Cannot Reach Host on Cisco Switch

jpanzica747 · ‎10-23-2019

Hi Folks,

I have the following general topology:

Cable Modem <--> LinkSys Router <--> Cisco Router <--> Cisco Switch

I am trying to reach a host on the Cisco switch from a host on the LinkSys router. I am able to SSH to the Cisco router and reach that no problem. I am able to then SSH to the Cisco switch from the Cisco router. But cannot SSH directly to the Cisco Switch from a host on the the LinkSys router. Also, another piece of information is that I can reach the Internet from a host on the Cisco switch.

Can anyone please help me to debug this or figure out why I cannot reach hosts from the Linksys router to the Cisco switch please?

Attached are my configs on router and switch.

jpanzica747 · ‎10-23-2019

Seb Rupik · ‎10-23-2019

Hi there,

you have dynamic NAT configure for your outbound connections which is why you have internet access.

You need to configure static NAT to allow connections from the Linksys router to hosts routed on the inside of the cisco router. This has to be done on a per-host basis:

!
ip nat inside source static <inside_host_ip> 22 <outside_interface_IP> 22
!

cheers,

Seb.

jpanzica747 · ‎10-23-2019

I was hoping for something more dynamic where I could reach any host on any port from either network. Is this not possible? Should I consider maybe making the 192.168.1.0/24 network a 10.10.0.0/16 network to make this work better?

Also, I tried creating the static nat route you suggested and it borked my setup and had to reload. I could not run the syntax you gave me, but had to do the following instead:

!
ip nat inside source static 10.10.30.248 192.168.1.128
!

It would not allow me to enter port numbers.

If I can keep the seperate 192.168.1.0/24 and 10.10.0.0/16 networks, I would prefer to. But if it is a must to be able to have them communicate with each each other, I will do that. Please let me know what you think and thank you for your help, I am still learning about a lot of this stuff.

Seb Rupik · ‎10-23-2019

ahh I forgot the transport keyword! try:

!
ip nat inside source static tcp 10.10.30.248 22 192.168.1.128 2222
!

I've adjusted it slightly so an ssh connection to the outside interface (192.168.1.128) will still get you onto the router. Now, instead from the 'outside' SSH to port TCP/2222 should NAT to 10.10.30.248:22 .

cheers,

Seb.

paul driver · ‎10-23-2019

Hello

Cisco rtr is connected to the Linksys rtr but you have nat on the Cisco - so so are you double natting?

regards the Cisco rtr config

No ip route 0.0.0.0 0.0.0.0 192.168.11.1
No access-list 1 permit any
no ip source route

As for the switch I assume your clients attaching to this switch are are on one of vlans you have defined in the Cisco router which looks like either vlan1-10-20 and they have the correct op addressing subnet and default gateway applied- can they ping their own gateway ip address?

As for the Linksys configuration you mention any detail about this?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

jpanzica747 · ‎10-27-2019

I really want the two networks to be able to talk with each other without having to manually port forward everything. Is the only way to accomplish this by making the 192.168.1.1/24 a 10.0.0.0/16 network?

Seb Rupik · ‎10-28-2019

You don't need any NAT on the cisoc router at all. The only caveat to this solution is that the Microtek router needs to be capable of configuring its routing table, either via dynamic IGP or statically.

For every subnet that is routed on the Cisco router ensure that the subnet appears in the microtek routers routing table with the next-hop address being the Cisco routers IP address used on the segment between the two routers.

eg:

ip route 10.10.10.0 255.255.255.0 <cisoc_rtrs_gi0/0_ip>
ip route 10.10.20.0 255.255.255.0 <cisoc_rtrs_gi0/0_ip>
ip route 10.10.30.0 255.255.255.0 <cisoc_rtrs_gi0/0_ip>

cheers,

Seb.