Allow Internet traffic from vlan

Dea.Loro
Level 1

I have different VLANs configured under FastEthernet 0/0 on a Cisco 2801 router.

 

VLAN 50 is connected to a new switch, and configured probably, but the devices on VLAN 50 can't access the internet, so I need to allow internet access from VLAN 50.

 

interface FastEthernet0/0.50
description voice vlan
encapsulation dot1Q 50
ip address 10.50.100.1 255.255.255.0

19 Replies

Jaderson Pessoa
VIP Alumni

Does your router have a NAT configuration for this VLAN?

Jaderson Pessoa
*** Rate All Helpful Responses ***

luis_cordova
VIP Alumni

Hi @Dea.Loro ,

 

Start with this:


1- Verify that vlan 50 is included in the trunk connection that the switch communicates with the router.

2- Verify that the router has a default route, pointing to the interface that gives you internet access.

3- Verify that the network associated with vlan 50 is included in the nat.

4- Verify that inside the subinterface f0/0.50 you have configured the command ip nat inside.

 

Regards

Please see attached running config. I changed couple of settings for security reasons.

Hello, apply these settings, please.

 

 

interface FastEthernet0/0.50
description voice vlan
encapsulation dot1Q 50
ip address 10.50.100.1 255.255.255.0

ip nat inside

 

ip nat pool Voice 10.16.12.248 10.16.12.248 netmask 255.255.255.0
ip nat inside source list 50 pool Voice overload

ip nat inside source list 5 interface Serial0/2/0 overload

 

access-list 50 permit ip 10.150.44.0 0.0.0.255 10.2.4.0 0.0.0.255

access-list 5 permit 10.50.100.0 0.0.0.255

 

and check connections.

Jaderson Pessoa
*** Rate All Helpful Responses ***

Excellent, I will try it next week and keep you updated. We have internal policies related to network changes, and I have to follow them.

 

 

Hello,

 

your access list 50 doesn't look right, as the destination is not 'any' (the Internet), but 10.2.4.0/24.

 

Make the changes marked in bold:

 

version 12.3
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname 2801
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret ?????????????????????
!
clock timezone CDT -6
clock summer-time CDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
aaa authentication login default local
aaa authentication login vtymethod group tacacs+ line
aaa authentication login conmethod line
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default none
aaa authorization config-commands
aaa authorization exec default local group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
ip subnet-zero
ip cef
!
ip dhcp excluded-address 10.16.12.1
ip dhcp excluded-address 10.16.22.250 10.16.22.254
ip dhcp excluded-address 10.16.22.248
!
ip dhcp pool phones
network 10.16.12.0 255.255.255.0
option 150 ip 10.2.4.4
default-router 10.16.12.1
dns-server 8.8.8.8 8.8.4.4
!
ip domain name domain.com
ip multicast-routing
no ftp-server write-enable
!
voice-card 0
!
ccm-manager redundant-host 10.2.4.5
ccm-manager mgcp
ccm-manager music-on-hold
ccm-manager config server 10.2.4.4
ccm-manager config
!
username tah privilege 15 password 7 ?????????????????
username Cisco privilege 15 password 7 ????????????????
username CTS password 7 ?????????????????????????
!
class-map match-any AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
match ip dscp cs3
match ip dscp af31
!
policy-map AutoQoS-Policy-Trust
class AutoQoS-VoIP-RTP-Trust
priority percent 70
class AutoQoS-VoIP-Control-Trust
bandwidth percent 5
class class-default
fair-queue
!
buffers small permanent 100
buffers middle permanent 150
!
interface Tunnel0
description Backup to ????????????
bandwidth 768
ip address 10.151.1.134 255.255.255.252
tunnel source FastEthernet0/1
tunnel destination ??.??.??.252
!
interface Loopback0
ip address ??.???.???.1 255.255.255.248
!
interface FastEthernet0/0
description INFO
no ip address
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/0.2
description Voice VLAN
encapsulation dot1Q 2
ip address 10.16.12.1 255.255.255.0
ip pim sparse-dense-mode
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 10.150.44.250 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.4
description DMZ (Public) VLAN
encapsulation dot1Q 4
ip nat inside
!
interface FastEthernet0/0.50
description voice vlan
encapsulation dot1Q 50
ip address 10.50.100.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
description Backup Interface
ip address 10.24.24.5 255.255.255.252
duplex auto
speed auto
!
interface Serial0/2/0
bandwidth 1536
ip address 10.300.207.2 255.255.255.252
ip pim sparse-dense-mode
ip nat outside
service-policy output AutoQoS-Policy-Trust
encapsulation ppp
load-interval 30
auto qos voip trust
!
ip local pool pptp 192.168.1.10 192.168.1.20
ip classless
ip route 0.0.0.0 0.0.0.0 10.300.207.1
ip route 10.16.12.0 255.255.255.0 10.300.207.1
ip route ??.???.??.252 255.255.255.255 ??.??.??.?85
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip pim bidir-enable
ip pim autorp listener
ip mroute 0.0.0.0 0.0.0.0 10.300.207.1
ip nat pool Voice 10.16.12.248 10.16.12.248 netmask 255.255.255.0
ip nat inside source list 50 pool Voice overload
ip nat inside source list 1 interface Serial0/2/0 overload
ip tacacs source-interface FastEthernet0/0.2
!
access-list 1 permit 10.50.100.0 0.0.0.255
!
access-list 50 permit ip 10.150.44.0 0.0.0.255 10.2.4.0 0.0.0.255
snmp-server community Voice11 RW
!
tacacs-server host ??.??.??.?58
tacacs-server host ??.??.??.?4
tacacs-server timeout 2
tacacs-server directed-request
tacacs-server key 7 ?????????????????
!
control-plane
!
rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
rmon alarm 33333 cbQosCMDropBitRate.1060.1055 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
!
line con 0
exec-timeout 240 0
password 7 ??????????????????
login authentication conmethod
line aux 0
password 7 ??????????????
line vty 0 4
password 7 ??????????????
login authentication vtymethod
transport input ssh
line vty 5 15
password 7 ????????????????
login authentication vtymethod
transport input telnet ssh
!
ntp clock-period 17178224
ntp server 216.239.35.0
end

Why did you put the NAT on "interface FastEthernet0/0.3"? I need it only for interface FastEthernet0/0.50.

Typo. Remove ip nat inside from that interface...

 

Curious to know if you get it to work....

rsrs keep calm ^^
Jaderson Pessoa
*** Rate All Helpful Responses ***

Didn't work. Used IP Packet and found an issue with routing. Keep getting "unroutable"

 

*Feb 25 18:38:31.643: IP: tableid=0, s=10.50.100.1 (local), d=10.50.100.150 (FastEthernet0/0.100), routed via FIB
*Feb 25 18:38:31.643: IP: s=10.50.100.1 (local), d=10.50.100.150 (FastEthernet0/0.100), len 56, sending
*Feb 25 18:38:31.643:     ICMP type=3, code=1
*Feb 25 18:38:31.967: IP: tableid=0, s=10.50.100.1 (local), d=10.150.44.45 (FastEthernet0/0.3), routed via FIB
*Feb 25 18:38:31.967: IP: tableid=0, s=10.50.100.1 (local), d=10.150.44.45 (FastEthernet0/0.3), routed via FIB
*Feb 25 18:38:32.642: IP: s=10.50.100.150 (FastEthernet0/0.100), d=8.8.8.8, len 84, unroutable
*Feb 25 18:38:32.642:     ICMP type=8, code=0
*Feb 25 18:38:32.642: IP: tableid=0, s=10.50.100.1 (local), d=10.50.100.150 (FastEthernet0/0.100), routed via FIB
*Feb 25 18:38:32.642: IP: s=10.50.100.1 (local), d=10.50.100.150 (FastEthernet0/0.100), len 56, sending
*Feb 25 18:38:32.642:     ICMP type=3, code=1
 
10.150.44.45: Internal AD Server

ip nat pool Voice 10.16.12.248 10.16.12.248 netmask 255.255.255.0
ip nat inside source list 50 pool Voice overload
ip nat inside source list 5 interface Serial0/2/0 overload
ip tacacs source-interface FastEthernet0/0.2
!
access-list 1 permit 10.50.100.0 0.0.0.255 any   <  change from 1 to 5 this access-list.
access-list 50 permit ip 10.150.44.0 0.0.0.255 10.2.4.0 0.0.0.255

 

Thanks in advance.

Jaderson Pessoa
*** Rate All Helpful Responses ***

I just found that the Serial0/2/0 interface is down. I think the voice system is getting Internet from a different interface.

Didn't work, so I ran debug ip packet and keep getting "unroutable".

 

*Feb 25 18:38:31.643: IP: tableid=0, s=10.50.100.1 (local), d=10.50.100.150 (FastEthernet0/0.100), routed via FIB
*Feb 25 18:38:31.643: IP: s=10.50.100.1 (local), d=10.50.100.150 (FastEthernet0/0.100), len 56, sending
*Feb 25 18:38:31.643: ICMP type=3, code=1
*Feb 25 18:38:31.967: IP: tableid=0, s=10.50.100.1 (local), d=10.150.44.45 (FastEthernet0/0.3), routed via FIB
*Feb 25 18:38:31.967: IP: tableid=0, s=10.50.100.1 (local), d=10.150.44.45 (FastEthernet0/0.3), routed via FIB
*Feb 25 18:38:32.642: IP: s=10.50.100.150 (FastEthernet0/0.100), d=8.8.8.8, len 84, unroutable
*Feb 25 18:38:32.642: ICMP type=8, code=0
*Feb 25 18:38:32.642: IP: tableid=0, s=10.50.100.1 (local), d=10.50.100.150 (FastEthernet0/0.100), routed via FIB
*Feb 25 18:38:32.642: IP: s=10.50.100.1 (local), d=10.50.100.150 (FastEthernet0/0.100), len 56, sending
*Feb 25 18:38:32.642: ICMP type=3, code=1

 

10.150.44.45: Internal AD Server

 

Attached the latest config file

Hello,

You applied the wrong ACL in the NAT configuration. Please just run the command below:

 

access-list 5 permit 10.50.100.0 0.0.0.255

Jaderson Pessoa
*** Rate All Helpful Responses ***
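
The NAT checks discussed in this thread (the VLAN 50 subinterface marked ip nat inside, the egress interface marked ip nat outside, and the NAT rule pointing at an access list that exists and matches 10.50.100.0/24), written as an added example that is not part of any post. `check_nat`, `POSTED` and `FIXED` are hypothetical names, the sample is constructed from lines posted above, and only numbered standard ACLs (1-99) and interface-overload rules are parsed.

```python
import ipaddress
import re

# Constructed sample assembled from lines posted in the thread: the NAT rule
# points at list 5, but the only ACL is numbered 1 and carries a destination.
POSTED = """\
interface FastEthernet0/0.50
 ip address 10.50.100.1 255.255.255.0
 ip nat inside
interface Serial0/2/0
 ip nat outside
ip nat inside source list 5 interface Serial0/2/0 overload
access-list 1 permit 10.50.100.0 0.0.0.255 any
"""
FIXED = POSTED.replace("access-list 1", "access-list 5").replace(" any\n", "\n")

def check_nat(config, subnet):
    """Hypothetical helper: list what blocks PAT for `subnet` in an IOS config."""
    net = ipaddress.ip_network(subnet)
    iface, nets, role, acls, rules = None, {}, {}, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            nets[iface] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"ip nat (inside|outside)$", line):
            role[iface] = m[1]
        elif m := re.match(r"ip nat inside source list (\d+) interface (\S+) overload$", line):
            rules.append((int(m[1]), m[2]))
        elif m := re.match(r"access-list (\d+) permit (.+)", line):
            acls.setdefault(int(m[1]), []).append(m[2].split())
    out = []
    if not any(role.get(i) == "inside" for i, n in nets.items() if n == net):
        out.append(f"no 'ip nat inside' interface on {net}")
    # Standard ACLs (1-99) take a source only: "any", "host A" or "A wildcard".
    bad = {n for n, rs in acls.items() if n <= 99
           and any(len(r) > 2 or r[0] == "ip" for r in rs)}
    out += [f"access-list {n}: extended syntax in a standard ACL" for n in sorted(bad)]
    covered = False
    for num, outside in rules:
        if num not in acls:
            out.append(f"NAT rule references undefined access-list {num}")
        if role.get(outside) != "outside":
            out.append(f"{outside} is not 'ip nat outside'")
        for r in ([] if num in bad else acls.get(num, [])):
            covered |= r == ["any"] or (len(r) == 2 and r[0] != "host" and
                net.subnet_of(ipaddress.ip_network("/".join(r), strict=False)))
    if not covered:
        out.append(f"no NAT rule's ACL permits {net}")
    return out
```

`check_nat(POSTED, "10.50.100.0/24")` reports the ACL syntax and numbering mismatches, and `check_nat(FIXED, "10.50.100.0/24")` returns an empty list. A clean result does not cover the routing side: the "unroutable" debug output and the down Serial0/2/0 interface still have to be checked on the router.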