.255.248.0
ip nat outside
ip virtual-reassembly
speed auto
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface Vlan1
description inside
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 24.88.72.1
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0 -
blindrox Member Posts: 10 ■□□□□□□□□□
ip dhcp pool pool
network 192.168.1.0 255.255.255.0
domain-name stormnet.local
dns-server 209.18.47.61 209.18.47.62
default-router 24.88.73.221
You're passing out a default gateway to your DHCP users that is not on the same subnet as the IP addresses you are assigning them. The default gateway (default-router in the config), should be the inside router interface that your PC will connect to. -
SephStorm Member Posts: 1,731 ■■■■■■■□□□
I'll have to give that a shot this afternoon, but if that is the case, why can't I ping from the router to that address, or another address on the internet? -
SephStorm Member Posts: 1,731 ■■■■■■■□□□
That doesn't appear to have changed anything. Is it possible I need encapsulation on the outside link? I tried a traceroute on both the PC and the router. From the PC I get:
Tracing route to 24.88.72.1 over a maximum of 30 hops
1 1 ms 1 ms 1 ms 192.168.1.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
Router:
Type escape sequence to abort.
Tracing the route to 24.88.72.1
1 * * *
2 * * *
There has to be a problem finding the 24.88.72.0 network, but I don't know how that could be when it is in the routing table:
Gateway of last resort is 24.88.72.1 to network 0.0.0.0
24.0.0.0/21 is subnetted, 1 subnets
C 24.88.72.0 is directly connected, FastEthernet0
C 192.168.1.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 24.88.72.1
show ip nat translations comes back empty
CROUTEX#show adjacencies
Protocol Interface Address
IP FastEthernet0 24.88.72.1(7)
IP NVI0 point2point(3)
show arp
Internet 24.88.72.1 0 0001.5c40.7041 ARPA FastEthernet0
Internet 24.88.73.221 - 0011.93ca.e4a4 ARPA FastEthernet0
Internet 192.168.1.1 - 0011.93ca.e4a4 ARPA Vlan1
Internet 192.168.1.2 0 88ae.1d57.bd3e ARPA Vlan1
IP Vlan1 192.168.1.2(5) -
dustinmurphy Member Posts: 170
blindrox is right... passing out a default gateway outside of the subnet will not work. Although it may have not changed anything in your situation, he is right.... the default-gateway handed out by DHCP should be the router's inside address.
First thing I would check is if you can ping from the PC to 24.88.73.221 (the outside interface) that will tell you whether there is some sort of disconnect in the router (an ACL or something).
It seems that your IP addressing is off on the WAN side... or your modem isn't bridged correctly. Try connecting the PC directly to the modem and plug in the information to see if your modem is bridging correctly (also try DHCP, if available from your ISP)
You're not going to have any NAT translations because no traffic is moving across to the WAN side of the link. I also think you'll need an ip nat inside source statement and ACL to permit NAT to work, but you should make sure your router can hit the WAN gateway first.
Edit: never mind about the NAT statement... I missed it... but you're calling a source list (ACL) of 1... which as listed you do not have an ACL 1.
-
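Added example, not part of the thread and not any poster's code: a small Python lint that runs the three checks raised in the replies above against the posted configuration (DHCP default-router inside the pool's network, a defined access list behind the NAT source list, default-route next hop on a connected subnet). `SAMPLE_CONFIG` is a constructed excerpt of the posted lines with the usual one-space IOS indentation restored, and `lint` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the configuration posted in the thread.
SAMPLE_CONFIG = """\
ip dhcp pool pool
 network 192.168.1.0 255.255.255.0
 default-router 24.88.73.221
!
interface FastEthernet0
 ip address 24.88.73.221 255.255.248.0
 ip nat outside
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 24.88.72.1
ip nat inside source list 1 interface FastEthernet0 overload
"""

def lint(config):
    """Return a list of findings for the three checks raised in the thread."""
    findings = []
    # Connected networks come from every "ip address <addr> <mask>" line.
    connected = [ipaddress.ip_interface(f"{a}/{m}").network
                 for a, m in re.findall(r"^\s*ip address (\S+) (\S+)", config, re.M)]
    # 1. Each DHCP pool must hand out a default-router inside its own network.
    for body in re.findall(r"^ip dhcp pool \S+\n((?:[ \t]+.*\n)+)", config, re.M):
        net = re.search(r"network (\S+) (\S+)", body)
        gw = re.search(r"default-router (\S+)", body)
        if net and gw:
            pool = ipaddress.ip_network(f"{net[1]}/{net[2]}")
            if ipaddress.ip_address(gw[1]) not in pool:
                findings.append(f"dhcp: default-router {gw[1]} is outside {pool}")
    # 2. The NAT source list must reference an access list that is defined.
    for acl in re.findall(r"^ip nat inside source list (\S+)", config, re.M):
        name = re.escape(acl)
        if not re.search(rf"^(access-list {name} |ip access-list \S+ {name}$)", config, re.M):
            findings.append(f"nat: access list {acl} is referenced but not defined")
    # 3. The default route's next hop must sit on a connected network.
    for hop in re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\d\S+)", config, re.M):
        if not any(ipaddress.ip_address(hop) in n for n in connected):
            findings.append(f"route: next hop {hop} is not on a connected network")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

The default route passes because 24.88.72.1 falls inside 24.88.72.0/21, the network connected on FastEthernet0, so the lint flags only the DHCP gateway and the missing ACL 1.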
dustinmurphy Member Posts: 170
Also, consider rebooting the modem as you may have some information in the ARP table that doesn't allow you to use the new router (not every ISP does this, but I have to reboot my Cox Cable modem if I change out my Router) -
SephStorm Member Posts: 1,731 ■■■■■■■□□□
Connection-specific DNS Suffix . : sc.rr.com
IPv4 Address. . . . . . . . . . . : 24.88.73.221
Subnet Mask . . . . . . . . . . . : 255.255.248.0
Default Gateway . . . . . . . . . : 24.88.72.1
That is the info for when the PC is directly connected. I've also rebooted and reset the modem.
I can ping the outside interface 73.221. Do you think I should remove the acl statement?