09-02-2010 10:53 AM - edited 03-04-2019 09:38 AM
Hi,
I have just started studying for my CCNA at the moment and I am starting to collect routers and switches for my own lab. I have just got a Cisco 1841 and I plan on using it as my main home router. However, I am having a few problems with the setup at the moment.
On the router which I am trying to use I am trying to configure FA0/0 & FA0/1 for two separate networks.
Internet -- (WIC-1ASDL) - Cisco 1841 ------ FA0/0 - Wired Network - Switch
FA0/1 - Wireless Network - AP
FA0/0 (Wired Network): On a PC connected to this network I am able to get out to the Internet and also ping any IP on 192.168.0.0/24, which is all working as it should. However, on the PC I can ping the port FA0/1 (192.168.1.254/24) but not the AP within that subnet, whereas on the router I am able to ping the AP. The AP is also able to get a connection to the Internet but has the same problems as the PC.
Am I missing an ACL or do I have to VLAN the ports off?
Many Thanks
09-05-2010 10:08 AM
Hello,
In the Route-map based configuration, we are asking the router to apply NAT
rule only for the internet bound traffic and deny the NAT rules for local
traffic. In the earlier configuration you had, you were allowing NAT for all
traffic. You do not need to tie down the access-lists to specific ports but
just make sure that you are denying local traffic.
Regards,
NT
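To make the difference concrete, here is an added Python model (not code from the thread or from IOS) of the two NAT policies: ACL entries are matched with Cisco wildcard masks, first match wins with an implicit deny at the end, and a flow is translated only if its ACL lookup returns permit. The trailing permit entries in the route-map ACL are an assumption about the intended final list (following Vinod's comment in the thread), and the Internet destination address is a constructed example.

```python
import ipaddress

# Constructed model (not IOS code) of how a NAT policy decides whether to translate
# a flow: the ACL is walked top-down, first match wins, and an unmatched packet
# falls through to the implicit deny at the end of the list.

ANY = ("0.0.0.0", "255.255.255.255")  # "any" in IOS wildcard notation

def _wc_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    w = int(ipaddress.ip_address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def acl_lookup(acl, src, dst):
    """Return 'permit' or 'deny' for (src, dst) against a list of
    (action, src_net, src_wc, dst_net, dst_wc) entries; implicit deny at the end."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if _wc_match(src, s_net, s_wc) and _wc_match(dst, d_net, d_wc):
            return action
    return "deny"

# Old policy: standard ACL 5 looks at the source only, so traffic between the two
# LANs is handed to NAT just like Internet-bound traffic.
ACL_5 = [
    ("permit", "192.168.0.0", "0.0.0.255", *ANY),
    ("permit", "192.168.1.0", "0.0.0.255", *ANY),
]

# Route-map policy from the thread: deny the two local subnets talking to each
# other, then permit the internal ranges towards anything else (the permit lines
# are an assumption about the intended final ACL, as discussed in the thread).
ACL_101_ROUTEMAP = [
    ("deny",   "192.168.0.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.0.255", *ANY),
    ("permit", "192.168.1.0", "0.0.0.255", *ANY),
]

def nat_decision(acl, src, dst):
    """'translate' if the flow would be NATed to the Dialer1 address, else 'route'."""
    return "translate" if acl_lookup(acl, src, dst) == "permit" else "route"

if __name__ == "__main__":
    flows = [("192.168.0.16", "192.168.1.1"),    # wired PC -> wireless AP (local)
             ("192.168.0.16", "203.0.113.10")]   # wired PC -> Internet (constructed)
    for src, dst in flows:
        print(f"{src} -> {dst}: list 5 = {nat_decision(ACL_5, src, dst)}, "
              f"route-map = {nat_decision(ACL_101_ROUTEMAP, src, dst)}")
```

The local flow is the one that differs: with list 5 it is handed to NAT, with the route-map ACL it is simply routed between FA0/0 and FA0/1.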
09-02-2010 10:59 AM
Hi,
You have two separate subnets directly connected to the 1841.
F0/0 and F0/1
If they are directly connected to the router (meaning there's no Layer 3 device in between), then you don't need any routes because both subnets have the router as their default gateway.
So, if you want to talk from a device on F0/0 to a device on F0/1 or vice versa, the device will send the packets to the default gateway (which is the interface on the router), and the router will know how to route the packets out the other interface.
You might have a NAT statement or an ACL not allowing this traffic.
If you do a ''sh ip int brief'' on the router, do you see the default gateway for both networks assigned to F0/0 and F0/1?
Federico.
09-02-2010 11:24 AM
Many thanks for the quick reply; all devices are directly connected to the router. However, if I ping the IP address on the router it all works fine.
So I am guessing I am missing an ACL?
Here is the output from the #sh ip int brief
Cisco1841#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.0.254 YES NVRAM up up
FastEthernet0/1 192.168.1.254 YES NVRAM up up
ATM0/0/0 unassigned YES NVRAM up up
NVI0 192.168.0.254 YES unset up up
SSLVPN-VIF0 unassigned NO unset up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
Dialer1 82.69.X.X YES IPCP up up
Cisco1841#
Also here is my current running config
Cisco1841#show run
Building configuration...
Current configuration : 2529 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco1841
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
no logging console
!
aaa new-model
!
!
!
!
aaa session-id common
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.0.254
!
ip dhcp pool Wired_Range
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
dns-server 212.23.3.100 212.23.6.100
lease 4
!
ip dhcp pool Wireless_Range
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 212.23.3.100 212.23.6.100
lease 4
!
!
ip cef
ip domain name home.local
ip name-server 212.23.3.100
ip name-server 212.23.6.100
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
username admin privilege 15 password 7
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description Wired Local Network
ip address 192.168.0.254 255.255.255.0
ip access-group 150 out
ip nat inside
no ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Wireless Internal Network
ip address 192.168.1.254 255.255.255.0
ip access-group 160 out
ip nat inside
no ip virtual-reassembly
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer1
description WIC1-ADSL Dialer to Zen Internet
mtu 1478
ip address negotiated
ip access-group 101 in
no ip unreachables
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp chap hostname
ppp chap password 7
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 5 interface Dialer1 overload
!
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 101 deny icmp any any echo
access-list 101 permit ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password 7
transport input ssh
!
scheduler allocate 20000 1000
end
09-02-2010 01:06 PM
Some comments:
Both interfaces have ACL 150 and ACL 160 applied, but they don't exist in the configuration.
Could you remove them and try again?
int fa0/0
no ip access-group 150 out
int fas 0/1
no ip access-group 160 out
I see there's NAT to get out to the Internet, but no NAT between the internal interfaces (which is ok).
Please try again.
Federico.
09-02-2010 02:29 PM
I have removed both ACLs with no luck.
Cisco1841#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Cisco1841#
PC1:
C:\Users\Andy>ping 192.168.1.254
Pinging 192.168.1.254 with 32 bytes of data:
Reply from 192.168.1.254: bytes=32 time<1ms TTL=255
Reply from 192.168.1.254: bytes=32 time<1ms TTL=255
Reply from 192.168.1.254: bytes=32 time<1ms TTL=255
Reply from 192.168.1.254: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.1.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Users\Andy>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\Andy>
09-02-2010 02:36 PM
Do these tests:
From the router:
ping 192.168.0.x --> which is the computer on that segment
ping 192.168.1.x --> which is the computer on this other segment
Both results should be positive.
If you have any problems there, make sure there's no firewall (Windows firewall enabled on the PCs).
Then still from the router:
ping 192.168.0.x source 192.168.1.254
ping 192.168.1.x source 192.168.0.254
The above tests are to make sure that you can reach each subnet from the router (but from the other interface).
If you have a problem with this let us know, otherwise you should be able to PING between PCs.
Federico.
09-02-2010 03:02 PM
Here are the results from the tests. Do I need to add an ip route or ACL? i.e. ip route 192.168.0.0 0.255.255.255 fa0/0 ?
Cisco1841#ping 192.168.0.16
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.16, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Cisco1841#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Cisco1841#ping 192.168.0.16 source 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.16, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.254
.....
Success rate is 0 percent (0/5)
Cisco1841#ping 192.168.1.1 source 192.168.0.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.254
.....
Success rate is 0 percent (0/5)
Cisco1841#
09-02-2010 03:11 PM
Are you positive that the default gateway for the 192.168.0.16 is 192.168.0.254?
As well for 192.168.1.1 default gateway 192.168.1.254?
Federico.
09-02-2010 03:19 PM
I am 99% sure both gateways are correct, as both subnets have access to the internet but not each other.
09-02-2010 03:32 PM
Please attach again the following:
sh run int fa0/0
sh run int fas0/1
Also,
We can enable logs:
logging on
logging buffered 7
show log
ter mon
So, when you try communication between the two subnets, check the output of ''show log'' to see where the problem is.
Federico.
09-02-2010 09:23 PM
Hello,
Most likely, your NAT could be interfering with the traffic. Please try the
following:
no ip nat inside source list 5 interface Dialer1 overload
no access-list 5 permit 192.168.0.0 0.0.0.255
no access-list 5 permit 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
Route-map Internet
Match ip address 101
Exit
ip nat inside source route-map Internet interface Dialer1 overload
Hope this helps.
Regards,
NT
09-03-2010 04:43 AM
Hi nagaraja,
I reckon, instead of the last two commands below,
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
we need to put the one command below:
access-list 101 permit ip any any
Please correct me if I am wrong.
09-03-2010 06:05 AM
Hello Vinod,
Generally, you do not add "ip any any" in the NAT as, if the NAT function
malfunctions, it could try to NAT traffic from outside to inside as well.
So, it is a good idea to be more specific in the access-lists to be used in
NAT rules (for the routers). But, otherwise, you could use "ip any any".
Regards,
NT
09-03-2010 05:08 AM
Thanks for all the suggestions, I'll try each method out once I return home later this evening and report back.
Here is the #sh int fa0/0 & fa0/1 config
Cisco1841#sh run int fa0/0
Building configuration...
Current configuration : 172 bytes
!
interface FastEthernet0/0
description Wired Local Network
ip address 192.168.0.254 255.255.255.0
ip nat inside
no ip virtual-reassembly
duplex auto
speed auto
end
Cisco1841#sh run int fa0/1
Building configuration...
Current configuration : 178 bytes
!
interface FastEthernet0/1
description Wireless Internal Network
ip address 192.168.1.254 255.255.255.0
ip nat inside
no ip virtual-reassembly
duplex auto
speed auto
end
09-05-2010 08:14 AM
After trying most of the things in this thread, this seems to work.....
Route-map Internet
Match ip address 101
Exit
ip nat inside source route-map Internet interface Dialer1 overload
What is the difference between the above and the old config:
ip nat inside source list 5 interface Dialer1 overload
!
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 permit 192.168.1.0 0.0.0.255
Just so I can understand where I went wrong? Many thanks to all that helped.
What is the best practice for ACLs that are NAT'ed? Is it worth locking it down to the ports used, i.e. 80, 443, etc.?
Thanks