Cisco 1841 - Routing Question

andy.dodd

Hi,

I have just started studying for my CCNA at the moment and I am starting to collect routers and switches for my own lab. I have just got a Cisco 1841 and I plan on using it as my main home router. However, I am having a few problems with the setup at the moment.

On the router which I am trying to use I am trying to configure FA0/0 & FA0/1 for two separate networks.

Internet -- (WIC-1ADSL) - Cisco 1841 ------ FA0/0 - Wired Network - Switch
                                     ------ FA0/1 - Wireless Network - AP

FA0/0 (Wired Network): on a PC connected to this network I am able to get out to the Internet and also ping any IP on 192.168.0.0/24, which is all working as it should. However, from the PC I can ping the port FA0/1 (192.168.1.254/24) but not the AP within that subnet, whereas on the router I am able to ping the AP. The AP is also able to get a connection to the Internet but has the same problems as the PC.

Am I missing an ACL, or do I have to VLAN the ports off?

Many Thanks

Accepted Solution

Hello,

In the route-map based configuration, we are asking the router to apply the NAT rule only to Internet-bound traffic and to deny the NAT rule for local traffic. In the earlier configuration you had, you were allowing NAT for all traffic. You do not need to tie the access-lists down to specific ports, but just make sure that you are denying local traffic.

Regards,

NT


15 Replies

Hi,

You have two separate subnets directly connected to the 1841.

F0/0 and F0/1

If they are directly connected to the router (meaning there's no Layer 3 device in between), then you don't need any routes because both subnets have the router as their default gateway.

So, if you want to talk from a device on F0/0 to a device on F0/1 or vice versa, the device will send the packets to its default gateway (the interface on the router), and the router will know how to route the packets out of the other interface.

You might have a NAT statement or an ACL not allowing this traffic.

If you do a "sh ip int brief" on the router, do you see the default gateways for both networks assigned to F0/0 and F0/1?

Federico.

Hi Federico Coto Fajardo,

Many thanks for the quick reply. All devices are directly connected to the router. However, if I ping the IP address on the router it all works fine.

So I am guessing I am missing an ACL?

Here is the output from the #sh ip int brief

Cisco1841#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.0.254   YES NVRAM  up                    up
FastEthernet0/1            192.168.1.254   YES NVRAM  up                    up
ATM0/0/0                   unassigned      YES NVRAM  up                    up
NVI0                       192.168.0.254   YES unset  up                    up
SSLVPN-VIF0                unassigned      NO  unset  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
Dialer1                    82.69.X.X       YES IPCP   up                    up
Cisco1841#

Also here is my current running config

Cisco1841#show run
Building configuration...

Current configuration : 2529 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco1841
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
no logging console
!
aaa new-model
!
aaa session-id common
dot11 syslog
ip source-route
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.0.254
!
ip dhcp pool Wired_Range
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.254
   dns-server 212.23.3.100 212.23.6.100
   lease 4
!
ip dhcp pool Wireless_Range
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   dns-server 212.23.3.100 212.23.6.100
   lease 4
!
ip cef
ip domain name home.local
ip name-server 212.23.3.100
ip name-server 212.23.6.100
no ipv6 cef
!
multilink bundle-name authenticated
!
username admin privilege 15 password 7
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 description Wired Local Network
 ip address 192.168.0.254 255.255.255.0
 ip access-group 150 out
 ip nat inside
 no ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Wireless Internal Network
 ip address 192.168.1.254 255.255.255.0
 ip access-group 160 out
 ip nat inside
 no ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer1
 description WIC1-ADSL Dialer to Zen Internet
 mtu 1478
 ip address negotiated
 ip access-group 101 in
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp chap hostname
 ppp chap password 7
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 5 interface Dialer1 overload
!
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 101 deny   icmp any any echo
access-list 101 permit ip any any
no cdp run
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password 7
 transport input ssh
!
scheduler allocate 20000 1000
end

Some comments:

Both interfaces have ACL 150 and ACL 160 applied, but they don't exist in the configuration.
Could you remove them and try again?

int fa0/0
no ip access-group 150 out

int fas 0/1
no ip access-group 160 out

I see there's NAT to get out to the Internet, but no NAT between the internal interfaces (which is ok).
Please try again.

Federico.

I have removed both ACLs with no luck.

Cisco1841#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Cisco1841#

PC1:

C:\Users\Andy>ping 192.168.1.254

Pinging 192.168.1.254 with 32 bytes of data:
Reply from 192.168.1.254: bytes=32 time<1ms TTL=255
Reply from 192.168.1.254: bytes=32 time<1ms TTL=255
Reply from 192.168.1.254: bytes=32 time<1ms TTL=255
Reply from 192.168.1.254: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.1.254:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\Andy>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\Andy>

Do these tests:

From the router:
ping 192.168.0.x  --> which is the computer on that segment
ping 192.168.1.x  --> which is the computer on this other segment

Both results should be positive.
If you have any problems there, make sure there's no firewall (Windows firewall enabled on the PCs).

Then still from the router:
ping 192.168.0.x source 192.168.1.254
ping 192.168.1.x source 192.168.0.254

The above tests are to make sure that you can reach each subnet from the router (but from the other interface).

If you have a problem with this let us know, otherwise you should be able to PING between PCs.

Federico.

Here are the results from the tests. Do I need to add in an ip route or ACL? i.e. ip route 192.168.0.0 0.255.255.255 fa0/0?

Cisco1841#ping 192.168.0.16
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.16, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Cisco1841#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Cisco1841#ping 192.168.0.16 source 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.16, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.254
.....
Success rate is 0 percent (0/5)

Cisco1841#ping 192.168.1.1 source 192.168.0.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.254
.....
Success rate is 0 percent (0/5)
Cisco1841#

Are you positive that the default gateway for the 192.168.0.16 is 192.168.0.254?
As well for 192.168.1.1 default gateway 192.168.1.254?

Federico.

I am 99% sure both gateways are correct, as both subnets have access to the internet but not each other.

Please attach again the following:

sh run int fa0/0
sh run int fas0/1

Also, we can enable logs:

logging on
logging buffered 7
show log
ter mon

So, when you try communication between the two subnets, check the output of "show log" to see where the problem is.

Federico.

Hello,

Most likely, your NAT could be interfering with the traffic. Please try the following:

no ip nat inside source list 5 interface Dialer1 overload
no access-list 5 permit 192.168.0.0 0.0.0.255
no access-list 5 permit 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
route-map Internet
 match ip address 101
 exit
ip nat inside source route-map Internet interface Dialer1 overload

Hope this helps.

Regards,

NT

Hi nagaraja,

I reckon that instead of the last two commands below,

access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.0.255 any

we need to put the one command below:

access-list 101 permit ip any any

Please correct me if I am wrong.

Hello Vinod,

Generally, you do not add "ip any any" in the NAT ACL because, if the NAT function malfunctions, it could try to NAT traffic from outside to inside as well. So, it is a good idea to be more specific in the access-lists used in NAT rules (for the routers). But otherwise, you could use "ip any any".

Regards,

NT

andy.dodd

Thanks for all the suggestions. I'll try each method out once I return home later this evening and report back.

Here is the output of sh run int fa0/0 & fa0/1:

Cisco1841#sh run int fa0/0
Building configuration...

Current configuration : 172 bytes
!
interface FastEthernet0/0
 description Wired Local Network
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 duplex auto
 speed auto
end

Cisco1841#sh run int fa0/1
Building configuration...

Current configuration : 178 bytes
!
interface FastEthernet0/1
 description Wireless Internal Network
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 duplex auto
 speed auto
end

After trying most of the things in this thread, this seems to work:

route-map Internet
 match ip address 101
 exit
ip nat inside source route-map Internet interface Dialer1 overload

What is the difference between the above and the old config?

ip nat inside source list 5 interface Dialer1 overload

!

access-list 5 permit 192.168.0.0 0.0.0.255

access-list 5 permit 192.168.1.0 0.0.0.255

Just so I can understand where I went wrong. Many thanks to all who helped.

What is the best practice for ACLs that are NAT'ed? Is it worth locking them down to the ports used, i.e. 80, 443, etc.?

Thanks
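To make the difference between the two NAT rules concrete, here is an added example that is not from the thread or from Cisco: a small Python model of IOS access-list evaluation (top-down, first match wins, implicit deny at the end) applied to the NAT decision. It reuses the thread's `access-list 5` lines unchanged and adds a constructed extended ACL, numbered 120 here as an arbitrary choice, that denies the two LAN-to-LAN directions before permitting each LAN to anywhere; the sample packets and the 198.51.100.10 Internet address are constructed too. It also shows why line order matters: IOS appends new entries to the end of an existing numbered ACL, so deny lines typed after a `permit ip any any` are never reached, and that `permit ip any any` also selects Internet-sourced packets, which is the point NT raises above about being specific in NAT ACLs.

```python
"""Model of how IOS decides whether a packet is selected for NAT.

A numbered ACL is evaluated top-down, first match wins, and an unmatched packet
hits the implicit deny. 'ip nat inside source list N ...' and a route-map doing
'match ip address N' both translate a packet exactly when ACL N permits it.
Constructed illustration; nothing here is output from the thread's router."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    proto: str                       # icmp / tcp / udp
    src: str
    dst: str
    dport: Optional[int] = None      # tcp/udp destination port
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply"

@dataclass(frozen=True)
class Entry:
    action: str                      # permit / deny
    proto: str                       # ip / icmp / tcp / udp
    src: tuple                       # (address as int, wildcard as int)
    dst: tuple
    dport: Optional[int]
    icmp_type: Optional[str]

ANY = (0, 0xFFFFFFFF)                # wildcard of all ones: every bit is "don't care"

def _addr_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    addr = int(ipaddress.IPv4Address(t))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0))) if tokens else 0
    return (addr, wildcard)

def _matches(spec, ip):
    """Compare only the bits the wildcard leaves fixed (a 1 bit means 'ignore')."""
    addr, wildcard = spec
    fixed = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & fixed == addr & fixed

def parse_acls(config):
    """Return {number: [Entry, ...]} from 'access-list N ...' lines, kept in the
    order given, which is the order IOS evaluates them (new lines go to the end)."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if number <= 99:                          # standard ACL: source only
            entry = Entry(action, "ip", _addr_spec(rest), ANY, None, None)
        else:                                     # extended ACL: proto, src, dst, qualifiers
            proto = rest.pop(0)
            src, dst = _addr_spec(rest), _addr_spec(rest)
            dport = int(rest[1]) if proto in ("tcp", "udp") and rest[:1] == ["eq"] else None
            icmp_type = rest[0] if proto == "icmp" and rest else None
            entry = Entry(action, proto, src, dst, dport, icmp_type)
        acls.setdefault(number, []).append(entry)
    return acls

def acl_permits(entries, flow):
    """First matching entry decides; no match is the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if not (_matches(e.src, flow.src) and _matches(e.dst, flow.dst)):
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        if e.icmp_type is not None and e.icmp_type != flow.icmp_type:
            continue
        return e.action == "permit"
    return False

# The thread's original rule: a standard ACL cannot look at the destination,
# so it selects every packet sourced from either LAN for translation.
OLD_CONFIG = """
ip nat inside source list 5 interface Dialer1 overload
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 permit 192.168.1.0 0.0.0.255
"""
# Constructed replacement (ACL 120 is an arbitrary number): deny LAN-to-LAN first,
# then permit each LAN to anywhere, so Internet-sourced packets never match.
NEW_CONFIG = """
access-list 120 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
route-map Internet permit 10
 match ip address 120
ip nat inside source route-map Internet interface Dialer1 overload
"""
# The same denies typed after an existing 'permit ip any any': never reached.
MISORDERED_CONFIG = """
access-list 121 permit ip any any
access-list 121 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
SAMPLE_FLOWS = {                                  # constructed sample packets
    "wired PC -> wireless AP": Flow("icmp", "192.168.0.16", "192.168.1.1", icmp_type="echo"),
    "wireless AP -> wired PC": Flow("icmp", "192.168.1.1", "192.168.0.16", icmp_type="echo"),
    "wired PC -> Internet":    Flow("tcp", "192.168.0.16", "198.51.100.10", dport=443),
    "Internet -> wired PC":    Flow("tcp", "198.51.100.10", "192.168.0.16", dport=443),
}

def nat_matrix(config, acl_number):
    """For each sample flow: would a NAT rule keyed on this ACL translate it?"""
    acls = parse_acls(config)
    return {name: acl_permits(acls.get(acl_number, []), f) for name, f in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for label, cfg, n in (("old: list 5", OLD_CONFIG, 5),
                          ("route-map with ACL 120", NEW_CONFIG, 120),
                          ("misordered ACL 121", MISORDERED_CONFIG, 121)):
        print(label)
        for name, hit in nat_matrix(cfg, n).items():
            print(f"  {name:24s} translated: {'yes' if hit else 'no'}")
```

The model covers only the ACL test that the NAT rule applies. Whether the router consults that rule at all for a packet that arrives on one `ip nat inside` interface and leaves on another depends on the NAT mode in use (classic domain-based NAT only translates packets crossing between an inside and an outside interface; the `NVI0` interface in the `sh ip int brief` output above belongs to the NAT virtual interface feature), so on the real router `show ip nat translations` and `debug ip nat` remain the final word on what is being translated.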
