Cisco Support Community

New Member

WAN + LAN advice needed

Hi, this belongs in a new post as it is separate from my internet connection issue (as now I'm connected).

Basically what I would like to do is build a network out of my 7 machines (Macs, PCs, and Linux boxes).


I would like to have security in the network for router, wireless interface (encryption, username/password etc), a firewall.

Also because I will be running a web, vnc, and ssh-server I will need to forward ports from the WAN to my LAN.

I would like file/print sharing enabled for my machines to communicate.

I have played about with SDM-Express and have currently got MAC address filtering for my wireless. I'm guessing to forward ports I will need to do that via IP filtering. I tried this as well but it didn't work, as I think I got the wrong settings.

Also I turned on the firewall via SDM, but it told me that it wasn't going to put it on the ATM interface? I thought the ATM interface was my adsl modem, and that the firewall should be between the LAN and the WAN on a SOHO setup?

Currently I can connect to the internet with machines but I cannot connect them to each other or even ping each other from machine to machine (it works from router though).

Any advice or guides to documentation would be really helpful.


Hall of Fame Super Gold

Re: WAN + LAN advice needed


1. Stop using SDM; it produces confusing results and prevents you from learning.

2. Are you sure you need a firewall? You have NAT configured, nobody can access anything from outside.

3. Suggest you do not use MAC address filtering. If you want to protect your wireless, configure a WEP key, which is much simpler.

4. What do you want to forward? The normal command is

ip nat inside source static interface

New Member

Re: WAN + LAN advice needed

OK, I took all the SDM config off except for the MAC address filter access list, which works fine; basically any non-authorized computers can't gain access to services:

access-list 700 permit 000b.6b4b.c5d0 0000.0000.0000

access-list 700 deny 0000.0000.0000 ffff.ffff.ffff

but I will read up about configuring WEP keys as well, even though I don't think it's compatible with my Mac OS9 machines?

If I wanted to forward say www port 80 from WAN to LAN the command would be:

ip nat inside source static tcp 192.x.x.x 80 interface (ATM0 or Dialer0??) 80

And then there's still the problem of my internal network because at the moment I can't use any services like ping or file sharing, netbios (samba) or apple file share. Will I need to configure NAT to open all ports on internal network to achieve this?

Basically like:

ip nat inside source static interface for all ports ranging from 1 to port limit?

New Member

Re: WAN + LAN advice needed

I managed to forward ports from WAN to LAN using the above advice and everything works fine!

Is there a way to monitor the incoming packets though via logging or show statement, and also see which ports they are associated with?

Also my LAN still needs setting up, as I have no internal network access yet! Do I need to post that in the LAN/Routing part of the forum or is the command similar to that of the above?

Hall of Fame Super Gold

Re: WAN + LAN advice needed


To see what "forwardings" are active, do show ip nat translation.

What in the LAN is not working?

New Member

Re: WAN + LAN advice needed

In the LAN, nothing is working. I can't ping other computers within the LAN, or share files, or use any other services which I need.

(From the router I can ping, but from one machine to the other)

I don't know if this is NAT issue or if I need to make an access list?

Hall of Fame Super Gold

Re: WAN + LAN advice needed


What machines are these? If win XP, be aware there is a firewall you should disable.

Are these using DHCP and getting an IP address correctly?

New Member

Re: WAN + LAN advice needed

Hi, at the moment I've just linked my XP machines up not my linux boxes or macs.

They are connected statically even though dhcp on router is set to give addresses between 192....1 and 255

I also disabled the firewall which I put on from SDM but I still haven't even got ping function let alone netbios.

Hall of Fame Super Gold

Re: WAN + LAN advice needed


The router has no role in communications between systems on the same LAN. So the problem must be due to something else.


Re: WAN + LAN advice needed

First try this:

interface BVI1

no ip access-group 100 in

If that won't enable your local communication, try the following:

Can you post your current config please?

When the ports of your local machines are in one VLAN, which they are, there is nothing that the switch does with packets. Are you connecting PCs over wired or wireless?

If you are using wireless, try wired.

Also, try pinging the PC's own IP address.

And also, check if you have different MAC addresses on the PCs. I had a problem where the cable connection was cable dependent and all PCs had the same MAC, so they could all communicate periodically to the internet, but not to each other.

New Member

Re: WAN + LAN advice needed

This is current config. Wired and Wireless are bridged - my machines are connected by wireless!

I can ping machine from machine but other machines "request timed out"

I have Zone Alarm firewall on individual machines which I even took down and still same problem?

New Member

Re: WAN + LAN advice needed

Thinking about the config, could it be something to do with access list 1? - That proper permissions haven't been setup?

Also I am trying to connect my macs to the network and it's fine with OSX, but in OS 9 I can't find any where to enter the base station ssid. I have tried to set the computer to connect to other instead of scanning but it won't give me any dialogs to enter ssid criteria?

Hall of Fame Super Gold

Re: WAN + LAN advice needed


No, access list 1 has nothing to do with computers not connecting locally. It might be ACL 700, but that is active for wireless only.

Not sure what you should do for the Macs. Sometimes these have little hidden places to do the most obvious things.

New Member

Re: WAN + LAN advice needed

Hi, I managed to fix the Mac problem. It was just OS9 being weird and old!

The ACL 700 is just a MAC layer address list and from what I know just permits services to the "allowed" addresses. I enabled it via the Wireless Management web interface through SDM, but I don't know if IP filtering ties in with it as it is a MAC filter.

I also thought that maybe it was the dhcp config clashing with the static machines, within the dhcp address region?

Using debug can I view what service is being 'allowed' on which IP address with vlan1? Perhaps that may help towards resolving my issue?

New Member

Re: WAN + LAN advice needed

Thinking about it if indeed the ACL 700 is to blame for my access issues, could it be something to do with the mask?

I read this from the help:

Entering as the mask causes the access point to accept any IP address. If you enter, the access point looks for an exact match with the IP address you entered in the IP Address field.

Does it mean that by entering 0000.0000.0000 as I have done I am only limiting myself to access from the router? By entering 2552.5525.5255 would it mean that I will have access from everyone in the LAN?

I've tried testing it but to no effect and I'm just confused now!

Hall of Fame Super Gold

Re: WAN + LAN advice needed


ACL 700 is based on MAC and cannot use IP mask.

As I mentioned previously, I suggest you remove it and use a WEP or WPA key to control access to wireless.

After, you have no other ACL limiting traffic.
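An added example, not part of the original thread: a small evaluator for MAC address access lists in the 700 range, showing how the second field works as a 48-bit wildcard mask (a 0 bit must match, a 1 bit is ignored) and that entries are checked in order with the first match winning. THREAD_ACL is the list posted earlier in the thread; OUI_ACL and the test MAC addresses are constructed for illustration, and the function names are this example's own.

```python
def mac_to_int(dotted: str) -> int:
    """Convert Cisco dotted-hex notation (xxxx.xxxx.xxxx) to a 48-bit integer."""
    groups = dotted.split(".")
    if len(groups) != 3 or any(len(g) != 4 for g in groups):
        raise ValueError(f"not a dotted-hex MAC value: {dotted!r}")
    return int("".join(groups), 16)


def parse_acl(text: str):
    """Parse 'access-list <n> permit|deny <mac> <mask>' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        fields = line.split()
        if (len(fields) != 5 or fields[0] != "access-list"
                or fields[2] not in ("permit", "deny")):
            raise ValueError(f"unrecognised ACL line: {line!r}")
        entries.append((fields[2], mac_to_int(fields[3]), mac_to_int(fields[4])))
    return entries


def evaluate(entries, mac: str) -> str:
    """Return the action of the first matching entry; unmatched frames are denied."""
    addr = mac_to_int(mac)
    for action, base, mask in entries:
        care = ~mask & 0xFFFFFFFFFFFF  # bits set to 0 in the mask must match
        if (addr & care) == (base & care):
            return action
    return "deny"  # implicit deny at the end of every access list


# The list as posted in the thread: one exact-match permit, then deny everything.
THREAD_ACL = parse_acl("""
access-list 700 permit 000b.6b4b.c5d0 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
""")

# Constructed variant: the mask wildcards the low 24 bits, so any address
# sharing the first three octets is permitted.
OUI_ACL = parse_acl("access-list 700 permit 000b.6b00.0000 0000.00ff.ffff")

if __name__ == "__main__":
    for mac in ("000b.6b4b.c5d0", "0011.2233.4455"):  # second MAC is constructed
        print(mac, "->", evaluate(THREAD_ACL, mac))
```

With the thread's list, only the single listed adapter is permitted and every other station on the wireless interface is denied.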

New Member

Re: WAN + LAN advice needed

I discovered this page:

and inserted this line into my config:

bridge# configure terminal

bridge(config)# configure interface dot11radio 0

bridge(config-if)# encryption vlan 1 key 2 size 128 12345678901234567890123456

bridge(config-if)# end

It hasn't taken any effect though as machines without the key in their setup can still connect?

However after removing the ACL, my network services are back online :-)

....But there's no security :-(

Hall of Fame Super Gold

Re: WAN + LAN advice needed


you also need to configure:

encryption mode ciphers

New Member

Re: WAN + LAN advice needed

Hi, I added this line:

encryption mode ciphers wep128

and now I'm locked out of my router?

I don't know if I have to put a specific cipher type or if IOS creates a default.

I added the key into my XP machines, although if I select key provided the router will send the key automatically - even though I don't have any services enabled. This is a security risk and I would like the router not to send the key either.

Also which type of key/cipher combination is compatible with mac OS9, which I have to cater for?

Hall of Fame Super Gold

Re: WAN + LAN advice needed


Not sure what sending you are talking about. The config above is WEP with a 128-bit static key; you need to configure the correct key in your PC, else you can't connect. The router is not sending out anything.

New Member

Re: WAN + LAN advice needed

After these lines were added to my config:

encryption vlan 1 key 2 size 128 12345678901234567890123456

encryption vlan 1 mode ciphers wep128

I went to XP network settings and input wep key into wireless part. There is also a box saying key is provided which I checked without putting the key in and I was still able to connect to router. However similar to before with my mac access list, this config didn't give me any services available. I couldn't browse or telnet to router.

Both methods of key input and key provided resulted in no network?

New Member

Re: WAN + LAN advice needed

After checking the link above the second line is not complete as there are different types of cipher available - {[aes-ccm | ckip | cmic | ckip-cmic | tkip]}

which ones are compatible with my setup?

Hall of Fame Super Gold

Re: WAN + LAN advice needed

WEP (40 or 128 bits) is already a cipher; it is the basic one and ensures the most compatibility and the simplest configuration.
