11-09-2015 04:49 PM - edited 03-05-2019 02:42 AM
Hey guys, I hope someone out there can help me with this. I'm fairly new to this router, and I'm having trouble setting up an internal address from FE 0/1. Please can someone look at my configurations and see what I'm missing? When I connect my laptop to the router, it's not letting me talk to people outside the net; also, when I try to troubleshoot it, all I'm getting is that my broadband connection is not working. Please can someone assist? Configurations listed below. Thanks
Current configuration : 2890 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no logging on
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
ip host-routing
ip arp gratuitous local
no ip icmp rate-limit unreachable
ip icmp redirect host
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.0.1 10.1.0.2
ip dhcp excluded-address 10.1.0.100 10.1.0.255
!
ip dhcp pool Router_Pool
import all
network 10.1.0.0 255.255.255.0
update dns
dns-server 192.168.0.2
domain-name Cisco.com
update arp
!
!
ip domain round-robin
ip domain timeout 5
ip domain lookup source-interface FastEthernet0
ip name-server 192.168.0.2
interface FastEthernet0
description WAN_Net
ip address dhcp client-id FastEthernet0 hostname R1
ip access-group 100 in
ip nat outside
ip nat enable
ip irdp
ip virtual-reassembly
speed auto
full-duplex
!
interface FastEthernet1
description Internal_Net$ES_LAN$
ip address 10.1.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip nat enable
ip irdp
ip virtual-reassembly
speed auto
full-duplex
ip default-gateway 192.168.0.1
ip default-network 0.0.0.0
ip forward-protocol udp echo
ip route 0.0.0.0 255.255.255.0 FastEthernet1
ip route 10.1.0.0 255.255.255.0 FastEthernet0
ip route 192.168.0.0 255.255.255.0 10.1.0.0
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet1 overload
!
access-list 100 permit ip any any
access-list 100 permit icmp any any
access-list 100 permit udp any any
access-list 100 permit tcp any any
11-10-2015 01:14 AM
Hey, this below should fix it for you. Do you have an ISP modem in front of that F0, yes?
Remove all of this and replace:
ip default-gateway 192.168.0.1
ip default-network 0.0.0.0
ip forward-protocol udp echo
ip route 0.0.0.0 255.255.255.0 FastEthernet1
ip route 10.1.0.0 255.255.255.0 FastEthernet0
ip route 192.168.0.0 255.255.255.0 10.1.0.0
Replace with the correct default route for internet traffic:
ip route 0.0.0.0 0.0.0.0 (use public ip address here you were provided on modem)
Example: ip route 0.0.0.0 0.0.0.0 123.1.1.1
This is too open; I would remove and replace again:
access-list 100 permit ip any any
access-list 100 permit icmp any any
access-list 100 permit udp any any
access-list 100 permit tcp any any
Replace (your overload's on the wrong interface, should be WAN F0):
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
access-list 100 remark NAT Rule
ip nat inside source list 100 interface FastEthernet0 overload
Remove ip nat enable from your interfaces, not required.
Remove ip irdp, not good on an internet-facing device.
HTH
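The points raised in the reply above, as an added example (not part of the original post and not Cisco tooling): a small Python linter that flags a default route with a non-zero mask, a NAT overload bound to a non-outside interface, a permit-any-any ACL, `ip irdp` on the outside interface, and `ip nat enable` alongside classic NAT. The sample config and rule names are constructed, and the parser assumes indented `show running-config` output.

```python
import re

# Constructed sample shaped like the first posted config (not a verbatim copy).
SAMPLE = """\
interface FastEthernet0
 ip nat outside
 ip nat enable
 ip irdp
!
interface FastEthernet1
 ip nat inside
 ip irdp
!
ip route 0.0.0.0 255.255.255.0 FastEthernet1
ip nat inside source list 100 interface FastEthernet1 overload
access-list 100 permit ip any any
"""

def lint(config):
    """Return (rule, subject) findings; rule names are hypothetical labels."""
    ifaces, globals_, cur = {}, [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = raw.split()[1]
            ifaces[cur] = []
        elif raw[:1].isspace() and cur:
            ifaces[cur].append(raw.strip())   # indented line: interface sub-command
        else:
            cur = None
            globals_.append(raw.strip())
    outside = {n for n, c in ifaces.items() if "ip nat outside" in c}
    found = []
    for name, cmds in ifaces.items():
        if name in outside and "ip irdp" in cmds:
            found.append(("irdp-on-wan", name))
        if "ip nat enable" in cmds and {"ip nat inside", "ip nat outside"} & set(cmds):
            found.append(("nat-enable-not-required", name))
    for g in globals_:
        m = re.match(r"ip route 0\.0\.0\.0 (\S+)", g)
        if m and m.group(1) != "0.0.0.0":
            found.append(("default-route-mask", m.group(1)))
        m = re.match(r"ip nat inside source list \S+ interface (\S+) overload", g)
        if m and m.group(1) not in outside:
            found.append(("overload-not-on-outside", m.group(1)))
        m = re.match(r"access-list (\d+) permit ip any any", g)
        if m:
            found.append(("acl-permit-any-any", m.group(1)))
    return found

print(lint(SAMPLE))
```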
11-10-2015 02:35 PM
Hey Mark;
Thanks for helping me out; it seems like that kind of fixed the issue. I was able to connect to the network using the 10.1.0.0, but I was unable to view any pages, e.g. google.com, yahoo.com. So earlier I went and downloaded Wireshark, and I was able to catch this TCP that constantly keeps retransmitting; see screenshot. So then I thought about it and started opening ports to maybe see if it would resolve the issue, but it didn't. I have the same access-list on my router and switch, so I don't know what else can be causing this problem. When I'm in the 10.1 network I can ping everyone on the 192.168 network, but when I'm on the 192.168 network, I can't even ping back the default gateway 10.1; very strange and weird; never seen anything like that before. PLEASE HELP! Listed below are the configurations of the router 1811 and 2960 switch.
Router
Building configuration...
Current configuration : 2736 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no logging on
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
dot11 aaa csid ietf
no ip icmp rate-limit unreachable
ip icmp redirect host
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.0.100 10.1.0.255
ip dhcp excluded-address 10.1.0.1
!
ip dhcp pool Router_Pool
import all
network 10.1.0.0 255.255.255.0
update dns
dns-server 192.168.0.1
domain-name R1.com
default-router 10.1.0.1
update arp
interface FastEthernet0
description WAN_Net
ip address dhcp client-id FastEthernet0 hostname R1
ip access-group 100 in
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
!
interface FastEthernet1
description Internal_Net$ES_LAN$
ip address 10.1.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
speed auto
full-duplex
ip route 0.0.0.0 0.0.0.0 (Public IP Address From ISP)
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark NAT Rule
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
access-list 100 permit tcp 192.168.0.0 0.0.0.255 any
access-list 100 permit tcp 10.1.0.0 0.0.0.255 any
access-list 100 permit udp 10.1.0.0 0.0.0.255 any
access-list 100 permit udp 192.168.0.0 0.0.0.255 any
Switch
Current configuration : 3957 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service udp-small-servers max-servers 5
service tcp-small-servers max-servers 5
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
no logging on
!
no aaa new-model
clock timezone EST 23 39
system mtu routing 1500
vtp domain switch/vtp.com
vtp mode transparent
no ip subnet-zero
ip icmp rate-limit unreachable 10
!
ip domain round-robin
no ip domain-lookup
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
name Internal_Network
!
vlan 192
192_Outside_Network
!
ip tcp path-mtu-discovery
interface GigabitEthernet0/1
description WAN_modem
switchport access vlan 192
switchport mode access
no keepalive
duplex full
!
interface GigabitEthernet0/2
description FA0/1 IN
switchport access vlan 10
switchport mode access
no keepalive
duplex full
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan10
ip address 10.1.0.X 255.255.255.0
ip access-group 100 in
no ip route-cache
!
interface Vlan192
ip address dhcp
ip access-group 100 in
no ip route-cache
!
ip http server
access-list 100 remark NAT Rule
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit tcp 192.168.0.0 0.0.0.255 any
access-list 100 permit tcp 10.1.0.0 0.0.0.255 any
access-list 100 permit udp 10.1.0.0 0.0.0.255 any
access-list 100 permit udp 192.168.0.0 0.0.0.255 any
11-11-2015 12:30 AM
Hey, OK, so that's a different setup than the first post :) I think I have what you're trying to do and why it's not working; correct me if I'm wrong. You have 2 local VLANs, 10.1.0.x and 192.168.0.x, on a switch, correct? You need a router-on-a-stick setup for that, or else some form of dynamic routing between the switch and the router, so there's inter-VLAN routing and everything can speak to each other locally. The stick's probably the easier option, as the switch may not have the IP Lite image, probably just LAN Base for L2.
1. The router needs to know about the 2 VLANs, so the switch needs to be set as a trunk with all VLANs allowed up to it. Take one of the interfaces and set it as a switchport trunk on the 2960:
interface GigabitEthernet0/1
description uplink to router
switchport mode trunk
switchport trunk encapsulation dot1q
speed auto
duplex auto
2. Then the router needs to be set as a sub-interface connecting back to the switch, so he's aware there are multiple VLANs that need to be routed.
Take a LAN interface, F1:
int f1
no ip address
int f1.10
encapsulation dot1q 10
ip address 10.1.0.1 255.255.255.0
ip nat inside
int f1.20
encapsulation dot1q 192
ip address 192.168.0.1 255.255.255.0
ip nat inside
Here's a guide you can use as a reference, if I have your design right for what you're trying to do:
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/336-cisco-router-8021q-router-stick.html
let me know how it goes :)
11-11-2015 09:01 PM
Hey Mark;
How's it going? I really do appreciate you helping with my internal network; never thought it would be this hard; guess I was wrong lol. So as you know now, I have a router and a switch; both are Cisco products. I woke up this morning and found out that I didn't have any network, even on my primary 192.168 network, after reconfiguration. After reviewing and troubleshooting, I found that it was a problem with my routing: when I was connected to the switch, no access at all, but when I directly connected to the CM, I had network access. But after dealing with this CM for a long period of time, I went and got a replacement CM. After dealing with all the frustration for a long period of time lol, etc., I just went ahead and erased everything on my router and switch back to default to start from scratch. Here is where I stand as we speak with the router and switch configuration. Yes, I have two VLANs on the switch, one for OUT on the 192.168 (VLAN 192) and one for IN on the 10.1 (VLAN 10); and yes, from what I'm reading and seeing, inter-VLAN routing is needed on the Cisco router. Below is my current router and switch configuration; also attached is a doc of what I'm trying to do with this network.
Thanks again;
Router
Building configuration...
Current configuration : 2157 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.0.1
ip dhcp excluded-address 10.1.0.100 10.1.0.255
!
ip dhcp pool R_POOL
import all
network 10.1.0.0 255.255.255.0
default-router 10.1.0.1
dns-server 192.168.0.1
domain-name R.com
update arp
interface FastEthernet0
ip address dhcp client-id Vlan192
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
vlan-id dot1q 192
description OUT
exit-vlan-config
!
vlan-id dot1q 10
description IN
exit-vlan-config
!
dot1q tunneling ethertype 0x9100
!
interface FastEthernet0.10
ip nat inside
ip virtual-reassembly
!
interface FastEthernet1
ip address 10.1.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
full-duplex
vlan-id dot1q 10
description In
exit-vlan-config
!
vlan-id dot1q 192
description WAN_OUT
exit-vlan-config
!
dot1q tunneling ethertype 0x9100
interface FastEthernet1.192
ip nat outside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 (Public Address from WAN)
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
access-list 100 remark NAT Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
Switch
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
aaa session-id common
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
description FE0/0 OUT
switchport access vlan 192
switchport trunk native vlan 192
switchport mode trunk
duplex full
!
interface FastEthernet0/2
description TEST
switchport access vlan 10
switchport trunk native vlan 10
switchport mode trunk
duplex full
!
interface GigabitEthernet0/1
description Trunk-to-WAN
switchport access vlan 192
switchport trunk native vlan 192
switchport mode trunk
speed 1000
duplex full
spanning-tree portfast trunk
!
interface GigabitEthernet0/2
description Trunk-to-FE0/1
switchport access vlan 10
switchport trunk native vlan 10
switchport mode trunk
speed 1000
duplex full
spanning-tree portfast trunk
!
interface Vlan10
description IN
ip address dhcp
ip access-group 100 in
no ip route-cache
spanning-tree portfast
!
interface Vlan192
description OUT
ip address dhcp
ip access-group 100 in
no ip route-cache
spanning-tree portfast
!
ip http server
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark NAT Rule
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
Please let me know what you think. I'll repost again after I try out the configuration.
11-11-2015 10:30 PM
jjizzle1985, your problem resolved?
11-11-2015 11:38 PM
Hey Mark; it worked; those configurations I posted earlier worked. I guess the network had to learn its routes. At first DHCP didn't pick up, so then I statically changed the address; after it identified itself and I tested, it worked. So I let it sit for a min, then I changed the IP address to DHCP to see if the router on fe0/1 would pick it up, which it did. The only issue I'm dealing with now is my AP isn't working at the moment; just an amber light. I guess it's looking for an IP address or it's not using the 802.1q; I'll see if the configurations on the AP will allow me to use VLAN tagging.
I believe I got it, Mark; the AP just takes a while to learn its new routes, but I believe I'm OK now. It's only alerting of two DHCP servers found from the same network 192.168, which I'm not so sure about. Everything is online on both networks. The only other issue, well not an issue, is when I'm on the 192.168 network I can't ping the default-gw or the sw to the 10.1 network; strange. When I'm on the 10.1 network I can ping everyone on the 192.168 network. But other than that, I think I'm OK; just gonna wait until the morning to see if everything is still running correctly.
Please, if you have any input on securing the network, please let me know.
Thanks again for your help :-)
11-12-2015 05:51 AM
Ah, glad to hear you got it all working :)
EDIT: Take a look at this for security; harden the router as it's facing the internet:
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html