Cisco 1841 VLAN routing

ronald.tuns
Level 1

Hi everyone,

I'm having some trouble with routing traffic from one vlan to the other on a 1841.

What am I trying to do:

- route traffic from vlan1 to the internet with a specific public IP

- route traffic from vlan2 to the internet with a specific public IP

- allow traffic from vlan1 to vlan2 and vice versa

- NAT specific ports to a host on vlan1

What's not working:

- hosts from vlan1 can ping the vlan2 interface, but not the hosts on vlan2 and vice versa

Here's the config (I have disabled access-rules for simplicity):

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco1841
!
boot-start-marker
boot-end-marker
!
!

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
no process cpu extended history
no process cpu autoprofile hog
dot11 syslog
ip source-route
no ip routing
!
!
!
!
!
no ip cef
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
ip name-server 1.2.3.4


multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
username admin privilege 15 password 0 notthepassword
!
redundancy
!
!
!
!
!
!
interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address 2.1.2.1 255.255.255.248 secondary
 ip address 2.1.2.2 255.255.255.248
 ip access-group 102 in
 ip inspect CCP_LOW out
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 speed auto
 half-duplex
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
!

interface FastEthernet0/0/0
 no ip address
 no cdp enable
!
interface FastEthernet0/0/1
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet0/0/2
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet0/0/3
 no ip address
 shutdown
 no cdp enable
!
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.175.252 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache
!
interface Vlan2
 description $FW_INSIDE$
 ip address 192.168.176.254 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat pool natvlan1  2.1.2.1 2.1.2.1 netmask 255.255.255.248
ip nat pool natvlan2 2.1.2.2 2.1.2.2 netmask 255.255.255.248
ip nat inside source list 100 pool natvlan1 overload
ip nat inside source list 101 pool natvlan2 overload
ip nat inside source static tcp 192.168.175.1 25 2.1.2.1 25 extendable
ip nat inside source static tcp 192.168.175.1 80 2.1.2.1 80 extendable
ip nat inside source static tcp 192.168.175.1 443 2.1.2.1 443 extendable
ip nat inside source static tcp 192.168.175.6 876 2.1.2.1 876 extendable
ip nat inside source static tcp 192.168.175.4 8550 2.1.2.1 8850 extendable
ip route 0.0.0.0 0.0.0.0 2.1.2.3
!
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 102 permit ip any any
!
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password notthepassword
 transport input all
!
scheduler allocate 20000 1000
end

Any help is greatly appreciated!

9 Replies

Dragan Ilic
Level 4

Could you provide output of "sh vlan-sw"?

HTH,

Dragan

Hi Dragan,

This is the output:

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/0/0, Fa0/0/2, Fa0/0/3
2    VLAN0002                         active    Fa0/0/1
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0

As Jon suggested - can you ping a PC from the router's corresponding interface?

If not, then you have something on your hosts which is causing problems (FW or AV etc.)... it MUST work, in other words.

HTH,

Dragan

Hi Dragan,

I just answered Jon's question:

If I place a PC in VLAN1, I can ping the VLAN2 interface on the 1841. From the 1841, I can also ping the PC in VLAN1 from the VLAN2 interface.

So it seems that traffic behind the 1841 is not routed back for some reason...

Grtz,

Ronald

Jon Marshall
Hall of Fame

Ronald

Firstly, check for firewalls on the PCs that could be blocking the pings, i.e. can you ping a PC from the router?

If you can then -

1) remove ACLs 100 and 101 from the VLAN interfaces. They are not doing anything anyway, and they need modifying, which would break communication if you left them applied

2) modify both ACLs, i.e.:

access-list 100 deny ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255

access-list 100 permit ip 192.168.175.0 0.0.0.255 any

access-list 101 deny ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255

access-list 101 permit ip 192.168.176.0 0.0.0.255 any

Jon

Hi Jon,

I have removed the access-list, but there is no change unfortunately.

If I place a PC in VLAN1, I can ping the VLAN2 interface on the 1841. From the 1841, I can also ping the PC in VLAN1 from the VLAN2 interface.

I have checked gateway settings and firewall settings on the PC, but these are fine.

Grtz,

Ronald

Ronald

You removed the ACLs from the interfaces, but did you modify them as I suggested?

You still need them but modified.

Jon

svansteensel
Level 1

Ronald,

Have you verified your NAT config (sh ip nat translation)? I see that your ACLs subject all traffic to NAT; you should exclude traffic from VLAN 1 to VLAN 2 and vice versa from being NATed.

regards Sebastian

Hello

1) Why do you have secondary addressing on the WAN interface? The WAN ISP will have a route back to your allocated IP range anyway. Can you use a single IP and then NAT pools on 2.1.2.1/2 respectively?

2) Remove the CBAC from the WAN interface and apply it on the LAN interfaces INBOUND, so it inspects the traffic destined to your LAN.

3) I assume your ACL statements permitting all traffic are temporary, especially for the WAN interface, as it is at present allowing everything back in. That shouldn't be the case; it should be denying everything.

4) ip routing is disabled

So to summarise,


no access-list 100
no access-list 101
no access-list 102
access-list 100 permit ip any 192.168.175.0 0.0.0.255 log
access-list 101 permit ip any 192.168.176.0 0.0.0.255 log
access-list 102 deny ip any any

no ip nat inside source list 100 pool natvlan1 overload
no ip nat inside source list 101 pool natvlan2 overload

access-list 1 permit 192.168.175.0 0.0.0.255
access-list 2 permit 192.168.176.0 0.0.0.255
ip nat inside source list 1 pool natvlan1 overload
ip nat inside source list 2 pool natvlan2 overload


ip routing


interface FastEthernet0/0
no ip address 2.1.2.1 255.255.255.248 secondary
no ip inspect CCP_LOW out
ip address 2.1.2.6 255.255.255.248 (if applicable)
ip access-group 102 in


interface Vlan1
ip access-group 100 in
ip inspect CCP_LOW in

interface Vlan2
ip access-group 101 in
ip inspect CCP_LOW in


res
Paul

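The checks Sebastian and Paul raise above (routing disabled, NAT lists that match all traffic, a permit-any inbound ACL on the WAN side) can be run automatically against a saved running-config. This is an added example, not code from the thread; the config excerpt it parses is constructed from the lines posted in the question, and the `parse`/`audit` helpers are assumed names.

```python
import re

# Constructed excerpt of the config posted in the question (only the lines the checks read).
SAMPLE_CONFIG = """\
no ip routing
interface FastEthernet0/0
 ip access-group 102 in
 ip nat outside
ip nat inside source list 100 pool natvlan1 overload
ip nat inside source list 101 pool natvlan2 overload
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 102 permit ip any any
"""

def parse(config):
    """Split an IOS config into global lines and {interface: [sub-commands]}."""
    global_lines, ifaces, cur = [], {}, None
    for line in (l.rstrip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur:
            ifaces[cur].append(line.strip())
        else:
            cur = None
            global_lines.append(line)
    return global_lines, ifaces

def audit(config):
    """Return findings for: routing disabled, NAT lists matching all traffic,
    and a permit-any inbound ACL on the 'ip nat outside' interface."""
    global_lines, ifaces = parse(config)
    findings = []
    if "no ip routing" in global_lines:
        findings.append("ip routing disabled: SVIs cannot route between VLANs")
    wide_open = {g.split()[1] for g in global_lines  # ACLs that are a bare permit any any
                 if re.fullmatch(r"access-list \d+ permit ip any any", g)}
    for g in global_lines:
        m = re.match(r"ip nat inside source list (\d+) ", g)
        if m and m.group(1) in wide_open:
            findings.append(f"NAT list {m.group(1)} matches all traffic; "
                            "deny VLAN-to-VLAN traffic before the permit")
    for name, sub in ifaces.items():
        for s in sub if "ip nat outside" in sub else []:
            m = re.match(r"ip access-group (\d+) in", s)
            if m and m.group(1) in wide_open:
                findings.append(f"{name}: inbound ACL {m.group(1)} permits any any on the WAN side")
    return findings
```

Feed it the output of `show running-config`; a config with `ip routing`, per-VLAN NAT lists such as Paul's `access-list 1`/`access-list 2`, and `access-list 102 deny ip any any` produces no findings.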