Hello! An Internet modem is connected to the FastEthernet4 interface of the Cisco 881-SEC-K9 router, a VPN modem is connected to the FastEthernet1 interface, and an unmanaged LAN switch is connected to the FastEthernet0 interface. It is necessary to that the computer connected to the switch have the Internet and access certain resources via a VPN modem. The IP address of the Internet modem is 10.41.196.2 (DHCP is enabled on the modem), the VPN modem is 172.26.66.171. The Cisco configuration is as follows:
snmp-server host 10.96.16.2 version 2c zabbix_mos_admin
!
!
!
control-plane
!
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class admin in
exec-timeout 60 0
password 7 **********************
logging synchronous
transport input ssh
!
ntp source Vlan30
ntp update-calendar
ntp server 10.96.16.2
!
end
There is Internet on the computers of the local network. The IP address 172.26.66.173 of the Vlan30 port bound to the FastEthernet1 interface to which the VPN modem is connected is pinged from the LAN computer (if the mask of the additional IP address of the computer 172.26.66.177 is 255.255.255.248, if the mask is 255.255.255.0, then no). The IP addresses of the 172.266.66.XXX network and the IP addresses specified in the Cisco "ip route" commands are pinged from the Cisco console. But all these addresses are not pinged from the LAN computer, only 172.266.66.173 (Vlan30 address). I tried to enable routing on my computer:
Nothing has changed, the address 10.128.217.12 did not ping after that. Question: what should I do to make the IP addresses of the 172.26.66.xxx network and those specified in the "ip route" commands on Cisco "visible" from the computer?
First, you need to remove the NAT outside on vlan 30
conf t
int vlan 30
no ip nat outside
You dont need to do NAT on this interface. The NAT is only for internet access as per your route map
Second, I see on the interface FastEthernet 4 as "shutdown". You should see this and run "no shutdown" on the interface if that is the case
interface FastEthernet4
description WAN
ip address dhcp client-id FastEthernet4
ip nat outside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
You dont nee to add route on the PC. The PC need to have IP address on the network 10.40.169.0 255.255.255.0 and default gateway as 10.40.169.3
Flavio Miranda, thanks for the reply! I disabled NAT on the Vlan 30 interface, Cisco rebooted, and checked the NAT shutdown. The FastEthernet4 interface is enabled, otherwise there would be no internet. I posted the configuration before enabling it. The computer's IP address is 10.40.169.234, mask is 255.255.255.0, gateway is 10.40.169.3, there are no additional IP addresses. The routes on the computer have been deleted. Unfortunately, it didn't help. The address 172.26.66.173 is pinged, the rest of the addresses from the network 172.26.66.0 are not, the IP addresses specified in the "ip route" commands on Cisco are not either (Waiting interval for request has been exceeded). What other reasons could there be?
I believe the problem can be in the fact that the DHCP is the modem. Clients is getting IP address from the modem and probably using the modem as default gateway and not the router.
Can you create a DHCP scopo on the router and use the router as DHCP server instead? Then, the router will be the gateway to your PCs?
The modem's DHCP operates on the 10.41.169.0 network, where the range of assigned addresses is 10.41.169.4 - 10.41.169.255. In fact, the modem's DHCP assign an IP address only to the Cisco FastEthernet4 interface. All computers are on the 10.40.169.0 network, and they all have static IP addresses. There is no DHCP on the 10.40.169.0 network.
881_Router#sh running-config Building configuration...
Current configuration : 3620 bytes ! ! No configuration change since last restart ! version 15.5 no service pad service timestamps debug datetime localtime service timestamps log datetime localtime service password-encryption ! hostname 881_Router ! boot-start-marker boot system flash:c880data-universalk9-mz.155-3.M10.bin boot-end-marker ! ! logging buffered 65536 enable secret 5 ****************************** ! aaa new-model ! ! ! ! ! ! ! aaa session-id common ethernet lmi ce memory-size iomem 10 clock timezone EAT 1 0 ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !
ip port-map http port tcp from 1 to 65535 list 1 ! ! ! ! ip domain name ***************** ip inspect name CSM_INSPECT_1 http ip cef no ipv6 cef ! ! multilink bundle-name authenticated license udi pid CISCO881-SEC-K9 sn *********** ! ! archive log config logging enable logging size 200 hidekeys object-group service RDP tcp eq 3389 ! username ********* privilege 15 secret 5 ****************************** ! ! ! ! ! ! ! ! ! ! ! ! ! ! interface FastEthernet0 description lan switchport access vlan 20 no ip address ! interface FastEthernet1 description vpn switchport access vlan 30 no ip address ! interface FastEthernet2 description lan switchport access vlan 20 no ip address ! interface FastEthernet3 description lan switchport access vlan 20 no ip address ! interface FastEthernet4 description WAN ip address dhcp client-id FastEthernet4 ip nat outside ip virtual-reassembly in duplex auto speed auto ! interface Vlan1 no ip address no ip redirects no ip proxy-arp ip virtual-reassembly in ! interface Vlan20 description lan ip address 10.40.169.3 255.255.255.0 ip access-group Inbound in ip access-group Outbound out ip nat inside ip virtual-reassembly in ! interface Vlan30 description vpn ip address 172.26.66.173 255.255.255.248 ip access-group Inbound in ip virtual-reassembly in ! ip forward-protocol nd no ip http server no ip http secure-server ! ! ip dns server ip nat inside source route-map RMAP_NAT_FastEthernet4 