Router on a stick and NAT.

Answered Question
Oct 18th, 2007

I have 2 VLANs, 1 private and 1 public, on a 1924 switch; trunk B is attached to f0/0 on a 2621 and packets are routed via sub-ifs. I was initially using some SOHOs to connect the Internet and my two VLANs together, with links between each VLAN group to the SOHOs and the SOHOs to each other. (See attached diagram.)

I would like to move this 2-router setup to just 1 router. I've tried what I thought was going to be a simple setup and it has yet to work 100%. Is what I want to do possible with just a 2621? Or will I need to add a WIC-1ENET, get rid of the trunking and just link 1 Ethernet port to each VLAN?

What I've found out so far -

Using the config below, hosts on my private LAN (vlan42) are able to ping and access each other, their gateway (f0/0.42), f0/0.191 and di1. Hosts on my private LAN (vlan42) cannot get past di1 to get on to the Internet. Hosts on vlan191 can get onto the Internet OK, and the Internet to them.

When I SSH from a host on vlan42 to a host on vlan191, NAT appears to work: the vlan191 host tells me I'm coming from my inside global address (the f0/0.191 IP address). But from hosts on vlan191 I can ping hosts directly on vlan42 (192.168.42.x); NAT doesn't appear to be working in this direction.

c1924 (cs1-iwc)
 + e0 - e7: vlan191 (Public IPs)
 + e17 - e24: vlan42 (Private IPs)
 + Trunk B: cabled to c2621 f0/0, allowed vlans 1, 42, 191

c2621 (cr1-iwc)
 + f0/0: trunked link to 1924
   + f0/0.42 (nat inside), ip 192.168.42.33/28
   + f0/0.191 (nat outside), ip x.x.191.33/28
 + f0/1: hooked to DSL modem
 + di1: pppoe setup

c2621 setup:

cr1-iwc#sh run
Building configuration...

Current configuration : 5468 bytes
!
version 12.3
service timestamps debug datetime localtime
service timestamps log datetime msec localtime show-timezone
!
hostname cr1-iwc
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100
!
!
ip tcp path-mtu-discovery
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.42
 encapsulation isl 42
 ip address 192.168.42.33 255.255.255.240
 no ip redirects
 ip nat inside
 no snmp trap link-status
!
interface FastEthernet0/0.191
 encapsulation isl 191
 ip address x.x.191.33 255.255.255.240
 no ip redirects
 ip nat outside
 no snmp trap link-status
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Dialer1
 description PPPoE Connection
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username x
!
ip nat inside source list NAT interface FastEthernet0/0.191 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
ip access-list standard NAT
 permit 192.168.42.32 0.0.0.15
!
!
!
!
dial-peer cor custom
!
end

Thanks for any insight that anyone can offer.

-Sean

Correct Answer by sundar.palaniappan, Thu, 10/18/2007 - 15:32

Sean,

Can you make the following changes and try.

Add:

interface Dialer1
 ip nat outside

ip access-list ext NAT
 permit ip 192.168.42.32 0.0.0.15 any

Remove:

no ip access-list standard NAT

HTH

Sundar
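As a way to check Sundar's fix against the symptoms Sean describes, here is an added example; it is not part of the thread and not Cisco's code. It is a small Python linter that parses a show-run style IOS config and reports the NAT inconsistency in the posted config: the default route leaves Dialer1, but only f0/0.191 is marked `ip nat outside`, so vlan42 traffic goes out the PPPoE link untranslated. The sample config is constructed from the posted one, with the documentation prefix 203.0.113.0/28 standing in for the redacted x.x.191.0/28 block; the parser is deliberately narrow (one-space indented stanzas, only the `ip nat inside source list ... interface ... overload` form, default routes only).

```python
"""Static check of a Cisco IOS NAT configuration: does every interface that
traffic actually leaves by carry `ip nat outside`?  Constructed example,
not code from the original thread."""
import ipaddress
import re

# Constructed sample: the relevant stanzas of the config posted in the
# question. The redacted public block x.x.191.0/28 is replaced by the
# documentation prefix 203.0.113.0/28 so the addresses parse.
ORIGINAL_CONFIG = """\
interface FastEthernet0/0.42
 encapsulation isl 42
 ip address 192.168.42.33 255.255.255.240
 ip nat inside
!
interface FastEthernet0/0.191
 encapsulation isl 191
 ip address 203.0.113.33 255.255.255.240
 ip nat outside
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
!
ip nat inside source list NAT interface FastEthernet0/0.191 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard NAT
 permit 192.168.42.32 0.0.0.15
"""

# The same config with the accepted answer's two changes applied.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    " dialer pool 1\n", " dialer pool 1\n ip nat outside\n"
).replace(
    "ip access-list standard NAT\n permit 192.168.42.32 0.0.0.15\n",
    "ip access-list extended NAT\n permit ip 192.168.42.32 0.0.0.15 any\n",
)


def parse_ios(text):
    """Collect interface stanzas, 'ip nat inside source list' rules, default
    routes and named ACLs from show-run style text (sub-commands indented;
    '!' or any top-level command ends the current stanza).
    Only the 'list <acl> interface <if> overload' NAT form is understood."""
    cfg = {"interfaces": {}, "nat_rules": [], "default_routes": [], "acls": {}}
    stanza = None  # list that receives indented sub-commands
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            stanza = None
            continue
        if raw[0].isspace():
            if stanza is not None:
                stanza.append(raw.strip())
            continue
        stanza = None
        words = raw.split()
        if words[0] == "interface":
            stanza = cfg["interfaces"].setdefault(words[1], [])
        elif words[:2] == ["ip", "access-list"] and len(words) >= 4:
            # IOS accepts abbreviated keywords such as 'ext' for 'extended'
            kind = "extended" if "extended".startswith(words[2]) else "standard"
            acl = cfg["acls"].setdefault(words[3], {"kind": kind, "entries": []})
            stanza = acl["entries"]
        elif words[:5] == ["ip", "nat", "inside", "source", "list"]:
            iface = words[7] if len(words) > 7 and words[6] == "interface" else None
            cfg["nat_rules"].append({"acl": words[5], "interface": iface})
        elif words[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            cfg["default_routes"].append(words[4])
    return cfg


def egress_interface(cfg, next_hop):
    """Interface a route leaves by: the name itself if the route points at an
    interface, else the interface whose configured subnet holds the next hop."""
    if next_hop in cfg["interfaces"]:
        return next_hop
    try:
        hop = ipaddress.ip_address(next_hop)
    except ValueError:
        return None
    for name, cmds in cfg["interfaces"].items():
        for cmd in cmds:
            m = re.match(r"ip address (\S+) (\S+)$", cmd)
            if m and hop in ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False):
                return name
    return None


def check_nat(cfg):
    """Return a list of findings; an empty list means the NAT plumbing is
    consistent: the inside-global interface and the default-route egress are
    both 'ip nat outside', and the translation ACL exists."""
    findings = []
    outside = {n for n, c in cfg["interfaces"].items() if "ip nat outside" in c}
    if not any("ip nat inside" in c for c in cfg["interfaces"].values()):
        findings.append("no interface is marked 'ip nat inside'")
    for rule in cfg["nat_rules"]:
        if rule["acl"] not in cfg["acls"]:
            findings.append(f"NAT rule references undefined ACL {rule['acl']}")
        if rule["interface"] and rule["interface"] not in outside:
            findings.append(f"inside-global interface {rule['interface']} is not 'ip nat outside'")
    for hop in cfg["default_routes"]:
        egress = egress_interface(cfg, hop)
        if egress is None:
            findings.append(f"default route via {hop} resolves to no configured interface")
        elif egress not in outside:
            findings.append(f"default route exits {egress}, which is not 'ip nat outside': "
                            "inside hosts leave untranslated")
    return findings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_nat(parse_ios(text)) or ["ok"])
```

Run as a script it prints one finding for the original config (Dialer1 is the default-route egress but is not `ip nat outside`) and `ok` for the fixed one. The check only covers the inside-to-outside path that Sean could not get working; it says nothing about outside hosts reaching vlan42 directly, which `ip nat inside source` does not block on its own.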
