topic Re: Cisco 1841 ip routing problem in Routing and SD-WAN

Cisco 1841 ip routing problem

mmunoz2000 — Mon, 03 Sep 2018 09:34:36 GMT

Hello everyone!

I'm completely lost here, since I'm a newbie on this networking area.

I recently had a problem with a cisco router 1841 that lost all configuration after a power outage. Long story short, i've been able to restore most of it, but i'm still having issues with the ip routing. This is the scenario:

I have 2 internal VLANS (1010 and 3040) configured in a ZyXEL switch.
1010 has an ip 192.168.170.1
3040 has an ip 192.168.160.1

I have a Sonicwall on the other end that acts as a gateway with ip 192.168.168.1

On the router I have interface 0/0 as outside with ip 192.168.168.54
I also have 2 subinterfaces for the vlans with the ips mentioned before.

Everything works fine on the internal network, which is 192.168.168.x

I want traffic from VLANS to go outside to the internet
I want traffic to go inside to those VLANS from the internet

So far, from the router, i can ping all the gateways and the internet.

PC inside the 192.168.170.x network can reach the internet, but no one can reach that computer from the outside.

Please help me, i've been trying to figure this out a week from now, but no clue what am i missing!!!

See my current configuration:

!
interface FastEthernet0/0
ip address 192.168.168.54 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
ip nat inside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1010
ip address 192.168.170.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 3040
ip address 192.168.160.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.168.1
!
!
no ip http server
no ip http secure-server
ip nat source list 1 interface FastEthernet0/0 overload
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.170.0 0.0.0.255
access-list 1 permit 192.168.160.0 0.0.0.255
!
!
!

I would really appreciate any insight on this matter, since i need to have these up and running in a couple of days.

I hope you guys can help!

Re: Cisco 1841 ip routing problem

paul driver — Mon, 03 Sep 2018 09:54:40 GMT

Hello

@mmunoz2000 wrote:

I want traffic to go inside to those VLANS from the internet

By default of any Firewall all connections from outside will be negate from initiating communication, May I ask what is your intention for outside users to be able to reach your internal users?

Re: Cisco 1841 ip routing problem

mmunoz2000 — Mon, 03 Sep 2018 10:50:06 GMT

Thank you for your response.

Maybe I didn't explain myself the right way...what I mean is that I want the users from the 192.168.168.x network to be able to reach the computers on the 192.168.170.x network.

I have a PC on the 168.x network and they cannot ping another pc on the 170.x network.

I hope this clarifies my requirement.

Re: Cisco 1841 ip routing problem

pieterh — Mon, 03 Sep 2018 14:12:59 GMT

in your current acl matches all internal trafic, so all is NAtted.

as a result the path back is blocked.

you must add a rule to "deny" traffic between the local subnets from being NATted.

these denies must come before the permit

Re: Cisco 1841 ip routing problem

mmunoz2000 — Mon, 03 Sep 2018 14:43:43 GMT

You mean add something like this:

AP-CISCO-01#sh access-list
Standard IP access list 1
10 deny 192.168.168.0, wildcard bits 0.0.0.255
20 permit 192.168.170.0, wildcard bits 0.0.0.255 (157611 matches)
30 permit 192.168.160.0, wildcard bits 0.0.0.255 (28 matches)

Please confirm.

Thanks!

Re: Cisco 1841 ip routing problem

paul driver — Mon, 03 Sep 2018 14:52:03 GMT

Hello

Maybe I have missed something in you topology but you mention a switch with vlans and then show this 1841 rtr config -

As it’s inter- vlan communication being troubleshooted I can see you have ip routing enabled on the rtr and any traffic between these two vlans should be routed by this rtr -

So do you have a trunk between this rtr and the switch and the l2 vlans created in the switch or something else

Your topology as I understand it is

Fw - rtr - switch - users

Re: Cisco 1841 ip routing problem

mmunoz2000 — Mon, 03 Sep 2018 14:55:43 GMT

Paul,

Thank you for the suggestion!

Honestly I don't know, but nothing has changed on the switch or any other device, and this was working before. So my assumption would be that it is enabled as it was before.

I believe there might be some issue with the NAT somewhere, but I don't have the knowledge to identify it.

Thanks for the advice.

Re: Cisco 1841 ip routing problem

mmunoz2000 — Mon, 03 Sep 2018 14:59:44 GMT

Yes, you are absolutely right, that's the topology I have!

How do I know if there is a trunk between the rtr and the switch and the vlans?

Re: Cisco 1841 ip routing problem

paul driver — Mon, 03 Sep 2018 15:08:27 GMT

Hello

Can you gain access to the switch and check the port details?

also from a client from each vlan try and ping the L3 interface of the rtr regards it alternative vlan does it work or fail?

do the clients have the correct subnet mask and default gateway defined?

Fyi - the clients shouldn’t even reach the Fw for inter- vlan communication unless they are configured to do so.

Lastly can you remove the “ip nat enable” from the interfaces

Re: Cisco 1841 ip routing problem

mmunoz2000 — Mon, 03 Sep 2018 15:25:23 GMT

What port details do you need from the ports on the switch. I do have them, i just don't know what to post.

