851w default static routes set but no internet

Unanswered Question
Dec 12th, 2007

I have a Cisco 851W router which is connected to our office LAN (Firewall/NAT). Our office LAN is connected to our public network which then connects to the internet through a bridged DSL modem to our ISP.

I have static routes set on the office and public LAN routers; I can ping from the public network all the way to the 851W (including the wireless LAN).

On the 851W I have set a default route on the 851W to the next hop. I have set static routes to the other segments of the LAN.

The problem is that I am unable to receive an answer to my ping(s) past the public router's WAN interface. I know that it is not a firewall issue as I dropped the NAT/Firewall just to verify.

Any help would be appreciated.

Here is part of the running config

ip dhcp pool sdm-pool1
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 166.82.xx.xx 166.82.xx.xx
!
ip dhcp pool vlan1
 import all
 network 192.168.3.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 166.82.xx.xx 166.82.xx.xx
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address 192.168.1.4 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.2.1 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1412

Thanks in advance,

Neil

Richard Burts Wed, 12/12/2007 - 13:44

Neil

I see a few things but am not sure if any of them are the real source of your problem.

- I see interface BVI1 but not what is bridged to the BVI or any other sign of IRB.

- I see that DHCP pool named vlan1 specifies network 192.168.3.0 255.255.255.0, but the default router that it specifies is 192.168.2.1, which is not in the same network.

- I do not see any routing statements on the router. How does it know how to get to any remote address?

HTH

Rick

neilllittle Wed, 12/12/2007 - 14:05

ok, I guess I cut out too much. Here is the complete config.

Current configuration : 4993 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname GSC851Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.151 192.168.2.254
ip dhcp excluded-address 192.168.3.1 192.168.3.99
ip dhcp excluded-address 192.168.3.151 192.168.3.254
!
ip dhcp pool sdm-pool1
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 166.82.xx.xx 166.82.xx.xx
!
ip dhcp pool vlan1
 import all
 network 192.168.3.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 166.82.xx.xx 166.82.xx.xx
!
!
ip cef
ip tcp synwait-time 10
no ip bootp server
ip name-server 166.82.xx.xx
ip name-server 166.82.xx.xx
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-1683273127
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1683273127
 revocation-check none
 rsakeypair TP-self-signed-1683273127
!
!
crypto pki certificate chain TP-self-signed-1683273127
 certificate self-signed 01
  xxxxxxxxx
  quit
username gsc851 privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address 192.168.1.4 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 broadcast-key vlan 1 change 45 membership-termination
 !
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid gsc851
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    infrastructure-ssid optional
    wpa-psk ascii 7 xxxxxxxxxxxxxxxxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.2.1 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip classless
ip route 0.0.0.0 0.0.0.0 166.82.xx.xx 2
ip route 166.82.62.0 255.255.255.0 192.168.1.1 2
ip route 192.168.1.0 255.255.255.0 FastEthernet4
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging trap debugging
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Richard Burts Thu, 12/13/2007 - 05:13

Neil

Seeing the full config is helpful - especially for resolving the incomplete reference to IRB. I have a couple of comments though I am not sure that I have fully identified the problem:

- the static route: ip route 192.168.1.0 255.255.255.0 FastEthernet4 is not necessary. Since the 192.168.1.0/24 is a connected subnet it will already be in the routing table.

- both other static routes are set up as floating statics with administrative distance of 2. Why is this? With no other routing logic why do you need floating statics?

- I do not understand the DHCP pool vlan1. The name suggests that it is for VLAN 1 but the addressing of the pool does not match the addressing of VLAN 1. Since any DHCP request from any client in VLAN 1 will come through the BVI it will get an address from the 192.168.2.0 network in pool sdm-pool1. I do not see that the addresses in pool vlan1 ever get used. And there is the issue that the default router defined in the pool is not valid for that pool.

- I see a statement for nat inside on interface Dot11Radio0.1 but do not see any other NAT configuration. If you are not doing NAT on this router I suggest that you remove the ip nat inside command.

I wonder if the problem might be that your firewall/NAT on whatever device it is configured on might not be doing proper translation for the addresses on this router. Can you tell us how it is set up on that device?

HTH

Rick

neilllittle Thu, 12/13/2007 - 09:33

Rick,

I admit subnetting is my weak point as well as Cisco IOS. It has mostly been a book in one hand while typing with the other.

I have been using the configuration examples I have found on the Cisco website and the Cisco SDM to configure this router.

I cannot say that I understand fully how the different elements in this router relate to each other yet.

For your question about VLAN1: according to the information I gleaned from the document I found to configure the wireless part of the router, VLAN1 is part of the wireless bridge (interface Dot11Radio0[?]).

Looking at the running config (and a book in the other hand) I see where VLAN1 is associated with the ssid, the encryption protocol, and broadcast key for the Dot11Radio0 interface.

So I am thinking that anything coming from the wireless interface goes through VLAN1 and then through the Virtual Bridge Interface (BVI).

I do know that a laptop connected to the router wireless is assigned an address in the range of the dhcp pool associated to VLAN1 (ip dhcp pool vlan1).

The result of pinging/addressing destinations from the wireless interface is the same as pinging/addressing from the fast ethernet ports (FE01 - FE03).

I think I can conclude that VLAN1/Dot11Radio0 is not at issue.

On the ip nat inside on interface Dot11Radio0.1, there was a NAT configured but I removed it to reduce the number of variables to contend with. I guess I missed it.

Routers:

- BEFSR81: Servers, Office LAN (RV042), Static IPs, Firewall/NAT (NAT is disabled).

- RV042: Office LAN, Desk tops, DHCP server, Firewall/NAT (Firewall allows traffic from IPs in routed group on BEFSR81)

The 851W router is connected to one of the LAN ports on the RV042 router. With exception of allowing message traffic from the routed group of IP addresses on the public LAN (BEFSR81) the NAT/firewall is still at factory settings.

Dropping both of the Firewalls (and the NAT on RV042) gave the same result.

I also connected the 851W router to the public LAN (BEFSR81 router) with the same result.

I think I can conclude that I am not running into an issue with the firewall/NAT.

So that probably narrows the issue down to Interface BVI1 and Interface FastEthernet4 ...maybe.

Neil

Richard Burts Thu, 12/13/2007 - 10:38

Neil

There are two DHCP pools configured. I am not sure why there are two pools and it looks to me like only one pool is really used. Your post says that it is the vlan1 pool. But I wonder about that. It looks to me like the sdm-pool1 is what is used. If you connect a PC to the wireless (or to one of the switched ports on the router) does it get an address in 192.168.2.x or in 192.168.3.x?

I have re-read the thread several times and would like to ask about this statement in the original post:

The problem is that I am unable to receive an answer to my ping(s) past the public router's WAN interface.

Am I correct in understanding from this that a PC connected on the 851 can ping (and otherwise communicate) with devices in the office LAN?

If so I believe that it points more to a problem with NAT going to the outside than it does to a problem with BVI or with FastEthernet4.

HTH

Rick

neilllittle Thu, 12/13/2007 - 11:24

Rick

>If you connect a PC to the wireless (or to one of the switched ports on the router) does it get an address in 192.168.2.x or in 192.168.3.x?

When I connect a PC to the wireless interface the PC gets an address in 192.168.3.x (vlan1 pool)

When I connect a PC to one of fastethernet ports (FE01 - FE03) the PC gets an address in 192.168.2.x (sdm-pool1)

>Am I correct in understanding from this that a PC connected on the 851 can ping (and otherwise communicate) with devices in the office LAN?

Correct.

A PC connected on the 851 can ping (and otherwise communicate) with devices in the office LAN (RV042 router).

Also, a PC connected on the 851 can ping (and otherwise communicate) with devices in the Public LAN (BEFSR81 router). This is the router beyond the office LAN.

A PC connected on the 851 can ping the WAN interface of Public LAN's router (BEFSR81) (through the office LAN), but not the next hop (ISP's network).

PC->[851]->[RV042]->[BEFSR81]->ISP

Also, a PC connected on the 851 that is connected to a LAN on the Public LAN's router (office lan eliminated) can ping the WAN interface of the Public LAN's router, but not the next hop (ISP's network).

PC->[851]->[BEFSR81]->ISP

Neil

Richard Burts Thu, 12/13/2007 - 11:50

Neil

The logic of the two DHCP pools still is a bit of a puzzle but I am beginning to understand it somewhat better. The BVI is associated with VLAN 1 and uses the 192.168.2.0 network and devices in the switch ports get 192.168.2.x addresses (sdm-pool1). The radio subinterface uses the 192.168.3.0 network and devices in the wireless get 192.168.3.x addresses. What I was slow to recognize is that the radio subinterface is also associated with VLAN 1. So what that really means is that VLAN 1 has two different subnets associated with it (and uses two different DHCP pools). In normal practice a VLAN has a single subnet associated with it. But it does not break anything for a VLAN to have two different subnets. So I will agree that while it seems a bit odd - there is not anything in the DHCP or in the BVI that is causing the problem.

When you confirm that a PC connected to the 851 can successfully communicate with devices in the Office LAN and the public LAN then I become convinced that the problem is not on the 851. The 851 is routing to "remote" destinations and receiving responses from the remote destinations. I am not sure what would be different about access the ISP network - other than the possible issue of NAT. My guess is that devices in the Office LAN and public LAN are getting translated but that devices on the 851 are not getting translated.

Can you tell me anything else about how NAT is set up for this network?

HTH

Rick

neilllittle Thu, 12/13/2007 - 14:29

Rick

>The logic of the two DHCP pools still is a bit of a puzzle.

Not to divert the issue but I take it that the Dot11radio interface is able to be placed in the same DHCP pool?

>Can you tell me anything else about how NAT is set up for this network?

I think that the only thing I can add is that the Office LAN router (RV042) has only one Firewall rule. That is it allows all traffic from the WAN interface from the IP range of my routed group. The WAN interface is a static IP configured to an IP in the routed group.

One other thing I just discovered. I logged into the router interface (disdaining the SDM) and was able to ping IP addresses off the ISP's network.

Pinging from a laptop in the shell ...er, CMD line, those same IP addresses still will not return anything.

So where is that ping on the router coming from? After the BVI1 interface or where?

Richard Burts Thu, 12/13/2007 - 20:55

Neil

I believe that this is helpful information.

When you do a ping on the router it uses the IP address of the outbound interface as its source address. So if you are on the router interface and ping to the ISP it will use the 192.168.1.4 address as its source. And I believe that going out through the firewall that address gets translated. But the 192.168.2.x and 192.168.3.x are not getting translated.

One clarification: this post and at least one other have talked about a Firewall rule that permits the outbound traffic. The Firewall rule permitting traffic is not the same thing as address translation, which the Firewall is probably doing. I believe you that the Firewall rule may be permitting this traffic. But I suspect that the lack of a translation rule for this traffic is the problem.

Also not to divert: I see no reason why the VLAN 1 ports in the router switch module and the radio could not use the same DHCP pool.

HTH

Rick
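One way to close the translation gap Rick describes above, combined with the route cleanup from his earlier review (the unneeded connected-subnet static and the distance-2 floating statics) and the pool vlan1 default-router mismatch he flagged, as an added IOS example that is not part of this thread or of Neil's posted config: it makes the 851W itself translate its two inside subnets to 192.168.1.4 on FastEthernet4, the address the router's own pings already leave with and that the upstream firewall evidently handles. The ISP-side addresses are masked on the page, so <ISP-address> is a placeholder; pointing the default route at 192.168.1.1 is an assumption based on that address already being the next hop for 166.82.62.0/24; the ACL name NAT-INSIDE is made up here.

```cisco
! Added example, not from the thread. Assumes the office router is reachable at
! 192.168.1.1 and that <ISP-address> is replaced with a real ISP-side address.
!
! 1. Reproduce the PC symptom from the router console before changing anything:
!    an unsourced ping leaves from 192.168.1.4 (FastEthernet4), a ping sourced from
!    an inside address leaves exactly as a LAN or wireless PC would.
ping <ISP-address>
ping <ISP-address> source 192.168.2.1
ping <ISP-address> source 192.168.3.1
!
! 2. Route cleanup: the connected subnet needs no static, and with no other routing
!    source there is no reason for floating statics with distance 2.
configure terminal
no ip route 192.168.1.0 255.255.255.0 FastEthernet4
no ip route 0.0.0.0 0.0.0.0 166.82.xx.xx 2
no ip route 166.82.62.0 255.255.255.0 192.168.1.1 2
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! 3. Give wireless clients a default router that is actually on their subnet.
ip dhcp pool vlan1
 default-router 192.168.3.1
!
! 4. Translate only the two inside subnets (PAT onto the FastEthernet4 address);
!    anything else that reaches the outside interface is left untranslated.
ip access-list standard NAT-INSIDE
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
!
interface FastEthernet4
 ip nat outside
!
interface BVI1
 ip nat inside
!
interface Dot11Radio0.1
 ip nat inside
!
ip nat inside source list NAT-INSIDE interface FastEthernet4 overload
end
!
! 5. Verify: after a PC on 192.168.2.x or 192.168.3.x sends traffic outward, the
!    translation table should show its address mapped to 192.168.1.4.
show ip nat translations
show ip nat statistics
show ip route
```

The sourced pings in step 1 are the useful diagnostic on their own: if the unsourced ping answers and the sourced ones do not, the 851W is forwarding correctly and the missing piece is a translation for 192.168.2.0/24 and 192.168.3.0/24 somewhere on the path, which is exactly the conclusion Rick reaches. Translating on the 851W is one place to add it; a rule on the upstream firewall for those two subnets would serve the same purpose.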

neilllittle Fri, 12/14/2007 - 08:39

>I believe you that the Firewall rule may be permitting this traffic. But I suspect that the lack of a translation rule for this traffic is the problem.

I conclude then that the root cause is between the 851 LAN interface and the WAN interface. It is puzzling because I removed the NAT and Firewall on the 851 router.

In previous troubleshooting I think I eliminated the possibility that a translation issue was caused by a NAT or Firewall on the other (Linksys) routers. My second test was conducted on the public network without a NAT or firewall in between the LAN and ISP.

>Also, a PC connected on the 851 that is connected to a LAN on the Public LAN's router (office lan eliminated) can ping the WAN interface of the Public LAN's router, but not the next hop (ISP's network).

>PC->[851]->[BEFSR81]->ISP
