Cisco 1841 ip routing problem

mmunoz2000
Level 1

Hello everyone!

I'm completely lost here, since I'm a newbie in this networking area.

I recently had a problem with a Cisco router 1841 that lost all configuration after a power outage. Long story short, I've been able to restore most of it, but I'm still having issues with the IP routing. This is the scenario:

I have 2 internal VLANS (1010 and 3040) configured in a ZyXEL switch.
1010 has an ip 192.168.170.1
3040 has an ip 192.168.160.1

I have a Sonicwall on the other end that acts as a gateway with ip 192.168.168.1

On the router I have interface 0/0 as outside with ip 192.168.168.54
I also have 2 subinterfaces for the vlans with the ips mentioned before.

Everything works fine on the internal network, which is 192.168.168.x

I want traffic from VLANS to go outside to the internet
I want traffic to go inside to those VLANS from the internet

So far, from the router, I can ping all the gateways and the internet.

A PC inside the 192.168.170.x network can reach the internet, but no one can reach that computer from the outside.

Please help me, I've been trying to figure this out for a week now, but I have no clue what I am missing!!!

See my current configuration:


!
interface FastEthernet0/0
ip address 192.168.168.54 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
ip nat inside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1010
ip address 192.168.170.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 3040
ip address 192.168.160.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.168.1
!
!
no ip http server
no ip http secure-server
ip nat source list 1 interface FastEthernet0/0 overload
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.170.0 0.0.0.255
access-list 1 permit 192.168.160.0 0.0.0.255
!
!
!


I would really appreciate any insight on this matter, since I need to have these up and running in a couple of days.

I hope you guys can help!

62 Replies

Not sure I'm following you....all my clients are on this network.

 

Is there anything I'm missing here?

Hello

Your clients should be on vlans 1010 = 192.168.170.0/24 or 3040 = 192.168.160.0/24.

 

You even confirmed this in previous posts?

 

no clients should be on 192.168.168.0/24 subnet

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

1010 is a vlan for VoIP and 3040 is a vlan for cameras.

The PCs, servers, etc., are on the 192.168.168.0/24 network.

Hello

It seems you haven't told the full story and as such we've been going around in circles!

Anyway, that's what your problem is:

192.168.168.0/24 isn't routable from the switch and rtr for inter-vlan communication.

 

So to clarify:

At present no clients on any vlan, be it voip, cameras or this 192.168.168.0/24, can speak to each other, correct? Or is it just the 192.168.168.0/24?

But they all have internet connectivity?



Kind Regards
Paul

That is correct...they all have internet access, but they cannot see each other.

Sorry for all the confusion and if I wasn't clear from the beginning.

Hello

have you applied that last configuration I posted?

 

 



Kind Regards
Paul

I did apply all the changes you suggested.

 

Here is the full configuration:

AP-CISCO-01#sh running-config
Building configuration...

Current configuration : 1227 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AP-CISCO-01
!
boot-start-marker
boot config flash:last-router-confg
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.168.54 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1010
ip address 192.168.170.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 3040
ip address 192.168.160.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 192.168.168.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.170.0 0.0.0.255
access-list 1 permit 192.168.160.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end

 

 

Thanks!

Hello

So as it stands, 192.168.168.0/24 users will not be able to speak to the other vlan users. But for the vlan 1010 and 3040 users, these should be able to communicate with each other unless the switch is configured incorrectly.

 

The switch needs a trunk connection on the port connecting the rtr, and it needs to have ip routing disabled if it is enabled. Please confirm that, then we can work on the 192.168.168.0/24 users.

 

Lastly I would like to query the actual physical connections:
Do this rtr and FW directly connect to each other, or is it via the switch?



Kind Regards
Paul

Assuming that the ports are configured correctly on the switch...what would be the next step?

 

Thanks!

No, the access-list

Standard IP access list 1
10 deny 192.168.168.0, wildcard bits 0.0.0.255
20 permit 192.168.170.0, wildcard bits 0.0.0.255 (157611 matches)
30 permit 192.168.160.0, wildcard bits 0.0.0.255 (28 matches)

 

is still in error.

The deny is not between the two subnets!!!!

Traffic from .160 to outside must be natted, and from .160 to .170 NOT.

Traffic from .170 to outside must be natted, and from .170 to .160 NOT.

You need to switch from a standard access-list to an extended access-list.

An extended access-list uses a number 100+ or a name.

    no access-list 1

    no ip nat inside source list 1 interface FastEthernet0/0 overload

    access-list 101 deny ip 192.168.160.0 0.0.0.255 192.168.170.0 0.0.0.255

    access-list 101 deny ip 192.168.170.0 0.0.0.255 192.168.160.0 0.0.0.255

    access-list 101 permit ip 192.168.160.0 0.0.0.255 any

    access-list 101 permit ip 192.168.170.0 0.0.0.255 any

    ip nat inside source list 101 interface FastEthernet0/0 overload
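As an added illustration (not code from this thread), the Python below models how IOS evaluates an extended access-list used as a NAT source list: wildcard-mask matching on both source and destination, first match wins, implicit deny at the end. The ACL text is constructed to mirror the access-list 101 in the post above, with the first deny's destination taken as the thread's 192.168.170.0 subnet; it models only the ACL classification step, not whether the packet actually leaves through the "ip nat outside" interface.

```python
# Added example: classify flows against an extended ACL the way a NAT
# source list would, using IOS wildcard-mask semantics. Not from the thread.
import ipaddress

# Constructed ACL text, modelled on the thread's access-list 101 with the
# intended 192.168.170.0 destination in the first deny entry.
ACL_101 = """
access-list 101 deny ip 192.168.160.0 0.0.0.255 192.168.170.0 0.0.0.255
access-list 101 deny ip 192.168.170.0 0.0.0.255 192.168.160.0 0.0.0.255
access-list 101 permit ip 192.168.160.0 0.0.0.255 any
access-list 101 permit ip 192.168.170.0 0.0.0.255 any
"""

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _take_addr(tok):
    """Consume one address spec ('any', 'host X', or 'X wildcard') from tokens."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]

def parse_entry(line):
    """Parse 'access-list N {permit|deny} ip SRC DST' into a tuple."""
    tok = line.split()
    action, rest = tok[2], tok[4:]          # skip 'access-list', N, and 'ip'
    src, src_wc, rest = _take_addr(rest)
    dst, dst_wc, rest = _take_addr(rest)
    return action, src, src_wc, dst, dst_wc

def parse_acl(text):
    return [parse_entry(l) for l in text.strip().splitlines() if l.strip()]

def acl_permits(entries, src, dst):
    """First matching entry decides; an extended ACL ends in an implicit deny."""
    for action, s, swc, d, dwc in entries:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action == "permit"
    return False

def nat_decision(src, dst, acl=ACL_101):
    """True if the NAT source list would select this flow for translation."""
    return acl_permits(parse_acl(acl), src, dst)

if __name__ == "__main__":
    for s, d in [("192.168.160.10", "8.8.8.8"), ("192.168.160.10", "192.168.170.20")]:
        print(s, "->", d, "natted" if nat_decision(s, d) else "not natted")
```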

 

 

Hello

 


@pieterh wrote:

No, the access-list

Standard IP access list 1
10 deny 192.168.168.0, wildcard bits 0.0.0.255
20 permit 192.168.170.0, wildcard bits 0.0.0.255 (157611 matches)
30 permit 192.168.160.0, wildcard bits 0.0.0.255 (28 matches)

 

is still in error.

The deny is not between the two subnets!!!!

Traffic from .160 to outside must be natted, and from .160 to .170 NOT.

Traffic from .170 to outside must be natted, and from .170 to .160 NOT.

You need to switch from a standard access-list to an extended access-list.

An extended access-list uses a number 100+ or a name.

    no access-list 1

    no ip nat inside source list 1 interface FastEthernet0/0 overload

    access-list 101 deny ip 192.168.160.0 0.0.0.255 192.168.170.0 0.0.0.255

    access-list 101 deny ip 192.168.170.0 0.0.0.255 192.168.160.0 0.0.0.255

    access-list 101 permit ip 192.168.160.0 0.0.0.255 any

    access-list 101 permit ip 192.168.170.0 0.0.0.255 any

    ip nat inside source list 101 interface FastEthernet0/0 overload

 


@pieterh there should be no requirement for any NAT access-list to deny or allow inter-vlan communication; NAT should not even be touched.



Kind Regards
Paul

Hi,

 

I tested the ACL with the deny subnets suggestion and it didn't work. I removed the changes and it is the way it was originally, only with 2 entries.

 

@paul driver said:

"The switch needs a trunk connection on the port connecting the rtr and it needs to have ip routing disabled if it is enabled please confirm that then we can work on the 192.168.168.0/24 users"

 

what is the port that needs the trunk connection? 0/0 or 0/1?

 

Thanks!

@paul driver

 

I have confirmed that the interface 0/1 is connected to the port in the switch and marked as VLAN trunking

 

Also, the rtr and the FW are connected through a switch. 

 

Any ideas?

 

BTW: I really appreciate the help with this issue

Hello

So the lan-facing interface of the rtr is connected to the switch via trunk <-- good

 

Once we sort the inter-vlan routing out then we can concentrate on the 192.168.168.0/24 users

 

So staying with the switch -

 1) Is the switch performing any routing? By that I mean, does it have routing enabled?
 2) Does it have vlan 1010 and 3040 created, and are access ports assigned to these vlans?
 3) Does it have any access-list applied to it?

 

 



Kind Regards
Paul

1) The switch is not performing any routing...the FW is (see attached image of routing on the Sonicwall)

2) The switch has the vlan 1010 and 3040 access ports assigned to these vlans

3) There are no access-lists applied to it.

 

Thanks!