Cisco 1841 ip routing problem

mmunoz2000
Level 1

Hello everyone!

I'm completely lost here, since I'm a newbie in this networking area.

I recently had a problem with a Cisco 1841 router that lost all configuration after a power outage. Long story short, I've been able to restore most of it, but I'm still having issues with the IP routing. This is the scenario:

I have 2 internal VLANS (1010 and 3040) configured in a ZyXEL switch.
1010 has an ip 192.168.170.1
3040 has an ip 192.168.160.1

I have a Sonicwall on the other end that acts as a gateway with ip 192.168.168.1

On the router I have interface 0/0 as outside with ip 192.168.168.54
I also have 2 subinterfaces for the vlans with the ips mentioned before.

Everything works fine on the internal network, which is 192.168.168.x

I want traffic from VLANS to go outside to the internet
I want traffic to go inside to those VLANS from the internet

So far, from the router, I can ping all the gateways and the internet.

A PC inside the 192.168.170.x network can reach the internet, but no one can reach that computer from the outside.

Please help me, I've been trying to figure this out for a week now, but I have no clue what I am missing!

See my current configuration:


!
interface FastEthernet0/0
ip address 192.168.168.54 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
ip nat inside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1010
ip address 192.168.170.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 3040
ip address 192.168.160.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.168.1
!
!
no ip http server
no ip http secure-server
ip nat source list 1 interface FastEthernet0/0 overload
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.170.0 0.0.0.255
access-list 1 permit 192.168.160.0 0.0.0.255
!
!
!


I would really appreciate any insight on this matter, since I need to have these up and running in a couple of days.

I hope you guys can help!


I was able to get it to work by doing a reload.

 

These are the results:

1) rtr can ping all the subnets

2) rtr cannot ping the internet

3) pc on the 192.168.168.x subnet can ping all the subinterfaces (192.168.170.1 and 192.168.160.1)

4) the same applies for a pc on the 192.168.170.x subnet (can ping its own gateway and other pcs on the network)

 

 

Here is the updated configuration:

 

interface FastEthernet0/0
ip address 192.168.168.54 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1010
ip address 192.168.170.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 3040
ip address 192.168.160.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
!
!
no ip http server
no ip http secure-server
!
access-list 1 deny 192.168.168.0 0.0.0.255
access-list 1 permit 192.168.170.0 0.0.0.255
access-list 1 permit 192.168.160.0 0.0.0.255

 

Any other ideas?

 

Thank you for the assistance though!!

Hello

Remove the deny statement in the NAT ACL.

When did you put that in, as it wasn’t in your OP?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

 

The deny was there because of a suggestion from someone else on this post.

 

I still see the same results.

 

I have removed it and this is the updated configuration:

 

interface FastEthernet0/0
ip address 192.168.168.54 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1010
ip address 192.168.170.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 3040
ip address 192.168.160.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
!
!
no ip http server
no ip http secure-server
!
access-list 1 permit 192.168.170.0 0.0.0.255
access-list 1 permit 192.168.160.0 0.0.0.255

 

Any other suggestions?

 

Thanks!


Hello

I don’t see this NAT statement anymore:

“ip nat inside source list 1 interface FastEthernet0/0 overload”

If you don’t have it now, please reapply it.

 



Kind Regards
Paul

Hi,

 

I have applied the change and now I see NAT translation happening.

 

Still cannot access from one subnet to the other.

 

here is the updated configuration:

 

interface FastEthernet0/0
ip address 192.168.168.54 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1010
ip address 192.168.170.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 3040
ip address 192.168.160.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.170.0 0.0.0.255
access-list 1 permit 192.168.160.0 0.0.0.255

 

Any other suggestions?

Hello

 

3) pc on the 192.168.168.x subnet can ping all the subinterfaces (192.168.170.1 and 192.168.160.1)

 

4) the same applies for a pc on the 192.168.170.x subnet (can ping its own gateway and other pcs on the network)

 

Thought you said you had connectivity between vlans. 

 

Okay, just for clarification, post the full configuration of that rtr please.



Kind Regards
Paul

Sorry if I wasn't clear, but the PCs can see each other on their own subnet.

The problem I'm trying to solve is that the vlans cannot see each other.

I cannot ping computers from 192.168.168.x to 192.168.170.x

They both have internet, but they cannot see each other.

Any other suggestions? I feel there is something in the NAT that I'm missing.

Hello

NAT really shouldn’t have anything to do with it.

Can you confirm:

1) Do clients from either VLAN have a default gateway of their respective rtr L3 IP address?

2) Make sure the switchport on the switch connecting to the rtr is in a trunk.

3) Post the full configuration of the rtr.

 

 



Kind Regards
Paul

Clients have their own gateway pointing to the subinterfaces.

 

I will be able to validate the switchports tomorrow, since I do not have physical access to the switches right now.

 

How do I get the full configuration?

 

Hello

 


@mmunoz2000 wrote:

 how do i get the full configuration? 


 

On the rtr 

sh running-config

 

Copy and post the output.

 



Kind Regards
Paul

Hi,

 

Here is the full configuration:

 

AP-CISCO-01#sh running-config
Building configuration...

Current configuration : 1172 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AP-CISCO-01
!
boot-start-marker
boot config flash:last-router-confg
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.168.54 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1010
ip address 192.168.170.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 3040
ip address 192.168.160.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.170.0 0.0.0.255
access-list 1 permit 192.168.160.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end

 

Let me know if you see anything that needs to be changed.

 

Thanks!!

 

Hello

You are missing a default route towards your Fw, which again was in your OP but now isn’t?

 

Please apply:

conf t
ip routing
ip route 0.0.0.0 0.0.0.0 fa0/0 192.168.168.1
end
wr

 

(assuming that the IP address above is the Fw LAN IP address)

What’s the reasoning? The VLAN numbering is quite sporadic - why do you have 1010 and 3040, which would indicate extended VLANs? As I am not familiar with that type of switch, it could be something to look into, but not yet.

Lastly - when you get the chance, confirm the switchport mode of the port connecting to the rtr.

 

 



Kind Regards
Paul
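
The two omissions found in this thread (the missing `ip nat inside source ... overload` line and the missing default route) can be checked mechanically against a saved running-config. The following is an added example, not part of any post in the thread; the `audit` function, its finding labels and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: trimmed from the running-config posted above (no default route).
SAMPLE = """\
interface FastEthernet0/0
ip address 192.168.168.54 255.255.255.0
ip nat outside
!
interface FastEthernet0/1.1
ip address 192.168.170.1 255.255.255.0
ip nat inside
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.170.0 0.0.0.255
"""

def audit(config: str) -> list[str]:
    """Return labels (hypothetical names) for NAT/routing omissions in an IOS config."""
    roles, acls, nat_rules, default_route = {}, set(), [], False
    current = None  # interface block being parsed; "!" closes it
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
        elif line == "!":
            current = None
        elif current and line in ("ip nat inside", "ip nat outside"):
            roles[current] = line.split()[-1]
        elif m := re.match(r"access-list (\d+) (permit|deny) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"ip nat inside source list (\d+) interface (\S+) overload", line):
            nat_rules.append((m.group(1), m.group(2)))
        elif line.startswith("ip route 0.0.0.0 0.0.0.0 "):
            default_route = True
    findings = []
    if "inside" in roles.values() and not nat_rules:
        findings.append("no-nat-overload-rule")
    for acl, iface in nat_rules:
        if acl not in acls:
            findings.append(f"nat-acl-{acl}-undefined")
        if roles.get(iface) != "outside":
            findings.append(f"nat-interface-{iface}-not-outside")
    if not default_route:
        findings.append("no-default-route")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
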

I added the ip route to the Fw and now the rtr can ping the internet.

 

The VLANs were already configured this way and I really don't know if there is a reason for it.

 

I will be able to check the port connectivity tomorrow morning at around 7am EST. I was able to access the switch and verify that the ports are configured correctly, but I cannot guarantee that they are physically connected to those ports.

 

Is there any other way to validate that the trunk is working the way it should?

 

Thanks for all your help!

 

Another thing I noticed is that a PC on the 192.168.168.x network cannot ping the subinterface 192.168.170.1 or the 192.168.160.1

 

Not sure if this might help diagnose the problem.

 

Thanks!!

Hello

You shouldn’t have any PC on 192.168.168.0/24; that’s your Fw subnet, not a LAN subnet.



Kind Regards
Paul