Added a 1711 to the mix - trouble allowing traffic

Unanswered Question
Feb 13th, 2008

I recently added a 1711 router to one of our remote offices that was previously running only with a Linksys/Cisco WRV54G router (in gateway mode, firewall enabled, block anonymous WAN request enabled). See the attached picture and configuration of the 1711.


Can someone help explain why a client connected to the wireless router (192.168.199.0/24) can only pass DNS and ICMP to the internet and back with success (this seems to me to rule out any NAT or route issues), while all other attempts show that connections are attempted from the client but never actually established?


I have enabled an inspection map that should allow all ICMP, HTTP(s), TCP, UDP, and fragment (though I'm not sure I need the fragment) return traffic (established internally) from the internet.


One last thought, which I didn't get around to trying, is to see if a client connected directly to VLAN1 (instead of the Linksys) will have the expected internet access. Must the Linksys operate in router mode given my current configuration, or does it even matter? If so, what implications on routing does that have (if any)?


Thanks Everyone!



Rick Morris Wed, 02/13/2008 - 12:27

I am no expert on connections like this so I will attempt to help to maybe bounce some ideas off of.


In your config you have VLAN 2 with an IP range of 192.168.198.0, but nothing in your drawing has that IP subnet applied. You also have VLAN 2 assigned to FastEthernet 2.


You have VLAN 1 built but not assigned.

Try assigning VLAN 1 to FastEthernet 1.


From the router can you ping the Linksys?

From the linksys can you ping the router?


I assume from the config that the Linksys is assigning DHCP in the 192.168.199.0/24 range, and then in the Linksys you are allowing traffic from one network to talk to the router on VLAN 1?


Just ideas. I hope it helps.

bsisco Wed, 02/13/2008 - 12:52

Hi Engagerocks


Thanks for the reply.


VLAN2 is for the DMZ port (FastEthernet 2), which currently has no devices or hosts. It's not currently relevant to the issue, unless I put a host on the DMZ and experience the same issue. I'll try that tonight.


As for VLAN1, interesting. I hadn't noticed that it was not applied to an interface, which makes things even more odd, because I have the Linksys router attached to that interface, its WAN port is DHCP configured, and it gets an IP address from VLAN1's pool 192.168.200.0 (it gets 192.168.200.1). That thought hadn't occurred to me, and I wonder why VLAN1 is talking on FastEthernet 1.


As for the ping tests I can:

successfully ping the inside of the Linksys 192.168.199.1, the outside of the Linksys 192.168.200.1, VLAN1 192.168.200.254, FastEthernet 0 (my public IP address), and I can ping www.google.com and other internet addresses.


From the router I can ping internally and externally.


I'll try a few more things tonight and post my results.

Rick Morris Wed, 02/13/2008 - 12:57

As I understand it:


You pull an IP from the router to the Linksys, and the hosts connected to the Linksys pull a DHCP address?


Is that correct?

From the host, try a tracert and see where it dies. I would be interested in knowing that.

bsisco Wed, 02/13/2008 - 13:57

Will do. (Tonight, as the router is not currently accessible.)


Also to note: I can currently connect to the configured VPN profile, but I cannot access any of the .200.0 clients despite that being my route; I get a 'destination unreachable' from the outside IP address of my router (1711), also not exactly what I expected. The tunnel was built based on a split tunneling example in Cisco's documentation.

bsisco Wed, 02/13/2008 - 18:04

Yes.


Tracert shows a full path to http://www.yahoo.com both with my client directly connected to interface 1 and wirelessly through the Linksys.


DNS works as well via both connections.


I tried to apply VLAN 1 to FastEthernet 1, and despite entering 'switchport access vlan 1' and the router accepting the command, it does not show. I think this may be intended, considering the physical interface is located on the 4-port Ethernet switch module.


I tried applying rules that read

allow ip any any

on both fastethernet0 in and vlan1 in, but I get the exact same results (even after a 'clear ip nat trans *').


Last but not least, here's a snippet of the 'sh ip nat trans'. Looks like it's doing what it's supposed to:

Pro  Inside global        Inside local         Outside local        Outside global
tcp  my.pub.ip.84:4470    192.168.200.4:4470   72.14.253.82:80      72.14.253.82:80
tcp  my.pub.ip.84:4471    192.168.200.4:4471   72.14.253.82:80      72.14.253.82:80

bsisco Mon, 02/18/2008 - 10:55

Turned out the issue was the IP CEF command. This is twice this command has bit me in the a$$. I take it that the command is not widely supported, despite the fact that the lock-down assessment of my router advises me to enable it.
