Solved: Like as explain in the PNG,

thomas_lille · ‎04-08-2016

Hi

I'd like to configure my cisco 881 to permit diablog between FastEthernet 1 and FastEthernet 2

I've configured my cisco like this : (conf is join)

FastEthernet 4 => public IP (INTERNET)

FastEthernet 1 => VLAN 2 > ip address 192.168.153.253 255.255.255.0

FastEthernet 2 => VLAN 3 > ip address 10.247.192.187 255.255.255.0

Configuration seems OK, people directly connected to FasEthernet1 or FastEthernet2 can access to internet

But I'd like also to permit the IP : 192.168.153.152 directly connected to Fastethernet1 , to dialog with the IP : 10.247.192.200 (directly connected to Fast Ethernet2 )

How can I do please ?

(My configuration is join on this message)

thank you.

Mark Malone · ‎04-08-2016

ok usually everything would be connected to a router and the FW sits in from of the router and the traffic just routes through but your telling the 1 pc he has to got to the ASA first so if that's the case the ASA must know how to get back to the 881 router to reach the other subnet if you want them to be able to speak to each other , its a bit of a round trip not a good design traffic will have to come back down the pipe its been sent over

Is there a reason why the pc has to go this way , why don't you just have PC as gateway to the vlan interface and then have the 881 route through the ASA so all vlans get the benefit of the security or use a pbr route-map on the F4 881 interface with extended matched acl and redirect traffic as the next-hop to the ASA that way the 881 is still routing for both subnets but it will send any traffic for that pc to the ASA to get outbound if that's the requirement , doing that both vlans will still route on the 881 and get to each other but pbr will kick in an redirect whats required

View solution in original post

Mark Malone · ‎04-08-2016

Hi Thomas

Unless your blocking it which I don't see any access-lists, its allowed by default intervlan communication so it should be working already , if 192.168.153.253 can already ping 10.247.192.187 it will work there's nothing on the router that's blocking between these subnets

thomas_lille · ‎04-08-2016

Hi

thank you for your answer.

I'don't have any bloking access-list, and IP routing is activate

from 192.168.153.152, I can ping 10.247.192.187, but not the 10.247.192.200

maybe I should add an ip nat source ? from 10.247.192.187 to 10.247.192.200 ?

I tried to activate an : ip nat inside source 10.247.192.187 10.247.192.200

192.168.153.152 can now ping 10.247.192.200, but 10.247.192.200 seems having network pb , like network loop

I Join a MAP, maybe it will be helpfull

Mark Malone · ‎04-08-2016

Hi

if you can ping between the vlan ip interfaces you should be able to reach any other ip in the subnets , is there a firewall/antivirus on the pc 10.247.192.200 turn them off temporarily incase its blocking icmp traffic

there is no requirement for NAT on the lan side , that's only for the wan

thomas_lille · ‎04-08-2016

there's no firewall on the 10.247.192.200

I think I've just find a solution. I've added in the route table of the windows pc 10.247.192.200 :

route add 192.168.153.152 mask 255.255.255.255 10.247.192.187

And now I can ping from 192.168.153.152 to 10.247.192.200

Mark Malone · ‎04-08-2016

But the pc should be able to talk to the other subnet once it has the right gateway set and ip range if the vlan interfaces can already talk to each other as there connected to the same router ? you shouldn't require static routing on pc side , if you have to set that theres something else wrong

thomas_lille · ‎04-08-2016

I've try on différent pc (10.247.192.200, and 10.247.192.100)

each of them haven't any firewall option activated

theirs configurations is:

-ip :10.247.192.200

-mask : 255.255.255.0

- gw : 10.247.192.131 (CiSCO ASA)

Maybe i've got a pb on my cisco 881 configuration

Mark Malone · ‎04-08-2016

Hi

Your gateway for the pc should be the vlan interface on the router not the ASA , id say that's whats happening , the vlan interface the first layer 3 interface it hits, the 881 is doing the routing not the ASA

thomas_lille · ‎04-08-2016

Like as explain in the PNG, network 10.247.192.X had is own gateway (cisco ASA)

That's why I add in computer : 10.247.192.200 :

route add 192.168.153.152 mask 255.255.255.255 10.247.192.187

the goal was to find a way, for 10.247.192.200 and 193.1686.153.152 can dialog together.

(maybe access-list forget)

Once again, thank you for your help !

Mark Malone · ‎04-08-2016

where is the ASA in that png I cant see it only the router ? where does it physically connect , is it in between router and pc , if your sending the traffic for that pc to the ASA then the ASA needs to know how to route to the 881 router

thomas_lille · ‎04-08-2016

I've just add the ASA on this PNG,

Mark Malone · ‎04-08-2016

ok usually everything would be connected to a router and the FW sits in from of the router and the traffic just routes through but your telling the 1 pc he has to got to the ASA first so if that's the case the ASA must know how to get back to the 881 router to reach the other subnet if you want them to be able to speak to each other , its a bit of a round trip not a good design traffic will have to come back down the pipe its been sent over

Is there a reason why the pc has to go this way , why don't you just have PC as gateway to the vlan interface and then have the 881 route through the ASA so all vlans get the benefit of the security or use a pbr route-map on the F4 881 interface with extended matched acl and redirect traffic as the next-hop to the ASA that way the 881 is still routing for both subnets but it will send any traffic for that pc to the ASA to get outbound if that's the requirement , doing that both vlans will still route on the 881 and get to each other but pbr will kick in an redirect whats required

thomas_lille · ‎04-08-2016

thanks a lot !

Cisco 881 routing Vlan