12-12-2007 01:27 PM - edited 03-05-2019 07:58 PM
I have a Cisco 851W router which is connected to our office LAN (Firewall/NAT). Our office LAN is connected to our public network which then connects to the internet through a bridged DSL modem to our ISP.
I have static routes set on the office and public LAN routers I can ping from the public network all the way to the 851W (including the wireless lan).
On the 851W I have set a default route on the 851W to the next hop. I have set static routes to the other segments of the LAN.
The problem is that I am unable to receive an answer to my ping(s) past the public router's WAN interface. I know that it is not a firewall issue as I dropped the NAT/Firewall just to verify.
Any help would be appreciated
Here is part of the running config
ip dhcp pool sdm-pool1
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 166.82.xx.xx 166.82.xx.xx
!
ip dhcp pool vlan1
import all
network 192.168.3.0 255.255.255.0
default-router 192.168.2.1
dns-server 166.82.xx.xx 166.82.xx.xx
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address 192.168.1.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
!
interface BVI1
description $ES_LAN$
ip address 192.168.2.1 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1412
Thanks in advance,
Neil
12-12-2007 01:44 PM
Neil
I see a few things but am not sure if any of them are the real source of your problem.
- I see interface BVI1 but not what is bridged to the BVI or any other sign of IRB.
- I see that DHCP pool named vlan1 specifies network 192.168.3.0 255.255.255.0 but the default router that it specifies is in 192.168.2.1 and not in the same network.
- I do not see any routing statements on the router. How does it know how to get to any remote address?
HTH
Rick
12-12-2007 02:05 PM
OK, I guess I cut out too much. Here is the complete config.
Current configuration : 4993 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname GSC851Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.151 192.168.2.254
ip dhcp excluded-address 192.168.3.1 192.168.3.99
ip dhcp excluded-address 192.168.3.151 192.168.3.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 166.82.xx.xx 166.82.xx.xx
!
ip dhcp pool vlan1
import all
network 192.168.3.0 255.255.255.0
default-router 192.168.2.1
dns-server 166.82.xx.xx 166.82.xx.xx
!
!
ip cef
ip tcp synwait-time 10
no ip bootp server
ip name-server 166.82.xx.xx
ip name-server 166.82.xx.xx
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-1683273127
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1683273127
revocation-check none
rsakeypair TP-self-signed-1683273127
!
!
crypto pki certificate chain TP-self-signed-1683273127
certificate self-signed 01
xxxxxxxxx
quit
username gsc851 privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address 192.168.1.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
!
broadcast-key vlan 1 change 45 membership-termination
!
!
encryption vlan 1 mode ciphers tkip
!
ssid gsc851
vlan 1
authentication open
authentication key-management wpa
guest-mode
infrastructure-ssid optional
wpa-psk ascii 7 xxxxxxxxxxxxxxxxx
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$
ip address 192.168.2.1 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip classless
ip route 0.0.0.0 0.0.0.0 166.82.xx.xx 2
ip route 166.82.62.0 255.255.255.0 192.168.1.1 2
ip route 192.168.1.0 255.255.255.0 FastEthernet4
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging trap debugging
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
12-13-2007 05:13 AM
Neil
Seeing the full config is helpful - especially for resolving the incomplete reference to IRB. I have a couple of comments though I am not sure that I have fully identified the problem:
- the static route: ip route 192.168.1.0 255.255.255.0 FastEthernet4 is not necessary. Since the 192.168.1.0/24 is a connected subnet it will already be in the routing table.
- both other static routes are set up as floating statics with administrative distance of 2. Why is this? With no other routing logic why do you need floating statics?
- I do not understand the DHCP pool vlan1. The name suggests that it is for VLAN 1 but the addressing of the pool does not match the addressing of VLAN 1. Since any DHCP request from any client in VLAN 1 will come through the BVI it will get an address from the 192.168.2.0 network in pool sdm-pool1. I do not see that the addresses in pool vlan1 ever get used. And there is the issue that the default router defined in the pool is not valid for that pool.
- I see a statement for nat inside on interface Dot11Radio0.1 but do not see any other NAT configuration. If you are not doing NAT on this router I suggest that you remove the ip nat inside command.
I wonder if the problem might be that your firewall/NAT on whatever device it is configured on might not be doing proper translation for the addresses on this router. Can you tell us how it is set up on that device?
HTH
Rick
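The three findings Rick raises across his two replies (a DHCP pool whose default-router lies outside the pool's own network, a static route for a subnet that is already connected, and floating statics with no other routing source) are all mechanical checks, so here is a small audit script that performs them. This is an added example and not something posted in the thread; it parses a constructed excerpt modelled on Neil's config, with the masked 166.82.xx.xx next hop replaced by the documentation address 192.0.2.1 so it runs offline.

```python
"""Audit DHCP pools and static routes in an IOS-style config excerpt."""
import ipaddress
import re

# Constructed excerpt modelled on the posted config. The masked ISP next hop
# (166.82.xx.xx in the thread) is replaced with the documentation address
# 192.0.2.1 so the example is self-contained.
SAMPLE_CONFIG = """\
ip dhcp pool sdm-pool1
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
!
ip dhcp pool vlan1
 import all
 network 192.168.3.0 255.255.255.0
 default-router 192.168.2.1
!
interface FastEthernet4
 ip address 192.168.1.4 255.255.255.0
!
interface Dot11Radio0.1
 ip address 192.168.3.1 255.255.255.0
!
interface BVI1
 ip address 192.168.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1 2
ip route 166.82.62.0 255.255.255.0 192.168.1.1 2
ip route 192.168.1.0 255.255.255.0 FastEthernet4
"""


def parse_config(text):
    """Return (pools, connected, routes, has_dynamic_routing).

    pools:     {pool name: {"network": IPv4Network, "default_router": IPv4Address}}
    connected: {interface name: IPv4Interface}
    routes:    [(IPv4Network, next hop or egress interface, admin distance or None)]
    """
    pools, connected, routes = {}, {}, []
    section = None  # ("pool", name) or ("intf", name) while inside a block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            section = None
            continue
        if m := re.match(r"ip dhcp pool (\S+)$", line):
            section = ("pool", m.group(1))
            pools[m.group(1)] = {}
        elif m := re.match(r"interface (\S+)$", line):
            section = ("intf", m.group(1))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)(?: (\d+))?$", line):
            net = ipaddress.IPv4Network((m.group(1), m.group(2)))
            routes.append((net, m.group(3), int(m.group(4)) if m.group(4) else None))
        elif section and section[0] == "pool":
            if m := re.match(r"network (\S+) (\S+)$", line):
                pools[section[1]]["network"] = ipaddress.IPv4Network((m.group(1), m.group(2)))
            elif m := re.match(r"default-router (\S+)$", line):
                pools[section[1]]["default_router"] = ipaddress.IPv4Address(m.group(1))
        elif section and section[0] == "intf":
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                connected[section[1]] = ipaddress.IPv4Interface((m.group(1), m.group(2)))
    has_dynamic = re.search(r"^router \S+", text, re.M) is not None
    return pools, connected, routes, has_dynamic


def audit(text):
    """Return human-readable findings, one string per problem."""
    pools, connected, routes, has_dynamic = parse_config(text)
    findings = []
    # 1. The default-router handed out by a pool must sit inside the pool's network.
    for name, pool in pools.items():
        net, gw = pool.get("network"), pool.get("default_router")
        if net and gw and gw not in net:
            findings.append(f"pool {name}: default-router {gw} is not in {net}")
    for net, nexthop, ad in routes:
        # 2. A static for a directly connected subnet duplicates the connected route.
        for intf, ifaddr in connected.items():
            if net == ifaddr.network:
                findings.append(f"route {net}: redundant, already connected via {intf}")
        # 3. A raised administrative distance only matters if another source could win.
        if ad is not None and ad > 1 and not has_dynamic:
            findings.append(f"route {net}: floating static (AD {ad}) with no other routing source")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the excerpt it flags the vlan1 pool, the connected 192.168.1.0/24 static, and both AD 2 routes, and says nothing about sdm-pool1, which matches Rick's reading.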
12-13-2007 09:33 AM
Rick,
I admit subnetting is my weak point as well as Cisco IOS. It has mostly been a book in one hand while typing with the other.
I have been using the configuration examples I have found on the Cisco website and the Cisco SDM to configure this router.
I cannot say that I understand fully how the different elements in this router relate to each other yet.
For your question about VLAN1: according to the information I gleaned from the document I found to configure the wireless part of the router, VLAN1 is part of the wireless bridge (interface Dot11Radio0[?]).
Looking at the running config (and a book in the other hand) I see where VLAN1 is associated with the ssid, the encryption protocol, and broadcast key for the Dot11Radio0 interface.
So I am thinking that anything coming from the wireless interface goes through VLAN1 and then through the Virtual Bridge Interface (BVI).
I do know that a laptop connected to the router wireless is assigned an address in the range of the dhcp pool associated to VLAN1 (ip dhcp pool vlan1).
The result of pinging/addressing destinations from the wireless interface is the same as pinging/addressing from the fast ethernet ports (FE01 - FE03).
I think I can conclude that VLAN1/Dot11Radio0 is not at issue.
On the ip nat inside on interface Dot11Radio0.1, there was a NAT configured but I removed it to reduce the number of variables to contend with. I guess I missed it.
Routers:
- BEFSR81: Servers, Office LAN (RV042), Static IPs, Firewall/NAT (NAT is disabled).
- RV042: Office LAN, Desktops, DHCP server, Firewall/NAT (Firewall allows traffic from IPs in routed group on BEFSR81)
The 851W router is connected to one of the LAN ports on the RV042 router. With exception of allowing message traffic from the routed group of IP addresses on the public LAN (BEFSR81) the NAT/firewall is still at factory settings.
Dropping both of the Firewalls (and the NAT on RV042) gave the same result.
I also connected the 851W router to the public LAN (BEFSR81 router) with the same result.
I think I can conclude that I am not running into an issue with the firewall/NAT.
So that probably narrows the issue down to Interface BVI1 and Interface FastEthernet4 ...maybe.
Neil
12-13-2007 10:38 AM
Neil
There are two DHCP pools configured. I am not sure why there are two pools and it looks to me like only one pool is really used. Your post says that it is the vlan1 pool. But I wonder about that. It looks to me like the sdm-pool1 is what is used. If you connect a PC to the wireless (or to one of the switched ports on the router) does it get an address in 192.168.2.x or in 192.168.3.x?
I have re-read the thread several times and would like to ask about this statement in the original post:
The problem is that I am unable to receive an answer to my ping(s) past the public router's WAN interface.
Am I correct in understanding from this that a PC connected on the 851 can ping (and otherwise communicate) with devices in the office LAN?
If so I believe that it points more to a problem with NAT going to the outside than it does to a problem with BVI or with FastEthernet4.
HTH
Rick
12-13-2007 11:24 AM
Rick
>If you connect a PC to the wireless (or to one of the switched ports on the router) does it get an address in 192.168.2.x or in 192.168.3.x?
When I connect a PC to the wireless interface the PC gets an address in 192.168.3.x (vlan1 pool)
When I connect a PC to one of fastethernet ports (FE01 - FE03) the PC gets an address in 192.168.2.x (sdm-pool1)
>Am I correct in understanding from this that a PC connected on the 851 can ping (and otherwise communicate) with devices in the office LAN?
Correct.
A PC connected on the 851 can ping (and otherwise communicate) with devices in the office LAN (RV042 router).
Also, a PC connected on the 851 can ping (and otherwise communicate) with devices in the Public LAN (BEFSR81 router). This is the router beyond the office LAN.
A PC connected on the 851 can ping the WAN interface of Public LAN's router (BEFSR81) (through the office LAN), but not the next hop (ISP's network).
PC->[851]->[RV042]->[BEFSR81]->ISP
Also, a PC connected on the 851 that is connected to a LAN on the Public LAN's router (office lan eliminated) can ping the WAN interface of the Public LAN's router, but not the next hop (ISP's network).
PC->[851]->[BEFSR81]->ISP
Neil
12-13-2007 11:50 AM
Neil
The logic of the two DHCP pools still is a bit of a puzzle but I am beginning to understand it somewhat better. The BVI is associated with VLAN 1 and uses the 192.168.2.0 network and devices in the switch ports get 192.168.2.x addresses (sdm-pool1). The radio subinterface uses the 192.168.3.0 network and devices in the wireless get 192.168.3.x addresses. What I was slow to recognize is that the radio subinterface is also associated with VLAN 1. So what that really means is that VLAN 1 has two different subnets associated with it (and uses two different DHCP pools). In normal practice a VLAN has a single subnet associated with it. But it does not break anything for a VLAN to have two different subnets. So I will agree that while it seems a bit odd - there is not anything in the DHCP or in the BVI that is causing the problem.
When you confirm that a PC connected to the 851 can successfully communicate with devices in the Office LAN and the public LAN then I become convinced that the problem is not on the 851. The 851 is routing to "remote" destinations and receiving responses from the remote destinations. I am not sure what would be different about accessing the ISP network - other than the possible issue of NAT. My guess is that devices in the Office LAN and public LAN are getting translated but that devices on the 851 are not getting translated.
Can you tell me anything else about how NAT is set up for this network?
HTH
Rick
12-13-2007 02:29 PM
Rick
>The logic of the two DHCP pools still is a bit of a puzzle.
Not to divert the issue but I take it that the Dot11radio interface is able to be placed in the same DHCP pool?
>Can you tell me anything else about how NAT is set up for this network?
I think that the only thing I can add is that the Office LAN router (RV042) has only one Firewall rule. That is it allows all traffic from the WAN interface from the IP range of my routed group. The WAN interface is a static IP configured to an IP in the routed group.
One other thing I just discovered. I logged into the router interface (disdaining the SDM) and was able to ping IP addresses off the ISP's network.
Pinging from a laptop in the shell ...er, CMD line, those same IP addresses still will not return anything.
So where is that ping on the router coming from? After the BVI1 interface or where?
12-13-2007 08:55 PM
Neil
I believe that this is helpful information.
When you do a ping on the router it uses the IP address of the outbound interface as its source address. So if you are on the router interface and ping to the ISP it will use the 192.168.1.4 address as its source. And I believe that going out through the firewall that address gets translated. But the 192.168.2.x and 192.168.3.x are not getting translated.
One clarification: this post and at least one other have talked about a Firewall rule that permits the outbound traffic. The Firewall rule permitting traffic is not the same thing as address translation which the Firewall is probably doing. I believe you that the Firewall rule may be permitting this traffic. But I suspect that the lack of a translation rule for this traffic is the problem.
Also not to divert: I see no reason why the VLAN 1 ports in the router switch module and the radio could not use the same DHCP pool.
HTH
Rick
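Rick's explanation above rests on two points: a router-originated ping is sourced from the egress interface address, and the upstream firewall translates only the sources its NAT rule covers. The following model traces a packet hop by hop and asks whether the ISP side can route a reply back to the source address that actually arrives. It is an added example, not part of the thread, and it encodes Rick's hypothesis rather than a confirmed fact about Neil's network: the topology is the second test in the thread (PC -> [851] -> upstream firewall -> ISP), the upstream device is assumed to translate only its own 192.168.1.0/24 LAN, and the public addresses (203.0.113.0/24, 198.51.100.0/24) are constructed documentation ranges standing in for the masked ones in the posts.

```python
"""Trace a ping through an upstream NAT device and test reply routability."""
import ipaddress
from dataclasses import dataclass, field

IP, Net, Intf = ipaddress.ip_address, ipaddress.ip_network, ipaddress.ip_interface


@dataclass
class Device:
    name: str
    interfaces: dict                      # interface name -> IPv4Interface
    routes: list                          # static routes: (IPv4Network, next hop IPv4Address)
    nat_inside: list = field(default_factory=list)  # source networks translated on egress
    nat_outside: str = ""                 # egress interface whose address replaces them

    def connected_interface(self, addr):
        """Name of the interface whose subnet contains addr, or None."""
        for intf, ifaddr in self.interfaces.items():
            if addr in ifaddr.network:
                return intf
        return None

    def route(self, dst):
        """Longest-prefix match over connected subnets and statics -> (egress, next hop)."""
        best = None  # (prefixlen, egress interface, next hop)
        for intf, ifaddr in self.interfaces.items():
            if dst in ifaddr.network and (best is None or ifaddr.network.prefixlen > best[0]):
                best = (ifaddr.network.prefixlen, intf, dst)
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, self.connected_interface(nh), nh)
        if best is None or best[1] is None:  # no route, or next hop not on a connected subnet
            return None
        return best[1], best[2]

    def forward(self, src, dst):
        """Route dst and apply inside-source NAT; returns (egress, next hop, src after NAT)."""
        hop = self.route(dst)
        if hop is None:
            return None
        intf, nh = hop
        # Only sources covered by nat_inside are rewritten to the outside address;
        # anything else leaves the device with its private source intact.
        if intf == self.nat_outside and any(src in n for n in self.nat_inside):
            src = self.interfaces[intf].ip
        return intf, nh, src


def router_ping_source(device, dst):
    """IOS sources a router-originated ping from the egress interface address."""
    intf, _ = device.route(dst)
    return device.interfaces[intf].ip


def trace(path, isp, src, dst):
    """Push (src, dst) through each device, then ask whether the ISP can route a reply."""
    hops = []
    for dev in path:
        step = dev.forward(src, dst)
        if step is None:
            return {"hops": hops, "dropped_at": dev.name, "reply_routable": False}
        intf, _, src = step
        hops.append((dev.name, intf, str(src)))
    return {"hops": hops, "source_at_isp": src, "reply_routable": isp.route(src) is not None}


# Constructed topology (assumption, not the thread's real addressing beyond the 851).
R851 = Device(
    "851W",
    {"BVI1": Intf("192.168.2.1/24"), "Dot11Radio0.1": Intf("192.168.3.1/24"),
     "FastEthernet4": Intf("192.168.1.4/24")},
    [(Net("0.0.0.0/0"), IP("192.168.1.1"))],
)
UPSTREAM = Device(  # firewall/NAT translating only its own LAN, per Rick's hypothesis
    "upstream-fw",
    {"LAN": Intf("192.168.1.1/24"), "WAN": Intf("203.0.113.10/24")},
    [(Net("0.0.0.0/0"), IP("203.0.113.1"))],
    nat_inside=[Net("192.168.1.0/24")], nat_outside="WAN",
)
UPSTREAM_FIXED = Device(  # same device with translation extended to the 851's subnets
    "upstream-fw-fixed", UPSTREAM.interfaces, UPSTREAM.routes,
    nat_inside=[Net("192.168.1.0/24"), Net("192.168.2.0/24"), Net("192.168.3.0/24")],
    nat_outside="WAN",
)
ISP = Device("isp", {"cust": Intf("203.0.113.1/24"), "core": Intf("198.51.100.254/24")}, [])

if __name__ == "__main__":
    target = IP("198.51.100.1")
    print("PC on BVI1:", trace([R851, UPSTREAM], ISP, IP("192.168.2.50"), target))
    print("router ping:", trace([R851, UPSTREAM], ISP, router_ping_source(R851, target), target))
    print("after fix:", trace([R851, UPSTREAM_FIXED], ISP, IP("192.168.2.50"), target))
```

The model reproduces the symptom Neil describes: the router's own ping arrives at the ISP as 203.0.113.10 and is answered, while a PC in 192.168.2.x or 192.168.3.x arrives with a private source that the ISP has no route back to, so the reply never comes. Extending the upstream translation rule to those subnets is the corresponding fix, which is what Rick is asking Neil to check on the Linksys devices.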
12-14-2007 08:39 AM
>I believe you that the Firewall rule may be permitting this traffic. But I suspect that the lack of a translation rule for this traffic is the problem.
I conclude then that the root cause is between the 851 LAN interface and the WAN interface. It is puzzling because I removed the NAT and Firewall on the 851 router.
In previous troubleshooting I think I eliminated the possibility that a translation issue was caused by a NAT or Firewall on the other (Linksys) routers. My second test was conducted on the public network without a NAT or firewall in between the LAN and ISP.
>Also, a PC connected on the 851 that is connected to a LAN on the Public LAN's router (office lan eliminated) can ping the WAN interface of the Public LAN's router, but not the next hop (ISP's network).
>PC->[851]->[BEFSR81]->ISP