12-06-2015 07:54 PM - edited 03-05-2019 02:53 AM
Hello;
I hope someone can provide me with extreme help getting an internal network up and running. I had one internal network up and running before, but it seemed like my second network was lagging and timing out. Then one day while I was at work there was a power surge; when I got home I found it had caused a major shutdown of all my equipment, and I was unable to save the configuration on my router and switch. So at this point I'm kind of stuck on what else I need to do. I was able to do a test on one of my computers; at first the DHCP on my router was unable to provide my computer an IP address, so I had to give my computer a static IP in order to connect to my router. Once it was connected to my router I wasn't able to connect to the internet; after reviewing my configuration on the switch and router I was unable to pinpoint whether the problem was on the switch or on the router. Hopefully someone can provide some advice on what I need to do or change in order to get my internal network up and running. Listed below is the configuration of my router and switch. Please help!
Router config
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
clock calendar-valid
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.0.49
ip dhcp excluded-address 10.10.0.75 10.10.0.255
!
ip dhcp pool R_POOL
import all
network 10.10.0.0 255.255.255.0
update dns
default-router 10.10.0.1
dns-server 192.168.0.1
domain-name R.com
update arp
!
interface FastEthernet0
description OUT
ip address 192.168.0.80 255.255.255.0
ip access-group 100 out
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
vlan-id dot1q 192
description OUT
pppoe enable
exit-vlan-config
!
interface FastEthernet1
ip address 10.10.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
vlan-id dot1q 10
description IN
pppoe enable
exit-vlan-config
!
interface FastEthernet1.92
description OUT
encapsulation dot1Q 192
ip address dhcp client-id FastEthernet0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
pppoe enable group global
!
interface Vlan192
no ip address
ip verify unicast source reachable-via any
ip mask-reply
ip accounting output-packets
ip nat outside
ip virtual-reassembly
!
interface Vlan10
no ip address
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 (Public IP)
!
ip nat pool pool1 192.168.0.80 192.168.0.255 netmask 0.0.0.0
ip nat inside source list 100 pool pool1
!
access-list 100 remark NAT Rule
access-list 100 permit tcp 0.0.0.0 255.255.255.0 eq domain any
access-list 100 permit tcp 0.0.0.0 255.255.255.0 eq www any
access-list 100 permit tcp 0.0.0.0 255.255.255.0 eq 443 any
access-list 100 permit tcp 0.0.0.0 255.255.255.0 eq 8080 any
access-list 100 permit ip 0.0.0.1 255.255.255.0 any
access-list 100 permit udp 0.0.0.1 255.255.255.0 any
access-list 100 permit tcp 0.0.0.1 255.255.255.0 any
Switch Config
hostname S1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1998
no ip subnet-zero
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/12
description test 192
switchport access vlan 192
switchport trunk native vlan 192
switchport trunk allowed vlan 192
switchport trunk pruning vlan 192
switchport mode trunk
switchport nonegotiate
switchport port-security mac-address sticky
shutdown
speed 100
duplex full
spanning-tree portfast trunk
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface FastEthernet0/12
description test 10
switchport access vlan 10
switchport trunk native vlan 10
switchport trunk allowed vlan 10
switchport trunk pruning vlan 10
switchport mode trunk
switchport nonegotiate
switchport port-security mac-address sticky
shutdown
speed 100
duplex full
spanning-tree portfast trunk
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
description Out-to-WAN
switchport access vlan 192
switchport trunk native vlan 192
switchport trunk allowed vlan 192
switchport trunk pruning vlan 192
switchport mode trunk
switchport nonegotiate
switchport port-security mac-address sticky
speed 1000
duplex full
spanning-tree portfast
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface GigabitEthernet0/2
description TRUNK-to-FE0/1
switchport access vlan 10
switchport trunk native vlan 10
switchport trunk allowed vlan 10
switchport trunk pruning vlan 10
switchport mode trunk
switchport nonegotiate
switchport port-security mac-address sticky
speed 100
duplex full
spanning-tree portfast
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface Vlan10
description IN
ip address 10.10.0.2 255.255.255.0
ip mask-reply
ip information-reply
ip security dedicated unclassified genser
ip security add
ip security first
no ip route-cache
spanning-tree portfast trunk
!
interface Vlan192
description OUT
ip address dhcp client-id Vlan192
ip mask-reply
ip information-reply
ip accounting output-packets
ip security dedicated unclassified genser
ip security add
ip security first
no ip route-cache
ip tcp adjust-mss 1460
spanning-tree portfast trunk
12-08-2015 06:25 PM
On the switch you do not need to add an ACL because it is L2, and it is secure now because it is behind the router.
Add access-list 111 to int fa0/0 of your router because it is connected to the outside.
Work with access-lists for some days. I will give you more security configuration later.
Masoud
12-08-2015 06:38 PM
There is more to access-lists. An access-list is stateless. It means that when you allow one protocol out, you need to allow that protocol in.
For example, if you do the configuration below, you are not allowing 80 IN, so you will not have access to http pages.
access-list 111 permit udp any any eq 53
access-list 100 permit tcp any any eq 80 (out but no in)
You need to work on access-lists a little more to figure it out. Try different scenarios.
For now, just use one number for in and out. We use reflexive access-lists instead of RACL (you are using RACL now).
Just study a little bit about these:
1. Reflexive access-list (it is stateful; you just need to allow one side)
2. Port security on the switch to bind your devices' MAC addresses to the switch
3. DHCP snooping to secure DHCP
Masoud
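The stateless-versus-stateful point in the post above, as an added example that is not code from this thread or from Cisco IOS. It models how an extended ACL such as `access-list 111 permit tcp any any eq 80` is evaluated (match on protocol and destination port, first match wins, implicit deny at the end, no memory of the outbound flow) and contrasts it with a reflexive ACL that records each permitted outbound 5-tuple and admits only the mirrored reply. The flows (10.10.0.50 fetching a web page, the server's reply, and an unsolicited connection from 203.0.113.9) are constructed sample traffic, and NAT is ignored; both are assumptions for illustration.

```python
"""Stateless vs. stateful (reflexive-style) ACL evaluation.

Added example, not code from the thread. Models the IOS extended-ACL
subset used in the thread and a reflexive ACL. Flows are constructed
sample traffic and NAT is ignored (assumptions).
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip"
    dport: Optional[int]  # the `eq N` clause; None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse the IOS subset used in the thread:
    access-list <n> permit|deny <proto> any any [eq <port>]"""
    entries = []
    for line in lines:
        tok = line.split()
        dport = int(tok[7]) if len(tok) > 7 and tok[6] == "eq" else None
        entries.append(Entry(tok[2], tok[3], dport))
    return entries


def stateless_permits(acl: List[Entry], pkt: Packet) -> bool:
    """Plain ACL: the first matching entry decides; no match is the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action == "permit"
    return False


class ReflexiveAcl:
    """Outbound packets are checked against the ACL; each permitted one leaves
    a mirrored entry, and inbound packets are admitted only if they match such
    an entry. Unsolicited inbound traffic is therefore dropped."""

    def __init__(self, acl: List[Entry]) -> None:
        self.acl = acl
        self.reflected: Set[Tuple[str, str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> bool:
        permitted = stateless_permits(self.acl, pkt)
        if permitted:
            # Store the reply tuple: peer -> originator, ports swapped.
            self.reflected.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return permitted

    def inbound(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.reflected


ACL_111 = parse_acl([
    "access-list 111 permit tcp any any eq 80",
    "access-list 111 permit tcp any any eq 443",
    "access-list 111 permit udp any any eq 53",
])

# Constructed flows (assumed values): inside host 10.10.0.50 fetching a page,
# the server's reply, and an unsolicited connection from outside to port 80.
REQUEST = Packet("tcp", "10.10.0.50", 57342, "173.194.121.41", 80)
REPLY = Packet("tcp", "173.194.121.41", 80, "10.10.0.50", 57342)
UNSOLICITED = Packet("tcp", "203.0.113.9", 40000, "10.10.0.50", 80)


def stateless_round_trip() -> Tuple[bool, bool]:
    """ACL 111 applied `in` on the inside interface and `in` on the outside one:
    the request passes, the reply (source port 80, ephemeral destination) does not."""
    return stateless_permits(ACL_111, REQUEST), stateless_permits(ACL_111, REPLY)


def reflexive_round_trip() -> Tuple[bool, bool]:
    """Same request through a reflexive ACL: the reply matches the mirrored entry."""
    r = ReflexiveAcl(ACL_111)
    return r.outbound(REQUEST), r.inbound(REPLY)


def unsolicited_inbound() -> Tuple[bool, bool]:
    """(stateless, reflexive) verdict for a connection nobody on the inside asked for."""
    return stateless_permits(ACL_111, UNSOLICITED), ReflexiveAcl(ACL_111).inbound(UNSOLICITED)


if __name__ == "__main__":
    print("stateless request/reply:", stateless_round_trip())
    print("reflexive request/reply:", reflexive_round_trip())
    print("unsolicited inbound    :", unsolicited_inbound())
```

The third check is the one the post does not spell out: a stateless `permit tcp any any eq 80` on the outside interface not only fails to admit replies, it also admits any outside host that wants to connect to port 80 on the inside, while the reflexive variant admits only replies to flows it has seen leave.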
12-06-2015 09:25 PM
Hello,
Your config is kind of a mess. Please sketch your topology.
Just try to remove some access-lists and some extra commands to make your router work. Then you can add them back.
interface GigabitEthernet0/2
no switchport port-security mac-address sticky
interface FastEthernet1
no ip access-group 100 in
interface FastEthernet0
no ip access-group 100 out
Remove your NAT configuration
no ip nat inside source list 100 pool pool1
no ip nat pool pool1 192.168.0.80 192.168.0.255 netmask 0.0.0.0
Add this instead
access-list 50 permit 10.10.0.0 0.0.255.255 [add more IPs if you need to NAT them]
ip nat inside source list 50 interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 [It should be 192.168.0.something, should it not?]
Masoud
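How the source list in the reply above selects hosts for NAT, as an added example that is not code from this thread or from Cisco IOS. A wildcard mask is the inverse of a subnet mask (a 0 bit means "must equal the base address", a 1 bit means "don't care"). The code applies IOS wildcard semantics to the two source lists that appear in the thread, the original `permit ip 0.0.0.0 255.255.255.0 any` from list 100 and the suggested `permit 10.10.0.0 0.0.255.255` from list 50, and then models the overload (PAT) translation onto 192.168.0.80. The hosts 10.10.0.51 and 10.10.200.7, the tighter /24-sized list `ACL_50_SLASH24`, and the `Pat` class are assumptions made for illustration and go slightly beyond the post.

```python
"""Cisco wildcard masks and NAT overload (PAT) selection.

Added example, not code from the thread. Checks which inside hosts the
thread's two NAT source lists actually select and builds the inside-global
entries that `ip nat inside source list 50 interface FastEthernet0 overload`
would produce. Extra hosts and the /24 list are assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Acl = List[Tuple[str, str, str]]  # (action, base, wildcard)


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS semantics: the address matches if it agrees with base on every
    bit where the wildcard bit is 0."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


def standard_acl_permits(acl: Acl, addr: str) -> bool:
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False  # implicit deny: the host is not translated


# Source lists taken from the thread.
ACL_50 = [("permit", "10.10.0.0", "0.0.255.255")]    # suggested list 50 (a /16)
ACL_100 = [("permit", "0.0.0.0", "255.255.255.0")]   # source part of the original list 100 entry
# Assumed tighter list covering only the 10.10.0.0/24 the poster actually uses.
ACL_50_SLASH24 = [("permit", "10.10.0.0", "0.0.0.255")]

# Constructed sample hosts (assumed values).
HOSTS = ["10.10.0.50", "10.10.0.51", "10.10.200.7", "10.10.0.0", "192.168.0.80"]


def nat_decisions(acl: Acl) -> Dict[str, bool]:
    """Which of the sample hosts this source list would send through NAT."""
    return {h: standard_acl_permits(acl, h) for h in HOSTS}


class Pat:
    """Port Address Translation onto one outside address. The original source
    port is kept when it is free and another one is picked otherwise."""

    def __init__(self, acl: Acl, outside_ip: str) -> None:
        self.acl = acl
        self.outside_ip = outside_ip
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.used_ports: Set[int] = set()

    def translate(self, inside_ip: str, sport: int) -> Optional[Tuple[str, int]]:
        """Return the inside-global (ip, port), or None when the list does not
        match and the packet would leave with its private source address."""
        if not standard_acl_permits(self.acl, inside_ip):
            return None
        key = (inside_ip, sport)
        if key not in self.table:
            port = sport
            while port in self.used_ports:
                port = port + 1 if port < 65535 else 1024
            self.used_ports.add(port)
            self.table[key] = (self.outside_ip, port)
        return self.table[key]

    def show_translations(self) -> List[str]:
        """Rows in the shape of the thread's `show ip nat translations` output (tcp only)."""
        return [f"tcp {g[0]}:{g[1]} {l[0]}:{l[1]}" for l, g in self.table.items()]


def pat_demo() -> Tuple[Optional[Tuple[str, int]], ...]:
    """Two inside hosts using the same source port, plus a host list 50 does not cover."""
    pat = Pat(ACL_50, "192.168.0.80")
    return (
        pat.translate("10.10.0.50", 57316),
        pat.translate("10.10.0.51", 57316),  # collision on 57316 -> next free port
        pat.translate("192.168.5.9", 1000),  # not in the list -> not translated
    )


if __name__ == "__main__":
    for name, acl in (("ACL 100 (original)", ACL_100), ("ACL 50", ACL_50), ("ACL 50 as /24", ACL_50_SLASH24)):
        print(name, nat_decisions(acl))
    print(pat_demo())
```

Running it shows why the original NAT rule never translated the poster's client: `0.0.0.0 255.255.255.0` only matches addresses whose last octet is 0, so 10.10.0.50 is never selected, whereas list 50 selects it. List 50 is also wider than the /24 in use, so any other 10.10.x.y network plugged into the inside interface would be translated too; the /24 wildcard `0.0.0.255` keeps the selection to the subnet that exists.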
12-07-2015 03:26 PM
Hello;
Thanks for replying to my sketchy configurations lol
I had a feeling that my configuration was a little sketchy lol; so after a few changes were made, I was able to connect to the router by DHCP, but still no internet access. I'm not sure if the issue is my router or the switch. What I'm trying to do, and would like to do, is piggyback off my router since it has dual WAN ports, FA0 and FA1; I would like FA0 to be the gateway out to the internet while FA1 will be my internal interface but also have internet access coming from FA0; I believe the term is router on a stick since I have two VLANs on the switch. Listed below are my current configurations; also attached is a Paint doc of my topology showing what I'm trying to do.
Thanks
Switch
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
no aaa new-model
system mtu routing 1998
no ip subnet-zero
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/3
description 192 OUT
switchport access vlan 192
switchport trunk native vlan 192
switchport trunk allowed vlan 192
switchport trunk pruning vlan 192
switchport mode trunk
switchport nonegotiate
shutdown
speed 100
duplex full
spanning-tree portfast trunk
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface FastEthernet0/11
description 10 IN
switchport access vlan 10
switchport trunk native vlan 10
switchport trunk allowed vlan 10
switchport trunk pruning vlan 10
switchport mode trunk
switchport nonegotiate
shutdown
speed 100
duplex full
spanning-tree portfast trunk
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
description Out-to-WAN
switchport access vlan 192
switchport trunk native vlan 192
switchport trunk allowed vlan 192
switchport trunk pruning vlan 192
switchport mode trunk
switchport nonegotiate
speed 1000
duplex full
spanning-tree portfast
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface GigabitEthernet0/2
description TRUNK-to-FE0/1
switchport access vlan 10
switchport trunk native vlan 10
switchport trunk allowed vlan 10
switchport trunk pruning vlan 10
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
spanning-tree portfast
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface Vlan10
description IN
ip address 10.10.0.2 255.255.255.0
ip mask-reply
ip information-reply
ip security dedicated unclassified genser
ip security add
ip security first
no ip route-cache
spanning-tree portfast trunk
!
interface Vlan192
description OUT
ip address dhcp client-id Vlan192
ip mask-reply
ip information-reply
ip accounting output-packets
ip security dedicated unclassified genser
ip security add
ip security first
no ip route-cache
ip tcp adjust-mss 1460
spanning-tree portfast trunk
Router
!
no aaa new-model
!
resource policy
!
clock calendar-valid
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.0.49
ip dhcp excluded-address 10.10.0.75 10.10.0.255
!
ip dhcp pool R_POOL
import all
network 10.10.0.0 255.255.255.0
update dns
default-router 10.10.0.1
dns-server 192.168.0.255
domain-name R.com
update arp
!
interface FastEthernet0
description OUT
ip address 192.168.0.80 255.255.255.0
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
vlan-id dot1q 192
description OUT
pppoe enable
exit-vlan-config
!
interface FastEthernet1
ip address 10.10.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
vlan-id dot1q 10
description IN
pppoe enable
exit-vlan-config
!
interface FastEthernet1.92
description OUT
encapsulation dot1Q 192
ip address dhcp client-id FastEthernet0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
pppoe enable group global
!
interface Vlan192
no ip address
ip verify unicast source reachable-via any
ip mask-reply
ip accounting output-packets
ip nat outside
ip virtual-reassembly
!
interface Vlan10
no ip address
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 (Public IP)
!
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 50 permit 10.10.0.0 0.0.255.255
access-list 100 remark NAT Rule
access-list 100 permit ip 0.0.0.0 255.255.255.0 any
access-list 100 permit udp 0.0.0.0 255.255.255.0 any
access-list 100 permit tcp 0.0.0.0 255.255.255.0 any
12-07-2015 03:46 PM
You did not specify your clients and their IP addresses. I suppose they are coming from interface FastEthernet1 with IPs in 10.10.0.0. Is that right?
If yes, you need to change your NAT configuration:
ip nat inside source list 50 interface FastEthernet0 overload
Can you ping the IP of your ISP from your router?
ip route 0.0.0.0 0.0.0.0 (Public IP): I do not think you have set a public IP here. Is the IP here 192.168.0.X?
Masoud
12-07-2015 04:02 PM
WOW!!!
That was fast; thanks for the response.
No, I didn't have to specify my computer to the router; it was automatically able to get an IP from the router's DHCP.
But yes, I can ping my ISP/CM from the router all day:
R#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/12/12 ms
R#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms
Here's my routing table with current route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.0.0 is directly connected, FastEthernet1
C 192.168.0.0/24 is directly connected, FastEthernet0
Yes, that's my external IP from the ISP/CM.
After I changed my route to 0.0.0.0 0.0.0.0 FastEthernet0, here's my routing table now:
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.0.0 is directly connected, FastEthernet1
C 192.168.0.0/24 is directly connected, FastEthernet0
S* 0.0.0.0/0 is directly connected, FastEthernet0
Also, from show ip cef:
R#show ip cef
Prefix Next Hop Interface
0.0.0.0/0 attached FastEthernet0
0.0.0.0/32 receive
10.10.0.0/24 attached FastEthernet1
10.10.0.0/32 receive
10.10.0.1/32 receive
10.10.0.255/32 receive
192.168.0.0/24 attached FastEthernet0
192.168.0.0/32 receive
192.168.0.1/32 192.168.0.1 FastEthernet0
192.168.0.80/32 receive
192.168.0.255/32 receive
224.0.0.0/4 drop
224.0.0.0/24 receive
255.255.255.255/32 receive
I also changed the NAT configuration to this:
ip nat inside source list 50 interface FastEthernet0 overload
access-list 50 permit 10.10.0.0 0.0.255.255
12-07-2015 04:07 PM
I think I got it now.
I changed the route to 0.0.0.0 0.0.0.0 192.168.0.x and I'm able to connect to the network from my router, as I'm looking at my network map now.
12-07-2015 04:09 PM
I have a question: how can I set specified UDP/TCP ports like 21, 22, 23, etc.?
12-07-2015 04:13 PM
I am sorry. I did not understand your last question. Please explain more.
12-07-2015 04:11 PM
I meant the direction the client comes from. How do you test?
What is your computer's IP address? Can you ping 10.10.0.1?
It should be
ip route 0.0.0.0 0.0.0.0 192.168.0.1
Post your last configuration and also post the output of this command:
sh ip nat translation
Masoud
12-07-2015 04:35 PM
I connected a cable from my switch off port fa0/11 to my computer, which was a way for me to test it.
Yes, I can ping the router 10.10.0.1 and I can also ping my switch 10.10.0.2; I'm also able to ping my default GW on the 192 network, 192.168.0.1.
Pinging 10.10.0.2 with 32 bytes of data:
Reply from 10.10.0.2: bytes=32 time<1ms TTL=255
Reply from 10.10.0.2: bytes=32 time<1ms TTL=255
Reply from 10.10.0.2: bytes=32 time<1ms TTL=255
Reply from 10.10.0.2: bytes=32 time<1ms TTL=255
Ping statistics for 10.10.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Users\zzle>ping 10.10.0.1
Pinging 10.10.0.1 with 32 bytes of data:
Reply from 10.10.0.1: bytes=32 time<1ms TTL=255
Reply from 10.10.0.1: bytes=32 time<1ms TTL=255
Reply from 10.10.0.1: bytes=32 time<1ms TTL=255
Reply from 10.10.0.1: bytes=32 time<1ms TTL=255
Ping statistics for 10.10.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Users\zzle>ping 192.168.0.1
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=2ms TTL=63
Reply from 192.168.0.1: bytes=32 time=3ms TTL=63
Reply from 192.168.0.1: bytes=32 time=2ms TTL=63
Reply from 192.168.0.1: bytes=32 time=2ms TTL=63
Ping statistics for 192.168.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 3ms, Average = 2ms
R#sh ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp 192.168.0.80:57316 10.10.0.50:57316 68.142.70.5:443 68.142.70.5:443
tcp 192.168.0.80:57317 10.10.0.50:57317 68.142.70.5:443 68.142.70.5:443
tcp 192.168.0.80:57318 10.10.0.50:57318 54.225.83.233:443 54.225.83.233:443
tcp 192.168.0.80:57320 10.10.0.50:57320 54.225.83.233:443 54.225.83.233:443
tcp 192.168.0.80:57321 10.10.0.50:57321 74.125.228.200:443 74.125.228.200:443
tcp 192.168.0.80:57323 10.10.0.50:57323 74.125.228.200:443 74.125.228.200:443
tcp 192.168.0.80:57324 10.10.0.50:57324 54.86.153.88:443 54.86.153.88:443
tcp 192.168.0.80:57325 10.10.0.50:57325 52.21.3.4:443 52.21.3.4:443
tcp 192.168.0.80:57326 10.10.0.50:57326 173.194.121.59:443 173.194.121.59:443
tcp 192.168.0.80:57327 10.10.0.50:57327 173.194.121.57:443 173.194.121.57:443
tcp 192.168.0.80:57328 10.10.0.50:57328 23.196.28.187:443 23.196.28.187:443
tcp 192.168.0.80:57331 10.10.0.50:57331 52.4.16.0:443 52.4.16.0:443
tcp 192.168.0.80:57332 10.10.0.50:57332 50.17.195.51:443 50.17.195.51:443
tcp 192.168.0.80:57333 10.10.0.50:57333 54.208.223.94:443 54.208.223.94:443
tcp 192.168.0.80:57336 10.10.0.50:57336 216.58.217.130:443 216.58.217.130:443
tcp 192.168.0.80:57337 10.10.0.50:57337 216.58.217.130:443 216.58.217.130:443
tcp 192.168.0.80:57338 10.10.0.50:57338 74.125.22.128:443 74.125.22.128:443
tcp 192.168.0.80:57339 10.10.0.50:57339 74.125.22.128:443 74.125.22.128:443
tcp 192.168.0.80:57340 10.10.0.50:57340 52.0.154.84:443 52.0.154.84:443
tcp 192.168.0.80:57342 10.10.0.50:57342 173.194.121.41:80 173.194.121.41:80
tcp 192.168.0.80:57343 10.10.0.50:57343 74.125.196.106:80 74.125.196.106:80
tcp 192.168.0.80:57344 10.10.0.50:57344 173.194.121.24:443 173.194.121.24:443
Current configuration:
resource policy
!
clock calendar-valid
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.0.49
ip dhcp excluded-address 10.10.0.75 10.10.0.255
!
ip dhcp pool R_POOL
import all
network 10.10.0.0 255.255.255.0
update dns
default-router 10.10.0.1
dns-server 192.168.0.1
domain-name R.com
update arp
!
interface FastEthernet0
description OUT
ip address 192.168.0.80 255.255.255.0
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
vlan-id dot1q 192
description OUT
pppoe enable
exit-vlan-config
!
!
interface FastEthernet1
ip address 10.10.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
vlan-id dot1q 10
description IN
pppoe enable
exit-vlan-config
!
!
interface FastEthernet1.92
description OUT
encapsulation dot1Q 192
ip address dhcp client-id FastEthernet0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
pppoe enable group global
!
interface Vlan192
no ip address
ip verify unicast source reachable-via any
ip mask-reply
ip accounting output-packets
ip nat outside
ip virtual-reassembly
!
interface Vlan10
no ip address
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 24.163.122.43
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 50 interface FastEthernet0 overload
!
access-list 50 permit 10.10.0.0 0.0.255.255
What I was asking in my last question: how can I specify only certain ports coming into my internal network, and also how can I specify certain ports going out to the 192 network?
12-07-2015 04:45 PM
You can permit some ports by access-list. Other ports will be blocked.
access-list 111 permit tcp any any eq 80
access-list 111 permit tcp any any eq 443
access-list 111 permit udp any any eq 53
Add more ports as you need.
Then
interface fastethernet0
ip access-group 111 in
interface FastEthernet1
ip access-group 111 in
Masoud
12-07-2015 05:00 PM
OK cool, I guess I can also use ip access-group 111 for outgoing ports, especially on my
Ex:
interface fastethernet0
ip access-group 111 in
ip access-group 111 out
interface FastEthernet1
ip access-group 111 in
Right???
12-07-2015 05:06 PM
That is correct. Just make sure to permit all necessary ports.
Thanks for the rating.
Masoud
12-07-2015 05:09 PM
OK, cool cool. Well, I think I got it from here. I have saved/copied my configuration as is, just in case something would ever happen; then I would have to be up here again, lol.
Thanks for all your help; I guess with a little changing, but not a lot of changing of configurations, it worked! Guess my configuration wasn't too sketchy, lmao.
Thanks again for all your help!
12-07-2015 05:15 PM
You are most welcome. I am glad your problem was solved.
To limit telnet or SSH access, use the configuration below.
access-list 40 permit host 10.10.0.X [for example, your computer]
line vty 0 4 [or 0 15]
access-class 40 in
Masoud