November 29th, 2012, 05:27 PM
If all of your computers are utilizing the Cisco router as their gateway, the Cisco router has to have a way to get to the internet. From your description, the Cisco router will first go through your WAN router (is that correct?), then traffic will go to the internet.
So I believe you need to configure a default route on the Cisco router with the local IP of your WAN router. So it would look like:
ip route 0.0.0.0 0.0.0.0 x.x.x.x where x is the IP of your WAN router.
To do this you'll have to have two interfaces up on different subnets. One interface will be the "inside" interface that your local network will be on. The other interface will be the "outside" network that will connect to the LAN port on your modem. The ip of the outside interface should be on the same subnet as the ip of your WAN modem; but again on a different subnet than the lan side.
Then I believe you'll have to allow ICMP replies through the firewall for the ping feature to actually work. How are the devices on your LAN connecting
After that you'll need to enable NAT overload on the router to allow traffic from your LAN to reach the internet. To do that check out this link.
November 30th, 2012, 12:55 AM
Ok i think you're spot on with this mate..
If you would mind, could you take a minute and explain your answer... and what the route is doing exactly..
why so many 0s haha
everything look supa good now
did ip domain-lookup source-interface 0/0
and now from the router i can ping google.com with 5/5 success
November 30th, 2012, 10:51 AM
Can you let us know what steps above you had to do to get it to work so others know as well; assuming all?
The route command you entered created a static route to a network. In this case, 0.0.0.0 0.0.0.0 x.x.x.x represents all networks that the router doesn't already have a route to. For example, your Cisco router knows about the local network for your computers, and the local network for your WAN modem, because it has an interface connected to each of those networks. However, outside of that, it does not know about any other networks. So by specifying the command above with all zeros, you are telling the Cisco router that for any packets destined to an unknown network, it should send them to the local IP of your modem. When the modem gets the packet information, it will then send the data to the routers it uses; which know about the "internet". Make sense?
You can read more about it here.
November 30th, 2012, 05:11 PM
I managed to do it using only the 1 interface.
Added the route as you said 0.0.0.0 0.0.0.0 192.168.1.1
December 1st, 2012, 10:04 PM
Can i have some advice on the following configuration.
December 3rd, 2012, 12:49 AM
Ok i have a small small questions..
I am trying to set up some routes on the router. I am trying to route between subnets/networks and a single interface on my 1841. Is this possible?
192.168.1.0/24 directly connected fa0/0
192.168.10.0/24 directly connected fa0/0
0.0.0.0 0.0.0.0 192.168.1.1 fa0/0
trying to reach the 192.168.10.0 network. Or is this layer 3 work on layer 2 devices hence it not working?
December 3rd, 2012, 09:20 PM
You would want to connect your router to the pix firewall.
A switch is a layer 2 device, and can't forward routing protocols. You can buy layer 3 switches, but I'm guessing you're using a layer 2 switch (it would say layer 3 switch if it was...and cost quite a bit more)?
December 3rd, 2012, 11:25 PM
yea figured this wouldnt work thats ok....
regarding the above diagram, what would become my DNS server?
Would i still be able to reach my WAN router 192.168.1.1 from the LAN 10.0.0.x through the PIX?
The PIX appears to have the correct routes in place....but would this not defeat the purpose of the firewall, or does it just FILTER traffic.
I appear to have NO route between my WAN and LAN interfaces on my PIX? do i need a route for this? From my LAN i cannot reach/ping anything on my WAN
I am using a router NOT connected to the internet for testing purposes so i still have internet on the LAN.
Config on the pix i set basic security
firewall1(config)# sh run
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 WAN security0
nameif ethernet1 LAN security1
nameif ethernet2 DMZ security3
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
mtu WAN 1500
mtu LAN 1500
mtu intf2 1500
ip address WAN 192.168.10.2 255.255.255.0
ip address LAN 192.168.1.253 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
I know there is LOW security at the mo, this is for testing
Last edited by onlinegamesnz; December 4th, 2012 at 12:17 AM.
December 4th, 2012, 10:33 AM
Your DNS server would depend on what kind of network you have setup. If your lan requires the use of active directory, or something similar that is heavily dependent upon local DNS inquiries, you would want your DNS server to be something that knows about the machines on your network; such as a Windows Server running DNS. However, you could get away with using your WAN router since it's just a test lab. Long/short, you should be able to use your WAN router and be just fine. In this case your DNS server would be 192.168.1.1.
You could still reach your WAN router if you connect your LAN router (Cisco 1841) to your PIX. Your LAN network would be 10.x.x.x (whatever you're using); and would connect from Eth0 on the LAN router to Eth1 on the PIX. You would want to make sure Eth1 on the PIX is on the same subnet as Eth0 on your 1841. You would then setup a default route on the 1841 like you did previously.
ip route 0.0.0.0 0.0.0.0 <insert ip of Eth1 on the PIX>
To get to the internet, you will have to make sure the PIX uses the interface on the wan router as its default gateway. Once all that is setup, traffic from the LAN going to any network other than the LAN network (10.x.x.x) should get sent to the PIX Eth1 interface. From there the PIX should know a route to all other networks and send it to your WAN router's interface. From there the WAN router will obviously forward the "internet" traffic to the necessary routers on the net.
As far as security, it's been a while, but if I recall from using ASAs (newer version of PIX) the zones utilized for LAN should have relatively high security, and the zone used for WAN/DMZ would have lower security. Traffic should be able to flow from high to low security interfaces, but not the other way around; unless of course you have a firewall rule in place. You might want to Google that to double check I'm right.
Give that a shot and try pinging something by its IP and not DNS name first; this will let us know if traffic is even routing properly first.
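The high-to-low rule described in the post above, applied to the nameif lines from the PIX config posted earlier in the thread. This is an added example, not part of any post; treating the interface named LAN as the trusted side is an assumption.

```python
import re

# Lines copied from the PIX 6.3 "sh run" output posted earlier in the thread.
CONFIG = """\
nameif ethernet0 WAN security0
nameif ethernet1 LAN security1
nameif ethernet2 DMZ security3
snmp-server community public
"""


def security_levels(config):
    """Map interface name -> security level, read from the 'nameif' lines."""
    pattern = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)\s*$", re.M)
    return {name: int(level) for name, level in pattern.findall(config)}


def default_policy(levels, src, dst):
    """Rule from the post: high -> low flows, the reverse needs a firewall rule."""
    return "allowed" if levels[src] > levels[dst] else "needs rule"


def audit(config, trusted="LAN"):
    """Findings to raise in review; 'trusted' names the inside interface (assumed)."""
    levels = security_levels(config)
    findings = []
    for name, level in sorted(levels.items()):
        if name != trusted and default_policy(levels, name, trusted) == "allowed":
            findings.append(f"{name} (security{level}) outranks {trusted} "
                            f"(security{levels[trusted]}): {name} -> {trusted} "
                            "is allowed by default")
    if re.search(r"^snmp-server community public\s*$", config, re.M):
        findings.append("SNMP community is the well-known string 'public'")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

With the posted levels, the DMZ sits above the LAN, so the default direction of trust between those two interfaces is the reverse of what the interface names suggest.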
December 7th, 2012, 01:48 AM
When you say same subnet, you mean same class ip, same subnet mask or same subnet range?
Originally Posted by seack79
ie, eth0 on 192.168.1.6 and eth1 on 192.168.1.5 or like
10.0.1.5 and 10.0.1.6
Because the pix will not let me configure two interfaces on the same subnet as above. It creates an error.
December 7th, 2012, 10:41 AM
According to your picture, on the PIX firewall, Eth0 is going to the WAN and Eth1 is going to your LAN. Those will be on different subnets. You would assign Eth0 an IP of 192.168.1.2 and Eth1 an IP of 10.0.0.1 (for the LAN I would use a mask of 255.255.255.0 to keep it simple). These are using completely different subnets so it shouldn't be an issue?
The IP of your DMZ (Eth2) would be 192.168.10.1 with a mask of 255.255.255.252 (again according to your picture).
December 7th, 2012, 04:16 PM
yes ok sweet man thanks for your help ill see how i go..
December 7th, 2012, 07:30 PM
Ok still no luck....so heres where im at, please note these are the actual subnets i will be using!
WAN Router - 10.1.1.1 255.255.255.0
Eth0 WAN on PIX -10.1.1.2 255.255.255.0
Eth1 LAN on PIX - 192.168.1.253 255.255.255.0
Router - 192.168.1.254 255.255.255.0
router has route
ip route 0.0.0.0 0.0.0.0 192.168.1.253
removed the old default route 0.0.0.0 0.0.0.0 192.168.1.1
I am able to ping the LAN interface on the PIX from anywhere within the LAN. Just nothing on the WAN side of the interface works. Also i have no internet.
route print from PIX
firewall1# sh route
WAN 10.1.1.0 255.255.255.0 10.1.1.2 1 CONNECT static
LAN 192.168.1.0 255.255.255.0 192.168.1.253 1 CONNECT static
DMZ 192.168.10.0 255.255.255.252 192.168.10.1 1 CONNECT static
im convinced its a routing issue on the PIX itself
Last edited by onlinegamesnz; December 7th, 2012 at 07:58 PM.
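The default-route explanation earlier in the thread and the route tables in the post above, worked through as a hop-by-hop longest-prefix lookup. This is an added example, not part of any post; the tables are constructed from the posted addresses, and the default route via 10.1.1.1 added by `with_default` is an assumption that does not appear in the posted `sh route` output.

```python
import ipaddress

# Constructed from the addresses and "sh route" output posted in the thread.
# Each route is (prefix, next hop); next hop None means directly connected.
TABLES = {
    "1841": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.253")],
    "PIX": [("10.1.1.0/24", None), ("192.168.1.0/24", None),
            ("192.168.10.0/30", None)],
}
# Device that owns each next-hop address; the WAN router's table is not modelled.
OWNER = {"192.168.1.253": "PIX", "10.1.1.1": "WAN router"}


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(start, dst, tables=TABLES, max_hops=8):
    """Follow dst hop by hop; return (path, how forwarding ended)."""
    path, device = [], start
    for _ in range(max_hops):
        path.append(device)
        if device not in tables:
            return path, "handed to " + device
        match = lookup(tables[device], dst)
        if match is None:
            return path, "no route on " + device
        net, next_hop = match
        if next_hop is None:
            return path, "delivered on connected " + str(net)
        device = OWNER[next_hop]
    return path, "hop limit reached"


def with_default(tables, device, next_hop):
    """Copy of tables with a 0.0.0.0/0 route added on one device (assumed fix)."""
    fixed = {name: list(routes) for name, routes in tables.items()}
    fixed[device].append(("0.0.0.0/0", next_hop))
    return fixed


if __name__ == "__main__":
    internet = "203.0.113.10"  # constructed documentation address
    print(trace("1841", internet))
    print(trace("1841", internet, with_default(TABLES, "PIX", "10.1.1.1")))
```

A successful lookup covers routing only; the points made at the start of the thread about NAT and permitting ICMP replies through the firewall still apply.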
December 13th, 2012, 12:05 PM
Sorry Games, missed your post. You need to change the default route from 192.168.1.253 to 10.1.1.2. Try that and see if it works.
January 23rd, 2013, 04:24 AM
Hi guys, im getting back into cisco and have got myself a great CCNA book. Im just playing around with some basic routing as im seem to be missing what seems to be something quite small with BASIC routing, so before i start exploring with protocols such as RIP EIGRP and OSPF etc, i want to get my head around this!
Im using cisco packet tracer.
this is my scenario. I have 3 networks
My DHCP server will reside on network 10.1.1.0, server dhcp scopes for both 192.168.10.0 and 192.168.2.0 networks. The DHCP server in this case will be a basic 1841 router
im using the ip-helper command to forward udp dhcp broadcasts to 10.1.1.254 which is the router at which the DHCP server resides
but my issue is (basic i know) that i cannot reach the 10.0 network from a client on the 2.0 network and vice versa.
heres a print of sh ip route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet6/0
C 192.168.2.0/24 is directly connected, FastEthernet0/0
C 192.168.10.0/24 is directly connected, FastEthernet1/0
Thanks for the help!
PS. i might post here quite a bit over the next few months, this is the place where i have found the most help and knowledge so if you dont mind
Last edited by onlinegamesnz; January 23rd, 2013 at 04:33 AM.