
Cisco Router 1811 Dual WAN PORT Help !!!!!!!!!!!!!!!

jjizzle1985
Level 1

Hey guys; I hope someone out there can help me with this. I'm fairly new to this router, and I'm having trouble setting up an internal address from FE 0/1. Please can someone look at my configurations and see what I'm missing? When I connect my laptop to the router, it's not letting me talk to people outside the net; also, when I try to troubleshoot it, all I'm getting is that my broadband connection is not working. Please can someone assist; configurations listed below. Thanks

Current configuration : 2890 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no logging on
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
ip host-routing
ip arp gratuitous local
no ip icmp rate-limit unreachable

ip icmp redirect host
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.0.1 10.1.0.2
ip dhcp excluded-address 10.1.0.100 10.1.0.255
!
ip dhcp pool Router_Pool
   import all
   network 10.1.0.0 255.255.255.0
   update dns
   dns-server 192.168.0.2
   domain-name Cisco.com
   update arp
!
!
ip domain round-robin
ip domain timeout 5
ip domain lookup source-interface FastEthernet0
ip name-server 192.168.0.2

interface FastEthernet0
 description WAN_Net
 ip address dhcp client-id FastEthernet0 hostname R1
 ip access-group 100 in
 ip nat outside
 ip nat enable
 ip irdp
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface FastEthernet1
 description Internal_Net$ES_LAN$
 ip address 10.1.0.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip nat enable

 ip irdp
 ip virtual-reassembly
 speed auto
 full-duplex

ip default-gateway 192.168.0.1
ip default-network 0.0.0.0
ip forward-protocol udp echo
ip route 0.0.0.0 255.255.255.0 FastEthernet1
ip route 10.1.0.0 255.255.255.0 FastEthernet0
ip route 192.168.0.0 255.255.255.0 10.1.0.0
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet1 overload
!
access-list 100 permit ip any any
access-list 100 permit icmp any any
access-list 100 permit udp any any
access-list 100 permit tcp any any

7 Replies

Mark Malone
VIP Alumni

Hey, this below should fix it for you. Do you have an ISP modem in front of that F0, yes?

remove all of this and replace

ip default-gateway 192.168.0.1
ip default-network 0.0.0.0
ip forward-protocol udp echo
ip route 0.0.0.0 255.255.255.0 FastEthernet1
ip route 10.1.0.0 255.255.255.0 FastEthernet0
ip route 192.168.0.0 255.255.255.0 10.1.0.0

replace with correct default route for internet traffic

ip route 0.0.0.0 0.0.0.0 (use public ip address here you were provided on modem)

example ip route 0.0.0.0 0.0.0.0 123.1.1.1

This is too open; I would remove and replace it again

access-list 100 permit ip any any
access-list 100 permit icmp any any
access-list 100 permit udp any any
access-list 100 permit tcp any any

replace (your overload's on the wrong interface, should be WAN F0)

access-list 100 permit ip 10.1.0.0 0.0.0.255 any

access-list 100 remark NAT Rule

ip nat inside source list 100 interface FastEthernet0 overload

remove ip nat enable from your interfaces, not required

remove ip irdp, not good on an internet-facing device

HTH
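
The points in the reply above (default-route mask, the `permit ip any any` ACL, NAT overload bound to the inside interface, `ip nat enable`, `ip irdp`) can be checked mechanically. This is an added example, not part of the original thread: the `audit` function and its check names are hypothetical, the sample is constructed from lines of the first posted config, and it assumes sub-commands are indented as `show running-config` prints them.

```python
import re

# Constructed sample: lines taken from the first posted config that the reply flags.
SAMPLE = """\
interface FastEthernet0
 ip nat outside
 ip nat enable
 ip irdp
!
interface FastEthernet1
 ip nat inside
 ip nat enable
 ip irdp
!
ip route 0.0.0.0 255.255.255.0 FastEthernet1
ip nat inside source list 100 interface FastEthernet1 overload
access-list 100 permit ip any any
"""

def audit(config):
    """Return sorted (check, detail) findings for an IOS running-config (hypothetical checks)."""
    findings, iface, role = set(), None, {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines inside a pasted block must not end the interface
        if not raw.startswith(" "):  # top-level command: enters or leaves an interface
            m = re.match(r"interface (\S+)", line)
            iface = m.group(1) if m else None
        if iface and line in ("ip nat inside", "ip nat outside"):
            role[iface] = line.split()[-1]
        if iface and line in ("ip irdp", "ip nat enable"):
            findings.add((line[3:].replace(" ", "-"), iface))
        m = re.match(r"ip route 0\.0\.0\.0 (\S+)", line)
        if m and m.group(1) != "0.0.0.0":  # a default route needs mask 0.0.0.0
            findings.add(("default-route-mask", m.group(1)))
        m = re.match(r"access-list (\d+) permit ip any any", line)
        if m:
            findings.add(("acl-permit-any", m.group(1)))
    # PAT overload must name the interface marked "ip nat outside" (the WAN side).
    pat = r"^ip nat inside source list \S+ interface (\S+) overload"
    for m in re.finditer(pat, config, re.M):
        if role.get(m.group(1)) != "outside":
            findings.add(("overload-not-outside", m.group(1)))
    return sorted(findings)

if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"{check}: {detail}")
```
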

Hey Mark;

Thanks for helping me out; it seems like that kind of fixed the issue. I was able to connect to the network using the 10.1.0.0, but I was unable to view any pages, e.g. google.com, yahoo.com. So earlier I went and downloaded Wireshark, and I was able to catch this TCP that constantly keeps retransmitting; see screenshot. So then I thought about it and started opening ports to maybe see if it would resolve the issue, but it didn't. I have the same access-list on my router and switch, so I don't know what else can be causing this problem. When I'm in the 10.1 network I can ping everyone on the 192.168 network, but when I'm on the 192.168 network I can't even ping back the default gateway 10.1; very strange and weird; never seen anything like that before. PLEASE HELP !!!!!!!!!!!! Listed below are the configurations of the router 1811 and 2960 switch.

Router

Building configuration...

Current configuration : 2736 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no logging on
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
dot11 aaa csid ietf
no ip icmp rate-limit unreachable
ip icmp redirect host

ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.0.100 10.1.0.255
ip dhcp excluded-address 10.1.0.1
!
ip dhcp pool Router_Pool
   import all
   network 10.1.0.0 255.255.255.0
   update dns
   dns-server 192.168.0.1
   domain-name R1.com
   default-router 10.1.0.1
   update arp

interface FastEthernet0
 description WAN_Net
 ip address dhcp client-id FastEthernet0 hostname R1
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface FastEthernet1
 description Internal_Net$ES_LAN$
 ip address 10.1.0.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 speed auto
 full-duplex

ip route 0.0.0.0 0.0.0.0 (Public IP Address From ISP)
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark NAT Rule
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
access-list 100 permit tcp 192.168.0.0 0.0.0.255 any
access-list 100 permit tcp 10.1.0.0 0.0.0.255 any
access-list 100 permit udp 10.1.0.0 0.0.0.255 any
access-list 100 permit udp 192.168.0.0 0.0.0.255 any

Switch


Current configuration : 3957 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service udp-small-servers max-servers 5
service tcp-small-servers max-servers 5
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
no logging on
!
no aaa new-model
clock timezone EST 23 39
system mtu routing 1500
vtp domain switch/vtp.com
vtp mode transparent

no ip subnet-zero
ip icmp rate-limit unreachable 10
!
ip domain round-robin
no ip domain-lookup

spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
 name Internal_Network
!
vlan 192

192_Outside_Network
!
ip tcp path-mtu-discovery

interface GigabitEthernet0/1
 description WAN_modem
 switchport access vlan 192
 switchport mode access
 no keepalive
 duplex full
!
interface GigabitEthernet0/2
 description FA0/1 IN
 switchport access vlan 10
 switchport mode access
 no keepalive
 duplex full
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan10
 ip address 10.1.0.X 255.255.255.0
 ip access-group 100 in
 no ip route-cache
!
interface Vlan192
 ip address dhcp
 ip access-group 100 in
 no ip route-cache
!
ip http server
access-list 100 remark NAT Rule
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit tcp 192.168.0.0 0.0.0.255 any
access-list 100 permit tcp 10.1.0.0 0.0.0.255 any
access-list 100 permit udp 10.1.0.0 0.0.0.255 any
access-list 100 permit udp 192.168.0.0 0.0.0.255 any

Hey, OK, so that's a different setup than the first post :) I think I have what you're trying to do and why it's not working; correct me if I'm wrong. You have 2 local VLANs, 10.1.0.x and 192.168.0.x, on a switch, correct? You need a router-on-a-stick setup for that, or else some form of dynamic routing between the switch and the router, so there's inter-VLAN routing and everything can speak to each other locally. The stick's probably the easier option, as the switch may not have the IP Lite image, probably just LAN Base for L2.

1 The router needs to know about the 2 VLANs, so the switch needs to be set as a trunk and all VLANs allowed up to it. Take one of the interfaces and set it as a switchport trunk on the 2960

interface GigabitEthernet0/1
 description uplink to router
 switchport mode trunk 
 switchport trunk encapsulation dot1q
 speed auto
 duplex auto

2 Then the router needs to be set as a sub-interface connecting back to the switch so he's aware there are multiple VLANs that need to be routed

Take a LAN interface F1

int f1
 no ip address
int f1.10
 encapsulation dot1q 10
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
int f1.20
 encapsulation dot1q 192
 ip address 192.168.0.1 255.255.255.0
 ip nat inside

Here's a guide you can use as a reference, if I have your design right and what you're trying to do

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/336-cisco-router-8021q-router-stick.html

let me know how it goes :)

Hey Mark;

How's it going; I really do appreciate you helping with my internal network; never thought it would be this hard; guess I was wrong lol. So as you know now, I have a router and a switch; both are Cisco products. I woke up this morning and found out that I didn't have any network, even on my primary 192.168 network, after reconfiguration. After reviewing and troubleshooting, I found that it was a problem with my routing: when I was connected to the switch, no access at all, but when I directly connected to the CM, I had network access. But after dealing with this CM for a long period of time, I went and got a replacement CM. Dealing with all the frustration for a long period of time lol, etc., etc., I just went ahead and erased everything on my router and switch back to default to start from scratch. Here is where I stand as we speak with the router and switch configuration. Yes, I have two VLANs on the switch, one for OUT on the 192.168 (VLAN 192) and one for IN on the 10.1 (VLAN 10); and yes, from what I'm reading and seeing, inter-VLAN routing is needed on the Cisco router. Below is my current router and switch configuration; also attached is a doc of what I'm trying to do with this network.

Thanks again;

Router

Building configuration...

Current configuration : 2157 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy

ip cef

no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.0.1
ip dhcp excluded-address 10.1.0.100 10.1.0.255
!
ip dhcp pool R_POOL

import all
network 10.1.0.0 255.255.255.0
default-router 10.1.0.1
dns-server 192.168.0.1
domain-name R.com
update arp

interface FastEthernet0
ip address dhcp client-id Vlan192
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
vlan-id dot1q 192
description OUT
exit-vlan-config
!
vlan-id dot1q 10
description IN
exit-vlan-config
!
dot1q tunneling ethertype 0x9100
!
interface FastEthernet0.10
ip nat inside
ip virtual-reassembly
!
interface FastEthernet1
ip address 10.1.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
full-duplex
vlan-id dot1q 10
description In
exit-vlan-config
!
vlan-id dot1q 192
description WAN_OUT
exit-vlan-config
!
dot1q tunneling ethertype 0x9100

interface FastEthernet1.192
ip nat outside
ip virtual-reassembly

ip route 0.0.0.0 0.0.0.0 (Public Address from WAN)
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
access-list 100 remark NAT Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 any

Switch

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
aaa session-id common
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 description FE0/0 OUT
 switchport access vlan 192
 switchport trunk native vlan 192
 switchport mode trunk
 duplex full
!
interface FastEthernet0/2
 description TEST
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport mode trunk
 duplex full
!
interface GigabitEthernet0/1
 description Trunk-to-WAN
 switchport access vlan 192
 switchport trunk native vlan 192
 switchport mode trunk
 speed 1000
 duplex full
 spanning-tree portfast trunk
!
interface GigabitEthernet0/2
 description Trunk-to-FE0/1
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport mode trunk
 speed 1000
 duplex full
 spanning-tree portfast trunk
!
interface Vlan10
 description IN
 ip address dhcp
 ip access-group 100 in
 no ip route-cache
 spanning-tree portfast
!
interface Vlan192
 description OUT
 ip address dhcp
 ip access-group 100 in
 no ip route-cache
 spanning-tree portfast
!
ip http server
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark NAT Rule
access-list 100 permit ip 10.1.0.0 0.0.0.255 any

Please let me know what you think. I'll repost again after I try out the configuration

jjizzle1985, is your problem resolved?

Hey Mark; it worked; those configurations I posted earlier worked; I guess the network had to learn its routes. At first DHCP didn't pick up, so then I statically changed the address; after it identified itself and tested, it worked, so I let it sit for a minute; then I changed the IP address to DHCP to see if the router on fe0/1 would pick it up, which it did. The only issue I'm dealing with now is my AP isn't working at the moment; just an amber light; I guess it's looking for an IP address or it doesn't use 802.1q; I'll see if the configurations on the AP will allow me to use VLAN tagging.

I believe I got it, Mark; the AP just takes a while to learn its new routes, but I believe I'm OK now. It's only alerting about two DHCP servers found from the same network 192.168, which I'm not so sure about; everything is online on both networks. The only other issue, well, not an issue, is that when I'm on the 192.168 network I can't ping the default gateway or the switch on the 10.1 network; strange; when I'm on the 10.1 network I can ping everyone on the 192.168 network. But other than that, I think I'm OK; just going to wait until the morning to see if everything is still running correctly.

Please, if you have any input on securing the network, let me know

Thanks again for your help :-)

Ah, glad to hear you got it all working :)

EDIT: Take a look at this for security; harden the router as it's facing the internet

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html