Re: Lightweight needs confirmation: SBS config of Multiple NIC



AAAAARRRRGGGGGHHHH, Cisco configs give me a headache.

But it does look to me as if Cisco 'owns' .1, and would allow .2 to route
via Cisco.

<bulldog8@xxxxxxxxx> wrote in message
news:1162188433.449742.134660@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SuperGumby -

Thanks for the info ... It may take a bit for me to digest, but I'm
working on it.

Meanwhile, a little history may be needed ...

The original setup was:

T1 -> Cisco 1751 -> Firebox v10 -> Switch -> all other devices

The office started with 2 PCs and 2 VoIP phones. IT support and
management disagreed on degree of security needed, so he departed and
left no info behind. They would not even tell me who it was so that I
could contact him ....

All was well for 2 years, expanded to 4 PCs and 4 VoIP phones. When
they added another employee, they brought in another PC/VoIP set, but
could not connect and could not obtain an IP from the network. Their
IT at that time also added the SBS server, and hardcoded all IPs in the
upper range (10.xx.xx.50 and up) for the new devices. They could then
see the network and all other devices, but not access the internet.

The ISP indicated that the router's IP was 69.x.x.1/30 for intranet
visibility. From the internet, (i.e. ISP Office.) they could telnet to
69.x.x.2/30 for maintenance. Both addresses .1/30 and .2/30, belong to
the Cisco router.

<==== Router Config Info, if it helps anyone ====>
memory-size iomem 25
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
no ip source-route
!
!
no ip domain-lookup
ip domain-name VoIP_ISP.net <not their real name ...>
ip name-server 216.XXX.XXX.6
ip name-server 216.XXX.XXX.7
!
no ip bootp server
ip cef
ip ssh time-out 120
ip ssh authentication-retries 3
!
class-map match-all voip
 match access-group 112
!
!
policy-map qos-policy
 class voip
  priority 1000
 class class-default
  fair-queue
!
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
interface FastEthernet0/0
 description CNTD_TO_CUST
 ip address 69.xxx.xxx.1 255.255.255.252
 speed 100
!
interface Serial0/0
 ip address 172.xxx.xxx.xxx 255.255.255.252
 service-policy output qos-policy
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.xxx.xxx.xxx
no ip http server
ip pim bidir-enable
!
access-list 9 permit yada..yada...yada
access-list 9 permit yada..yada...yada
access-list 9 permit 192.168.110.0 0.0.0.255
access-list 9 permit 192.168.199.0 0.0.0.255
access-list 9 permit <4 more of this type entry>
...
access-list 90 permit yada..yada...yada
access-list 90 permit yada..yada...yada
access-list 90 permit 192.168.110.0 0.0.0.255
access-list 90 permit 192.168.199.0 0.0.0.255
access-list 112 permit ip any any precedence critical
access-list 112 permit ip any host <tftp server address>

<====== End Router Config Info ====>

I reset the Firebox and took the default settings, which included Ping
in & out.
Walked through the set-up wizard
I added a policy matching the UDP and TCP ports required for VoIP (as
provided by the ISP)
I added a policy for HTTP out
Confirmed static routing for 0.0.0.0 0.0.0.0 69.xx.xx.1 (set by
config wizard)
(Online tutorial and Users Guide are useless as they do not provide
reasons behind specific settings. Policy items are easy to understand,
but their routing examples leave a lot unanswered)

Tried to ping the Cisco router from the Firebox, but it failed
Pinged SBS server and it worked (single NIC enabled).
Pinged the Firebox router from SBS - worked
Pinged Cisco Router from SBS - err message about 'Destination gateway
not reachable'

Not too confident in my abilities with the firebox, I took it out of
the network config. I reconfigured the SBS server to sit on both
networks with each NIC having a different Subnet, and connecting the
Cisco router to NIC2 with a matching subnet and .1/30 as the gateway
(based on experience with Unix boxes app, web, and DB server
configs..). I was hoping the SBS server would act as a router,
shuffling traffic from NIC1 to NIC2 as needed ...

In all cases, the lights on the back of the router were lit, but on the
front panel the Sw0 and Eth lights blinked occasionally (power & Ok
lights remained lit). ISP could not ping the router from their side
either, and their mgmt software kept setting an alarm on our line.
*** The problem may be on the ISP side *** (i.e. Router is acting up...)

All may be well on my side, but just want to confirm all is as it
should be. I will run the CEICW wizard to see what changes it makes.

Thanks,
Jon
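
Added example, not part of the original thread: the posted config puts one address with mask 255.255.255.252 on FastEthernet0/0, so this sketch parses IOS-style `ip address` lines, lists which host address of that /30 is left for the device plugged into the router, and checks whether a default gateway is on-link for a given device address. The addresses are constructed stand-ins from documentation ranges for the redacted octets, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: same shape as the posted config, with the redacted
# octets replaced by documentation-range addresses.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description CNTD_TO_CUST
 ip address 203.0.113.1 255.255.255.252
 speed 100
!
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 service-policy output qos-policy
!
"""

def interface_addresses(config):
    """Map interface name -> IPv4Interface from IOS-style config text."""
    found, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*ip address\s+(\S+)\s+(\S+)\s*$", line)
        if m and current:
            try:
                found[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            except ValueError:
                pass  # redacted or malformed address, e.g. 69.xxx.xxx.1
    return found

def free_hosts(iface):
    """Usable addresses in the interface's subnet not held by the interface."""
    return [h for h in iface.network.hosts() if h != iface.ip]

def gateway_on_link(device_ip, netmask, gateway):
    """True if the gateway is directly reachable from device_ip/netmask."""
    dev = ipaddress.IPv4Interface(f"{device_ip}/{netmask}")
    gw = ipaddress.IPv4Address(gateway)
    return gw in dev.network and gw != dev.ip

if __name__ == "__main__":
    for name, iface in interface_addresses(SAMPLE_CONFIG).items():
        print(name, iface.network, "free:", [str(h) for h in free_hosts(iface)])
    # Constructed device addresses: one inside the /30, one on a private LAN.
    print(gateway_on_link("203.0.113.2", "255.255.255.252", "203.0.113.1"))
    print(gateway_on_link("10.0.0.50", "255.255.255.0", "203.0.113.1"))
```

A device whose outside interface is not inside the router's /30 cannot use the router's address as its next hop, which is the condition the last two calls distinguish.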


