Simple VLAN can't access internet

Answered Question
Jun 26th, 2010

I am trying to learn about VLANs and attempting to create a 2nd VLAN on my Cisco 871 router on FastEthernet #3 as a secure "guest" network. I can't get my 2nd VLAN to access the internet.

VLAN1 (default): 192.168.3.1 255.255.255.0

VLAN2: 192.168.4.1 255.255.255.0  configured on FastEthernet #3

On VLAN2 I can get an address from the DHCP server and I can ping 192.168.4.1 and 192.168.3.1. However, I cannot access the internet or ping the WAN gateway on VLAN2. I have assigned FE3 to VLAN2, added the 2nd VLAN subnet to the DHCP pool and added the 2nd VLAN subnet to the NAT ACL. What am I missing? Do I need to add a static route? I would be confused if this were the case, since I don't see any static routes defined for the default VLAN. I believe you can have 2 VLANs on the 871.

Unfortunately I am using CCP mainly for config, but can sort of make my way through the CLI. Here are the relevant sections of my config. Sorry if CCP put extra junk in it, or if I deleted too much.

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T3,
ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE
System image file is "flash:c870-advipservicesk9-mz.124-15.T3.bin"

version 12.4

no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.4.1 192.168.4.99
ip dhcp excluded-address 192.168.4.201 192.168.4.254
ip dhcp excluded-address 192.168.3.1 192.168.3.99
ip dhcp excluded-address 192.168.3.151 192.168.3.254

!
ip dhcp pool DHCP_Pool
   import all
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server 192.168.3.12 167.206.251.129
!
ip dhcp pool DHCP_Vlan2
   import all
   network 192.168.4.0 255.255.255.0
   dns-server 192.168.3.12 167.206.251.129
   default-router 192.168.3.1
!
!
ip port-map user-1401-1410 port tcp from 1402 to 1410  description FTP Data Ports
ip port-map user-protocol--1 port tcp 7001
ip port-map user-ftp-1280 port tcp 1280 list 2 description FTP on Port 1280
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface FastEthernet4
description $ETH-WAN$$FW_OUTSIDE$$ES_WAN$
ip address dhcp client-id FastEthernet4 hostname Cisco-Router
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
ip nat inside
ip virtual-reassembly
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Vlan2
ip address 192.168.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.3.200 192.168.3.210
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
ip nat inside source list 3 interface FastEthernet4 overload
!
!
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.3.0 0.0.0.255
access-list 3 permit 192.168.4.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.3.21

Correct Answer
Hitesh Vinzoda Sat, 06/26/2010 - 21:32

Hi,

So far I can see one problem with the config, and that is

ip dhcp pool DHCP_Vlan2
   import all
   network 192.168.4.0 255.255.255.0
   dns-server 192.168.3.12 167.206.251.129
   default-router 192.168.3.1

It should be 192.168.4.1.

Change it and give it a try

HTH

Hitesh Vinzoda

Pls rate useful posts

Ganesh Hariharan Sat, 06/26/2010 - 22:40

As pointed out by Hitesh, change the default router IP for VLAN 2 in the DHCP pool and try to access the internet from a VLAN 2 host.

Hope to Help !!

Ganesh.H

chrisdohan Sun, 06/27/2010 - 07:29

Thanks for replying. I did change the VLAN2 DHCP pool to 192.168.4.1 as suggested and made sure my clients refreshed their config. However, same problem remains. I still can't ping outside addresses including my ISP's gateway. I can ping the router gateway 192.168.4.1 and the external public IP address, but that's it.

Any additional steps to debug this problem? I can access/ping the IP addresses from within the router and the first default VLAN.

Thank you for your time so far.

chrisdohan Sun, 06/27/2010 - 09:52

I figured it out. I took a close look at the difference between VLAN1 and VLAN2:

interface Vlan1
description $FW_INSIDE$
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Vlan2
ip address 192.168.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly

and noticed that VLAN2 does not have the "zone-member security in-zone" line. I have a firewall configured for this router and the firewall was blocking the connections on VLAN2. I really don't understand the firewall at all for this router, so I need to learn about that next. I also purposely deleted most of the firewall rules in my posted config to make it shorter.

Last question would be, if I want to block interVLAN communication, is this generally done by firewall rules or NAT ACLs?

Richard Burts Sun, 06/27/2010 - 21:43

Chris

I do not see how NAT ACLs would prevent inter-VLAN traffic. I believe that the usual solution would be implementation of an access list/access-group on the VLAN interfaces.

HTH

Rick

chrisdohan Mon, 06/28/2010 - 07:05

Thanks. I learned a lot from this test setup. Yes, NAT ACLs make no sense. Blocking inter-VLAN traffic seems to work as expected with normal access lists attached to the VLAN interface.

Thanks again.
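The two fixes the thread arrived at (the DHCP default-router, the missing zone-member on Vlan2) together with the inter-VLAN access list Rick suggested, written out as one added example that is not the poster's config: the ACL name GUEST_IN and the interface description are assumptions; addresses, zone name and pool names are the thread's own. Because DHCP_Vlan2 hands guests the internal DNS server 192.168.3.12, a blanket deny toward 192.168.3.0/24 would break name resolution on the guest VLAN, so that one host/port is permitted before the deny.

```cisco
! Guest VLAN isolation on the 871 (added example; names GUEST_IN and
! description "GUEST" are assumed, everything else comes from the thread)
ip access-list extended GUEST_IN
 remark guests must still reach the router's own DHCP server
 permit udp any eq bootpc any eq bootps
 remark DHCP_Vlan2 hands out 192.168.3.12 as DNS, so allow just that
 permit udp 192.168.4.0 0.0.0.255 host 192.168.3.12 eq domain
 remark block everything else toward the primary LAN (this also covers
 remark the EZVPN clients in SDM_POOL_1, 192.168.3.200-210)
 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
 remark anything else leaves via NAT on FastEthernet4
 permit ip 192.168.4.0 0.0.0.255 any
!
interface Vlan2
 description GUEST
 ip address 192.168.4.1 255.255.255.0
 ip access-group GUEST_IN in
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
ip dhcp pool DHCP_Vlan2
   import all
   network 192.168.4.0 255.255.255.0
   dns-server 192.168.3.12 167.206.251.129
   default-router 192.168.4.1
```

After applying it, `show ip access-lists GUEST_IN` shows per-entry hit counts, which is the quickest way to confirm that guest traffic toward 192.168.3.0/24 is hitting the deny line while DNS and internet traffic match the permits.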
