Packets to the Internet only make it back to vlan 1

Here's what seems to be happening.  My internet access is through a crappy Comcast Home Gateway.  The Comcast unit doesn't have any place to add routes.  You can only set up one private address range and that is it.  Behind that router is my little Cisco lab network.  I have 2 vlans and router-on-a-stick configured using an old 2600 router and a 2900 switch.  If I use the computer on vlan 1 (the vlan attached to the Internet gateway) I can access the Internet.  I have DNS working on both vlans by using the DNS server on vlan 1 as the primary.  So vlan 2 can resolve names, ping out to the internet, and can access any services that are available on vlan 1.

The problem comes in when I try to open a web site or other Internet service directly from vlan 2.  I believe that is happening because the Comcast router doesn't have a way to configure a route to vlan 2, so it is probably discarding the packets.  I am not sure how to confirm this since the logging and debugging options on the Comcast gateway are extremely limited.

I know one option is to have Comcast put their router into Bridged mode, but I'd rather not do that because other people use that router to access the internet and there would be some down time involved.  Apparently it is also difficult to get a support person who is even aware that the gateway can be placed into bridged mode.  It can only be done by them using a POTD.

Is there any other way to make this work?  I'm not sure if a proxy server on vlan 1 would be an option or not.

-Roger

CCNA Want-a-be.


14 Replies

John Blakley
VIP Alumni

The only thing that I could suggest is configuring your connected interface that leads to the comcast equipment for nat. The problem is that your Comcast modem knows how to get to one subnet - the lan address that it holds. In order to account for that, you can have multiple subnets on your router, but you would need to nat out as the address of the wan interface on your router so the comcast modem knows how to get back. For example:

Comcast - 192.168.1.1

Your 2600 WAN interface - 192.168.1.2

Your 2600 lan interface vlan 1 - 10.10.10.1/24

your 2600 lan interface vlan 2 - 10.10.20.1/24

! WAN side, facing the Comcast gateway
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
!
! Router-on-a-stick subinterfaces, one per VLAN
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
!
! Both inside subnets are translated to the fa0/0 address (PAT / overload),
! so the Comcast gateway only ever sees 192.168.1.2 and can route replies back
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 10.10.20.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload

HTH,
John

*** Please rate all useful posts ***

I should have been more specific about my setup.  This is almost what I have.  The difference is that my 2611 has a serial WAN interface, so I have the Comcast gateway plugged into vlan 1.  The router is directly connected to each vlan using e0/0 and e0/1.

I guess I could do it your way by doing a trunk on e0/0 and have e0/1 connected to the Comcast gateway... assuming I can use e0/1 as a NAT interface.

Thanks for the help!

I'll rate once other people have had a chance to respond.

John Blakley
VIP Alumni

Can you draw up a quick diagram?

HTH,
John

*** Please rate all useful posts ***

There are two mistakes in the drawing: 

vlan 1 is fa0/1, 0/3-0/7 192.168.10.11

vlan 2 is fa0/2, 0/8-0/12 192.168.20.11.

Sorry about that.

(attached diagram: top2.jpg)

There it is with corrections.

Can you create subinterfaces on your router? I see what you're up against now. Are "vlan 1" and "vlan 2" physically separate switches, or are they a single switch? If they're different switches, you can still nat on the 2611 for the comcast. Comcast will nat the 192.168.10.10 subnet. I'm assuming that your lan side is 192.168.10.1 for the comcast.

So, what you can do is this:

! Only vlan 2 needs translating; vlan 1 is the subnet the Comcast gateway already knows
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
!
! e0/1 faces vlan 2 (inside)
interface Ethernet0/1
 ip nat inside
!
! e0/0 faces vlan 1, where the Comcast gateway sits (outside)
interface Ethernet0/0
 ip nat outside
!
! PAT: vlan 2 sources leave with the e0/0 address, so replies come back to the 2611
ip nat inside source list 100 interface Ethernet0/0 overload

HTH,
John

*** Please rate all useful posts ***
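An added illustration, not code from the thread or from Cisco: a small Python model of the situation John describes in this post and in his first reply. It builds the home gateway as a device that can only deliver into the one LAN subnet it knows (192.168.10.0/24, per the thread) and the 2611 as a PAT ("overload") router whose outside address is assumed to be 192.168.10.10 on e0/0. The sample request/reply traffic, the Internet host address 203.0.113.5 and the port numbers are constructed for the example. It shows the three cases in the thread: a vlan 1 host reaching the Internet directly, a vlan 2 host whose reply the gateway has no route for, and the same vlan 2 host once the 2611 translates it.

```python
# Added model of the thread's topology; constructed sample traffic, not real config.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class HomeGateway:
    """Comcast gateway as the thread describes it: one LAN subnet, no extra routes."""

    def __init__(self, lan_subnet):
        self.lan = ip_network(lan_subnet)

    def deliver_reply(self, pkt):
        """Hand a reply into the LAN only if the destination is in the subnet it knows."""
        return pkt if ip_address(pkt.dst) in self.lan else None


class NatRouter:
    """2611 doing PAT on its outside interface for sources permitted by the ACL."""

    def __init__(self, outside_ip, acl_permit):
        self.outside_ip = outside_ip                  # address of e0/0 (assumed 192.168.10.10)
        self.acl = [ip_network(n) for n in acl_permit]
        self.next_port = 1024
        self.out_table = {}   # (inside src, sport) -> translated source port
        self.in_table = {}    # translated source port -> (inside src, sport)

    def inside_to_outside(self, pkt):
        if not any(ip_address(pkt.src) in n for n in self.acl):
            return pkt        # not matched by access-list 100: routed unchanged
        key = (pkt.src, pkt.sport)
        if key not in self.out_table:
            self.out_table[key] = self.next_port
            self.in_table[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=self.outside_ip, sport=self.out_table[key])

    def outside_to_inside(self, pkt):
        if pkt.dst != self.outside_ip or pkt.dport not in self.in_table:
            return pkt        # no translation state: leave it alone
        src, sport = self.in_table[pkt.dport]
        return replace(pkt, dst=src, dport=sport)


def internet_reply(pkt):
    """A web server answering: swap the addresses and ports."""
    return Packet(src=pkt.dst, dst=pkt.src, sport=pkt.dport, dport=pkt.sport)


def reaches_host(host_ip, gateway, router=None):
    """One request/reply round trip; True if the reply gets back to host_ip."""
    req = Packet(src=host_ip, dst="203.0.113.5", sport=40000, dport=80)  # constructed
    if router is not None:
        req = router.inside_to_outside(req)
    reply = gateway.deliver_reply(internet_reply(req))
    if reply is None:
        return False          # gateway had no route into vlan 2 and dropped it
    if router is not None:
        reply = router.outside_to_inside(reply)
    return reply.dst == host_ip


GATEWAY = HomeGateway("192.168.10.0/24")


def vlan1_host_direct():
    # vlan 1 host talks to the Comcast gateway on its own segment; no 2611 involved
    return reaches_host("192.168.10.11", GATEWAY)


def vlan2_host_no_nat():
    # empty ACL: the 2611 forwards 192.168.20.x unchanged, so the reply is addressed
    # to a subnet the gateway cannot reach
    return reaches_host("192.168.20.11", GATEWAY, NatRouter("192.168.10.10", []))


def vlan2_host_with_nat():
    # access-list 100 permit ip 192.168.20.0 0.0.0.255 any + overload on e0/0
    return reaches_host("192.168.20.11", GATEWAY, NatRouter("192.168.10.10", ["192.168.20.0/24"]))


if __name__ == "__main__":
    print("vlan 1 direct:   ", vlan1_host_direct())
    print("vlan 2, no NAT:  ", vlan2_host_no_nat())
    print("vlan 2, with NAT:", vlan2_host_with_nat())
```

The model keeps one translation per (source, port) pair and never ages entries out, which is enough to show the routing point: the gateway only ever sees the 2611's vlan 1 address, so the overload translation is what makes the return path exist.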

Hi John,

To do sub-interfaces on the 2600, he would need to load IP Plus image, as IP Base will not support it.

HTH

Reza

Yes, that is what I have learned after some research.  Support for dot1q encapsulation was added to the 2610/2611 in IOS v12.2-2T.  I had to upgrade the flash and add a second 32 MB DRAM module before I could load that version.

Roger

Unfortunately I only have one switch and one router in the lab so far.  My goal with this setup is to work on strengthening my grounding in the basics of TCP/IP.

I think my best option at this time is to have Comcast put their gateway into bridged mode.  I have a Linksys VPN router that has a configurable routing table and NAT.  There will just have to be a little downtime.

Thanks for the help.  I needed to make sure I wasn't missing something that was right in front of me.

In all honesty, I can't see a real reason why you would need to bridge your comcast router unless you're wanting to have servers accessible from the outside. Your diagram doesn't match with what you're saying though. You stated that you have a single switch, but you show two separate connections from the 2611. Then, above, you said that your comcast router connects to "vlan 1", but you have a VWIC in the 2611 and had to use the ethernet connection. The only way to do that would be to either have the comcast modem directly connected to the 2611 on e0/0 or have the modem going into a switch like the above diagram. If you only have a single switch, I'm assuming that the internal e0/1 interface is connected to that switch with both vlans on it and the comcast modem is direct. If that's the case, the second scenario will work fine unless you're simply wanting to bridge the comcast. If bridging works, which in your original statement sounded like it was hit or miss, then the only thing that would benefit you is the public addressing would be passed to the router.

John

HTH, John *** Please rate all useful posts ***

Let me apply the information you have given me and report back here.  Thanks again for the help.

It works fine!  I misunderstood what you meant about having two separate switches.

Glad to hear it!

HTH,
John

*** Please rate all useful posts ***