DNS Over a Segment

Hi,

I have a problem where I can not ping (IP or Name) my internet router from
segment-2. I can ping other IP's on segment-1 from segment-2, just not the
ISP router. I'm not using DHCP but I think if I do convert it may solve some
problems but that is a future project.

This is my config on segment-1:
(Everything works fine on this side)
Win2k DC Server 172.20.10.1
DNS Server 172.20.10.1
Cisco router 172.20.10.2
ISP Router 172.20.10.3

This is my config on segment-2:
(Everything works fine on this side except can't ping ISP router, can ping
W2k server & routers on both sides)
Cisco router 172.21.10.2

Network LAN connection config on Segment-2 PC's:
Gateway 172.21.10.2
DNS 172.20.10.1

I tried setting the ISP IP as a second gateway in the LAN setup but that
made no difference.

Should I setup a forwarder on my DNS server to point back to 172.21.10.2 ???

I do not have a "." setup.
I do have a Forwarder set for my ISP router
DNS server points to itself on server.
Everything works great on segment-1.

Any thought will be appreciated!

Thanks!
Bill
 
Bill said:
Hi,

I have a problem where I can not ping (IP or Name) my internet router from
segment-2. I can ping other IP's on segment-1 from segment-2, just not the
ISP router.

[The above is unclear...]
Is the problem with "your router" or the "ISP router"?
I'm not using DHCP but I think if I do convert it may solve some
problems but that is a future project.

DHCP has no direct effect on this problem if you
would be using the same settings -- DHCP is just
another method to make those settings.
This is my config on segment-1:
(Everything works fine on this side)
Win2k DC Server 172.20.10.1
DNS Server 172.20.10.1
Cisco router 172.20.10.2
ISP Router 172.20.10.3

Looks to be misconfigured -- we cannot tell for
sure without the subnet masks but it is pretty obviously
wrong unless your Server and both routers share a
common subnet (broadcast domains) but I am betting
you are configured something like this:

ISP<-->Cisco--DC + DNS
(with the servers on the exterior-Network WAN)

Yes all four? machines are using addresses that are
(likely) on the same subnet which would mean this:

ISP< -- DC + DNS -->Cisco
(with the servers on an interior subnet where they
belong)

It is also odd that the ISP is using an address that is
unroutable on the Internet but maybe you just tried to
hide your real addresses and picked this. It is really
best if you give us your real settings and do not even
TYPE them in but give us the actual output of the
commands (cut and paste, or redirect to a file).

Also note: according to the above addresses, you have
two different servers: DC and DNS using the same
address.
This is my config on segment-2:
(Everything works fine on this side except can't ping ISP router, can ping
W2k server & routers on both sides)
Cisco router 172.21.10.2

Chances are you never added a route to the
(intermediate) router for the most interior networks
but your report is very confusing so this is difficult
to say definitively.
Network LAN connection config on Segment-2 PC's:
Gateway 172.21.10.2
DNS 172.20.10.1

I tried setting the ISP IP as a second gateway in the LAN setup but that
made no difference.

Two (or more default gateways) have NO effect if
the first is ALIVE (answering, working).

You can only have ONE DEFAULT gateway ACTIVE
at a time. The others are for backup in case the first one
fails.
Should I setup a forwarder on my DNS server to point back to 172.21.10.2
???

Don't mess up the DNS until you have the Routing working.

Best to show us what your network looks like:

ISP--Cisco1--subnet1-Cisco2-subnet2

...or whatever you really have.
I do not have a "." setup.

Good but...

That's DNS and your problems described above are
all IP (routing) based.
I do have a Forwarder set for my ISP router
DNS server points to itself on server.
Everything works great on segment-1.

Any thought will be appreciated!

It's likely an "intermediate" router problem where
you have no manual route to the more interior subnet.

When you have 3 routers involved (my guess) you
must have manual (or dynamic) routes on the MIDDLE
one(s).

The ISP counts as 1, your gateway router to the ISP is
2, and if you have multiple segments internally then
you LIKELY have a THIRD router (not always.)

But this is not what you describe above nor what your
addresses really suggest except for the use of "segment
1" and "segment 2".

If you have 2 (or more) internal routers (ISP is 3) then
the one(s) in the middle need additional routes added.
 
Herb Martin said:
Bill said:
Hi,

I have a problem where I can not ping (IP or Name) my internet router from
segment-2. I can ping other IP's on segment-1 from segment-2, just not the
ISP router.

[The above is unclear...]
Is the problem with "your router" or the "ISP router"?
I'm not using DHCP but I think if I do convert it may solve some
problems but that is a future project.

DHCP has no direct effect on this problem if you
would be using the same settings -- DHCP is just
another method to make those settings.
ok
This is my config on segment-1 (CISCO-1):
(Everything works fine on this side)
Win2k DC Server 172.20.100.2
DNS Server 172.20.100.2
Cisco-1 router 172.20.100.10
ISP Router 172.20.100.200
Looks to be misconfigured -- we cannot tell for
sure without the subnet masks but it is pretty obviously
wrong unless your Server and both routers share a
common subnet (broadcast domains) but I am betting
you are configured something like this:

ISP<-->Cisco--DC + DNS
(with the servers on the exterior-Network WAN)

The config below describes my setup:
Yes all four? machines are using addresses that are
(likely) on the same subnet which would mean this:

ISP< -- DC + DNS -->Cisco
(with the servers on an interior subnet where they
belong)

It is also odd that the ISP is using an address that is
unroutable on the Internet but maybe you just tried to
hide your real addresses and picked this. It is really
best if you give us your real settings and do not even
TYPE them in but give us the actual output of the
commands (cut and paste, or redirect to a file).

I'm not at the site today but will paste info when I get there in the next
day or so.

The ISP IP addr is the static IP for the LAN side. All segments are using a
class-B subnet.

Also note: according to the above addresses, you have
two different servers: DC and DNS using the same
address.


This is my config on segment-2:
(Everything works fine on this side except can't ping ISP router, can ping
W2k server & routers on both sides)
Cisco router 172.21.100.10

Chances are you never added a route to the
(intermediate) router for the most interior networks
but your report is very confusing so this is difficult
to say definitively.


I haven't added any routes. The only thing I have done was to use a
forwarder on my DNS server to the ISP IP (Static LAN IP). Everything is
working fine on that side.

Two (or more default gateways) have NO effect if
the first is ALIVE (answering, working).

You can only have ONE DEFAULT gateway ACTIVE
at a time. The others are for backup in case the first one
fails.

Ok. My PC LAN gateway's are pointing to my ISP router (172.20.100.200) and
working fine on segment-1. A couple of PC's on Segment-1 also need to see
files on Segment-2. What I did for those units is have the Segment-2 router
IP (172.21.100.10) as the default GW and the ISP router IP (172.20.100.200) as
the second GW. (This is working ok but may not be setup the best way either)
???

Don't mess up the DNS until you have the Routing working.

Best to show us what your network looks like:

ISP--Cisco1--subnet1-Cisco2-subnet2

...or whatever you really have.


Good but...

That's DNS and your problems described above are
all IP (routing) based.


It's likely an "intermediate" router problem where
you have no manual route to the more interior subnet.

When you have 3 routers involved (my guess) you
must have manual (or dynamic) routes on the MIDDLE
one(s).

The ISP counts as 1, your gateway router to the ISP is
2, and if you have multiple segments internally then
you LIKELY have a THIRD router (not always.)

But this is not what you describe above nor what your
addresses really suggest except for the use of "segment
1" and "segment 2".

If you have 2 (or more) internal routers (ISP is 3) then
the one(s) in the middle need additional routes added.
I have (ISP ISP-Router <- DNS W2k Server <-> CISCO-1 router <-> Cisco-2
router)

I can talk from segment-2 (CISCO-2) to Exchange running on Segment-1
(CISCO-1) with no problem.


Hopefully I have given everything you asked for. I did try to "simplify"
the IP nbrs I orig gave. I replaced them with actual IP's. I wasn't trying
to be evasive.

Do you want the "ipconfig /all" results from the W2k server & a PC from both
sides of the segment?

Thank you, I do appreciate the patience & help!
Bill
 
My comments are inline below but a quick look says
the following is going to be your problem:

THE ISP router is the MIDDLE router and it must
have its routing table changed to use the scheme you
are using (with another net behind your connected
router). You probably cannot fix that so will
likely need to re-configure your net.

[dhcp stuff removed]

This is my config on segment-1 (CISCO-1):
(Everything works fine on this side)
Win2k DC Server 172.20.100.2
DNS Server 172.20.100.2
Cisco-1 router 172.20.100.10
ISP Router 172.20.100.200

Ok, I understand the above is INCORRECT and the
following is correct -- the above is what you
should likely use for many reasons.

The config below describes my setup:

Ok, this is your net -- and I had a typo in my parenthesis
(corrected now) -- your servers (DNS and DC) are OUTSIDE
of your own gateway and should probably NOT be located
there.

It causes many problems from routing to security.
I'm not at the site today but will paste info when I get there in the next
day or so.

The ISP IP addr is the static IP for the LAN side. All segments are using a
class-B subnet.




This is my config on segment-2:
(Everything works fine on this side except can't ping ISP router, can ping
W2k server & routers on both sides)
Cisco router 172.21.100.10




I haven't added any routes. The only thing I have done was to use a
forwarder on my DNS server to the ISP IP (Static LAN IP). Everything is
working fine on that side.

DNS is irrelevant until you get the routing working.
Ok. My PC LAN gateway's are pointing to my ISP router (172.20.100.200) and
working fine on segment-1. A couple of PC's on Segment-1 also need to see
files on Segment-2. What I did for those units is have the Segment-2 router
IP (172.21.100.10) as the default GW and the ISP router IP (172.20.100.200) as
the second GW. (This is working ok but may not be setup the best way
either)

That is almost never correct. PCs should be behind
your router and use IT for their Default Gateway IF
they are directly connected -- otherwise use the nearest
adjacent router which will forward up the chain to the
internet.

Inner "middle" routers must have static routes (or dynamic
routing protocols configured and working.)
I have (ISP ISP-Router <- DNS W2k Server <-> CISCO-1 router <-> Cisco-2
router)

What network range does your ISP give you?

(It's odd they are using 172.20.x.y although legal.)

This means they will have to translate for you to reach
the Internet, but YOU will also need to translate if you
use a different private range.
I can talk from segment-2 (CISCO-2) to Exchange running on Segment-1
(CISCO-1) with no problem.


Hopefully I have given everything you asked for. I did try to "simplify"
the IP nbrs I orig gave. I replaced them with actual IP's. I wasn't trying
to be evasive.

Do you want the "ipconfig /all" results from the W2k server & a PC from both
sides of the segment?

Thank you, I do appreciate the patience & help!
Bill
 
Herb Martin said:
My comments are inline below but a quick look says
the following is going to be your problem:

THE ISP router is the MIDDLE router and it must
have its routing table changed to use the scheme you
are using (with another net behind your connected
router). You probably cannot fix that so will
likely need to re-configure your net.

Thanks Herb, I appreciate your time and patience in what I orig. thought was
a small matter.

Ok, when you say I'll need to re-configure my net, are you referring to the
routers only or are there other things that need fixed?

Do you still want me to post the ipconfig /all for the PC's/server
in-question?
[dhcp stuff removed]

This is my config on segment-1 (CISCO-1):
(Everything works fine on this side)
Win2k DC Server 172.20.100.2
DNS Server 172.20.100.2
Cisco-1 router 172.20.100.10
ISP Router 172.20.100.200

Ok, I understand the above is INCORRECT and the
following is correct -- the above is what you
should likely use for many reasons.

The config below describes my setup:

Ok, this is your net -- and I had a typo in my parenthesis
(corrected now) -- your servers (DNS and DC) are OUTSIDE
of your own gateway and should probably NOT be located
there.

It causes many problems from routing to security.
I'm not at the site today but will paste info when I get there in the next
day or so.

The ISP IP addr is the static IP for the LAN side. All segments are using a
class-B subnet.




This is my config on segment-2:
(Everything works fine on this side except can't ping ISP router, can ping
W2k server & routers on both sides)
Cisco router 172.21.100.10




I haven't added any routes. The only thing I have done was to use a
forwarder on my DNS server to the ISP IP (Static LAN IP). Everything is
working fine on that side.

DNS is irrelevant until you get the routing working.
Ok. My PC LAN gateway's are pointing to my ISP router (172.20.100.200) and
working fine on segment-1. A couple of PC's on Segment-1 also need to see
files on Segment-2. What I did for those units is have the Segment-2 router
IP (172.21.100.10) as the default GW and the ISP router IP (172.20.100.200) as
the second GW. (This is working ok but may not be setup the best way
either)

That is almost never correct. PCs should be behind
your router and use IT for their Default Gateway IF
they are directly connected -- otherwise use the nearest
adjacent router which will forward up the chain to the
internet.

Inner "middle" routers must have static routes (or dynamic
routing protocols configured and working.)

It looks like I'll need to find a CISCO tech to help with setting up the
CISCO routers. With the exception of the new ISP router, this was all
in-place when I inherited the network.

Thanks!
Bill

What network range does your ISP give you?

(It's odd they are using 172.20.x.y although legal.)

This means they will have to translate for you to reach
the Internet, but YOU will also need to translate if you
use a different private range.

The IP's I listed are my internal IP's.
My ISP router IP is 206.something


I can talk from segment-2 (CISCO-2) to Exchange running on Segment-1
(CISCO-1) with no problem.


Hopefully I have given everything you asked for. I did try to "simplify"
the IP nbrs I orig gave. I replaced them with actual IP's. I wasn't trying
to be evasive.

Do you want the "ipconfig /all" results from the W2k server & a PC from both
sides of the segment?

Thank you, I do appreciate the patience & help!
Bill
 
Bill said:
Thanks Herb, I appreciate your time and patience in what I orig. thought was
a small matter.

Ok, when you say I'll need to re-configure my net, are you referring to the
routers only or are there other things that need fixed?

The routers at least -- that is what I was referring to.

I also was putting off your DNS references until we get
the routing to work.
Do you still want me to post the ipconfig /all for the PC's/server
in-question?

What comes first is probably connecting the equipment.

You might also tell me what address ranges your ISP
provided you WITH subnet mask so I can figure out
that is really legal/workable for you.

I suspect that you need to pull those servers behind the
router -- need, not just "should."

--
Herb Martin


Bill said:
Herb Martin said:
My comments are inline below but a quick look says
the following is going to be your problem:

THE ISP router is the MIDDLE router and it must
have its routing table changed to use the scheme you
are using (with another net behind your connected
router). You probably cannot fix that so will
likely need to re-configure your net.

Thanks Herb, I appreciate your time and patience in what I orig. thought was
a small matter.

Ok, when you say I'll need to re-configure my net, are you referring to the
routers only or are there other things that need fixed?

Do you still want me to post the ipconfig /all for the PC's/server
in-question?
Bill said:
Hi,

I have a problem where I can not ping (IP or Name) my internet router from
segment-2. I can ping other IP's on segment-1 from segment-2, just not the
ISP router.
[dhcp stuff removed]

This is my config on segment-1 (CISCO-1):
(Everything works fine on this side)
Win2k DC Server 172.20.100.2
DNS Server 172.20.100.2
Cisco-1 router 172.20.100.10
ISP Router 172.20.100.200
ISP<-->Cisco--DC + DNS

Ok, I understand the above is INCORRECT and the
following is correct -- the above is what you
should likely use for many reasons.

The config below describes my setup:
Yes all four? machines are using addresses that are
(likely) on the same subnet which would mean this:

ISP< -- DC + DNS -->Cisco
(with the servers on an EXTERIOR subnet

Ok, this is your net -- and I had a typo in my parenthesis
(corrected now) -- your servers (DNS and DC) are OUTSIDE
of your own gateway and should probably NOT be located
there.

It causes many problems from routing to security.
It is also odd that the ISP is using a address that is
unroutable on the Internet but maybe you just tried to
hide your real addresses and picked this. It is really
best if you give us your real settings and do not even
TYPE them in but give us the actual output of the
commands (cut and paste, or redirect to a file).

I'm not at the site today but will paste info when I get there in the next
day or so.

The ISP IP addr is the static IP for the LAN side. All segments are using a
class-B subnet.



Also note: according to the above addresses, you have
two different servers: DC and DNS using the same
address.



This is my config on segment-2:
(Everything works fine on this side except can't ping ISP router, can ping
W2k server & routers on both sides)
Cisco router 172.21.100.10



Chances are you never added a route to the
(intermediate) router for the most interior networks
but your report is very confusing so this is difficult
to say definitively.


I haven't added any routes. The only thing I have done was to use a
forwarder on my DNS server to the ISP IP (Static LAN IP). Everything is
working fine on that side.

DNS is irrelevant until you get the routing working.
Network LAN connection config on Segment-2 PC's:
Gateway 172.21.10.2
DNS 172.20.10.1


I tried setting the ISP IP as a second gateway in the LAN setup but that
made no difference.

Two (or more default gateways) have NO effect if
the first is ALIVE (answering, working).

You can only have ONE DEFAULT gateway ACTIVE
at a time. The others are for backup in case the first one
fails.

Ok. My PC LAN gateway's are pointing to my ISP router (172.20.100.200) and
working fine on segment-1. A couple of PC's on Segment-1 also need to see
files on Segment-2. What I did for those units is have the Segment-2 router
IP (172.21.100.10) as the default GW and the ISP router IP (172.20.100.200) as
the second GW. (This is working ok but may not be setup the best way
either)

That is almost never correct. PCs should be behind
your router and use IT for their Default Gateway IF
they are directly connected -- otherwise use the nearest
adjacent router which will forward up the chain to the
internet.

Inner "middle" routers must have static routes (or dynamic
routing protocols configured and working.)

It looks like I'll need to find a CISCO tech to help with setting up the
CISCO routers. With the exception of the new ISP router, this was all
in-place when I inherited the network.

Thanks!
Bill

What network range does your ISP give you?

(It's odd they are using 172.20.x.y although legal.)

This means they will have to translate for you to reach
the Internet, but YOU will also need to translate if you
use a different private range.

The IP's I listed are my internal IP's.
My ISP router IP is 206.something


 
Herb,

I pasted the CISCO router configs from both sides of the T-1 link at the
bottom of this post. I pasted ipconfig /all's from a segment-1 PC that is
working fine and also a segment-2 PC that works fine except it can not see or
even ping the Internet router. I also pasted the same info from my DC/DNS
server.





Herb Martin said:
The routers at least -- that is what I was referring to.

I also was putting off your DNS references until we get
the routing to work.


What comes first is probably connecting the equipment.

The equipment is installed and operating but obviously not configured
correctly! Lots of hair pulled over this!
You might also tell me what address ranges your ISP
provided you WITH subnet mask so I can figure out
that is really legal/workable for you.

I don't have any range of addresses from my ISP. All I have is their
dynamic IP in the ISP Router on the WAN side. I have a static IP of
172.20.100.200 255.255.0.0 in the ISP Router LAN side.

I suspect that you need to pull those servers behind the
router -- need, not just "should."

--
Herb Martin


================================================
================================================
================================================
Router-1
User Access Verification

Password:
hhwp_r1>enable
Password:
hhwp_r1#sh run
Building configuration...

Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hhwp_r1
!
boot system flash 1:aaa1582.bin
no logging console
enable secret 5 $1$PyQl$mcp79woaaeEPCkRmFeg0e0
enable password ********
!
!
!
!
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip domain-lookup
!
ipx routing 0003.e3e2.b820
!
!
!
interface FastEthernet0/0
ip address 172.20.100.10 255.255.0.0
no ip mroute-cache
speed auto
half-duplex
ipx network 2B3FE51F
no mop enabled
bridge-group 1
!
interface Serial0/0
ip address 192.168.1.1 255.255.255.0
no ip mroute-cache
ipx network 1234567A
no fair-queue
bridge-group 1
!
router eigrp 100
network 10.0.0.0
network 172.20.0.0
network 192.168.1.0
no auto-summary
no eigrp log-neighbor-changes
!
router igrp 1
redistribute connected
network 172.20.0.0
network 172.21.0.0
network 192.168.1.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.2
no ip http server
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
!
bridge 1 protocol dec
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
password ********
login
!
end

hhwp_r1#

================================================


Router-2
User Access Verification

Password:
hhwp_r2>enable
Password:
hhwp_r2#sh run
Building configuration...

Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hhwp_r2
!
boot system flash 1:aaa1582.bin
no logging console
enable secret 5 $1$PyQl$mcp79woaaeEPCkRmFeg0e0
enable password ********
!
!
!
!
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip domain-lookup
!
ipx routing 0003.e377.2900
!
!
!
interface FastEthernet0/0
ip address 172.21.100.10 255.255.0.0
no ip mroute-cache
speed auto
half-duplex
ipx network 12345678
no mop enabled
bridge-group 1
!
interface Serial0/0
ip address 192.168.1.2 255.255.255.0
no ip mroute-cache
ipx network 1234567A
no fair-queue
bridge-group 1
!
router eigrp 100
network 10.0.0.0
network 172.21.0.0
network 192.168.1.0
no auto-summary
no eigrp log-neighbor-changes
!
router igrp 1
redistribute connected
network 172.20.0.0
network 172.21.0.0
network 192.168.1.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
!
bridge 1 protocol dec
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
password *******
login
!
end

hhwp_r2#


================================================

Segment-1 PC - Works fine!

Windows IP Configuration

Host Name . . . . . . . . . . . . : RM16
Primary Dns Suffix . . . . . . . : hhwpcac.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hhwpcac.org

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-11-43-A9-9F-69
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.20.16.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.20.100.200
                                    172.20.100.10
DNS Servers . . . . . . . . . . . : 172.20.100.2



================================================

Segment-2 PC - Works fine except for accessing Internet.



Windows IP Configuration

Host Name . . . . . . . . . . . . : Hats-Dell-2
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-0C-F1-8C-B8-B6
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.21.33.11
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.21.100.10
                                    172.20.100.200

================================================


DC/DNS Server



Windows 2000 IP Configuration



Host Name . . . . . . . . . . . . : hhwpnt1
Primary DNS Suffix . . . . . . . : hhwpcac.org
Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : hhwpcac.org

Ethernet adapter Local Area Connection 3:



Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys EG1032 v2 Instant Gigabit
Network Adapter #2
Physical Address. . . . . . . . . : 00-0C-41-EB-CB-13

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 172.20.100.2

Subnet Mask . . . . . . . . . . . : 255.255.0.0

Default Gateway . . . . . . . . . : 172.21.100.10

DNS Servers . . . . . . . . . . . : 172.20.100.2

======
(This for a dial-up proxy server that is also active for some users)

======
PPP adapter ABC Net:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface

Physical Address. . . . . . . . . : 00-53-45-00-00-00

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 209.143.26.111

Subnet Mask . . . . . . . . . . . : 255.255.255.255

Default Gateway . . . . . . . . . : 209.143.26.111

DNS Servers . . . . . . . . . . . : 209.143.0.10
66.209.140.124
NetBIOS over Tcpip. . . . . . . . : Disabled


================================================
================================================
================================================
 
Carl said:
Herb,

I pasted the CISCO router configs from both sides of the T-1 link at the
bottom of this post. I pasted ipconfig /all's from a segment-1 PC that is
working fine and also a segment-2 PC that works fine except it can not see or
even ping the Internet router. I also pasted the same info from my DC/DNS
server.

I can go wade through that but it doesn't
really matter until you straighten out the
physical connectivity...and you didn't answer
my question about the assigned address(es)
and subnet mask from your ISP.

The only parts I will likely need from the Cisco
are the basic IP settings and the Routing table
(or how you set it.)

I can search for that but there is no reason to
do this until you have the network figured out
physically.

--
Herb Martin

Herb Martin said:

The routers at least -- that is what I was referring to.

I also was putting off your DNS references until we get
the routing to work.


What comes first is probably connecting the equipment.

The equipment is installed and operating but obviously not configured
correctly! Lots of hair pulled over this!

You might also tell me what address ranges your ISP
provided you WITH subnet mask so I can figure out
what is really legal/workable for you.

I don't have any range of addresses from my ISP. All I have is their
dynamic IP in the ISP Router on the WAN side. I have a static IP of
172.20.100.200 255.255.0.0 in the ISP Router LAN side.

I suspect that you need to pull those servers behind the
router -- need, not just "should."

--
Herb Martin


Bill said:

My comments are inline below but a quick look says
the following is going to be your problem:

THE ISP router is the MIDDLE router and it must
have its routing table changed to use the scheme you
are using (with another net behind your connected
router). You probably cannot fix that so will
likely need to re-configure your net.

Thanks Herb, I appreciate your time and patience in what I orig. thought
was a small matter.

Ok, when you say I'll need to re-configure my net, are you referring to
the routers only or are there other things that need fixed?

Do you still want me to post the ipconfig /all for the PC's/server
in-question?



Hi,

I have a problem where I can not ping (IP or Name) my internet router
from segment-2. I can ping other IP's on segment-1 from segment-2, just
not the ISP router.

[dhcp stuff removed]


This is my config on segment-1 (CISCO-1):
(Everything works fine on this side)
Win2k DC Server 172.20.100.2
DNS Server 172.20.100.2
Cisco-1 router 172.20.100.10
ISP Router 172.20.100.200


ISP<-->Cisco--DC + DNS

Ok, I understand the above is INCORRECT and the
following is correct -- the above is what you
should likely use for many reasons.


The config below describes my setup:
Yes all four? machines are using addresses that are
(likely) on the same subnet which would mean this:

ISP< -- DC + DNS -->Cisco
(with the servers on an EXTERIOR subnet)

Ok, this is your net -- and I had a typo in my parenthesis
(correct now) -- your servers (DNS and DC) are OUTSIDE
of your own gateway and should probably NOT be located
there.

It causes many problems from routing to security.

It is also odd that the ISP is using an address that is
unroutable on the Internet but maybe you just tried to
hide your real addresses and picked this. It is really
best if you give us your real settings and do not even
TYPE them in but give us the actual output of the
commands (cut and paste, or redirect to a file).

I'm not at the site today but will paste info when I get there in
the next day or so.

The ISP IP addr is the static IP for the LAN side. All segments
are using a class-B subnet.



Also note: according to the above addresses, you have
two different servers: DC and DNS using the same
address.



This is my config on segment-2:
(Everything works fine on this side except can't ping ISP router,
can ping W2k server & routers on both sides)
Cisco router 172.21.100.10



Chances are you never added a route to the
(intermediate) router for the most interior networks
but your report is very confusing so this is difficult
to say definitively.


I haven't added any routes. The only thing I have done was to use a
forwarder on my DNS server to the ISP IP (Static LAN IP). Everything
is working fine on that side.

DNS is irrelevant until you get the routing working.

Network LAN connection config on Segment-2 PC's:
Gateway 172.21.10.2
DNS 172.20.10.1


I tried setting the ISP IP as a second gateway in the LAN setup
but that made no difference.

Two (or more default gateways) have NO effect if
the first is ALIVE (answering, working).

You can only have ONE DEFAULT gateway ACTIVE
at a time. The others are for backup in case the first one
fails.

Ok. My PC LAN gateways are pointing to my ISP router (172.20.100.200)
and working fine on segment-1. A couple of PC's on Segment-1 also
need to see files on Segment-2. What I did for those units is have the
Segment-2 router IP (172.21.100.10) as the default GW and the ISP router
IP (172.20.100.200) as the second GW. (This is working ok but may not be
set up the best way either)

That is almost never correct. PCs should be behind
your router and use IT for their Default Gateway IF
they are directly connected -- otherwise use the nearest
adjacent router which will forward up the chain to the
internet.

Inner "middle" routers must have static routes (or dynamic
routing protocols configured and working.)

It looks like I'll need to find a CISCO tech to help with setting up the
CISCO routers. With the exception of the new ISP router, this was all
in-place when I inherited the network.

Thanks!
Bill



Should I setup a forwarder on my DNS server to point back to
172.21.10.2 ???

Don't mess up the DNS until you have the Routing working.

Best to show us what your network looks like:

ISP--Cisco1--subnet1-Cisco2-subnet2

...or whatever you really have.

I do not have a "." setup.

Good but...

That's DNS and your problems described above are
all IP (routing) based.

I do have a Forwarder set for my ISP router
DNS server points to itself on server.
Everything works great on segment-1.

Any thought will be appreciated!

It's likely an "intermediate" router problem where
you have no manual route to the more interior subnet.

When you have 3 routers involved (my guess) you
must have manual (or dynamic) routes on the MIDDLE
one(s).

The ISP counts as 1, your gateway router to the ISP is
2, and if you have multiple segments internally then
you LIKELY have a THIRD router (not always.)

But this is not what you describe above nor what your
addresses really suggest except for the use of "segment
1" and "segment 2".

If you have 2 (or more) internal routers (ISP is 3) then
the one(s) in the middle need additional routes added.


I have (ISP ISP-Router <- DNS W2k Server <-> CISCO-1 router <-> Cisco-2
router)

What network range does your ISP give you?

(It's odd they are using 172.20.x.y although legal.)

This means they will have to translate for you to reach
the Internet, but YOU will also need to translate if you
use a different private range.


The IP's I listed are my internal IP's.
My ISP router IP is 206.something



I can talk from segment-2 (CISCO-2) to Exchange running on Segment-1
(CISCO-1) with no problem.


Hopefully I have given everything you asked for. I did try to "simplify"
the IP nbrs I orig gave. I replaced them with actual IP's. I wasn't
trying to be evasive.

Do you want the "ipconfig /all" results from the W2k server & a PC from
both sides of the segment?

Thank you, I do appreciate the patience & help!
Bill
================================================
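An added example (not part of any poster's message and not code from the thread): a small Python model of the four devices, built from the addresses and static default routes posted above, that traces a ping from the segment-2 PC to the ISP router and the reply back. The ISP router's routing table is never shown in the thread, so "connected networks plus a default route to its WAN gateway" is an assumption, as are the routes added in `corrected()`; IGRP/EIGRP-learned routes and NAT are not modelled.

```python
import copy
import ipaddress

# Interface addresses and static default routes copied from the posted configs.
# ASSUMPTION: the ISP router knows only its connected networks plus a default
# route to its WAN gateway (its routing table is not shown in the thread).
NODES = {
    "pc2":     {"ifaces": ["172.21.33.11/16"],
                "routes": [("0.0.0.0/0", "172.21.100.10")]},
    "hhwp_r2": {"ifaces": ["172.21.100.10/16", "192.168.1.2/24"],
                "routes": [("0.0.0.0/0", "192.168.1.1")]},
    "hhwp_r1": {"ifaces": ["172.20.100.10/16", "192.168.1.1/24"],
                "routes": [("0.0.0.0/0", "192.168.1.2")]},
    "isp":     {"ifaces": ["172.20.100.200/16", "209.143.5.191/24"],
                "routes": [("0.0.0.0/0", "209.143.5.1")]},
}


def owner(nodes, ip):
    """Name of the modelled device that owns this address, or None."""
    ip = ipaddress.ip_address(ip)
    for name, node in nodes.items():
        if any(ipaddress.ip_interface(i).ip == ip for i in node["ifaces"]):
            return name
    return None


def next_hop(node, dst):
    """Longest-prefix match: dst itself if directly connected, else a gateway."""
    dst = ipaddress.ip_address(dst)
    best = None  # (prefix length, next-hop address)
    for iface in node["ifaces"]:
        net = ipaddress.ip_interface(iface).network
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, str(dst))
    for prefix, gateway in node["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gateway)
    return best[1] if best else None


def trace(nodes, src, dst):
    """Follow a packet hop by hop; returns (status, list of devices visited)."""
    dst = str(ipaddress.ip_address(dst))
    path, here = [src], src
    while True:
        hop = next_hop(nodes[here], dst)
        if hop is None:
            return "no-route", path
        nxt = owner(nodes, hop)
        if nxt is None:
            # Handed to a gateway outside the model (or to a host that is absent).
            return ("no-host" if hop == dst else "left-site"), path
        path.append(nxt)
        if hop == dst:
            return "delivered", path
        if path.count(nxt) > 1:
            return "loop", path  # same router seen twice: packet dies at TTL 0
        here = nxt


def ping(nodes, src, dst):
    """Echo request plus echo reply; the reply is routed independently."""
    src_ip = str(ipaddress.ip_interface(nodes[src]["ifaces"][0]).ip)
    out = trace(nodes, src, dst)
    back = trace(nodes, out[1][-1], src_ip) if out[0] == "delivered" else None
    return out, back


def corrected(nodes):
    """ASSUMED correction (not from the thread): teach the ISP router about
    segment-2 and point Router-1's default route at the ISP router."""
    fixed = copy.deepcopy(nodes)
    fixed["isp"]["routes"].append(("172.21.0.0/16", "172.20.100.10"))
    fixed["hhwp_r1"]["routes"] = [
        ("0.0.0.0/0", "172.20.100.200"),
        ("172.21.0.0/16", "192.168.1.2"),  # stands in for the IGRP-learned route
    ]
    return fixed


if __name__ == "__main__":
    for label, nodes in (("as posted", NODES), ("corrected", corrected(NODES))):
        print(label, "ping ISP router :", ping(nodes, "pc2", "172.20.100.200"))
        print(label, "to 209.143.0.10 :", trace(nodes, "pc2", "209.143.0.10"))
```

With the posted settings the echo request reaches the ISP router but the reply leaves through its WAN default route, and Internet-bound traffic from segment-2 bounces between the two Cisco default routes.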
 
Herb,

I'm not sure what you're asking about physical connections being correct. On
segment-1, the ISP Router, Cisco-Router-1, and the DC/DNS all plug into the
same switch. On segment-2, the router & all PC's connect to the same switch.

I do not have assigned addresses from my ISP. I have a static IP on my LAN
side.

On the ISP Router WAN side the settings are
IP 209.143.5.191,
Subnet 255.255.255.0,
Default Gateway 209.143.5.1,
DNS 209.143.0.10

I'm not trying to be difficult and not answer your questions.

If any other info will help, please let me know.

I was going to include this in my last post but a co-worker sent it before
it was finished.

Thanks!
Bill



Herb Martin said:
Carl said:
Herb,

I pasted the CISCO router configs from both sides of the T-1 link at the
bottom of this post. I pasted ipconfig /all's from a segment-1 PC that is
working fine and also a segment-2 PC that works fine except it can not see or
even ping the Internet router. I also pasted the same info from my DC/DNS
server.

I can go wade through that but it doesn't
really matter until you straighten out the
physical connectivity...and you didn't answer
my question about the assigned address(es)
and subnet mask from your ISP.

The only parts I will likely need from the Cisco
are the basic IP settings and the Routing table
(or how you set it.)

I can search for that but there is no reason to
do this until you have the network figured out
physically.

--
Herb Martin

Herb Martin said:

My comments are inline below but a quick look says
the following is going to be your problem:

THE ISP router is the MIDDLE router and it must
have its routing table changed to use the scheme you
are using (with another net behind your connected
router). You probably cannot fix that so will
likely need to re-configure your net.

Thanks Herb, I appreciate your time and patience in what I orig. thought
was a small matter.

Ok, when you say I'll need to re-configure my net, are you referring to
the routers only or are there other things that need fixed?

The routers at least -- that is what I was referring to.

I also was putting off your DNS references until we get
the routing to work.

Do you still want me to post the ipconfig /all for the PC's/server
in-question?

What comes first is probably connecting the equipment.

The equipment is installed and operating but obviously not configured
correctly! Lots of hair pulled over this!

You might also tell me what address ranges your ISP
provided you WITH subnet mask so I can figure out
what is really legal/workable for you.

I don't have any range of addresses from my ISP. All I have is their
dynamic IP in the ISP Router on the WAN side. I have a static IP of
172.20.100.200 255.255.0.0 in the ISP Router LAN side.

I suspect that you need to pull those servers behind the
router -- need, not just "should."

--
Herb Martin




 
Bill said:
Herb,

I'm not sure what you're asking about physical connections being correct. On
segment-1, the ISP Router, Cisco-Router-1, and the DC/DNS all plug into the
same switch. On segment-2, the router & all PC's connect to the same
switch.

Several messages ago we discussed how
your servers belong behind the router (Cisco)
in almost all cases and how I need to know
what addresses the ISP assigned you on the
WAN side -- with the mask.

I do not have assigned addresses from my ISP.

That is incorrect and you (finally) posted it below...

I have a static IP on my LAN side.

On the ISP Router WAN side the settings are
IP 209.143.5.191,
Subnet 255.255.255.0,
Default Gateway 209.143.5.1,
DNS 209.143.0.10

Ok, those are not what you showed earlier, so perhaps
this was more of your obfuscating the real addresses
earlier or you just posted incorrectly.

You need to set it up this way (which is not what you
gave earlier):

ISP<--WAN-->public:Cisco:private--INTERNAL NET(s)

"Internal Net(s)" can include multiple subnets and routers
but the routers will have to be taught how to find all
nets with manual routes. (or tell each other with dynamic routing.)

For one, if there are more internal routers (you have
indicated that) then you will need to ADD ROUTES
on the "public:Cisco:private" router.

Do you understand that need and how to do it?

I'm not trying to be difficult and not answer your questions.

I figured that, but you need to at least acknowledge
a question to say, "I don't know" or something if you
cannot answer it.

Above you said you couldn't answer the ISP question
but then answered it three lines later. Not an "issue"
except that we must communicate clearly if you will
solve your problem.

You can also call me -- I believe I offered before.
Number on my web site: LearnQuick.Com.

If any other info will help, please let me know.

I was going to include this in my last post but a co-worker sent it before
it was finished.

No real problem except the issue of helping you.

So you guys (together) are "Carl & Bill", right?

(Change of name was sort of confusing too.)
Thanks!
Bill



Herb Martin said:
Carl said:
Herb,

I pasted the CISCO router configs from both sides of the T-1 link at the
bottom of this post. I pasted ipconfig /all's from a segment-1 PC that is
working fine and also a segment-2 PC that works fine except it can not see or
even ping the Internet router. I also pasted the same info from my DC/DNS
server.

I can go wade through that but it doesn't
really matter until you straighten out the
physical connectivity...and you didn't answer
my question about the assigned address(es)
and subnet mask from your ISP.

The only parts I will likely need from the Cisco
are the basic IP settings and the Routing table
(or how you set it.)

I can search for that but there is no reason to
do this until you have the network figured out
physically.

--
Herb Martin

:



:

My comments are inline below but a quick look says
the following is going to be your problem:

THE ISP router is the MIDDLE router and it must
have its routing table changed to use the scheme you
are using (with another net behind your connected
router). You probably cannot fix that so will
likely need to re-configure your net.

Thanks Herb, I appreciate your time and patience in what I orig. thought was
a small matter.

Ok, when you say I'll need to re-configure my net, are you referring to the
routers only or are there other things that need fixed?

The routers at least -- that is what I was referring to.

I also was putting off your DNS references until we get
the routing to work.

Do you still want me to post the ipconfig /all for the PC's/server
in-question?


What comes first is probably connecting the equipment.

The equipment is installed and operating but obviously not configured
correctly! Lots of hair pulled over this!


You might also tell me what address ranges your ISP
provided you WITH subnet mask so I can figure out
that is really legal/workable for you.

I don't have any range of addresses from my ISP. All I have is their
dynamic IP in the ISP Router on the WAN side. I have a static IP of
172.20.100.200 255.255.0.0 in the ISP Router LAN side.



I suspect that you need to pull those server behind the
router -- need, not just "should."

--
Herb Martin




:

My comments are inline below but a quick look says
the following is going to be your problem:

THE ISP router is the MIDDLE router and it must
have its routing table changed to use the scheme you
are using (with another net behind your connected
router). You probably cannot fix that so will
likely need to re-configure your net.

Thanks Herb, I appreciate your time and patience in what I orig. thought was
a small matter.

Ok, when you say I'll need to re-configure my net, are you referring to the
routers only or are there other things that need fixed?

Do you still want me to post the ipconfig /all for the PC's/server
in-question?




:

Hi,

I have a problem where I can not ping (IP or Name) my internet router from
segment-2. I can ping other IP's on segment-1 from segment-2, just not the
ISP router.

[dhcp stuff remove]


This is my config on segment-1 (CISCO-1):
(Everything works fine on this side)
Win2k DC Server 172.20.100.2
DNS Server 172.20.100.2
Cisco-1 router 172.20.100.10
ISP Router 172.20.100.200


ISP<-->Cisco--DC + DNS

Ok, I understand the above is INCORRECT and the
following is correct -- the above is what you
should likely use for many reasons.


The config below describes my setup:
Yes all four? machines are using addresses that are
(likely) on the same subnet which would mean this:

ISP< -- DC + DNS -->Cisco
(with the servers on an EXTERIOR subnet

Ok, this is your net -- and I had a typo in my parenthesis
(correct now) -- your servers (DNS and DC) are OUTSIDE
of your own gateway and should probably NOT be located
there.

It causes many problems from routing to security.

It is also odd that the ISP is using an address that is
unroutable on the Internet but maybe you just tried to
hide your real addresses and picked this. It is really
best if you give us your real settings and do not even
TYPE them in but give us the actual output of the
commands (cut and paste, or redirect to a file).

I'm not at the site today but will paste info when I get there in the next
day or so.

The ISP IP addr is the static IP for the LAN side. All segments are using a
class-B subnet.



Also note: according to the above addresses, you have
two different servers: DC and DNS using the same
address.



This is my config on segment-2:
(Everything works fine on this side except can't ping ISP router, can ping
W2k server & routers on both sides)
Cisco router 172.21.100.10



Chances are you never added a route to the
(intermediate) router for the most interior networks
but your report is very confusing so this is difficult
to say definitively.


I haven't added any routes. The only thing I have done was to use a
forwarder on my DNS server to the ISP IP (Static LAN IP). Everything is
working fine on that side.

DNS is irrelevant until you get the routing working.

Network LAN connection config on Segment-2 PC's:
Gateway 172.21.10.2
DNS 172.20.10.1


I tried setting the ISP IP as a second gateway in the LAN setup but that
made no difference.

Two (or more default gateways) have NO effect if
the first is ALIVE (answering, working).

You can only have ONE DEFAULT gateway ACTIVE
at a time. The others are for backup in case the first one
fails.

Ok. My PC LAN gateways are pointing to my ISP router (172.20.100.200) and
working fine on segment-1. A couple of PC's on Segment-1 also need to see
files on Segment-2. What I did for those units is have the Segment-2 router
IP (172.21.100.10) as the default GW and the ISP router IP (172.20.100.200) as
the second GW. (This is working ok but may not be set up the best way either)

That is almost never correct. PCs should be behind
your router and use IT for their Default Gateway IF
they are directly connected -- otherwise use the nearest
adjacent router which will forward up the chain to the
internet.

Inner "middle" routers must have static routes (or dynamic
routing protocols configured and working.)

It looks like I'll need to find a CISCO tech to help with setting up the
CISCO routers. With the exception of the new ISP router, this was all
in-place when I inherited the network.

Thanks!
Bill



Should I setup a forwarder on my DNS server to point back to 172.21.10.2 ???

Don't mess up the DNS until you have the Routing working.

Best to show us what your network looks like:

ISP--Cisco1--subnet1-Cisco2-subnet2

...or whatever you really have.

I do not have a "." setup.

Good but...

That's DNS and your problems described above are
all IP (routing) based.

I do have a Forwarder set for my ISP router
DNS server points to itself on server.
Everything works great on segment-1.

Any thought will be appreciated!

It's likely an "intermediate" router problem where
you have no manual route to the more interior subnet.

When you have 3 routers involved (my guess) you
must have manual (or dynamic) routes on the MIDDLE
one(s).

The ISP counts as 1, your gateway router to the ISP is
2, and if you have multiple segments internally then
you LIKELY have a THIRD router (not always.)

But this is not what you describe above nor what your
addresses really suggest except for the use of "segment
1" and "segment 2".

If you have 2 (or more) internal routers (ISP is 3) then
the one(s) in the middle need additional routes added.


I have (ISP ISP-Router <- DNS W2k Server <-> CISCO-1 router Cisco-2 router)

What network range does your ISP give you?

(It's odd they are using 172.20.x.y although legal.)

This means they will have to translate for you to reach
the Internet, but YOU will also need to translate if you
use a different private range.


The IP's I listed are my internal IP's.
My ISP router IP is 206.something



I can talk from segment-2 (CISCO-2) to Exchange running on Segment-1
(CISCO-1) with no problem.


Hopefully I have given everything you asked for. I did try to "simplify"
the IP nbrs I orig gave. I replaced them with actual IP's. I wasn't trying
to be evasive.

Do you want the "ipconfig /all" results from the W2k server & a PC from both
sides of the segment?

Thank you, I do appreciate the patience & help!
Bill

--
Herb Martin









================================================
================================================
================================================
Router-1
User Access Verification

Password:
hhwp_r1>enable
Password:
hhwp_r1#sh run
Building configuration...

Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hhwp_r1
!
boot system flash 1:aaa1582.bin
no logging console
enable secret 5 $1$PyQl$mcp79woaaeEPCkRmFeg0e0
enable password ********
!
!
!
!
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip domain-lookup
!
ipx routing 0003.e3e2.b820
!
!
!
interface FastEthernet0/0
ip address 172.20.100.10 255.255.0.0
no ip mroute-cache
speed auto
half-duplex
ipx network 2B3FE51F
no mop enabled
bridge-group 1
!
interface Serial0/0
ip address 192.168.1.1 255.255.255.0
no ip mroute-cache
ipx network 1234567A
no fair-queue
bridge-group 1
!
router eigrp 100
network 10.0.0.0
network 172.20.0.0
network 192.168.1.0
no auto-summary
no eigrp log-neighbor-changes
!
router igrp 1
redistribute connected
network 172.20.0.0
network 172.21.0.0
network 192.168.1.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.2
no ip http server
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
!
bridge 1 protocol dec
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
password ********
login
!
end

hhwp_r1#

================================================


Router-2
User Access Verification

Password:
hhwp_r2>enable
Password:
hhwp_r2#sh run
Building configuration...

Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hhwp_r2
!
boot system flash 1:aaa1582.bin
no logging console
enable secret 5 $1$PyQl$mcp79woaaeEPCkRmFeg0e0
enable password ********
!
!
!
!
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip domain-lookup
!
ipx routing 0003.e377.2900
!
!
!
interface FastEthernet0/0
ip address 172.21.100.10 255.255.0.0
no ip mroute-cache
speed auto
half-duplex
ipx network 12345678
no mop enabled
bridge-group 1
!
interface Serial0/0
ip address 192.168.1.2 255.255.255.0
no ip mroute-cache
ipx network 1234567A
no fair-queue
bridge-group 1
!
router eigrp 100
network 10.0.0.0
network 172.21.0.0
network 192.168.1.0
no auto-summary
no eigrp log-neighbor-changes
!
router igrp 1
redistribute connected
network 172.20.0.0
network 172.21.0.0
network 192.168.1.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
!
bridge 1 protocol dec
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
password *******
login
!
end

hhwp_r2#


================================================

Segment-1 PC - Works fine!

Windows IP Configuration



Host Name . . . . . . . . . . . . : RM16

Primary Dns Suffix . . . . . . . : hhwpcac.org

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : hhwpcac.org



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit
Controller

Physical Address. . . . . . . . . : 00-11-43-A9-9F-69

Dhcp Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 172.20.16.1

Subnet Mask . . . . . . . . . . . : 255.255.0.0

Default Gateway . . . . . . . . . : 172.20.100.200

172.20.100.10

DNS Servers . . . . . . . . . . . : 172.20.100.2



================================================

Segment-2 PC - Works fine except for accessing Internet.



Windows IP Configuration



Host Name . . . . . . . . . . . . : Hats-Dell-2

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network
Connection

Physical Address. . . . . . . . . : 00-0C-F1-8C-B8-B6

Dhcp Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 172.21.33.11

Subnet Mask . . . . . . . . . . . : 255.255.0.0

Default Gateway . . . . . . . . . : 172.21.100.10

172.20.100.200

================================================


DC/DNS Server



Windows 2000 IP Configuration



Host Name . . . . . . . . . . . . : hhwpnt1
Primary DNS Suffix . . . . . . . : hhwpcac.org
Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : hhwpcac.org

Ethernet adapter Local Area Connection 3:



Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys EG1032 v2 Instant Gigabit
Network Adapter #2
Physical Address. . . . . . . . . : 00-0C-41-EB-CB-13

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 172.20.100.2

Subnet Mask . . . . . . . . . . . : 255.255.0.0

Default Gateway . . . . . . . . . : 172.21.100.10

DNS Servers . . . . . . . . . . . : 172.20.100.2

======
(This for a dial-up proxy server that is also active for some users)

======
PPP adapter ABC Net:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface

Physical Address. . . . . . . . . : 00-53-45-00-00-00

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 209.143.26.111

Subnet Mask . . . . . . . . . . . : 255.255.255.255

Default Gateway . . . . . . . . . : 209.143.26.111

DNS Servers . . . . . . . . . . . : 209.143.0.10
66.209.140.124
NetBIOS over Tcpip. . . . . . . . : Disabled


================================================
================================================
================================================
 
You need to change your passwords on your Cisco routers IMMEDIATELY!! DO
NOT EVER REVEAL PASSWORDS, EVEN HASHED. Would you like me to tell you what
they are?

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
FAQ W2K/2K3 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;291382
 
in message

: I'm not sure what you're asking about physical connections being correct. On
: segment-1, the ISP Router, Cisco-Router-1, and the DC/DNS all plug into the
: same switch. On segment-2, the router & all PC's connect to the same switch.
:
: I do not have assigned addresses from my ISP. I have a static IP on my LAN
: side.
:
: On the ISP Router WAN side the settings are
: IP 209.143.5.191,
: Subnet 255.255.255.0,
: Default Gateway 209.143.5.1,
: DNS 209.143.0.10

What is the LAN side of the ISP's router? The WAN side was not needed.
Why do you need two routers for two networks?

It appears you have a router from the ISP at your location but it's fuzzy
from there. Does the ISPs LAN connection connect to a switch? You have a
192.168.x.x network Serial-Serial between your two routers. You have two
different Class B networks with two routers. So, the ISPs LAN side address
is probably on the same subnet as Router1.

Is this what you have:

[ISP ROUTER] (LAN IP? 172.20.100.200 maybe?) -> [switch] -> 172.20.100.10/16
[Router1] 192.168.1.1/24 -> 192.168.1.2/24 [Router2] 172.21.100.10/16 ->
[switch]

Router1's DFG is 192.168.1.2 WHY? Appears to be wrong. If 172.20.100.200
is the ISPs LAN IP address, then it should be that: 172.20.100.200
Router2's DFG is 192.168.1.1 which appears to be correct.

Host: RM16 - remove 2nd gateway 172.20.100.10 You're not routing through
Router1 to get to the net.
Host: Hats-Dell-2 - remove 2nd gateway 172.20.100.200 Your DFG is the LAN
side of Router2, not the LAN side of the ISPs router.

Also, you need a route back to the 172.21.0.0/16 network on the ISPs router.
Otherwise it will think you are on the Internet and never route back to you.
Your border router needs to know about all of your private networks. The
private networks only need to know neighbors.

If LAN1 and LAN2 are connecting to the same switch, you have other issues.

Don't forget to change your enable secret passwords on your routers
immediately. If you don't control your ISPs router at your location, you
need to notify them right away to make config changes.

--
Roland Hall
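The return-route problem described in the post above, as an added example that is not part of the original thread: a small longest-prefix-match model of the three routers, using the addresses posted in the thread. The learned routes between Router1 and Router2, the assumption that segment-1 hosts hand replies to Router1, and the documentation address 198.51.100.7 used as an "Internet" destination are assumptions made for the example.

```python
import ipaddress

CONNECTED = "connected"

def table(*routes):
    """Build a routing table from (prefix, next_hop) pairs."""
    return [(ipaddress.ip_network(p), nh) for p, nh in routes]

def lookup(routes, dst):
    """Longest-prefix match: next hop, CONNECTED, or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, nh) for net, nh in routes if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def build(isp_return_route, r1_default):
    """Interface addresses are those posted in the thread; learned routes are assumed."""
    isp = table(("172.20.0.0/16", CONNECTED), ("209.143.5.0/24", CONNECTED),
                ("0.0.0.0/0", "209.143.5.1"))
    if isp_return_route:
        # The route back to segment-2, pointing at Router1's LAN address.
        isp += table(("172.21.0.0/16", "172.20.100.10"))
    return {
        "ISP-Router": {"addrs": {"172.20.100.200", "209.143.5.191"}, "routes": isp},
        "Router1": {"addrs": {"172.20.100.10", "192.168.1.1"}, "routes": table(
            ("172.20.0.0/16", CONNECTED), ("192.168.1.0/24", CONNECTED),
            ("172.21.0.0/16", "192.168.1.2"),   # assumed learned over the serial link
            ("0.0.0.0/0", r1_default))},
        "Router2": {"addrs": {"172.21.100.10", "192.168.1.2"}, "routes": table(
            ("172.21.0.0/16", CONNECTED), ("192.168.1.0/24", CONNECTED),
            ("172.20.0.0/16", "192.168.1.1"),   # assumed learned over the serial link
            ("0.0.0.0/0", "192.168.1.1"))},
    }

def owner(routers, ip):
    """Name of the modelled router that owns this interface address, if any."""
    return next((name for name, r in routers.items() if ip in r["addrs"]), None)

def trace(routers, start, dst, max_hops=8):
    """Follow dst hop by hop from router `start`; return (path, outcome)."""
    path, here = [start], start
    for _ in range(max_hops):
        if dst in routers[here]["addrs"]:
            return path, "delivered"
        nh = lookup(routers[here]["routes"], dst)
        if nh is None:
            return path, "no route"
        if nh == CONNECTED:
            return path, "delivered"            # destination sits on an attached LAN
        nxt = owner(routers, nh)
        if nxt is None:
            return path, "sent to " + nh        # packet left the modelled network
        if nxt in path:
            return path + [nxt], "routing loop"
        here = nxt
        path.append(here)
    return path, "hop limit"

def ping(routers, src_ip, src_gw, dst):
    """Echo request from a host behind src_gw, then the reply back to src_ip."""
    path, result = trace(routers, owner(routers, src_gw), dst)
    if result != "delivered":
        return False, "request: " + result
    # A router answers for itself; a LAN host is assumed to reply via the last router.
    replier = owner(routers, dst) or path[-1]
    path, result = trace(routers, replier, src_ip)
    return result == "delivered", "reply: " + result

if __name__ == "__main__":
    for label, net in (("as posted", build(False, "192.168.1.2")),
                       ("corrected", build(True, "172.20.100.200"))):
        print(label)
        print("  ping ISP router :", ping(net, "172.21.33.11", "172.21.100.10", "172.20.100.200"))
        print("  ping DC/DNS     :", ping(net, "172.21.33.11", "172.21.100.10", "172.20.100.2"))
        print("  Internet-bound  :", trace(net, "Router2", "198.51.100.7"))
```

With the posted settings the echo request reaches the ISP router but its reply follows the default route out the WAN side, and Internet-bound traffic from segment-2 bounces between the two Cisco default routes.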
 
BTW...

This is a lot easier to read with putting your security at risk.
Router-1
interface FastEthernet0/0
ip address 172.20.100.10 255.255.0.0
!
interface Serial0/0
ip address 192.168.1.1 255.255.255.0
!
router eigrp 100
network 10.0.0.0
network 172.20.0.0
network 192.168.1.0
!
router igrp 1
network 172.20.0.0
network 172.21.0.0
network 192.168.1.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2

Router-2
interface FastEthernet0/0
ip address 172.21.100.10 255.255.0.0
!
interface Serial0/0
ip address 192.168.1.2 255.255.255.0
!
router eigrp 100
network 10.0.0.0
network 172.21.0.0
network 192.168.1.0
!
router igrp 1
network 172.20.0.0
network 172.21.0.0
network 192.168.1.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Host Name . . . . . . . . . . . . : RM16
IP Address. . . . . . . . . . . . : 172.20.16.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.20.100.200
172.20.100.10
DNS Servers . . . . . . . . . . . : 172.20.100.2

Host Name . . . . . . . . . . . . : Hats-Dell-2
IP Address. . . . . . . . . . . . : 172.21.33.11
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.21.100.10
172.20.100.200
DC/DNS Server
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : hhwpnt1
Primary DNS Suffix . . . . . . . : hhwpcac.org
IP Address. . . . . . . . . . . . : 172.20.100.2
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.21.100.10
DNS Servers . . . . . . . . . . . : 172.20.100.2

(This for a dial-up proxy server that is also active for some users)
IP Address. . . . . . . . . . . . : 209.143.26.111
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 209.143.26.111

I'm not sure where the network 10.x.x.x comes in for EIGRP on
Router1/Router2.

--
Roland Hall
 
Roland Hall said:

I'm not sure where the network 10.x.x.x comes in for EIGRP on
Router1/Router2.


It was there when I inherited the network. Up to this point I took the
mindset that "if it aint broke, don't fix it". Well it needs it now.
Perhaps that was some default setting left there by a previous emp.
 
Roland Hall said:
in message

: I'm not sure what you're asking about physical connections being correct. On
: segment-1, the ISP Router, Cisco-Router-1, and the DC/DNS all plug into the
: same switch. On segment-2, the router & all PC's connect to the same switch.
:
: I do not have assigned addresses from my ISP. I have a static IP on my LAN
: side.
:
: On the ISP Router WAN side the settings are
: IP 209.143.5.191,
: Subnet 255.255.255.0,
: Default Gateway 209.143.5.1,
: DNS 209.143.0.10
What is the LAN side of the ISP's router? The WAN side was not needed.
Why do you need two routers for two networks?

I was told by the ISP I needed an additional router to attach to our
network. Could we have connected the Internet Modem to our CISCO router via
the switch?

It appears you have a router from the ISP at your location but it's fuzzy
from there. Does the ISPs LAN connection connect to a switch? You have a
192.168.x.x network Serial-Serial between your two routers. You have two
different Class B networks with two routers. So, the ISPs LAN side address
is probably on the same subnet as Router1.

Yes, the router from the ISP connects to a switch, the same switch as
Router-1 and the DC/DNS server.

The 192.168.x.x was there when I inherited the system. I'm not sure if it
was used for anything or was just a default entry. The only connection
between the routers is the Fastethernet0/0. Does that mean the Serial-Serial
setup is ignored?

Yes, the ISPs LAN side address is the same subnet as Router1 and also the
DC/DNS server.

Is this what you have:

[ISP ROUTER] (LAN IP? 172.20.100.200 maybe?) -> [switch] -> 172.20.100.10/16
[Router1] 192.168.1.1/24 -> 192.168.1.2/24 [Router2] 172.21.100.10/16 ->
[switch]

Yes, that looks pretty much right. We are using the Fastethernet0/0 so I
don’t think the 192.168.x.x (serial) applies here but I could be very wrong!


Router1's DFG is 192.168.1.2 WHY? Appears to be wrong. If 172.20.100.200
is the ISPs LAN IP address, then it should be that: 172.20.100.200
Good question! I’ll try changing this.

Router2's DFG is 192.168.1.1 which appears to be correct. OK


Host: RM16 - remove 2nd gateway 172.20.100.10 You're not routing through
Router1 to get to the net.

OK, I think this was set up this way to allow the HAT’s-Dell-2 to access a PC
on the second gateway in addition to accessing the internet.

Host: Hats-Dell-2 - remove 2nd gateway 172.20.100.200 Your DFG is the LAN
side of Router2, not the LAN side of the ISPs router.

OK, I’ll make the change!

Also, you need a route back to the 172.21.0.0/16 network on the ISPs router.
Otherwise it will think you are on the Internet and never route back to you.
Your border router needs to know about all of your private networks. The
private networks only need to know neighbors.

OK, I’m not sure how to configure this in the ISP router but will work on it!
If LAN1 and LAN2 are connecting to the same switch, you have other issues.

Should be ok here, they connect to two separate switches on either side of
the T-1.
Don't forget to change your enable secret passwords on your routers
immediately. If you don't control your ISPs router at your location, you
need to notify them right away to make config changes.

Taken care of!


Many thanks!!!
 
: They were changed.
:
: No that won't be necessary, thanks.

(O:=

I usually remove that line or just put <censored>.

--
Roland Hall
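One way to apply the advice in the posts above (strip credential lines before pasting a `show run` into a public forum, as in the trimmed config earlier in the thread), as an added example that is not part of the original thread. The `<removed>` marker, the finding labels and the sample configuration are constructed for the example; the hash and passwords in it are not real.

```python
import re

# Each pattern keeps the command keyword and drops the credential that follows it.
SECRET_LINES = [
    (re.compile(r"^(\s*enable (?:secret|password)(?: level \d+)?) .+$"), r"\1 <removed>"),
    (re.compile(r"^(\s*username \S+.*? (?:secret|password)) .+$"), r"\1 <removed>"),
    (re.compile(r"^(\s*password) .+$"), r"\1 <removed>"),
    (re.compile(r"^(\s*snmp-server community) \S+(.*)$"), r"\1 <removed>\2"),
    (re.compile(r"^(\s*(?:tacacs-server|radius-server) key) .+$"), r"\1 <removed>"),
    (re.compile(r"^(\s*key-string) .+$"), r"\1 <removed>"),
    (re.compile(r"^(\s*neighbor \S+ password) .+$"), r"\1 <removed>"),
]

# IOS encoding types that appear between the keyword and the stored value.
STORED_TYPE = re.compile(r"\b(?:secret|password) ([057]) \S+")
TYPE_NOTES = {"0": "type-0-cleartext",
              "5": "type-5-md5crypt",      # salted MD5 hash, guessable offline once posted
              "7": "type-7-reversible"}    # obfuscation only, trivially decoded

def sanitize(config):
    """Return (config with credentials removed, [(line_no, finding), ...])."""
    lines = config.splitlines()
    has_secret = any(re.match(r"\s*enable secret ", l) for l in lines)
    cleaned, findings = [], []
    for n, line in enumerate(lines, 1):
        stripped = line.strip()
        if stripped == "no service password-encryption":
            findings.append((n, "cleartext-storage"))
        if stripped.startswith("enable password ") and has_secret:
            # A weaker second copy of the enable credential next to the secret.
            findings.append((n, "redundant-enable-password"))
        m = STORED_TYPE.search(stripped)
        if m:
            findings.append((n, TYPE_NOTES[m.group(1)]))
        for pattern, repl in SECRET_LINES:
            new, count = pattern.subn(repl, line)
            if count:
                line = new
                break
        cleaned.append(line)
    return "\n".join(cleaned), findings

# Constructed sample in the layout of the configs posted in the thread.
SAMPLE = """\
version 12.1
no service password-encryption
!
hostname example_r1
!
enable secret 5 $1$CNST$ConstructedHashNotReal0000
enable password Constructed-enable-pw
!
username admin privilege 15 password 7 0000CONSTRUCTED
!
interface FastEthernet0/0
 ip address 172.20.100.10 255.255.0.0
!
snmp-server community ConstructedCommunity RO
!
line vty 0 4
 password Constructed-vty-pw
 login
!
end
"""

if __name__ == "__main__":
    text, notes = sanitize(SAMPLE)
    print(text)
    for line_no, note in notes:
        print("line %d: %s" % (line_no, note))
```

Removing the lines from a post does not undo an earlier disclosure, so credentials that were already published still need to be changed on the devices.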
 
in message
:
:
: "Roland Hall" wrote:
:
: >
: > I'm not sure where the network 10.x.x.x comes in for EIGRP on
: > Router1/Router2.
:
:
: It was there when I inherited the network. Up to this point I took the
: mindset that "if it aint broke, don't fix it". Well it needs it now.
: Perhaps that was some default setting left there by a previous emp.

Understandable. I was just mentioning anything I saw.

--
Roland Hall
 
in message
:
: "Roland Hall" wrote:
:
: > "Bill" wrote in message
: > : >
: > : I'm not sure what you're asking about physical connections being correct. On
: > : segment-1, the ISP Router, Cisco-Router-1, and the DC/DNS all plug into the
: > : same switch. On segment-2, the router & all PC's connect to the same switch.
: > :
: > : I do not have assigned addresses from my ISP. I have a static IP on my LAN
: > : side.
: > :
: > : On the ISP Router WAN side the settings are
: > : IP 209.143.5.191,
: > : Subnet 255.255.255.0,
: > : Default Gateway 209.143.5.1,
: > : DNS 209.143.0.10
: >
:
: > What is the LAN side of the ISP's router? The WAN side was not needed.
: > Why do you need two routers for two networks?
:
: I was told by the ISP I needed an additional router to attach to our
: network. Could we have connected the Internet Modem to our CISCO router via
: the switch?

Well, if the ISP has a router at your location, then it is usually behind
the terminal devices, i.e. DSU/CSU

If you only have two private networks and one gateway to a public network,
you only really need one router as long as it has two LAN interfaces,
otherwise you do need one more, but not two more. You mentioned T-1,
referenced below so if you have this:

ISP Router -> LocalLoop -> ISP Router -> Switch1(LAN1) -> Router1 ->
LocalLoop -> LongHaul (T-1) -> LocalLoop -> Router2 -> Switch2(LAN2)

Then you do need two routers in lieu of the ISPs router on your end. If
LAN1/LAN2 were in the same physical location then it would become a design
issue to determine which router(s) were required.

: > It appears you have a router from the ISP at your location but it's fuzzy
: > from there. Does the ISPs LAN connection connect to a switch? You have a
: > 192.168.x.x network Serial-Serial between your two routers. You have two
: > different Class B networks with two routers. So, the ISPs LAN side address
: > is probably on the same subnet as Router1.
:
: Yes, the router from the ISP connects to a switch, the same switch as
: Router-1 and the DC/DNS server.
:
: The 192.168.x.x was there when I inherited the system. I'm not sure if it
: was used for anything or was just a default entry. The only connection
: between the routers is the Fastethernet0/0. Does that mean the Serial-Serial
: setup is ignored?

From the configs, Router1:Serial0/0 connects to Router2:Serial0/0. That is
the only way they connect.

: Yes, the ISPs LAN side address is the same subnet as Router1 and also the
: DC/DNS server.
:
:
: >
: > Is this what you have:
: >
: > [ISP ROUTER] (LAN IP? 172.20.100.200 maybe?) -> [switch] -> 172.20.100.10/16
: > [Router1] 192.168.1.1/24 -> 192.168.1.2/24 [Router2] 172.21.100.10/16 ->
: > [switch]
:
: Yes, that looks pretty much right. We are using the Fastethernet0/0 so I
: don't think the 192.168.x.x (serial) applies here but I could be very wrong!

It applies if you want Router2 to be connected and able to access the
Internet. Are these two LANs at the same location?

: > Router1's DFG is 192.168.1.2 WHY? Appears to be wrong. If 172.20.100.200
: > is the ISPs LAN IP address, then it should be that: 172.20.100.200
: Good question! I'll try changing this.
:
:
: > Router2's DFG is 192.168.1.1 which appears to be correct.
: OK
:
: >
: > Host: RM16 - remove 2nd gateway 172.20.100.10 You're not routing through
: > Router1 to get to the net.
:
: OK, I think this was set up this way to allow the HAT's-Dell-2 to access a PC
: on the second gateway in addition to accessing the internet.

What second gateway?

: > Host: Hats-Dell-2 - remove 2nd gateway 172.20.100.200 Your DFG is the LAN
: > side of Router2, not the LAN side of the ISPs router.
:
: OK, I'll make the change!
:
:
: >
: > Also, you need a route back to the 172.21.0.0/16 network on the ISPs router.
: > Otherwise it will think you are on the Internet and never route back to you.
: > Your border router needs to know about all of your private networks. The
: > private networks only need to know neighbors.
:
: OK, I'm not sure how to configure this in the ISP router but will work on it!

If you have access to the ISP's router, all you need to do is add a route:

Connect, log on, enable, type in enable password (comments in [])
conf t
[configure terminal]
ip route 172.21.0.0 255.255.0.0 172.20.100.10
[ip route network mask next-hop; the network must be 172.21.0.0 to match the]
[/16 mask, and the next hop is Router1's LAN address from the layout above]
end
[leave configuration mode]
wr mem or copy running-config startup-config
[write memory]

: > If LAN1 and LAN2 are connecting to the same switch, you have other issues.
:
: Should be ok here, they connect to two separate switches on either side of
: the T-1.

This probably answers some questions above.

: > Don't forget to change your enable secret passwords on your routers
: > immediately. If you don't control your ISPs router at your location, you
: > need to notify them right away to make config changes.
:
: Taken care of!

ok

: Many thanks!!!

You're welcome. How is connectivity now?

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
FAQ W2K/2K3 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;291382
 
I will say I have certainly learned a lot about routers the last several
days. It looks like that is my problem.

The CISCO routers are both behind the Internet router so there was not a
real threat there but I changed passwords anyway. I sure didn't know that
could be de-coded from the config dump.

I learn from my mistakes as well so this is a good thing since no harm was
done.

I think I know what needs to be changed now.

Thanks,
Bill
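
Because stored passwords can be recovered from a posted config dump, as noted above, a dump should be scrubbed before it is shared. The following is an added example, not part of the thread: Python that flags and removes credential lines from an IOS config. The sample config and every value in it are constructed, and the rule list (enable, username, line password, SNMP community) is an assumption about which lines matter.

```python
import re

# Suffix shared by typed credentials: optional IOS type digit, then the value.
TYPED = r"(?: (?P<type>\d))? (?P<secret>\S+)(?P<tail>\s*)$"
RULES = [
    ("enable", re.compile(
        r"^(?P<head>\s*enable (?:secret|password)(?: level \d+)?)" + TYPED)),
    ("username", re.compile(
        r"^(?P<head>\s*username \S+(?: privilege \d+)? (?:secret|password))" + TYPED)),
    ("line password", re.compile(r"^(?P<head>\s+password)" + TYPED)),
    ("snmp community", re.compile(
        r"^(?P<head>\s*snmp-server community) (?P<secret>\S+)(?P<tail>.*)$")),
]
# How the value is stored; no digit (or 0) means it sits in the dump as typed.
STORAGE = {None: "cleartext", "0": "cleartext",
           "7": "type 7 (reversible)", "5": "type 5 (MD5-crypt hash)"}

def sanitize(config):
    """Return (redacted_text, findings); a finding is (line_no, what, storage)."""
    out, findings = [], []
    for no, line in enumerate(config.splitlines(), 1):
        for what, rx in RULES:
            m = rx.match(line)
            if m:
                kind = m.groupdict().get("type")
                findings.append((no, what, STORAGE.get(kind, f"type {kind} (hashed)")))
                line = f"{m['head']} <removed>{m['tail']}"
                break
        out.append(line)
    return "\n".join(out), findings

# Constructed sample dump; every credential value below is made up.
SAMPLE = """\
hostname Router1
enable secret 5 $1$CONS$TRUCTEDxHASHxVALUExxxx
enable password 7 00AA11BB22CC
username admin privilege 15 password 0 ExamplePass1
snmp-server community ExampleRO RO
interface FastEthernet0/0
 ip address 172.20.100.10 255.255.0.0
line vty 0 4
 password ExamplePass2
 login
"""

if __name__ == "__main__":
    redacted, findings = sanitize(SAMPLE)
    for no, what, storage in findings:
        print(f"line {no}: {what} stored as {storage}")
    print(redacted)
```

Any credential that has already appeared in a posted dump should still be changed, since redaction only helps for dumps shared afterwards.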
 