topic Re: Lan to Lan cisco 2921 router in Network Security

Lan to Lan cisco 2921 router

daniel253 — Tue, 23 Apr 2019 16:40:56 GMT

I'm trying to to configure a router cisco 2921, but I'm a beginner.

Basically I have 5 interfaces in this router, 2 of them I use for ISP links and the others I configured for independent lans with their own dhcp.

My problem is, I want interface GigabitEthernet0/0 to comunicate with interface FastEthernet0/0/0 and vice versa, but keeping their own dhcp pool.

interface GigabitEthernet0/0
description ADM

ip address 192.168.4.1 255.255.255.0
ip nat inside
no shutdown
ip virtual-reassembly in
duplex auto
speed auto

interface FastEthernet0/0/0
description USERS
ip address 192.168.2.1 255.255.255.0
ip nat inside
no shutdown
ip virtual-reassembly in
duplex auto
speed auto

interface FastEthernet0/0/1
description EXTERNAL
ip address 192.168.1.1 255.255.255.0
ip nat inside
no shutdown
ip virtual-reassembly in
duplex auto
speed auto

ip access-list extended NAT_LAN
permit ip 192.168.4.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any

route-map NAT_ISP1_Main permit 10
match ip address NAT_LAN
match interface GigabitEthernet0/1

route-map NAT_ISP2_Back-up permit 10
match ip address NAT_LAN
match interface GigabitEthernet0/2

ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
frequency 30
ip sla schedule 1 life forever start-time now
track 1 ip sla 1

ip route 0.0.0.0 0.0.0.0 X.X.X.X track 1
ip route 0.0.0.0 0.0.0.0 X.X.X.X 30

ip nat inside source route-map NAT_ISP1_Main interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT_ISP2_Back-up interface GigabitEthernet0/2 overload

ip dhcp excluded-address 192.168.4.1 192.168.4.99
ip dhcp excluded-address 192.168.4.200 192.168.4.254
ip dhcp excluded-address 192.168.1.1 192.168.1.19
ip dhcp excluded-address 192.168.1.22 192.168.1.254
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.161 192.168.2.254

ip dhcp pool ADM
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server 1.1.1.1 1.0.0.1
lease 0 4 30

ip dhcp pool EXTERNAL
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 199.85.126.30 199.85.127.30
lease 0 4 30

ip dhcp pool USERS
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 1.1.1.1 1.0.0.1
lease 0 4 30

Re: Lan to Lan cisco 2921 router

luis_cordova — Tue, 23 Apr 2019 16:55:10 GMT

Hi @daniel253 ,

Theoretically, there should be communication between networks directly connected to the same router.
Could you share the result of the show ip route command?

Regards

Re: Lan to Lan cisco 2921 router

daniel253 — Tue, 23 Apr 2019 17:37:05 GMT

hi @luis_cordova see bellow:

show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is x.x.214.73 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via x.x.214.73

x.x.0.0/16 is variably subnetted, 2 subnets, 2 masks
C x.x.214.72/29 is directly connected, GigabitEthernet0/1
L x.x.214.75/32 is directly connected, GigabitEthernet0/1
x.x.0.0/16 is variably subnetted, 2 subnets, 2 masks
C x.x.201.80/29 is directly connected, GigabitEthernet0/2
L x.x.201.86/32 is directly connected, GigabitEthernet0/2
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, FastEthernet0/0/1
L 192.168.1.1/32 is directly connected, FastEthernet0/0/1
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, FastEthernet0/0/0
L 192.168.2.1/32 is directly connected, FastEthernet0/0/0
192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.4.0/24 is directly connected, GigabitEthernet0/0
L 192.168.4.1/32 is directly connected, GigabitEthernet0/0

Re: Lan to Lan cisco 2921 router

luis_cordova — Tue, 23 Apr 2019 17:40:25 GMT

Hi @daniel253 ,

By having the networks directly connected and not having an ACL that blocks communication, there should be no problem in communicating the 2 networks, keeping the DHCP separated by network.
Have you done any tests to evaluate the connection between these two networks?

Regards

Re: Lan to Lan cisco 2921 router

daniel253 — Tue, 23 Apr 2019 17:55:19 GMT

yes, these tree networks can navigate through the internet using IPS 1 or IPS2.

But I can't ping lan to lan. For example if I'm on the ge 0/0 side, i can't ping fe0/0/0.
I also tried to ping from the router but I had communication problems either.

router#ping 192.168.4.107
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.107, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
router#ping 192.168.2.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
router#ping 192.168.1.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.20, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Re: Lan to Lan cisco 2921 router

luis_cordova — Tue, 23 Apr 2019 18:19:40 GMT

Hi @daniel253 ,

Only to discard, it disables the firewalls of the final devices.
Sometimes, firewalls prevent the pings of external networks.

Regards

Re: Lan to Lan cisco 2921 router

Rob Ingram — Tue, 23 Apr 2019 18:32:43 GMT

Hi,

Perhaps these devices 192.168.1.20 and 192.168.2.100 you are attempting to ping from the router have a local firewall enabled, and blocking ping - Have you confirmed?

Can you ping the router from those client devices?

Re: Lan to Lan cisco 2921 router

daniel253 — Mon, 06 May 2019 17:36:50 GMT

Sorry! I was a little confused that I forgot about allowing ping in Windows firewall.

I did a couple of tests and it's working.

Now I'm in the middle of another problem, I need to access the CCTV when I'm not in the building.

I tried some configurations to allow port traffic but nothing with success.

I think that there's something missing. I did some research but nothing helpful.

ip nat inside source static tcp 192.168.4.100 37777 interface GigabitEthernet0/1 37777
ip nat inside source static tcp 192.168.4.100 774 interface GigabitEthernet0/1 774
ip nat inside source static tcp 192.168.4.100 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 192.168.4.100 554 interface GigabitEthernet0/1 554

ip access-list extended nat-acl
permit ip 192.168.4.0 0.0.0.255 any
permit tcp any host 192.168.4.100 eq 37777
permit tcp any host 192.168.4.100 eq 774
permit tcp any host 192.168.4.100 eq 443
permit tcp any host 192.168.4.100 eq 554

Service port: 37777
HTTP: 774
HTTPS: 443
RTSP: 554