#16 Contributing User, Devshed Regular (joined May 2004)
    If all of your computers are utilizing the Cisco router as their gateway, the Cisco router has to have a way to get to the internet. From your description, the Cisco router will first go through your WAN router (is that correct?), then traffic will go to the internet.

    So I believe you need to configure a default route on the Cisco router with the local IP of your WAN router. So it would look like:

    conf t
    ip route 0.0.0.0 0.0.0.0 x.x.x.x (where x.x.x.x is the IP of your WAN router)

    To do this you'll have to have two interfaces up on different subnets. One interface will be the "inside" interface that your local network will be on. The other interface will be the "outside" network that will connect to the LAN port on your modem. The IP of the outside interface should be on the same subnet as the IP of your WAN modem, but again on a different subnet than the LAN side.

    Then I believe you'll have to allow ICMP replies through the firewall for the ping feature to actually work. How are the devices on your LAN connecting

    After that you'll need to enable NAT overload on the router to allow traffic from your LAN to reach the internet. To do that, check out this link.
#17 Contributing User, Devshed Newbie (joined Mar 2008)
    Ok, I think you're spot on with this, mate.

    Thanks

    If you wouldn't mind, could you take a minute and explain your answer... and what the route is doing exactly?

    Why so many 0s, haha?

    Everything looks super good now.

    did ip domain-lookup source-interface 0/0

    And now from the router I can ping google.com with 5/5 success.

    Thanks man!
#18 Contributing User, Devshed Regular (joined May 2004)
    Can you let us know which of the steps above you had to do to get it to work, so others know as well? Assuming all?

    The route command you entered created a static route to a network. In this case, 0.0.0.0 0.0.0.0 x.x.x.x represents all networks that the router doesn't already have a route to. For example, your Cisco router knows about the local network for your computers, and the local network for your WAN modem, because it has an interface connected to each of those networks. However, outside of that, it does not know about any other networks. So by specifying the command above with all zeros, you are telling the Cisco router that for any packets destined to an unknown network, it should send them to the local IP of your modem. When the modem gets the packet information, it will then send the data to the routers it uses, which know about the "internet". Make sense?

    You can read more about it here.
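The procedure from #16 (inside and outside interfaces, a default route, ICMP replies, NAT overload) and the default-route explanation in #18, pulled together as one added 1841 configuration. This is an added example, not anything posted in the thread. Addressing is assumed: LAN 10.0.0.0/24 on Fa0/0 with the router at 10.0.0.1, and the link to the WAN router 192.168.1.1 on Fa0/1 at 192.168.1.2. The hostname, ACL and inspection names are made up here, and the ip inspect (CBAC) lines need an IOS image with the firewall feature set.

```cisco
! Added example, not from the thread. Assumed addressing: LAN 10.0.0.0/24 on Fa0/0,
! link to the WAN router 192.168.1.0/24 on Fa0/1, WAN router at 192.168.1.1.
hostname LAN-RTR
!
! The router's own lookups (e.g. "ping google.com" from the CLI) use the WAN router as DNS.
ip domain lookup
ip name-server 192.168.1.1
!
interface FastEthernet0/0
 description inside: local LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip inspect LAN-FW in
 no shutdown
!
interface FastEthernet0/1
 description outside: toward the WAN router / modem
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
 no shutdown
!
! Default route: every destination not already in the routing table goes to the WAN router.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! NAT overload (PAT): all inside hosts share Fa0/1's address when leaving.
ip access-list standard NAT-INSIDE
 permit 10.0.0.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet0/1 overload
!
! Stateful inspection (CBAC) on the inside interface opens return traffic only for
! sessions the LAN started; it does not cover traffic the router itself originates.
ip inspect name LAN-FW tcp
ip inspect name LAN-FW udp
ip inspect name LAN-FW icmp
!
! Inbound on the outside interface. The explicit entries cover the router's own pings
! and DNS lookups (not inspected); everything else must have been opened by
! inspection or is dropped and logged.
ip access-list extended OUTSIDE-IN
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit udp host 192.168.1.1 eq domain host 192.168.1.2
 deny ip any any log
!
! Verification, in this order, so routing is proven before NAT and DNS are involved:
!   show ip route              - "Gateway of last resort is 192.168.1.1 to network 0.0.0.0"
!   ping 8.8.8.8               - by IP first, from the router, then from a LAN host
!   show ip nat translations   - LAN flows all appear with inside global 192.168.1.2
!   ping google.com            - only now involve DNS
```

The inbound ACL is what turns "allow ICMP replies through the firewall" into something concrete: without an ACL on Fa0/1 nothing blocks replies and NAT alone does the job, but as soon as you lock the outside interface down, echo replies and ICMP errors for the router's own traffic have to be permitted explicitly, because CBAC only tracks through-traffic.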
#19 Contributing User, Devshed Newbie (joined Mar 2008)
    Ok

    I managed to do it using only one interface.

    Added the route as you said 0.0.0.0 0.0.0.0 192.168.1.1
#20 Contributing User, Devshed Newbie (joined Mar 2008)
    Can i have some advice on the following configuration.

    Thanks!
#21 Contributing User, Devshed Newbie (joined Mar 2008)
    Ok, I have a small question.

    I am trying to set up some routes on the router. I am trying to route between subnets/networks on a single interface on my 1841. Is this possible?

    I have

    192.168.1.0/24 directly connected fa0/0
    192.168.10.0/24 directly connected fa0/0
    0.0.0.0 0.0.0.0 192.168.1.1 fa0/0

    and I am trying to reach the 192.168.10.0 network. Or is this layer 3 work on layer 2 devices, hence it not working?

    Thanks
#22 Contributing User, Devshed Regular (joined May 2004)
    Hi Games,

    You would want to connect your router to the pix firewall.

    A switch is a layer 2 device, and can't forward routing protocols. You can buy layer 3 switches, but I'm guessing you're using a layer 2 switch (it would say layer 3 switch if it was...and cost quite a bit more)?
#23 Contributing User, Devshed Newbie (joined Mar 2008)
    Yeah, figured this wouldn't work, that's ok.

    regarding the above diagram, what would become my DNS server?

    Would I still be able to reach my WAN router 192.168.1.1 from the LAN 10.0.0.x through the PIX?

    The PIX appears to have the correct routes in place... but would this not defeat the purpose of the firewall, or does it just FILTER traffic?

    I appear to have NO route between my WAN and LAN interfaces on my PIX? Do I need a route for this? From my LAN I cannot reach/ping anything on my WAN.

    I am using a router NOT connected to the internet for testing purposes, so I still have internet on the LAN.

    Config on the PIX; I set basic security:

    firewall1(config)# sh run
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 WAN security0
    nameif ethernet1 LAN security1
    nameif ethernet2 DMZ security3
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname firewall1
    domain-name mega
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    pager lines 24
    mtu WAN 1500
    mtu LAN 1500
    mtu intf2 1500
    ip address WAN 192.168.10.2 255.255.255.0
    ip address LAN 192.168.1.253 255.255.255.0
    no ip address intf2
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:bf47d1d7ef89b77ed7c1d4c85c89158d
    : end

    I know there is LOW security at the moment; this is for testing.

    Cheers
    Last edited by onlinegamesnz; December 3rd, 2012 at 11:17 PM.
#24 Contributing User, Devshed Regular (joined May 2004)
    Your DNS server would depend on what kind of network you have setup. If your lan requires the use of active directory, or something similar that is heavily dependent upon local DNS inquiries, you would want your DNS server to be something that knows about the machines on your network; such as a Windows Server running DNS. However, you could get away with using your WAN router since it's just a test lab. Long/short, you should be able to use your WAN router and be just fine. In this case your DNS server would be 192.168.1.1.

    You could still reach your WAN router if you connect your LAN router (Cisco 1841) to your PIX. Your LAN network would be 10.x.x.x (whatever you're using), and would connect from Eth0 on the LAN router to Eth1 on the PIX. You would want to make sure Eth1 on the PIX is on the same subnet as Eth0 on your 1841. You would then set up a default route on the 1841 like you did previously:

    ip route 0.0.0.0 0.0.0.0 <insert IP of Eth1 on the PIX>

    To get to the internet, you will have to make sure the PIX uses the interface on the WAN router as its default gateway. Once all that is set up, traffic from the LAN going to any network other than the LAN network (10.x.x.x) should get sent to the PIX Eth1 interface. From there the PIX should know a route to all other networks and send it to your WAN router's interface. From there the WAN router will obviously forward the "internet" traffic to the necessary routers on the net.

    As far as security, it's been a while, but if I recall from using ASAs (newer version of PIX) the zones utilized for LAN should have relatively high security, and the zone used for WAN/DMZ would have lower security. Traffic should be able to flow from high to low security interfaces, but not the other way around; unless of course you have a firewall rule in place. You might want to Google that to double check I'm right.

    Give that a shot and try pinging something by its IP and not its DNS name first; this will let us know if traffic is even routing properly.
#25 Contributing User, Devshed Newbie (joined Mar 2008)
    Originally Posted by seack79
    You would want to make sure Eth1 on the PIX is on the same subnet as Eth0 on your 1841.
    When you say same subnet, do you mean same class IP, same subnet mask or same subnet range?

    i.e., eth0 on 192.168.1.6 and eth1 on 192.168.1.5, or like
    10.0.1.5 and 10.0.1.6

    Because the PIX will not let me configure two interfaces on the same subnet as above. It creates an error.

    Thanks, man!
#26 Contributing User, Devshed Regular (joined May 2004)
    According to your picture, on the PIX firewall, Eth0 is going to the WAN and Eth1 is going to your LAN. Those will be on different subnets. You would assign Eth0 an IP of 192.168.1.2 and Eth1 an IP of 10.0.0.1 (for the LAN I would use a mask of 255.255.255.0 to keep it simple). These are completely different subnets, so it shouldn't be an issue?

    The IP of your DMZ (Eth2) would be 192.168.10.1 with a mask of 255.255.255.252 (again according to your picture).
#27 Contributing User, Devshed Newbie (joined Mar 2008)
    Yes, ok, sweet, man, thanks for your help. I'll see how I go.

    Cheers!!
#28 Contributing User, Devshed Newbie (joined Mar 2008)
    Ok, still no luck... so here's where I'm at. Please note these are the actual subnets I will be using!

    WAN Router - 10.1.1.1 255.255.255.0
    Eth0 WAN on PIX -10.1.1.2 255.255.255.0

    Eth1 LAN on PIX - 192.168.1.253 255.255.255.0
    Router - 192.168.1.254 255.255.255.0

    router has route

    ip route 0.0.0.0 0.0.0.0 192.168.1.253

    removed the old default route 0.0.0.0 0.0.0.0 192.168.1.1

    I am able to ping the LAN interface on the PIX from anywhere within the LAN. Just nothing on the WAN side of the interface works. Also i have no internet.

    Route print from the PIX:

    firewall1# sh route
    WAN 10.1.1.0 255.255.255.0 10.1.1.2 1 CONNECT static
    LAN 192.168.1.0 255.255.255.0 192.168.1.253 1 CONNECT static
    DMZ 192.168.10.0 255.255.255.252 192.168.10.1 1 CONNECT static
    firewall1#

    I'm convinced it's a routing issue on the PIX itself.

    Thanks!
    Last edited by onlinegamesnz; December 7th, 2012 at 06:58 PM.
#29 Contributing User, Devshed Regular (joined May 2004)
    Sorry Games, missed your post. You need to change the default route from 192.168.1.253 to 10.1.1.2. Try that and see if it works.
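An added PIX 6.3 configuration for the layout described in #24, using the addresses from #26 and #28. This is an added example, not the poster's config. It supplies what the posted "sh route" output in #28 lacks, a default route out the WAN interface to 10.1.1.1, and the nat/global pair a PIX 6.x needs before it will pass LAN traffic toward a lower-security interface at all. Two things in the posted config a practitioner would change before this leaves the lab: LAN at security1 and DMZ at security3 make the DMZ the more trusted side (DMZ hosts can open sessions into the LAN but not the reverse), which is the opposite of the high-to-low rule described in #24; and `snmp-server community public` is the default read community, so change or remove it. The security levels, ACL name, SSH source range and the /30 DMZ addressing are assumptions made for this example.

```cisco
: Added example, not the poster's config. Addresses from posts #26/#28; names assumed.
nameif ethernet0 WAN security0
nameif ethernet1 LAN security100
nameif ethernet2 DMZ security50
ip address WAN 10.1.1.2 255.255.255.0
ip address LAN 192.168.1.253 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.252
:
: The route the posted "sh route" is missing: unknown destinations go to the WAN router.
: Connected routes alone only reach the three directly attached subnets.
route WAN 0.0.0.0 0.0.0.0 10.1.1.1 1
:
: Translate LAN sources to the outgoing interface address (PAT). A PIX 6.x does not
: forward from a higher- to a lower-security interface without a matching nat/global pair.
nat (LAN) 1 192.168.1.0 255.255.255.0
global (WAN) 1 interface
global (DMZ) 1 interface
:
: Sessions from LAN (100) to WAN (0) or DMZ (50) are allowed by the security levels.
: WAN -> LAN or DMZ -> LAN needs an access-list. ICMP is not tracked statefully here,
: so admit only echo replies and error messages inbound on WAN; nothing else.
access-list WAN_IN permit icmp any any echo-reply
access-list WAN_IN permit icmp any any time-exceeded
access-list WAN_IN permit icmp any any unreachable
access-group WAN_IN in interface WAN
:
: ICMP aimed at the PIX's own WAN address: answer the WAN router only (troubleshooting).
icmp permit 10.1.1.1 255.255.255.255 echo WAN
icmp deny any WAN
:
: Management from the LAN only, over SSH (generate a key first: "ca generate rsa key 1024",
: then "ca save all"). Do not add a "telnet" line for the WAN interface.
ssh 192.168.1.0 255.255.255.0 LAN
:
: The 1841 keeps its default route pointed at the PIX LAN interface:
:   ip route 0.0.0.0 0.0.0.0 192.168.1.253
: Checks: "show route" now lists a 0.0.0.0 0.0.0.0 entry via 10.1.1.1 on WAN; then from a
: LAN host "ping 10.1.1.1" and on the PIX "show xlate" to see the translation for it.
```

Apply the route and the nat/global lines first and test with `ping 10.1.1.1` by address, as #24 suggests; only once that works is DNS worth looking at. The `access-group` line is also the answer to "does it just FILTER traffic": the security levels decide which direction sessions may be opened, and the access-list is where you narrow that down.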
#30 Contributing User, Devshed Newbie (joined Mar 2008)
    Hi guys, I'm getting back into Cisco and have got myself a great CCNA book. I'm just playing around with some basic routing, as I seem to be missing what seems to be something quite small with BASIC routing, so before I start exploring protocols such as RIP, EIGRP and OSPF etc., I want to get my head around this!

    I'm using Cisco Packet Tracer.

    This is my scenario. I have 3 networks:

    192.168.2.0/24
    192.168.10.0/24
    10.1.1.0/24

    My DHCP server will reside on network 10.1.1.0, serving DHCP scopes for both the 192.168.10.0 and 192.168.2.0 networks. The DHCP server in this case will be a basic 1841 router.

    I'm using the ip helper-address command to forward UDP DHCP broadcasts to 10.1.1.254, which is the router on which the DHCP server resides.

    But my issue is (basic, I know) that I cannot reach the 10.0 network from a client on the 2.0 network, and vice versa.

    Here's a print of sh ip route:

    Gateway of last resort is not set

    10.0.0.0/24 is subnetted, 1 subnets
    C 10.1.1.0 is directly connected, FastEthernet6/0
    C 192.168.2.0/24 is directly connected, FastEthernet0/0
    C 192.168.10.0/24 is directly connected, FastEthernet1/0
    Router#

    Thanks for the help!

    PS. I might post here quite a bit over the next few months; this is the place where I have found the most help and knowledge, so if you don't mind...

    Attached image: http://forums.devshed.com/attachment.php?attachmentid=13581&stc=1
    Last edited by onlinegamesnz; January 23rd, 2013 at 03:33 AM.
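An added pair of configurations for the DHCP relay layout described in #30 (added here as an example; not the poster's configs). Only the three subnets, the interface names in the routing table and the server address 10.1.1.254 come from the post; the relay router's interface addresses, the pool names and the excluded ranges are assumed. The routing table shown already holds all three subnets as connected routes, so that router can forward between them on its own; what the example adds are the two other things a relay setup needs, the helper addresses on the client-facing interfaces and return routes on the DHCP server router, plus the forward-protocol trim a practitioner would apply because ip helper-address relays more than DHCP by default.

```cisco
! Added example, not from the thread. Assumed addresses:
!   relay router: Fa0/0 192.168.2.1/24, Fa1/0 192.168.10.1/24, Fa6/0 10.1.1.1/24
!   DHCP-server router: Fa0/0 10.1.1.254/24
!
! ---- Relay router (the one whose "sh ip route" is shown in the post) ----
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 10.1.1.254
 no shutdown
interface FastEthernet1/0
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 10.1.1.254
 no shutdown
interface FastEthernet6/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
! Three connected routes are enough to route between these three subnets; a gateway
! of last resort only matters for destinations outside them.
!
! ip helper-address also relays TFTP, DNS, time, NetBIOS name/datagram and TACACS
! broadcasts by default. Turn those off so the relay only carries DHCP (real IOS
! keywords; Packet Tracer may not accept all of them).
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
! ---- DHCP-server router (10.1.1.254) ----
interface FastEthernet0/0
 ip address 10.1.1.254 255.255.255.0
 no shutdown
! The server must know how to reach the relayed subnets, or its DHCPOFFER never
! gets back to the relay interface it is addressed to.
ip route 192.168.2.0 255.255.255.0 10.1.1.1
ip route 192.168.10.0 255.255.255.0 10.1.1.1
!
! Pool selection uses the giaddr the relay inserts (the address of the helper
! interface), so each pool's network must contain that interface's address.
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp pool NET2
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
ip dhcp pool NET10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
!
! Checks:
!   relay:  show ip interface FastEthernet0/0   - "Helper address is 10.1.1.254"
!   server: show ip dhcp binding                - one lease per client, from the right pool
!   server: debug ip dhcp server packet         - shows DISCOVER/OFFER with the giaddr
!   client: ping 10.1.1.254                     - proves the default-router handed out works
```

If a client on 192.168.2.0 gets an address but still cannot reach 10.1.1.0, compare the client's default gateway with the relay's Fa0/0 address first; the relay's routing table in the post is already complete for these three subnets, so the gap is usually on the hosts or on the server router's return routes.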
