599 Views | 0 Helpful | 10 Replies

Inter Vlan Routing

jbrind
Level 1

Help,

Problem with intervlan routing and default route to Broadband internet via a pix.

SetUP: 2900 switch, 2621 router, Pix 515.

The switch has 5 VLANs (1-5) and a dot1q trunk to the 2621, where the router has sub-interfaces for the inter-VLAN routing. This router also has a default route of 0.0.0.0 to the PIX (as shown in the config). The switch also has a connection via VLAN 1 to the PIX, and the PIX is aware of all VLAN subnets and routes back to the 2621 router!

The problem I have is that all users on the switch, apart from VLAN 1 (which is on the same subnet as the PIX), cannot use/route to the internet.

Please see the configs below; I can't work out why this doesn't work!!!

2950 config :

sh run
Building configuration...
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
ip subnet-zero
!
interface FastEthernet0/1
 description sales
 switchport access vlan 253
!
interface FastEthernet0/2
 description accounts
 switchport access vlan 252
!
interface FastEthernet0/3
 description H&R
 switchport access vlan 251
!
!
interface FastEthernet0/23
 description Connection To PIX
!
interface FastEthernet0/24
 description Trunk To Router
 switchport trunk encapsulation dot1q
 switchport mode trunk

2621 Router :

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 xxxxx
enable password xxxx
!
ip subnet-zero
!
no ip domain lookup
!
mta receive maximum-recipients 0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed 100
!
interface FastEthernet0/0.1
 description Management
 encapsulation dot1Q 1 native
 ip address 192.168.254.254 255.255.255.0
!
interface FastEthernet0/0.251
 description H&R
 encapsulation dot1Q 251
 ip address 192.168.251.254 255.255.255.0
!
interface FastEthernet0/0.252
 description accounts
 encapsulation dot1Q 252
 ip address 192.168.252.254 255.255.255.0
!
interface FastEthernet0/0.253
 description sales
 encapsulation dot1Q 253
 ip address 192.168.253.254 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.254.253
no ip http server
!

no ip http server

!

!

!

!

Pix.

pix inside add 192.168.254.253 255.255.255.0

10 Replies

thisisshanky
Level 11

I think this is a routing issue related to the PIX.

As long as each VLAN can communicate with the others, inter-VLAN routing is working properly.

On the PIX, have you added static routes for all those subnets/VLANs?

The commands would look like this (PIX 6.x uses `route`, not `ip route`):

route inside 192.168.251.0 255.255.255.0 192.168.254.254
route inside 192.168.252.0 255.255.255.0 192.168.254.254
route inside 192.168.253.0 255.255.255.0 192.168.254.254

This way the PIX knows where to route traffic coming from the internet to the appropriate subnet.

Hope this helps.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Yep, I put these routes into the PIX, but the only subnet that could get out onto the internet was the same subnet the PIX interface is on, i.e. 192.168.254.0.

How about your NAT statement? Does it look like nat (inside) 1 0 0, or is it restricted to a particular subnet?

Sankar Nair

maiweiquan
Level 1

Add this to the 2621 router and try again:

router rip
 network 192.168.251.0
 network 192.168.252.0
 network 192.168.253.0
 network 192.168.254.0
ip route 0.0.0.0 0.0.0.0 192.168.254.253

Add this to the 2621 router and try again:

router rip
 network 192.168.251.0
 network 192.168.252.0
 network 192.168.253.0
 network 192.168.254.0
ip default-gateway 192.168.254.253

Hi,

I'm not entirely sure why maiweiquan is telling you to run RIP, as this won't achieve anything. The fact that you have only posted one line of your PIX config makes it very difficult to troubleshoot this. As mentioned by the previous poster, this could be a NAT problem, a routing problem or even an ACL problem; the fact is we won't know until you post your full configs.

One thing to try in the meantime is a 'show log' on the PIX (make sure your logging level for the internal buffer is set to debug first). This will tell you if traffic is being dropped by an ACL or if there is no valid NAT statement for the particular host addresses. It will also tell you if there is 'No route to host'.

Good luck

Teggs

Here's my PIX config. The config for the 2900 switch and 2621 router is in the first post!!

PIX CONFIG :

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 inside security99
enable password encrypted
passwd encrypted
hostname xxx
domain-name xxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.224
access-list inside_access_in remark xxxx
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxxxxxxxxx
ip address inside 192.168.1.253 255.255.255.0
ip address inside int2 192.168.254.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool xxxxx 192.168.5.1-192.168.5.20
pdm location 192.168.1.51 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.224 outside
pdm location 10.1.200.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 217.37.238.126 1
route inside 10.1.200.0 255.255.255.0 192.168.1.254 1
route inside 10.2.200.0 255.255.255.0 192.168.1.254 1
route inside 192.168.253.0 255.255.255.0 192.168.254.254 1
route inside 192.168.252.0 255.255.255.0 192.168.254.254 1
route inside 192.168.251.0 255.255.255.0 192.168.254.254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http xxxxxxx 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup drdvpn address-pool xxxxx
vpngroup drdvpn dns-server 192.168.1.4
vpngroup drdvpn wins-server 192.168.1.4 192.168.1.1
vpngroup drdvpn default-domain xxxxx
vpngroup drdvpn idle-time 1800
vpngroup drdvpn password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.40-192.168.1.49 inside
dhcpd dns xxxxxxxxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxxxxxx
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
: end
[OK]

Why is intf2 also named inside?

The following access-list:

access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any

has been applied to the inside interface using the following command:

access-group inside_access_in in interface inside

You need to permit all the remaining subnets in this access-list, so that these subnets have access to the internet.

Hope that helps.

Sankar Nair

Sorry guys, here's my actual PIX config. The one I posted earlier was an old version.

It doesn't look like there is any ACL stopping the subnets from accessing the internet.

Pix Config

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security99
enable password encrypted
passwd encrypted
hostname pix
domain-name xxxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.9 exch2003
access-list inside_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.224
access-list 101 permit tcp any host xxxxxxx eq smtp
access-list 101 permit tcp any host xxxxxxxx eq www
access-list 101 remark ActiveSync
access-list 101 permit tcp any host xxxxxxxx eq 990
access-list 101 remark ActiveSync
access-list 101 permit tcp any host xxxxxxxx eq 999
access-list 101 remark ActiveSync
access-list 101 permit tcp any host xxxxxxxx eq 5678
access-list 101 remark ActiveSync
access-list 101 permit tcp any host xxxxxxxxxx eq 5679
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xxxxxxxxxxx
ip address inside 192.168.1.253 255.255.255.0
ip address intf2 192.168.254.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool xxxxxxxxx 192.168.5.1-192.168.5.20
pdm location 192.168.1.51 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.224 outside
pdm location 10.1.200.0 255.255.255.0 inside
pdm location 10.2.200.0 255.255.255.0 inside
pdm location exch2003 255.255.255.255 inside
pdm location 192.168.200.0 255.255.255.0 inside
pdm location 192.168.1.4 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm location 192.168.50.0 255.255.255.0 inside
pdm location 192.168.253.0 255.255.255.0 inside
pdm location 192.168.251.0 255.255.255.0 inside
pdm location 192.168.252.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (intf2) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxxxxxxx exch2003 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxx 1
route inside 10.1.200.0 255.255.255.0 192.168.1.254 1
route inside 10.2.200.0 255.255.255.0 192.168.1.254 1
route inside 192.168.200.0 255.255.255.0 192.168.1.254 1
route inside 192.168.251.0 255.255.255.0 192.168.254.254 1
route inside 192.168.252.0 255.255.255.0 192.168.254.254 1
route inside 192.168.253.0 255.255.255.0 192.168.254.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

Hi,

You need to change:

route inside 192.168.251.0 255.255.255.0 192.168.254.254 1
route inside 192.168.252.0 255.255.255.0 192.168.254.254 1
route inside 192.168.253.0 255.255.255.0 192.168.254.254 1

to:

route intf2 192.168.251.0 255.255.255.0 192.168.254.254 1
route intf2 192.168.252.0 255.255.255.0 192.168.254.254 1
route intf2 192.168.253.0 255.255.255.0 192.168.254.254 1

This is purely because the host 192.168.254.254 hangs off the intf2 interface.

Good Luck

Teggs
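The two faults raised in this thread (Sankar's point that every inside interface needs a nat statement matching the outside global, and Teggs' point that a PIX static route must name the interface whose subnet actually contains the next hop) are both mechanical to check. The script below is an added example written for this page, not code from the thread or from Cisco; it parses a PIX 6.x-style 'show run' and reports routes bound to the wrong interface (with the corrected line) and interfaces with no usable NAT. The embedded config is a constructed sample modelled on the second PIX config posted above, with the outside addresses the poster elided replaced by RFC 5737 placeholders (203.0.113.x); the function and variable names are this example's own.

```python
"""Audit a PIX 6.x config for the faults discussed in this thread:
static routes bound to the wrong interface, and interfaces with no NAT."""
import ipaddress
import re

# Constructed sample modelled on the second PIX config in the thread.
# Elided outside addresses replaced with RFC 5737 documentation addresses.
SAMPLE_PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security99
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.253 255.255.255.0
ip address intf2 192.168.254.253 255.255.255.0
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (intf2) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.1.200.0 255.255.255.0 192.168.1.254 1
route inside 192.168.251.0 255.255.255.0 192.168.254.254 1
route inside 192.168.252.0 255.255.255.0 192.168.254.254 1
route inside 192.168.253.0 255.255.255.0 192.168.254.254 1
"""

NAMEIF_RE = re.compile(r"^nameif \S+ (\S+) security\d+$")
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")


def parse_pix(config):
    """Pull interface names, interface addresses, static routes and nat/global
    ids out of a PIX 6.x 'show run'. Any other line is ignored."""
    names, ifaces, routes, nat_ids, global_ids = [], {}, [], {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            names.append(m.group(1))
        elif m := IP_ADDR_RE.match(line):
            # "addr/netmask" is accepted by ip_interface, so no mask conversion needed
            ifaces[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
        elif m := ROUTE_RE.match(line):
            ifname, net, mask, nexthop, metric = m.groups()
            routes.append((ifname, ipaddress.ip_network(f"{net}/{mask}"),
                           ipaddress.ip_address(nexthop), metric or "1"))
        elif m := NAT_RE.match(line):
            nat_ids.setdefault(m.group(1), set()).add(int(m.group(2)))
        elif m := GLOBAL_RE.match(line):
            global_ids.setdefault(m.group(1), set()).add(int(m.group(2)))
    return names, ifaces, routes, nat_ids, global_ids


def route_fixes(ifaces, routes):
    """A PIX route names the interface the next hop is reached through. If the
    next hop is not inside that interface's subnet the route cannot be used.
    Returns (wrong_line, corrected_line) pairs; corrected_line is None when no
    interface owns the next hop at all."""
    fixes = []
    for ifname, net, nexthop, metric in routes:
        if ifname in ifaces and nexthop in ifaces[ifname].network:
            continue
        owners = [n for n, addr in ifaces.items() if nexthop in addr.network]
        tail = f"{net.network_address} {net.netmask} {nexthop} {metric}"
        fixes.append((f"route {ifname} {tail}",
                      f"route {owners[0]} {tail}" if owners else None))
    return fixes


def nat_gaps(names, nat_ids, global_ids):
    """Interfaces whose nat ids match no 'global (outside)' pool: hosts behind
    them get no translation and cannot reach the internet even with routing fixed."""
    pools = global_ids.get("outside", set())
    return [n for n in names
            if n != "outside" and not (nat_ids.get(n, set()) & pools)]


def audit(config):
    names, ifaces, routes, nat_ids, global_ids = parse_pix(config)
    return {"route_fixes": route_fixes(ifaces, routes),
            "nat_gaps": nat_gaps(names, nat_ids, global_ids)}


if __name__ == "__main__":
    report = audit(SAMPLE_PIX_CONFIG)
    for wrong, fixed in report["route_fixes"]:
        print(f"- {wrong}\n+ {fixed}")
    for name in report["nat_gaps"]:
        print(f"no nat on {name}")
```

Run against the sample it reports the three 192.168.25x.0 routes with `intf2` substituted for `inside`, exactly the change Teggs gives; dropping the `nat (intf2)` line reproduces the earlier state where 192.168.254.0 could route but nothing behind intf2 had a translation.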