Cisco 1720 router config problem


CAVcc

I have a problem with a router config on a 1720. We recently changed T1 service, and since then I cannot get the configuration to work correctly. I can ping the gateway IP to the ISP but not my own serial IP.

IP information
Router IP : 67.39.104.217
Subnet Mask: 255.255.255.248/29

Gateway IP to ISP: 66.73.26.33
WAN Serial Address: 66.73.26.34
Subnet Mask: 255.255.255.252/30

Service Type: Basic Frame
CSU Timeslots: 1-24
Protocol: ANSI
Encapsulation: IETF
DLCI: 665

I also have a Point-to-Point circuit on serial1 which is connected to another Cisco 1720 and is currently working just fine.

Any help with what I am doing incorrectly is greatly appreciated. The old circuit that was installed previously was a fractional T1 (256k) using PPP. Also, 199.1.1.x is the LAN IP scheme and 199.1.1.3 is the gateway on the LAN.

Current Router config.


Current configuration : 2197 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname "RTCleve"
!
logging buffered 8000 debugging
enable password *********
!
memory-size iomem 25
ip subnet-zero
ip domain-name ameritech.net
ip name-server 66.73.20.40
ip name-server 206.141.193.55
!
!
bridge irb
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0
description connected to EthernetLAN
no ip address
speed auto
bridge-group 1
!
interface Serial0
description connected to Internet
ip address 66.73.26.34 255.255.255.252
ip nat outside
encapsulation frame-relay IETF
no fair-queue
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
frame-relay interface-dlci 665
frame-relay lmi-type ansi
!
interface Serial1
no ip address
bridge-group 1
!
interface BVI1
ip address 199.1.1.3 255.255.255.0
ip nat inside
!
router rip
version 2
passive-interface Serial0
network 199.1.1.0
no auto-summary
!
ip nat inside source list 5 interface Serial0 overload
ip nat inside source static 199.1.1.2 67.39.104.218
ip nat inside source static 199.1.1.1 67.39.104.219
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip http server
!
logging 206.141.193.55
access-list 5 permit 199.1.1.0 0.0.0.255
access-list 5 permit 199.1.1.64 0.0.0.63
access-list 5 remark Internal IP NAT Pool
access-list 99 permit 199.1.1.200
access-list 100 permit tcp any host 67.39.104.218 established
access-list 100 permit tcp any host 67.39.104.218 eq pop3
access-list 100 permit tcp any host 67.39.104.218 eq smtp
access-list 100 permit udp any eq domain host 67.39.104.218
access-list 100 deny ip any host 67.39.104.218
access-list 100 permit ip any any
snmp-server engineID local 000000090200000217618808
snmp-server community criminalmind RO 2
snmp-server community trapper view v1default RO
snmp-server location Cleveland
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server host 206.141.193.55 trapper
bridge 1 protocol ieee
!
line con 0
exec-timeout 0 0
password ********
login
line aux 0
line vty 0 4
password ********
login
!
no scheduler allocate
end

RTCleve#
RTCleve#ping 66.73.26.34 'Serial IP Address'

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.73.26.34, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


RTCleve#ping 66.73.26.33 'ISP Gateway IP'

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.73.26.33, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms



RTCleve#ping 67.39.104.217 'Assigned Router IP address'

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 67.39.104.217, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
RTCleve#logout
 
First off, are you pinging these interfaces from this router...or from a different device? Your configuration on Serial0 looks correct, but start the troubleshooting on the first layer. Do a show int S0. Is the status up/up? Make sure you're getting no alarms on the WIC, and the "CD" indicator is lit.

Go to layer two, and verify that the frame relay is functioning properly with these commands....


show frame map (lets you know if the feature is active or not)

show frame lmi (check for lmi enquiries sent and messages received)

show frame pvc (shows you the stats of the link in detail)


If your relay looks good and is communicating with SBC's switch, move on to layer 3.

If you can't ping the router's WAN address from the "outside", then you wouldn't be able to ping any of the other addresses other than the ISP's gateway. I also noticed that you're not even using the 67.39.104.217 address at all, so you wouldn't be able to ping it anyway. Like I said before, your serial configuration looks acceptable. Perhaps you need to set the bandwidth on the interface to 256 (I believe you said it's a 256K link)? If you're troubleshooting with the access list active, go ahead and temporarily take it off. Other than that, the problem sounds like layer 2...
 
Yes, those pings shown at the bottom of the config file are from the router. If I added the 67.39.104.217 to the FastEthernet then it would ping? And do I really need to ping that IP? SBC was telling me to test that, and if I couldn't, something was wrong. I still feel like something is wrong in the provisioning of this line, but I'm being told that my configuration must be wrong.. just trying to cover my rear. I will try the status commands you mentioned and post the response back in a while.

Thanks for your input.. two sets of eyes are always better than one. And SBC is making me out to be a fool.. Thanks again..
 
Here are the results of the status of the frame:

show frame map
Serial0 (up): ip 66.73.26.33 dlci 665(0x299,0xA490), dynamic,
broadcast,
IETF, BW = 1535000, status defined, active
RTCleve#show frame lmi

LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = ANSI
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 76293 Num Status msgs Rcvd 76279
Num Update Status Rcvd 0 Num Status Timeouts 21
RTCleve#show frame pvc

PVC Statistics for interface Serial0 (Frame Relay DTE)

Active Inactive Deleted Static
Local 1 0 0 0
Switched 0 0 0 0
Unused 0 0 0 0

DLCI = 665, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0

input pkts 62875 output pkts 393 in bytes 5387747
out bytes 175112 dropped pkts 0 in pkts dropped 0
out pkts dropped 0 out bytes dropped 0
in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
out BECN pkts 0 in DE pkts 0 out DE pkts 0
out bcast pkts 15 out bcast bytes 828
pvc create time 1w1d, last time pvc status changed 1w1d
 
You're saying that your router's IP address is 67.39.104.217 on the 67.39.104.16 /29 network, yet you don't appear to have configured this on your router. As far as the router is concerned, it doesn't have that network and so when you try to ping 67.39.104.217 it will send that traffic out via its default route to your ISP.

Your IP range is a /29 public range and your connection to your ISP is made using a /30 range. Your end has 66.73.26.34 and the other end (ISP) has 66.73.26.33. They will therefore create a static route that points the 67.39.104.16 /29 network via your router's serial address, 66.73.26.34.

You can't ping an interface that you haven't yet configured!

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Yes iproute, I wasn't concerned about 67.39.104.217 as he doesn't even have that configured. My concern was that he also could not ping even the 66.73.26.34 address from his own router....which is assigned to his WAN interface. Strange that he can hit the WAN gateway from the router but not its own interface. Also, where did the 67.39.104.16 /29 network come from? Did you mean 67.39.104.217 /29 instead?

By the way CAVcc, your line to SBC appears ok and ready to go. It is exchanging both LMI and regular traffic....
 
Well, it is strange that he can't ping his own s0 interface, but at least he can ping the ISP router so connectivity to the internet/ISP is okay.

And I did mean 67.39.104.16 /29. That is the network address. So, he has

67.39.104.16 unusable (network address)
67.39.104.17
to
67.39.104.22 available for use
67.39.104.23 broadcast address.

Therefore the next range would be 67.39.104.24 /29.

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Thanks iproute, the reason why I ask is because I don't see the 67.39.104.16 /29 network anywhere in his configurations or from what he said. I believe I am missing something silly here.


I do see the 67.39.104.216 /29 network, which was assigned to him by his ISP.....

67.39.104.216: network address
67.39.104.217 - 67.39.104.222: usables
67.39.104.223: broadcast
 
Thanks to both of you for your help, but IllegalOp, you are correct: it is the 67.39.104.216/29 network block.

67.39.104.217 Router 18-22 usables

I know this is something that I am missing but I can't seem to put my finger on it. I have removed all access-list entries and still have the same problem: I can only ping the ISP's router...???

Would it have anything to do with the routing being used BVI1?
 
OK. I figured out why I couldn't get to my ser0. I changed the IP route command from Serial0 to the 66.73.26.33 address, so now the IP route command looks like this:
ip route 0.0.0.0 0.0.0.0 66.73.26.33
I guess it wasn't liking the Serial0.

Now my problem is I can ping from the outside world but the 66.73.26.34 address expires in transit, and I cannot ping 199.1.1.3 on my LAN which should be the gateway out on the BVI bridge group. I don't know much about the bridge groups and assume something is now incorrect here...???
 
OK I have figured out my problem, the problem was I was missing the - bridge 1 route ip - on my bridge group.

Now my issue is that NAT is not properly working on my 2 public IPs 67.39.104.218 and 219

I am so sick of this router config, I know it must be something really stupid. But I can't look at this config anymore, please help me... Thanks in advance..


version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname "RTCleve"
!
logging buffered 8000 debugging
enable password *******
!
memory-size iomem 25
ip subnet-zero
ip domain-name ameritech.net
ip name-server 66.73.20.40
ip name-server 206.141.193.55
!
!
bridge irb
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0
description connected to EthernetLAN
ip address 67.39.104.217 255.255.255.248
speed auto
bridge-group 1
!
interface Serial0
description connected to Internet
ip address 66.73.26.34 255.255.255.252
ip nat outside
encapsulation frame-relay IETF
no fair-queue
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
frame-relay interface-dlci 665
frame-relay lmi-type ansi
!
interface Serial1
no ip address
bridge-group 1
!
interface BVI1
ip address 199.1.1.3 255.255.255.0
ip nat inside
!
router rip
version 2
passive-interface Serial0
network 199.1.1.0
no auto-summary
!
ip nat inside source list 5 interface Serial0 overload
ip nat inside source static 199.1.1.2 67.39.104.218
ip nat inside source static 199.1.1.1 67.39.104.219
ip classless
ip route 0.0.0.0 0.0.0.0 66.73.26.33
ip http server
!
logging 206.141.193.55
access-list 5 permit 199.1.1.0 0.0.0.255
access-list 5 permit 199.1.1.64 0.0.0.63
access-list 5 remark <Internal IP NAT Pool>
access-list 99 permit 199.1.1.200
access-list 100 permit tcp any host 67.39.104.218 established
access-list 100 permit tcp any host 67.39.104.218 eq pop3
access-list 100 permit tcp any host 67.39.104.218 eq smtp
access-list 100 permit udp any eq domain host 67.39.104.218
access-list 100 deny ip any host 67.39.104.218
access-list 100 permit ip any any
access-list 100 remark <Exchange Server Firewall>
snmp-server engineID local 000000090200000217618808
snmp-server community criminalmind RO 2
snmp-server community trapper view v1default RO
snmp-server location Cleveland
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server host 206.141.193.55 trapper
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
exec-timeout 0 0
password *******
login
line aux 0
line vty 0 4
password **********
login
!
no scheduler allocate
end
 
Ah, yeah. My mistake. I put 67.39.104.16 /29 when I really meant 67.39.104.216 /29. Typos are so easy ;-)

Anyway, CAVcc, your NAT problem ...

You have 'ip nat outside' on the serial0 interface which is your /30 link to the ISP. I presume that you are not wanting to NAT to the s0 address. As you have the 67.39.104.216 /29 network defined on FastEthernet0 and these are the public addresses that you want to NAT the private addresses on your BVI interface to, you will need 'ip nat outside' on FastEthernet0, not Serial0.

In this situation where you have a link address on the outside and a private network on the inside and you want to NAT to a public range, I tend to put the public range on interface loopback0 and then 'ip nat outside' on that.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Chris,

Thanks for your input. However the thing I don't understand is the second static nat entry works, but the first one does not. The one routed to the 199.1.1.2 will not work. I don't really understand that much, matter of fact I see it entered and getting stats in the 'show ip nat trans' table... Not sure why it isn't working properly???

I will try to change the ip nat inside command to the FastEthernet interface and see if that changes anything. But by what you're telling me, I would think that neither of the IP addresses would work. When I posted the last message I was unaware that the second was working, I was only testing the first IP when configuring..

Any input there?

Thanks again
My name is Chris too...!!!
 
Does 199.1.1.1 have a default route set?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
If it doesn't have its default route set then how does it know where to send the reply traffic?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
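
Added example (not part of any post in this thread): a Python sketch that works out the /29 and /30 block boundaries debated above and, for the two static NAT entries in the second posted configuration, reports which interface's connected subnet holds each inside-local and inside-global address and what NAT role that interface has. The CONFIG lines are copied from the thread; the function names are illustrative.

```python
import ipaddress
import re
# NAT-relevant lines copied from the second configuration posted in the thread.
CONFIG = """\
interface FastEthernet0
ip address 67.39.104.217 255.255.255.248
interface Serial0
ip address 66.73.26.34 255.255.255.252
ip nat outside
interface BVI1
ip address 199.1.1.3 255.255.255.0
ip nat inside
ip nat inside source static 199.1.1.2 67.39.104.218
ip nat inside source static 199.1.1.1 67.39.104.219
"""

def block(addr, prefix):
    """(network, first usable, last usable, broadcast) of the block holding addr."""
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    hosts = list(net.hosts())
    return str(net), str(hosts[0]), str(hosts[-1]), str(net.broadcast_address)

def parse(config):
    """Return ({interface: {"net", "nat"}}, [(inside local, inside global)])."""
    ifaces, statics, cur = {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {"net": None, "nat": None})
        elif cur and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cur["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif cur and (m := re.match(r"ip nat (inside|outside)$", line)):
            cur["nat"] = m.group(1)
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)$", line):
            statics.append(tuple(map(ipaddress.ip_address, m.groups())))
    return ifaces, statics

def locate(addr, ifaces):
    """(interface, connected subnet, NAT role) for addr; None if on no interface."""
    for name, info in ifaces.items():
        if info["net"] and addr in info["net"].network:
            return name, str(info["net"].network), info["nat"]

def static_nat_report(config):
    """For each static entry: where its local and its global address are connected."""
    ifaces, statics = parse(config)
    return [(str(l), locate(l, ifaces), str(g), locate(g, ifaces)) for l, g in statics]

if __name__ == "__main__":
    print(block("67.39.104.217", 29), block("66.73.26.34", 30))
    print(*static_nat_report(CONFIG), sep="\n")
```

Both global addresses resolve to the 67.39.104.216/29 subnet connected on FastEthernet0, which carries no NAT role in this configuration, while Serial0 is the only interface marked outside.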
 