Clients on the 192.168.170.x have access to the internet

Clients on the 192.168.160.x have access to the internet

Clients on the 192.168.168.x have access to the internet

ping from each vlan to its own gateway works.

all the clients have the subnet mask 255.255.255.0 and 192.168.168.1 gateway

How do i go about removing the "ip nat enable" from the interfaces?

Thanks again!

Re: Cisco 1841 ip routing problem

paul driver — Mon, 03 Sep 2018 15:33:35 GMT

Hello

1) the port detais of the port on the switch that is connecting to your rtr

2) Note - also your clients default gateway should be the L3 ip address of its corresponding vlan specified on the the rtr not the Fw ip address

3) on the rtr in each interface

conf t

int x/x

no ip nat enable

end

Re: Cisco 1841 ip routing problem

mmunoz2000 — Mon, 03 Sep 2018 16:11:49 GMT

Hi Paul,

1) I don't know where to get these. This is a ZyXEL GS1920 and there is not a whole lot of documentation on how to get the port details. I do know these were connected to ports 21 and 45 respectively. But there is also another ZyXEL switch in place, which trunks with the Sonicwall.

2) I do have a client on the 192.168.170.x network with a gateway 192.168.170.1

3) i did the no ip nat enable on each interface and now there is no access to the internet from the 170.x network and from the 160.x network.

Any clues?

Thanks for the assistance.

Re: Cisco 1841 ip routing problem

mmunoz2000 — Mon, 03 Sep 2018 16:17:55 GMT

I forgot to mention...I can ping computers inside any of the subnets from the rtr.

So...if i ping 192.168.170.x from the rtr, I get response

If i ping 8.8.8.8 from the rtr, no reponse (this was working earlier)

Best!

Re: Cisco 1841 ip routing problem

paul driver — Mon, 03 Sep 2018 16:26:05 GMT

Hello

Make sure you have “ip nat outside” still applied to your fa0/0

and “ip nat inside “ applied to your sub- interfaces

Then and remove this nat statement also:

conf t

no ip nat source list 1 interface FastEthernet0/0 overload

end

clear arp

clear ip nat translations *

test again

Re: Cisco 1841 ip routing problem

mmunoz2000 — Mon, 03 Sep 2018 16:40:12 GMT

I'm getting this message when trying to remove the nat source list:

AP-CISCO-01(config)#no ip nat source list 1 interface fas0/0 overload

Dynamic mapping in use, do you want to delete all entries? [no]: y
%Error: Dynamic mapping still in use, cannot remove

Any ideas?

Re: Cisco 1841 ip routing problem

mmunoz2000 — Mon, 03 Sep 2018 18:11:04 GMT

I was able to get it to work by doing a reload.

These are the results:

1) rtr can ping all the subnets

2) rtr cannot ping the internet

3) pc on the 192.168.168.x subnet can ping all the subinterfaces (192.168.170.1 and 192.168.160.1)

4) the same applies for a pc on the 192.168.170.x subnet (can ping its own gateway and other pcs on the network)

Here is the updated configuration:

interface FastEthernet0/0
ip address 192.168.168.54 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1010
ip address 192.168.170.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 3040
ip address 192.168.160.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
!
!
no ip http server
no ip http secure-server
!
access-list 1 deny 192.168.168.0 0.0.0.255
access-list 1 permit 192.168.170.0 0.0.0.255
access-list 1 permit 192.168.160.0 0.0.0.255

Any other ideas?

Thank you for the assistance though!!

Re: Cisco 1841 ip routing problem

paul driver — Mon, 03 Sep 2018 18:37:37 GMT

Hello

remove the deny statement in nat acl

When did you put that in -as it wasn’t in your OP ?

Re: Cisco 1841 ip routing problem

mmunoz2000 — Mon, 03 Sep 2018 19:41:12 GMT

Hi,

The deny was there because of a suggestion from someone else on this post.

I still see the same results.

I have removed it and this is the updated configuration:

interface FastEthernet0/0
ip address 192.168.168.54 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1010
ip address 192.168.170.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 3040
ip address 192.168.160.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
!
!
no ip http server
no ip http secure-server
!
access-list 1 permit 192.168.170.0 0.0.0.255
access-list 1 permit 192.168.160.0 0.0.0.255

Any other suggestions?

Thanks!

Re: Cisco 1841 ip routing problem

paul driver — Mon, 03 Sep 2018 20:20:02 GMT

Hello

i don’t see this nat statement anymore

“ip nat inside source list 1 interface FastEthernet0/0 overload”

if you don’t have in now please reapply it

Re: Cisco 1841 ip routing problem

mmunoz2000 — Mon, 03 Sep 2018 20:20:13 GMT

Hi,

I have applied the change and now I see NAT translation happening.

Still cannot access from one subnet to the other.

here is the updated configuration:

interface FastEthernet0/0
ip address 192.168.168.54 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1010
ip address 192.168.170.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 3040
ip address 192.168.160.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.170.0 0.0.0.255
access-list 1 permit 192.168.160.0 0.0.0.255

Any other suggestions?