12-06-2015 07:54 PM - edited 03-05-2019 02:53 AM
Hello;
I hope someone can provide me with some serious help getting an internal network up and running. I had one internal network up and running before, but my second network was lagging and timing out. Then one day while I was at work there was a power surge, and when I got home it had caused a major shutdown of all my equipment; I had not saved the configuration on my router and switch. So at this point I'm kind of stuck on what else I need to do. I was able to do a test on one of my computers; at first the DHCP on my router was unable to give my computer an IP address, so I had to set a static IP on the computer to connect to the router. Once it was connected to the router I wasn't able to connect to the internet, and after reviewing the configuration of the switch and the router I was unable to pinpoint whether the problem was on the switch or on the router. Hopefully someone can advise what I need to do or change to get my internal network up and running. Listed below is the configuration of my router and switch. Please help!!!
Router config
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
clock calendar-valid
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.0.49
ip dhcp excluded-address 10.10.0.75 10.10.0.255
!
ip dhcp pool R_POOL
import all
network 10.10.0.0 255.255.255.0
update dns
default-router 10.10.0.1
dns-server 192.168.0.1
domain-name R.com
update arp
!
interface FastEthernet0
description OUT
ip address 192.168.0.80 255.255.255.0
ip access-group 100 out
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
vlan-id dot1q 192
description OUT
pppoe enable
exit-vlan-config
!
interface FastEthernet1
ip address 10.10.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
vlan-id dot1q 10
description IN
pppoe enable
exit-vlan-config
!
interface FastEthernet1.92
description OUT
encapsulation dot1Q 192
ip address dhcp client-id FastEthernet0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
pppoe enable group global
!
interface Vlan192
no ip address
ip verify unicast source reachable-via any
ip mask-reply
ip accounting output-packets
ip nat outside
ip virtual-reassembly
!
interface Vlan10
no ip address
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 (Public IP)
!
ip nat pool pool1 192.168.0.80 192.168.0.255 netmask 0.0.0.0
ip nat inside source list 100 pool pool1
!
access-list 100 remark NAT Rule
access-list 100 permit tcp 0.0.0.0 255.255.255.0 eq domain any
access-list 100 permit tcp 0.0.0.0 255.255.255.0 eq www any
access-list 100 permit tcp 0.0.0.0 255.255.255.0 eq 443 any
access-list 100 permit tcp 0.0.0.0 255.255.255.0 eq 8080 any
access-list 100 permit ip 0.0.0.1 255.255.255.0 any
access-list 100 permit udp 0.0.0.1 255.255.255.0 any
access-list 100 permit tcp 0.0.0.1 255.255.255.0 any
Switch Config
hostname S1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1998
no ip subnet-zero
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/12
description test 192
switchport access vlan 192
switchport trunk native vlan 192
switchport trunk allowed vlan 192
switchport trunk pruning vlan 192
switchport mode trunk
switchport nonegotiate
switchport port-security mac-address sticky
shutdown
speed 100
duplex full
spanning-tree portfast trunk
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface FastEthernet0/12
description test 10
switchport access vlan 10
switchport trunk native vlan 10
switchport trunk allowed vlan 10
switchport trunk pruning vlan 10
switchport mode trunk
switchport nonegotiate
switchport port-security mac-address sticky
shutdown
speed 100
duplex full
spanning-tree portfast trunk
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
description Out-to-WAN
switchport access vlan 192
switchport trunk native vlan 192
switchport trunk allowed vlan 192
switchport trunk pruning vlan 192
switchport mode trunk
switchport nonegotiate
switchport port-security mac-address sticky
speed 1000
duplex full
spanning-tree portfast
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface GigabitEthernet0/2
description TRUNK-to-FE0/1
switchport access vlan 10
switchport trunk native vlan 10
switchport trunk allowed vlan 10
switchport trunk pruning vlan 10
switchport mode trunk
switchport nonegotiate
switchport port-security mac-address sticky
speed 100
duplex full
spanning-tree portfast
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface Vlan10
description IN
ip address 10.10.0.2 255.255.255.0
ip mask-reply
ip information-reply
ip security dedicated unclassified genser
ip security add
ip security first
no ip route-cache
spanning-tree portfast trunk
!
interface Vlan192
description OUT
ip address dhcp client-id Vlan192
ip mask-reply
ip information-reply
ip accounting output-packets
ip security dedicated unclassified genser
ip security add
ip security first
no ip route-cache
ip tcp adjust-mss 1460
spanning-tree portfast trunk
12-08-2015 04:46 PM
both router and switches configurations are empty?
I did not get your last question. Connect to what?
Set these commands on your router. Then,
interface FastEthernet0
description OUT
ip address 192.168.0.80 255.255.255.0
ip nat outside
no sh
!
!
interface FastEthernet1
des LAN
ip address 10.10.0.1 255.255.255.0
ip nat inside
no sh
ip nat inside source list 50 interface FastEthernet0 overload
!
access-list 50 permit 10.10.0.0 0.0.255.255
ip route 0.0.0.0 0.0.0.0 192.168.0.1
Ping 10.10.0.1 from a client
ping 192.168.0.1 from router
If you have both ping, check the internet from the PC. Config IP and DNS manually on that PC.
12-08-2015 04:55 PM
Yes, router and switch configurations were empty.
Yes, my switch has two gigabit ports, 0/1 and 0/2, so I was wondering, do I need to connect to gigabit port 0/2??
Yes, from the router I can ping both, but on my test laptop I can't ping 10.10.0.1:
C:\Users\zzle>ping 10.10.0.1
Pinging 10.10.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.10.0.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
12-08-2015 04:59 PM
It does not matter. You can connect to any port of the switch you like.
Your laptop is connected to which port? Is it connected to one of the switch interfaces?
Check the IP of your laptop; it must be 10.10.0.X.
Check interface FastEthernet1. It must be up.
12-08-2015 05:06 PM
OK, just curious about that additional switch gigabit port; no worries there.
My laptop is now connected to switch port fa0/11 for testing purposes, like what we are doing now. Yes, interface fa0/11; but sorry, my fault, slow moment there lol.
I'm able to ping fa1 on my router from my laptop; I had forgotten to connect to my switch. Sorry lol
Pinging 10.10.0.1 with 32 bytes of data:
Reply from 10.10.0.1: bytes=32 time<1ms TTL=255
Reply from 10.10.0.1: bytes=32 time<1ms TTL=255
Reply from 10.10.0.1: bytes=32 time<1ms TTL=255
Reply from 10.10.0.1: bytes=32 time<1ms TTL=255
Ping statistics for 10.10.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
12-08-2015 05:09 PM
You must have internet on your laptop if you have set the IP, default gateway and DNS on your laptop.
Can you ping 4.2.2.4 or 8.8.8.8 from your laptop?
12-08-2015 05:18 PM
Yes, I can ping both IP addresses from my laptop; yes, I have internet access; but no, I didn't set any IP or default GW on my laptop. My router picked it up, which is strange because I don't have DHCP in my router config yet.
Pinging 4.2.2.4 with 32 bytes of data:
Reply from 4.2.2.4: bytes=32 time=53ms TTL=53
Reply from 4.2.2.4: bytes=32 time=27ms TTL=53
Reply from 4.2.2.4: bytes=32 time=35ms TTL=53
Reply from 4.2.2.4: bytes=32 time=32ms TTL=53
Ping statistics for 4.2.2.4:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 27ms, Maximum = 53ms, Average = 36ms
C:\Users\zzle>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=28ms TTL=49
Reply from 8.8.8.8: bytes=32 time=30ms TTL=49
Reply from 8.8.8.8: bytes=32 time=44ms TTL=49
Reply from 8.8.8.8: bytes=32 time=39ms TTL=49
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 28ms, Maximum = 44ms, Average = 35ms
Building configuration...
Current configuration : 1804 bytes
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
description OUT
ip address 192.168.0.80 255.255.255.0
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
!
interface FastEthernet1
description LAN
ip address 10.10.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
full-duplex
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 50 interface FastEthernet0 overload
!
access-list 50 permit 10.10.0.0 0.0.255.255
12-08-2015 05:29 PM
I do not think your router is giving IP. Try another client.
You are all set. Only with some lines of configurations.
1- Add DHCP configuration to your router.
2- on switch
Interface VLAN 1
ip address 10.10.0.2 255.255.0.0 [ make sure this IP is available].
no shut
3- On both
IP domain-name test.com [name is not important]
ip ssh version 2
crypto key generate rsa [ several enter ]
username xxxx secret xxxx
enable password xxxx
line vty 0 4
login local
Check internet on all your clients.
Check SSH to your switch and router from a PC connected to the switch.
Give me the result.
12-08-2015 05:45 PM
OK;
So I am able to SSH into my router from my client computer, but for the configuration you posted for the switch, I don't have ip ssh version 2 or crypto key generate rsa in global configuration. I am able to use PuTTY to SSH to my router on the 10.10.0.0 network from my laptop. See the configuration for both router and switch as of now.
Switch
Building configuration...
Current configuration : 1615 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1998
ip subnet-zero
!
ip domain-name test.com
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Vlan1
ip address 10.10.0.2 255.255.255.0
no ip route-cache
Router
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password XXXXXX
!
no aaa new-model
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool R_POOL
import all
network 10.10.0.0 255.255.255.0
update dns
default-router 10.10.0.1
dns-server 192.168.0.1 8.8.8.8 8.8.4.4
domain-name R.com
update arp
!
!
ip domain name test.com
ip ssh version 2
!
!
!
username XX secret 5 $1$VebO$euV4JjlfJ3pYr2lUYy6ar/
!
interface FastEthernet0
description OUT
ip address 192.168.0.80 255.255.255.0
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
!
interface FastEthernet1
description LAN
ip address 10.10.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
full-duplex
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 50 interface FastEthernet0 overload
!
access-list 50 permit 10.10.0.0 0.0.255.255
12-08-2015 05:51 PM
Your switch probably does not support SSH.
Use telnet instead.
Telnet should work now on switch.
Limit telnet and SSH access to some computers on both switch and router:
access-list 40 permit host 10.10.0.X [for example your computer]
access-list 40 permit host 10.10.0.X
add more if you need
line vty 0 4 [ or 0-15]
access-class 40 in
Test with some different computers to see if the access-list works.
12-08-2015 06:08 PM
OK. As of now, using my test laptop I'm able to SSH and telnet to my router and switch when I'm on the 10.10.0.0 network.
WOW!!!!!! Thanks
Is there anything else you want me to add? I'll try the access-list 111 on the router and switch Tom; it seems that this easy configuration is what I need, and also redoing my topology lol..
12-08-2015 06:25 PM
On switch you do not need to add ACL because it is L2 and it is secure now because it is behind the router.
Add access-list 111 to int fa0/0 of your router because it is connected to outside.
Work with access-list for some days. I will give you more security configuration later.
Masoud
12-08-2015 06:25 PM
OK, I got you. Thanks for all the work you have done for me; just one question before I go.
When I set the ACL on int fa0/0, should I set the access-list going out or in? I'm thinking out, because that is the outside connection heading toward the ISP. If that's correct, could I also set a different access-list for my internal int fa0/1, like access-list 100 IN? Just curious what I can do; I was thinking about doing something like this:
Access-list 111 permit tcp any any equal 80
Access-list 111 permit tcp any any equal 443
Access-list 111 permit udp any any equal 53
Access-list 111 permit udp any any equal 8080
Access-list 100 permit udp any any equal 53
Access-list 100 permit tcp any any equal 80
Access-list 100 permit tcp any any equal 123
Access-list 100 permit tcp any any equal 143
Access-list 100 permit tcp any any equal 110
For int Fa0/0 on router
no ip address
ip access-list 111 out
int fa0/1
no ip address
ip access-list 100 in
That way I can have different ports on different interfaces.
Thanks again
12-08-2015 06:38 PM
There is more to access-lists. An access-list is stateless. It means when you allow one protocol out, you need to allow that protocol in.
For example, if you do the configuration below, you are not allowing 80 IN, so you will not have access to http pages.
Access-list 111 permit udp any any equal 53
Access-list 100 permit tcp any any equal 80 (out but no in)
You need to work on access-lists a little more to figure it out. Try different scenarios.
Now just use one number for in and out. We use reflexive access-list instead of RACL(you are using RACL now)
Just study a little bit about these.
1- Reflexive access-list (it is stateful just you need to allow one side)
2-port security on switch to bind your devices MAC addresses to switch.
3- DHCP snooping to secure DHCP
Masoud
12-08-2015 06:52 PM
You can try this also. As you see, for TCP there is "established" at the end of the command. It is for TCP only. It means that if your internal network requests a web page, it is allowed, but from outside it is only allowed if the request was initiated from inside. Any request initiated from outside is not allowed.
1-HTTP request from inside is allowed by OUT ACL. Return of traffic is allowed by IN access-list and established.
2- HTTP from out to in is not allowed.
Access-list 111 permit tcp any any equal 80
Access-list 111 permit udp any any equal 53 [ UDP is the same on both ACL]
Access-list 100 permit udp any any equal 53
Access-list 100 permit tcp any any equal 80 established
int fa0
IP access-group 111 out
IP access-group 110 in
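The two replies above (stateless ACLs needing both directions, then `established`, then the reflexive-ACL suggestion) describe behaviour that is easier to see by running it. The following is an added Python model written for this page, not configuration from Masoud or from Cisco IOS: it implements IOS wildcard-mask matching (so `10.10.0.0 0.0.255.255` is visibly a /16), top-down first-match evaluation with the implicit deny, the `established` check (ACK or RST bit set, no connection state), and a minimal reflexive-style state table. The LAN host 10.10.0.50, the outside hosts in documentation ranges, and every packet are constructed sample data. In this model the inbound entries qualify the source port, because a reply from a web or DNS server carries the server's port as its source and the client's ephemeral port as its destination.

```python
"""Toy model of IOS numbered-ACL evaluation: wildcard masks, first-match with
implicit deny, the TCP `established` keyword, and a reflexive-style state table.
Added illustration; the hosts and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple
SYN, RST, ACK = 0x02, 0x04, 0x10        # TCP flag bits
ANY = ("0.0.0.0", "255.255.255.255")    # IOS `any` == 0.0.0.0 255.255.255.255

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard: a 1 bit means 'ignore this bit' (inverse of a netmask),
    so 10.10.0.0 0.0.255.255 covers all of 10.10.0.0/16, not only the /24."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass(frozen=True)
class Packet:
    proto: str      # 'tcp' or 'udp'
    src: str
    dst: str
    sport: int
    dport: int
    flags: int = 0  # TCP flags, 0 for UDP

@dataclass(frozen=True)
class Ace:
    """One entry, e.g. `permit tcp any eq 80 any established`."""
    action: str
    proto: str                      # 'ip', 'tcp' or 'udp'
    src: Tuple[str, str] = ANY      # (address, wildcard)
    dst: Tuple[str, str] = ANY
    sport: Optional[int] = None     # None == no port qualifier
    dport: Optional[int] = None
    established: bool = False       # TCP only: ACK or RST must be set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # `established` keeps no state: it only inspects this packet's flag bits
        return not self.established or bool(p.flags & (ACK | RST))

def evaluate(acl: List[Ace], p: Packet) -> str:
    """IOS semantics: top-down, first match wins, no match means deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

# ACL 111 outbound on the WAN interface: web and DNS requests leaving the LAN.
ACL_111_OUT = [Ace("permit", "tcp", dport=80), Ace("permit", "udp", dport=53)]
# ACL 100 inbound, stateless. A reply carries the server's port as *source* (its
# destination is the client's ephemeral port), so these entries key on sport; but
# they also admit anything an outside host chooses to send from port 53 or 80.
ACL_100_IN_STATELESS = [Ace("permit", "udp", sport=53), Ace("permit", "tcp", sport=80)]
# Same with `established`: a fresh SYN from outside has neither ACK nor RST set.
ACL_100_IN_ESTABLISHED = [Ace("permit", "udp", sport=53),
                          Ace("permit", "tcp", sport=80, established=True)]

class ReflexiveFilter:
    """Reflexive-ACL idea: each outbound packet the outbound ACL permits creates a
    mirrored temporary entry; inbound traffic must match one. Works for UDP too."""
    def __init__(self, outbound_acl: List[Ace]):
        self.outbound_acl = outbound_acl
        self.reflected: Set[Tuple[str, str, str, int, int]] = set()

    def outbound(self, p: Packet) -> str:
        verdict = evaluate(self.outbound_acl, p)
        if verdict == "permit":  # remember the 5-tuple as the reply will appear
            self.reflected.add((p.proto, p.dst, p.src, p.dport, p.sport))
        return verdict

    def inbound(self, p: Packet) -> str:
        return "permit" if (p.proto, p.src, p.dst, p.sport, p.dport) in self.reflected else "deny"

# Constructed traffic for LAN host 10.10.0.50; outside hosts use documentation ranges.
HTTP_REQ = Packet("tcp", "10.10.0.50", "203.0.113.10", 51000, 80, SYN)
HTTP_REPLY = Packet("tcp", "203.0.113.10", "10.10.0.50", 80, 51000, SYN | ACK)
UNSOLICITED_SYN_FROM_80 = Packet("tcp", "198.51.100.7", "10.10.0.50", 80, 8080, SYN)
DNS_REQ = Packet("udp", "10.10.0.50", "8.8.8.8", 40000, 53)
DNS_REPLY = Packet("udp", "8.8.8.8", "10.10.0.50", 53, 40000)
UNSOLICITED_DNS = Packet("udp", "198.51.100.7", "10.10.0.50", 53, 40000)

def demo() -> dict:
    rf = ReflexiveFilter(ACL_111_OUT)
    rf.outbound(HTTP_REQ)
    rf.outbound(DNS_REQ)
    return {
        "stateless http reply": evaluate(ACL_100_IN_STATELESS, HTTP_REPLY),
        "stateless unsolicited syn": evaluate(ACL_100_IN_STATELESS, UNSOLICITED_SYN_FROM_80),
        "established http reply": evaluate(ACL_100_IN_ESTABLISHED, HTTP_REPLY),
        "established unsolicited syn": evaluate(ACL_100_IN_ESTABLISHED, UNSOLICITED_SYN_FROM_80),
        "reflexive dns reply": rf.inbound(DNS_REPLY),
        "reflexive unsolicited dns": rf.inbound(UNSOLICITED_DNS),
    }
```

Running `demo()` shows the progression the thread describes: the stateless inbound list admits the HTTP reply but also an unsolicited SYN sourced from port 80; adding `established` keeps the reply and drops the SYN, but does nothing for UDP; the reflexive table admits only the DNS reply that answers a request the LAN actually sent and drops an unsolicited datagram from port 53, which both stateless variants would have let through.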
12-18-2015 02:51 PM
Hey Masoud;
Are you there ??
Hows it going ??