Hi, I removed the "ip http server" from all routers. I also removed the "ip nat inside" from the first Mexico router. So far so good. But when I did a "no ip route 192.168.100.0 255.255.255.0 Serial0/0:0.300" I immediatly lost connection to the router and am now trying to reach someone down there to reboot it not good, as it should have been issued for 192.168.100.20
So still working on clean up for that box. In Amsterdam: I could really, really use a VPN connection between 172.29.30.0 and 172.29.10.0 subnets so will look at that while I wait for the Mexico router to be rebooted. (yes, somewhat over my head here, but shall persevere) Daniel Cotts wrote: > > You have a static NAT translation for 192.168.100.20 on both > routers. I'd > suggest removing it from the Mexican router. > > You haven't said whether or not you are doing standard or > extended pings. > Whether you are pinging from a host or the routers. > Do a traceroute when the pings are fast and when they are slow. > See where > the packets are going. You might want to do a "sh ip route" in > each > condition. > Some small housekeeping: > Mexican router: > I see no need for the "ip nat inside" on the Serial0/0:0.300 > subinterface. > Nothing from that interface meets the conditions of access-list > 101. > You can remove the "ip policy route-map nonat from > subinterfaces 0/0:0.300 > and 0/0:0.301 . There is no route-map in the config. > You have 192.168.100.0 on F0/1 (shutdown) in Mexico. You have > 192.168.100.0 > on F0/1 in SC-SAN. You still have a NAT static in Mexico for the > 192.168.100.20 host. Might be good to remove that static > mapping and remove > the unused address completely from the interface to avoid > confusion. > "ip http server" can be a security hole. > > SC-SAN router: > VPN connection to 172.29.30.0 uses access list 100 to define > allowed > traffic. I don't understand the first line of that list. Does > it refer to > the NAT pool of addresses? If so, how do they work inside? If > not, who are > they? Who is really allowed access to 172.29.30.0? > Again the ip policy and route-map statements aren't doing > anything. There is > an issue that could use a route-map. The users in 172.29.30.0 > can't reach > the statically NATed servers 192.168.100.20 & 135 over the VPN. > There is a > way to solve that problem (if it is a problem.) > Keep us posted on your progress. I would like to know the > solution. > > > -----Original Message----- > > From: Sammi Dog [mailto:[EMAIL PROTECTED]] > > Sent: Friday, September 13, 2002 5:23 PM > > To: [EMAIL PROTECTED] > > Subject: Re: Two Interfaces = Extremely Slow Ping [7:53266] > > > > > > I would appreciate any and all comments. > > > > >From: "Chris McNally" > >Hi all, > >We have one router in > > the U.S. and > > > one in Mexico. They are connected to each >other via frame > > relay and they > > > each have their own internet portal. >When the Mexico > router is > > > disconnected from its internet interface the ping >returns > > between U.S. > > > are averaging 70ms but when they plug in their internet > > >side the ping > > > returns shoot above 500ms and often hit 800. > > Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53628&t=53266 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
