Cisco Router 1800/Cisco Switch 2960

j_j624001
Level 1

Hello;

I hope someone can provide me with extreme help on getting an internal network up and running. I had one internal network up and running before, but it seems like my second network was lagging and timing out. Then one day, while I was at work, I had a power surge; when I got home, it had caused a major shutdown of all my equipment, and I was unable to save the configuration on my router and switch. So at this point I'm kind of stuck on what else I need to do. I was able to do a test on one of my computers; at first the DHCP on my router was unable to provide my computer an IP address, so I had to change my computer to a static IP in order to connect to my router. Once it was connected to my router, I wasn't able to connect to the internet. After reviewing my configuration on the switch and router, I was unable to pinpoint whether the problem was on the switch or on the router. Hopefully someone can provide some advice on what I need to do or change in order to get my internal network up and running. Listed below is the configuration of my router and switch. Please help!

Router config

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
clock calendar-valid
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.0.49
ip dhcp excluded-address 10.10.0.75 10.10.0.255
!
ip dhcp pool R_POOL
   import all
   network 10.10.0.0 255.255.255.0
   update dns
   default-router 10.10.0.1
   dns-server 192.168.0.1
   domain-name R.com
   update arp
!
interface FastEthernet0
 description OUT
 ip address 192.168.0.80 255.255.255.0
 ip access-group 100 out
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
 vlan-id dot1q 192
  description OUT
  pppoe enable
  exit-vlan-config
!
interface FastEthernet1
 ip address 10.10.0.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
 vlan-id dot1q 10
  description IN
  pppoe enable
  exit-vlan-config
!
interface FastEthernet1.92
 description OUT
 encapsulation dot1Q 192
 ip address dhcp client-id FastEthernet0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 pppoe enable group global
!
interface Vlan192
 no ip address
 ip verify unicast source reachable-via any
 ip mask-reply
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly
!
interface Vlan10
 no ip address
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 (Public IP)
!
ip nat pool pool1 192.168.0.80 192.168.0.255 netmask 0.0.0.0
ip nat inside source list 100 pool pool1
!
access-list 100 remark NAT Rule
access-list 100 permit tcp 0.0.0.0 255.255.255.0 eq domain any
access-list 100 permit tcp 0.0.0.0 255.255.255.0 eq www any
access-list 100 permit tcp 0.0.0.0 255.255.255.0 eq 443 any
access-list 100 permit tcp 0.0.0.0 255.255.255.0 eq 8080 any
access-list 100 permit ip 0.0.0.1 255.255.255.0 any
access-list 100 permit udp 0.0.0.1 255.255.255.0 any
access-list 100 permit tcp 0.0.0.1 255.255.255.0 any

Switch Config

hostname S1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1998
no ip subnet-zero
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/12
 description test 192
 switchport access vlan 192
 switchport trunk native vlan 192
 switchport trunk allowed vlan 192
 switchport trunk pruning vlan 192
 switchport mode trunk
 switchport nonegotiate
 switchport port-security mac-address sticky
 shutdown
 speed 100
 duplex full
 spanning-tree portfast trunk
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
!
interface FastEthernet0/12
 description test 10
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10
 switchport trunk pruning vlan 10
 switchport mode trunk
 switchport nonegotiate
 switchport port-security mac-address sticky
 shutdown
 speed 100
 duplex full
 spanning-tree portfast trunk
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
 description Out-to-WAN
 switchport access vlan 192
 switchport trunk native vlan 192
 switchport trunk allowed vlan 192
 switchport trunk pruning vlan 192
 switchport mode trunk
 switchport nonegotiate
 switchport port-security mac-address sticky
 speed 1000
 duplex full
 spanning-tree portfast
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/2
 description TRUNK-to-FE0/1
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10
 switchport trunk pruning vlan 10
 switchport mode trunk
 switchport nonegotiate
 switchport port-security mac-address sticky
 speed 100
 duplex full
 spanning-tree portfast
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
!
interface Vlan10
 description IN
 ip address 10.10.0.2 255.255.255.0
 ip mask-reply
 ip information-reply
 ip security dedicated unclassified genser
 ip security add
 ip security first
 no ip route-cache
 spanning-tree portfast trunk
!
interface Vlan192
 description OUT
 ip address dhcp client-id Vlan192
 ip mask-reply
 ip information-reply
 ip accounting output-packets
 ip security dedicated unclassified genser
 ip security add
 ip security first
 no ip route-cache
 ip tcp adjust-mss 1460
 spanning-tree portfast trunk

2 Accepted Solutions


On switch you do not need to add ACL because it is L2 and it is secure now because it is behind the router.

Add access-list 111 to int fa0/0 of your router because it is connected to outside.

Work with access-list for some days. I will give you more security configuration later.

Masoud


There is more to access-lists. An access-list is stateless. It means that when you allow one protocol out, you need to allow that protocol in.

For example, if you do the configuration below, you are not allowing 80 IN, so you will not have access to http pages.

access-list 111 permit udp any any eq 53
access-list 100 permit tcp any any eq 80 (out but no in)

You need to work on access-lists a little more to figure it out. Try different scenarios.

Now just use one number for in and out. We use reflexive access-lists instead of RACL (you are using RACL now).

Just study a little bit about these.

1- Reflexive access-list (it is stateful; you just need to allow one side)

2- Port security on switch to bind your devices' MAC addresses to the switch.

3- DHCP snooping to secure DHCP

Masoud


50 Replies

Hello,

Your config is kind of a mess. Please sketch your topology.

Just try to remove some access-lists and some extra commands to make your router work. Then you can add them.

interface GigabitEthernet0/2
 no switchport port-security mac-address sticky
interface FastEthernet1
 no ip access-group 100 in
interface FastEthernet0
 no ip access-group 100 out

Remove your NAT configuration

no ip nat inside source list 100 pool pool1
no ip nat pool pool1 192.168.0.80 192.168.0.255 netmask 0.0.0.0

Add this instead

access-list 50 permit 10.10.0.0 0.0.255.255  [add more IPs if you need to NAT them]
ip nat inside source list 50 interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 [It should be 192.168.0.something, should it not?]

Masoud
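The NAT change Masoud describes, written out as an added example rather than configuration from the thread or from Cisco. It assumes the thread's addressing (FastEthernet0 at 192.168.0.80/24 toward the cable modem at 192.168.0.1, FastEthernet1 at 10.10.0.1/24 for the LAN) and narrows the NAT source list to that one /24 instead of the 0.0.255.255 wildcard, which would also translate any other 10.10.x.x range that later appears behind the router.

```cisco
! Added example (not from the thread): replace the pool-based NAT with
! PAT (overload) on the outside interface.
! Assumed addressing: Fa0 = 192.168.0.80/24 toward the modem at
! 192.168.0.1, Fa1 = 10.10.0.1/24 for the LAN.
!
! 1. Detach the old ACL 100 before deleting it; an access-group that
!    points at a missing ACL permits everything, so order matters.
interface FastEthernet0
 no ip access-group 100 out
interface FastEthernet1
 no ip access-group 100 in
no ip nat inside source list 100 pool pool1
no ip nat pool pool1 192.168.0.80 192.168.0.255 netmask 0.0.0.0
no access-list 100
!
! 2. Match only the LAN subnet: 0.0.0.255 is the wildcard for a /24.
access-list 50 remark Hosts that may be translated
access-list 50 permit 10.10.0.0 0.0.0.255
!
! 3. Translate to the address of Fa0 and multiplex sessions by port.
ip nat inside source list 50 interface FastEthernet0 overload
!
interface FastEthernet0
 ip nat outside
interface FastEthernet1
 ip nat inside
!
! 4. Exactly one default route, with a next-hop address. A default route
!    pointing at the interface ("... FastEthernet0") only works while the
!    modem answers proxy ARP for every Internet destination, so the
!    next-hop form is the one to keep.
no ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
! 5. Verify from the router (exec mode, not config):
! show ip route 0.0.0.0
! show ip nat statistics
! show ip nat translations
```

After a client opens a connection, show ip nat translations should list inside local 10.10.0.x addresses mapped to inside global 192.168.0.80 with per-session ports, as the later output in this thread does; an empty table while the default route is correct usually means access-list 50 did not match the client's source address.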

Hello;

Thanks for replying back to my sketchy configurations lol

I had a feeling that my configuration was a little sketchy lol; so after a few changes were made, I was able to connect to the router by DHCP, but still no internet access. I'm not sure if the issue is my router or the switch. What I'm trying to do, and would like to do, is piggyback off my router since it has dual WAN ports, FA0 and FA1; I would like FA0 to be a gateway out to the internet while FA1 will be my internal side but also have internet access coming from FA0. I believe the term is router on a stick, since I have two VLANs on the switch. Listed below are my current configurations, and also attached is a Paint doc of my topology showing what I'm trying to do.

Thanks

Switch

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
no aaa new-model
system mtu routing 1998
no ip subnet-zero
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/3
 description 192 OUT
 switchport access vlan 192
 switchport trunk native vlan 192
 switchport trunk allowed vlan 192
 switchport trunk pruning vlan 192
 switchport mode trunk
 switchport nonegotiate
 shutdown
 speed 100
 duplex full
 spanning-tree portfast trunk
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
!
interface FastEthernet0/11
 description 10 IN
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10
 switchport trunk pruning vlan 10
 switchport mode trunk
 switchport nonegotiate
 shutdown
 speed 100
 duplex full
 spanning-tree portfast trunk
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
 description Out-to-WAN
 switchport access vlan 192
 switchport trunk native vlan 192
 switchport trunk allowed vlan 192
 switchport trunk pruning vlan 192
 switchport mode trunk
 switchport nonegotiate
 speed 1000
 duplex full
 spanning-tree portfast
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/2
 description TRUNK-to-FE0/1
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10
 switchport trunk pruning vlan 10
 switchport mode trunk
 switchport nonegotiate
 speed 100
 duplex full
 spanning-tree portfast
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
!
interface Vlan10
 description IN
 ip address 10.10.0.2 255.255.255.0
 ip mask-reply
 ip information-reply
 ip security dedicated unclassified genser
 ip security add
 ip security first
 no ip route-cache
 spanning-tree portfast trunk
!
interface Vlan192
 description OUT
 ip address dhcp client-id Vlan192
 ip mask-reply
 ip information-reply
 ip accounting output-packets
 ip security dedicated unclassified genser
 ip security add
 ip security first
 no ip route-cache
 ip tcp adjust-mss 1460
 spanning-tree portfast trunk

Router

!
no aaa new-model
!
resource policy
!
clock calendar-valid
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.0.49
ip dhcp excluded-address 10.10.0.75 10.10.0.255
!
ip dhcp pool R_POOL
   import all
   network 10.10.0.0 255.255.255.0
   update dns
   default-router 10.10.0.1
   dns-server 192.168.0.255
   domain-name R.com
   update arp
!
interface FastEthernet0
 description OUT
 ip address 192.168.0.80 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
 vlan-id dot1q 192
  description OUT
  pppoe enable
  exit-vlan-config
!
interface FastEthernet1
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
 vlan-id dot1q 10
  description IN
  pppoe enable
  exit-vlan-config
!
interface FastEthernet1.92
 description OUT
 encapsulation dot1Q 192
 ip address dhcp client-id FastEthernet0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 pppoe enable group global
!
interface Vlan192
 no ip address
 ip verify unicast source reachable-via any
 ip mask-reply
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly
!
interface Vlan10
 no ip address
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 (Public IP)
!
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 50 permit 10.10.0.0 0.0.255.255
access-list 100 remark NAT Rule
access-list 100 permit ip 0.0.0.0 255.255.255.0 any
access-list 100 permit udp 0.0.0.0 255.255.255.0 any
access-list 100 permit tcp 0.0.0.0 255.255.255.0 any

You did not specify your clients and their IP addresses. I suppose they are coming from interface FastEthernet1 with an IP in 10.10.0.0. Is that right?

If yes, you need to change your NAT configuration

ip nat inside source list 50 interface FastEthernet0 overload

Can you ping IP of your ISP from your router?

ip route 0.0.0.0 0.0.0.0 (Public IP) I do not think you have set public IP here. Is the IP here 192.168.0.X?

Masoud

WOW!!!!!!!

That was fast; thanks for the response.

No, I didn't have to specify my computer to the router; it was automatically able to get an IP from the router DHCP.

But yes, I can ping my ISP/CM from the router all day:

R#ping 192.168.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/12/12 ms
R#ping 192.168.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms

Here's my routing table with current route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.0.0 is directly connected, FastEthernet1
C    192.168.0.0/24 is directly connected, FastEthernet0

Yes, that's my external IP from the ISP/CM.

After I changed my route to 0.0.0.0 0.0.0.0 FastEthernet0, here's my routing table now:

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.0.0 is directly connected, FastEthernet1
C    192.168.0.0/24 is directly connected, FastEthernet0
S*   0.0.0.0/0 is directly connected, FastEthernet0

Also from Show ip cef

R#show ip cef
Prefix              Next Hop             Interface
0.0.0.0/0           attached             FastEthernet0
0.0.0.0/32          receive
10.10.0.0/24        attached             FastEthernet1
10.10.0.0/32        receive
10.10.0.1/32        receive
10.10.0.255/32      receive
192.168.0.0/24      attached             FastEthernet0
192.168.0.0/32      receive
192.168.0.1/32      192.168.0.1          FastEthernet0
192.168.0.80/32     receive
192.168.0.255/32    receive
224.0.0.0/4         drop
224.0.0.0/24        receive
255.255.255.255/32  receive

I also changed the NAT configuration to this:

ip nat inside source list 50 interface FastEthernet0 overload
access-list 50 permit 10.10.0.0 0.0.255.255

I think I got it now.

I changed the route to 0.0.0.0 0.0.0.0 192.168.0.x and I'm able to connect to the network from my router, as I'm looking at my network map now.

I have a question: how can I set specific UDP/TCP ports like 21, 22, 23, etc.?

I am sorry. I did not understand your last question. Please explain more.

I meant the direction that client comes from. How do you test?

What is your computer IP address? Can you ping 10.10.0.1?

It should be

ip route 0.0.0.0 0.0.0.0 192.168.0.1

post your last configuration and also post the output of this command

sh ip nat translation.

Masoud

I connected a cable from my switch port fa0/11 to my computer, which was a way for me to test it.

Yes, I can ping the router 10.10.0.1 and I can also ping my switch 10.10.0.2; I'm also able to ping my default GW on the 192 network, 192.168.0.1.

Pinging 10.10.0.2 with 32 bytes of data:
Reply from 10.10.0.2: bytes=32 time<1ms TTL=255
Reply from 10.10.0.2: bytes=32 time<1ms TTL=255
Reply from 10.10.0.2: bytes=32 time<1ms TTL=255
Reply from 10.10.0.2: bytes=32 time<1ms TTL=255

Ping statistics for 10.10.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\zzle>ping 10.10.0.1

Pinging 10.10.0.1 with 32 bytes of data:
Reply from 10.10.0.1: bytes=32 time<1ms TTL=255
Reply from 10.10.0.1: bytes=32 time<1ms TTL=255
Reply from 10.10.0.1: bytes=32 time<1ms TTL=255
Reply from 10.10.0.1: bytes=32 time<1ms TTL=255

Ping statistics for 10.10.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\zzle>ping 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=2ms TTL=63
Reply from 192.168.0.1: bytes=32 time=3ms TTL=63
Reply from 192.168.0.1: bytes=32 time=2ms TTL=63
Reply from 192.168.0.1: bytes=32 time=2ms TTL=63

Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 3ms, Average = 2ms

Sh ip nat translation

R#sint
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.0.80:57316 10.10.0.50:57316   68.142.70.5:443    68.142.70.5:443
tcp 192.168.0.80:57317 10.10.0.50:57317   68.142.70.5:443    68.142.70.5:443
tcp 192.168.0.80:57318 10.10.0.50:57318   54.225.83.233:443  54.225.83.233:443
tcp 192.168.0.80:57320 10.10.0.50:57320   54.225.83.233:443  54.225.83.233:443
tcp 192.168.0.80:57321 10.10.0.50:57321   74.125.228.200:443 74.125.228.200:443
tcp 192.168.0.80:57323 10.10.0.50:57323   74.125.228.200:443 74.125.228.200:443
tcp 192.168.0.80:57324 10.10.0.50:57324   54.86.153.88:443   54.86.153.88:443
tcp 192.168.0.80:57325 10.10.0.50:57325   52.21.3.4:443      52.21.3.4:443
tcp 192.168.0.80:57326 10.10.0.50:57326   173.194.121.59:443 173.194.121.59:443
tcp 192.168.0.80:57327 10.10.0.50:57327   173.194.121.57:443 173.194.121.57:443
tcp 192.168.0.80:57328 10.10.0.50:57328   23.196.28.187:443  23.196.28.187:443
tcp 192.168.0.80:57331 10.10.0.50:57331   52.4.16.0:443      52.4.16.0:443
tcp 192.168.0.80:57332 10.10.0.50:57332   50.17.195.51:443   50.17.195.51:443
tcp 192.168.0.80:57333 10.10.0.50:57333   54.208.223.94:443  54.208.223.94:443
tcp 192.168.0.80:57336 10.10.0.50:57336   216.58.217.130:443 216.58.217.130:443
tcp 192.168.0.80:57337 10.10.0.50:57337   216.58.217.130:443 216.58.217.130:443
tcp 192.168.0.80:57338 10.10.0.50:57338   74.125.22.128:443  74.125.22.128:443
tcp 192.168.0.80:57339 10.10.0.50:57339   74.125.22.128:443  74.125.22.128:443
tcp 192.168.0.80:57340 10.10.0.50:57340   52.0.154.84:443    52.0.154.84:443
tcp 192.168.0.80:57342 10.10.0.50:57342   173.194.121.41:80  173.194.121.41:80
tcp 192.168.0.80:57343 10.10.0.50:57343   74.125.196.106:80  74.125.196.106:80
tcp 192.168.0.80:57344 10.10.0.50:57344   173.194.121.24:443 173.194.121.24:443

Current configurations

resource policy
!
clock calendar-valid
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.0.49
ip dhcp excluded-address 10.10.0.75 10.10.0.255
!
ip dhcp pool R_POOL
   import all
   network 10.10.0.0 255.255.255.0
   update dns
   default-router 10.10.0.1
   dns-server 192.168.0.1
   domain-name R.com
   update arp
!
interface FastEthernet0
 description OUT
 ip address 192.168.0.80 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
 vlan-id dot1q 192
  description OUT
  pppoe enable
  exit-vlan-config
 !
!
interface FastEthernet1
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
 vlan-id dot1q 10
  description IN
  pppoe enable
  exit-vlan-config
 !
!
interface FastEthernet1.92
 description OUT
 encapsulation dot1Q 192
 ip address dhcp client-id FastEthernet0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 pppoe enable group global
!
interface Vlan192
 no ip address
 ip verify unicast source reachable-via any
 ip mask-reply
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly
!
interface Vlan10
 no ip address
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 24.163.122.43
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 50 interface FastEthernet0 overload
!
access-list 50 permit 10.10.0.0 0.0.255.255

What I was asking in my last question: how can I specify only certain ports coming into my internal network, and also how can I specify certain ports going out to the 192 network?

You can permit some ports by access-list. Other ports will be blocked.

access-list 111 permit tcp any any eq 80
access-list 111 permit tcp any any eq 443
access-list 111 permit udp any any eq 53

add more ports as you need

Then

interface fastethernet0
 ip access-group 111 in
interface FastEthernet1
 ip access-group 111 in

Masoud

OK cool, I guess I can also use ip access-group 111 for outgoing ports, especially on my

Ex:

interface fastethernet0
 ip access-group 111 in
 ip access-group 111 out
interface FastEthernet1
 ip access-group 111 in

Right???

That is correct. Just make sure to permit all necessary ports.

Thanks for the rating

Masoud

OK, cool cool; well, I think I've got it from here. I have saved/copied my configuration as is, just in case something would ever happen; then I would have to be up here again, lol.

Thanks for all your help; I guess with a little changing, but not a lot of changing configurations, it worked! Guess my configurations weren't too sketchy, lmao.

Thanks again for all your help!

You are most welcome. I am glad your problem was solved.

To limit telnet or ssh access, use the below configuration.

access-list 40 permit host 10.10.0.X [for example your computer]
line vty 0 4 [or 0-15]
 access-class 40 in

Masoud
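The three hardening items from Masoud's accepted solution (reflexive access list, port security, DHCP snooping) together with the vty restriction just above, as one added example; it is not configuration from the thread or from Cisco. It assumes the names used in the thread: router R with FastEthernet0 outside and FastEthernet1 inside, switch S1 with Fa0/11 as the PC port and Gi0/2 as the uplink toward the router, and the PC at 10.10.0.50 as seen in the NAT table above. The ACL names OUTBOUND, INBOUND and RETURN_TRAFFIC are my own. It replaces the stateless access-list 111 from the posts above: with 111 applied inbound on Fa0, a reply from a web server arrives with source port 443 and a random destination port, matches no "eq 443" line, and is dropped, which is exactly the problem the accepted solution describes.

```cisco
! ===== Router R (added example; interface names assumed from the thread) =====
! Reflexive ACL: each outbound line with "reflect" records the session in
! RETURN_TRAFFIC (addresses and ports mirrored); the inbound ACL "evaluate"s
! that list, so only replies to LAN-initiated sessions get in. Add further
! "permit ... reflect" lines for any other service the LAN needs.
ip access-list extended OUTBOUND
 permit udp any any eq domain reflect RETURN_TRAFFIC timeout 60
 permit tcp any any eq www reflect RETURN_TRAFFIC
 permit tcp any any eq 443 reflect RETURN_TRAFFIC
 deny ip any any log
!
ip access-list extended INBOUND
 evaluate RETURN_TRAFFIC
 deny ip any any log
!
interface FastEthernet0
 no ip access-group 111 in
 no ip access-group 111 out
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
interface FastEthernet1
 no ip access-group 111 in
!
! Management plane: only the admin PC (10.10.0.50, assumed) may open a
! telnet/ssh session to the router; everything else is refused at the vty.
access-list 40 remark Admin hosts allowed on vty
access-list 40 permit host 10.10.0.50
line vty 0 4
 access-class 40 in
!
! ===== Switch S1 (added example) =====
! Port security on the PC-facing port: one sticky-learned MAC; a second
! MAC err-disables the port. bpduguard drops a rogue switch plugged in here.
interface FastEthernet0/11
 description 10 IN
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! DHCP snooping: only the uplink toward R (the DHCP server) may send
! offers; a rogue DHCP server on any other port is dropped. Option 82
! insertion is turned off because an IOS DHCP server discards requests
! carrying it when they do not come through a relay (giaddr 0).
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
interface GigabitEthernet0/2
 ip dhcp snooping trust
!
! Verify (exec mode):
! show access-lists RETURN_TRAFFIC        (router: live mirrored entries)
! show port-security interface FastEthernet0/11
! show ip dhcp snooping binding
```

While a client is browsing, show access-lists RETURN_TRAFFIC on the router lists temporary entries such as "permit tcp host <server> eq 443 host 192.168.0.80 eq <port>" that expire after the session closes; because the inbound ACL is checked before NAT, the mirrored entries carry the translated address 192.168.0.80 and match the returning packets. On the switch, show ip dhcp snooping binding should show the PC's MAC, its leased 10.10.0.x address and Fa0/11 once it renews its lease.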
