Cisco 1841 ip routing problem

mmunoz2000
Level 1

Hello everyone!

I'm completely lost here, since I'm a newbie on this networking area.

I recently had a problem with a Cisco 1841 router that lost all configuration after a power outage. Long story short, I've been able to restore most of it, but I'm still having issues with the IP routing. This is the scenario:

I have 2 internal VLANS (1010 and 3040) configured in a ZyXEL switch.
1010 has an ip 192.168.170.1
3040 has an ip 192.168.160.1

I have a Sonicwall on the other end that acts as a gateway with ip 192.168.168.1

On the router I have interface 0/0 as outside with ip 192.168.168.54
I also have 2 subinterfaces for the vlans with the ips mentioned before.

Everything works fine on the internal network, which is 192.168.168.x

I want traffic from VLANS to go outside to the internet
I want traffic to go inside to those VLANS from the internet

So far, from the router, I can ping all the gateways and the internet.

A PC inside the 192.168.170.x network can reach the internet, but no one can reach that computer from the outside.

Please help me, I've been trying to figure this out for a week now, but I have no clue what I am missing!

See my current configuration:


!
interface FastEthernet0/0
ip address 192.168.168.54 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
ip nat inside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1010
ip address 192.168.170.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 3040
ip address 192.168.160.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.168.1
!
!
no ip http server
no ip http secure-server
ip nat source list 1 interface FastEthernet0/0 overload
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.170.0 0.0.0.255
access-list 1 permit 192.168.160.0 0.0.0.255
!
!
!


I would really appreciate any insight on this matter, since I need to have these up and running in a couple of days.

I hope you guys can help!


Hello

Can you share the IP configuration of a host on each VLAN, please?

IP address/subnet mask/default-gateway

And just for validation purposes, can you attach a laptop to either VLAN 1010 or 3040 and perform a ping test between each of these VLANs?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Attached a screenshot of PC on 192.168.170.0/24 network

On this 192.168.170.2 computer, these are the ping results:

ping 192.168.168.1 success (FW)

ping 192.168.170.1 success (rtr subinterface 0/1.1)

ping 192.168.168.68 success (a PC on the 192.168.168.0/24 network)

ping 8.8.8.8 success

ping 192.168.160.1 success (rtr subinterface 0/1.2)

ping 192.168.160.110 unsuccessful (pc on the 1010 vlan)

Host on VLAN 3040 will be similar, but those are cameras, and I don't have access to them at the moment. But the gateway configured on those is 192.168.160.1

Hello,

I am not sure if I have read everything in this post, but what is the native VLAN on your switch? Have you posted the full config of the switch somewhere here already, and if not, can you?

The switch is a ZyXEL GS 1920.

My rtr is connected 0/0 on port 20 and 0/1 on port 46

Here is the config:

GS1920# sh running-config
Building configuration...

Current configuration:

vlan 1
name 1
normal ""
fixed 1-2,4-5,7-50
forbidden 3,6
untagged 1-45,47-50
ip address default-management 192.168.168.26 255.255.255.0
ip address default-gateway 192.168.168.1
exit
vlan 1010
name VoIP
normal 49-50
fixed 1-4,6,10,12-14,16-17,21-23,25,30,33-34,37,39,45-48
forbidden 5,7-9,11,15,18-20,24,26-29,31-32,35-36,38,40-44
untagged 1-3,5,7-9,11,15,18-20,24,26-29,31-32,35-36,38,40-44
exit
vlan 3040
name Cameras
normal 1-9,12-16,18-23,25-45,49-50
fixed 17,24,46-48
forbidden 10-11
untagged 10-11,24
exit
interface vlan 1
exit
interface vlan 1010
exit
interface vlan 3040
exit
interface port-channel 1
name "PBX"
pvid 1010
exit
interface port-channel 2
name "VoIP Gateway"
pvid 1010
exit
interface port-channel 3
name "Paging system"
pvid 1010
exit
interface port-channel 4
name Shanaya
exit
interface port-channel 10
pvid 1010
exit
interface port-channel 12
pvid 1010
exit
interface port-channel 14
name Troy
exit
interface port-channel 17
vlan-trunking
exit
interface port-channel 20
name " "
exit
interface port-channel 21
name Even
exit
interface port-channel 22
name Ron
exit
interface port-channel 23
name recieving
exit
interface port-channel 24
pvid 3040
exit
interface port-channel 34
name "Conf. room"
exit
interface port-channel 37
name " "
exit
interface port-channel 46
name " "
vlan-trunking
exit
interface port-channel 47
vlan-trunking
exit
interface port-channel 48
vlan-trunking
exit
time timezone -500
time daylight-saving-time
time daylight-saving-time start-date first sunday march 0
time daylight-saving-time end-date first sunday november 0
timesync server 130.207.244.240
timesync ntp
snmp-server location "Server room 1"
service-control http 80 60
rmon statistics etherstats 1 port-channel 1
rmon statistics etherstats 2 port-channel 2
rmon statistics etherstats 3 port-channel 3
rmon statistics etherstats 4 port-channel 4
rmon statistics etherstats 5 port-channel 5
rmon statistics etherstats 6 port-channel 6
rmon statistics etherstats 7 port-channel 7
rmon statistics etherstats 8 port-channel 8
rmon statistics etherstats 9 port-channel 9
rmon statistics etherstats 10 port-channel 10
rmon statistics etherstats 11 port-channel 11
rmon statistics etherstats 12 port-channel 12
rmon statistics etherstats 13 port-channel 13
rmon statistics etherstats 14 port-channel 14
rmon statistics etherstats 15 port-channel 15
rmon statistics etherstats 16 port-channel 16
rmon statistics etherstats 17 port-channel 17
rmon statistics etherstats 18 port-channel 18
rmon statistics etherstats 19 port-channel 19
rmon statistics etherstats 20 port-channel 20
rmon statistics etherstats 21 port-channel 21
rmon statistics etherstats 22 port-channel 22
rmon statistics etherstats 23 port-channel 23
rmon statistics etherstats 24 port-channel 24
rmon statistics etherstats 25 port-channel 25
rmon statistics etherstats 26 port-channel 26
rmon statistics etherstats 27 port-channel 27
rmon statistics etherstats 28 port-channel 28
rmon statistics etherstats 29 port-channel 29
rmon statistics etherstats 30 port-channel 30
rmon statistics etherstats 31 port-channel 31
rmon statistics etherstats 32 port-channel 32
rmon statistics etherstats 33 port-channel 33
rmon statistics etherstats 34 port-channel 34
rmon statistics etherstats 35 port-channel 35
rmon statistics etherstats 36 port-channel 36
rmon statistics etherstats 37 port-channel 37
rmon statistics etherstats 38 port-channel 38
rmon statistics etherstats 39 port-channel 39
rmon statistics etherstats 40 port-channel 40
rmon statistics etherstats 41 port-channel 41
rmon statistics etherstats 42 port-channel 42
rmon statistics etherstats 43 port-channel 43
rmon statistics etherstats 44 port-channel 44
rmon statistics etherstats 45 port-channel 45
rmon statistics etherstats 46 port-channel 46
rmon statistics etherstats 47 port-channel 47
rmon statistics etherstats 48 port-channel 48
rmon statistics etherstats 49 port-channel 49
rmon statistics etherstats 50 port-channel 50
voice-vlan 1010
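
Added example, not part of the original post and not ZyXEL tooling: it parses the VLAN membership lines of the running-config above and reports, for a given port, which VLANs it is a fixed member of and whether frames leave it tagged. It assumes the usual ZyXEL static-VLAN meaning of the keywords (`fixed` = permanent member, `forbidden` = never a member, `normal` = may join dynamically and is ignored here, `untagged` = egress without a tag); the function names are hypothetical.

```python
# Constructed input: the three VLAN stanzas from the post, trimmed to membership lines.
CONFIG = """\
vlan 1
normal ""
fixed 1-2,4-5,7-50
forbidden 3,6
untagged 1-45,47-50
vlan 1010
normal 49-50
fixed 1-4,6,10,12-14,16-17,21-23,25,30,33-34,37,39,45-48
forbidden 5,7-9,11,15,18-20,24,26-29,31-32,35-36,38,40-44
untagged 1-3,5,7-9,11,15,18-20,24,26-29,31-32,35-36,38,40-44
vlan 3040
normal 1-9,12-16,18-23,25-45,49-50
fixed 17,24,46-48
forbidden 10-11
untagged 10-11,24
"""

KEYS = ("normal", "fixed", "forbidden", "untagged")

def expand(spec):
    """Turn a port list such as '1-3,5' into {1, 2, 3, 5}."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_vlans(text):
    """Return {vid: {keyword: set_of_ports}} for every 'vlan <id>' stanza."""
    vlans, vid = {}, None
    for line in text.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "vlan" and words[1].isdigit():
            vid = int(words[1])
            vlans[vid] = {k: set() for k in KEYS}
        # An empty list is written as "" and is skipped by the digit check.
        elif vid is not None and len(words) == 2 and words[0] in KEYS and words[1][0].isdigit():
            vlans[vid][words[0]] = expand(words[1])
    return vlans

def port_view(vlans, port):
    """Assumed semantics: only 'fixed' membership counts; 'untagged' picks egress tagging."""
    return {vid: ("untagged" if port in v["untagged"] else "tagged")
            for vid, v in sorted(vlans.items()) if port in v["fixed"]}

for port in (20, 46):  # the two switch ports the router is plugged into
    print(port, port_view(parse_vlans(CONFIG), port))
```

Under those assumptions, port 20 comes out as an untagged member of VLAN 1 only, while port 46 carries VLANs 1, 1010 and 3040, all tagged.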

Hello,

--> My rtr is connected 0/0 on port 20 and 0/1 on port 46

What do you mean by that? FastEthernet0/0 is connected to the SonicWall and 0/1 to the Zyxel switch?

Both ports are connected to the switch, and the switch is connected with the sonicwall.

Hello,

As I said, I might have missed something in this post, but I don't see how this setup is going to work. Try and connect the switch to FastEthernet0/0 and FastEthernet0/0 to the SonicWall...

Switch --> Router --> SonicWall

At this point all I'm looking for is for the 192.168.168.0/24 network to be able to see the VLANS.

Do you think this is possible?

Hello

Okay, this seems okay to me, so thanks. Would you check if your PCs have any software firewall enabled to negate ICMP echo?

Easiest thing to do is to just disable any software firewall on the PCs and test ping again

Kind Regards
Paul

Hello

The 192.168.168.0/24 network won't at this time, because its default gateway is that of the FW and not the router, and you don't have a subinterface for that VLAN. This can easily be rectified, but let's sort out the inter-VLAN communication first for VLAN 1010-3040

Kind Regards
Paul

On a side note, are all VLANs on the trunk port of the Zyxel switch tagged? I am not sure how the Zyxel works with Cisco, but I think the default is TX tag/Untag_pvid. You might want to change that to tag_all.

@georg

At this time I am reluctant to change anything other than focusing on retrieving as much information from the OP as possible through various troubleshooting steps and relying on them to provide this information.

However, just to give you some background information: the OP stated that they had lost the original rtr configuration, nothing more, and prior to that everything was working, so the focus had been not to touch anything of the original physical setup.

The physical setup has the FW and the RT with switch handoffs between each other, which isn't a bad thing.

Now two things were not working (NAT and inter-VLAN routing).

However, NAT is now working, although after seeing the FW routing for the first time, not sure NAT should be, and today also for the first time we have seen the switch config.

The rtr config for inter-VLAN routing and the pings confirm this should now be working accordingly; however, at this time PC to PC across these two VLANs isn't.

Kind Regards
Paul

I looked into the firewall settings on the host and everything looks fine. I even disabled it to make a test and still no ping response.

I did notice on my switch that the port 20 (where the rtr 0/1 interface is connected) is not a vlan trunk, while the port 46 (where the 0/0 interface is connected) is a vlan trunk. Do you think this might have something to do with it?

Thanks!

The port needs to be a trunk, you need to carry multiple Vlans to the router...

Hi Mmunoz,

Earlier you gave this info: My rtr is connected 0/0 on port 20 and 0/1 on port 46

Your answer to Paul says different, could you please check?

With the info My rtr is connected 0/0 on port 20 and 0/1 on port 46

I read your config as

- the outside interface 0/0 of your router is connected to switch port 20

- the switch accepts untagged packets as vlan-1 (network 192.168.168.0/24) and can forward this to your firewall for internet access.

->this port behaves as an access port on vlan-1

- the inside interface has two subinterfaces on the inside 0/1 that send tagged packets to the switch connected to port 46

- vlan 1010 is "fixed" on port 46

- vlan 3040 is "fixed" on port 46

->port 46 behaves as a vlan "trunk"

Also, do I understand correctly?

- untagged means the switch sends packets for this vlan untagged out of this port

- fixed means this vlan sends packets for this vlan untagged out of this port

- forbidden means the switch does NOT accept tagged packets for this vlan

- but what behaviour is "normal"?

I don't understand how this works:

     vlan 1
     untagged 1-45,47-50

     vlan 1010
     untagged 1-3,5,7-9,11,15,18-20,24,26-29,31-32,35-36,38,40-44

untagged packets for both vlan 1 AND vlan 1010 on overlapping ports?