interface FastEthernet4 overload ip route 10.96.16.0 255.255.255.0 172.26.66.169 ip route 10.128.217.12 255.255.255.255 172.26.66.169 ip route 10.254.11.31 255.255.255.255 172.26.66.169 ip route 81.30.80.63 255.255.255.255 172.26.66.169 ip route 172.26.0.0 255.255.0.0 172.26.66.169 ip route 172.30.1.242 255.255.255.255 172.26.66.169 ip route 192.168.110.0 255.255.255.0 172.26.66.169 ip route 192.168.120.0 255.255.255.0 172.26.66.169 ip route 192.168.144.0 255.255.240.0 172.26.66.169 ip route 192.168.201.0 255.255.255.0 172.26.66.169 ip route 0.0.0.0 0.0.0.0 dhcp ip ssh version 2 ! ip access-list standard SNMP_ACCESS_RO permit 10.96.16.2 ip access-list standard admin permit 10.96.16.91 permit 10.96.16.32 permit 10.40.169.234 permit 10.40.169.115 deny any log ! ip access-list extended ACL_NAT permit ip 10.40.169.0 0.0.0.255 any ip access-list extended Inbound permit icmp any any permit udp any any permit tcp any any ip access-list extended Outbound permit icmp any any permit udp any any permit tcp any any ! ! route-map RMAP_NAT_FastEthernet4 permit 10 match ip address ACL_NAT match interface FastEthernet4 ! snmp-server community zabbix_mos_admin RO SNMP_ACL snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server host 10.96.16.2 version 2c zabbix_mos_admin ! ! ! control-plane ! ! line con 0 logging synchronous no modem enable line aux 0 line vty 0 4 access-class admin in exec-timeout 60 0 password 7 ********************** logging synchronous transport input ssh ! ntp source Vlan30 ntp update-calendar ntp server 10.96.16.2 ! end
881_Router#
I will also give you the information provided by some other teams:
881_Router#show ip int brief Interface IP-Address OK? Method Status Protocol FastEthernet0 unassigned YES unset up up FastEthernet1 unassigned YES unset up up FastEthernet2 unassigned YES unset down down FastEthernet3 unassigned YES unset down down FastEthernet4 10.41.169.4 YES DHCP up up NVI0 unassigned YES unset up up Vlan1 unassigned YES unset down down Vlan20 10.40.169.3 YES NVRAM up up Vlan30 172.26.66.173 YES NVRAM up up
881_Router#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 10.41.169.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.41.169.2 10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks C 10.40.169.0/24 is directly connected, Vlan20 L 10.40.169.3/32 is directly connected, Vlan20 C 10.41.169.0/24 is directly connected, FastEthernet4 L 10.41.169.4/32 is directly connected, FastEthernet4 S 10.96.16.0/24 [1/0] via 172.26.66.169 S 10.128.217.12/32 [1/0] via 172.26.66.169 S 10.254.11.31/32 [1/0] via 172.26.66.169 81.0.0.0/32 is subnetted, 1 subnets S 81.30.80.63 [1/0] via 172.26.66.169 172.26.0.0/16 is variably subnetted, 3 subnets, 3 masks S 172.26.0.0/16 [1/0] via 172.26.66.169 C 172.26.66.168/29 is directly connected, Vlan30 L 172.26.66.173/32 is directly connected, Vlan30 172.30.0.0/32 is subnetted, 1 subnets S 172.30.1.242 [1/0] via 172.26.66.169 S 192.168.110.0/24 [1/0] via 172.26.66.169 S 192.168.120.0/24 [1/0] via 172.26.66.169 S 192.168.144.0/20 [1/0] via 172.26.66.169 S 192.168.201.0/24 [1/0] via 172.26.66.169 881_Router#
check the config and my conclusion is that the problem may not be one your side.
I see one config on the router that does not make sense to me and you can remove, although I dont thing this is the problem.
ip port-map http port tcp from 1 to 65535 list 1
This port-map is pointing to an access-list 1 and you dont have access-list 1.
But, the connectivity problem should not existe.
I believe you might be sending the traffic towards your VPN peer but the destination is not replying to you.
Maybe you do need NAT on the vlan30 in order to leave towards the VPN modem with the router´s vlan IP address but then, if that is really the case, the NAT must be configured differently. It is not enough to just add "ip nat outside" as it was priviouly.
interface Vlan30 description vpn ip address 172.26.66.173 255.255.255.248 ip access-group Inbound in ip virtual-reassembly in !
Most of the information you must get with the other side. They need to tell you if you can get there if your original IP address or you must translate to a different IP.
If translation is required, then, the NAT needs to be configured properly.
But the internal network addresses 172.26.66.0 (for example, 172.26.66.171 or 172.26.66.172) and the addresses specified in the "ip route" commands on Cisco (for example, 10.128.217.12) are pinged from the Cisco console. At least, they pinged before disabling NAT on the Vlan 30 interface. After disabling NAT, I do not know, I did not look, I will check tomorrow. This means that there is (or was) access from the other side
I looked at the network settings of the VPN modem yesterday (IP address, mask, gateway). The IP address there is 172.26.66.171, the mask is 255.255.255.0. The gateways tried to specify 10.40.169.3, 172.26.66.173, there is no ping of this modem from the computer (IP address 10.40.169.234), unfortunately, in any case. The problem is definitely on the internal network, and not on the service provider's side, since even the VPN modem itself (IP address 172.26.66.171), which is located on the internal network, does not ping from the computer. For clarity, I drew a diagram of the network:
Interestingly, the computer that is connected via the VPN modem port (IP-address 172.26.66.170) is pinged, by the modem itself is not. Pings from the computer's command line (IP address 10.40.169.234):
Pings from the Cisco console:
In the future, instead of a VPN modem, I will try to connect a computer with the same IP address, mask and gateway and with delete routes and see if there will be a ping. Based on the results, it will be possible to judge whether the problem is in the VPN modem or not.
