10-16-2011 11:00 AM - edited 03-04-2019 01:57 PM
Hello All:
If this is the wrong forum to post this please forgive me and point me to the right one.
I have bought a 861w to replace my 877w. We switched from telco (ADSL) to cable due to faster speeds for up and down. My current physical setup is as such. Cable modem is a straight through with 4 LAN ports in the back. All LAN ports are configured by the cable company for my assigned public IPs. (24.x.x.2 through .6 – 255.255.255.x) I also have my assigned gateway as 24.x.x.1
My goal is to set up the new router the same as the old one so all interfaces (e0 to e3) use a Vlan1 and Bridge Bvi1 to get the traffic to go through e4, which is my WAN port on the 861. I am not even concerned about the wireless because I can’t get this to work. I am attaching the running config on the old 877 and 861 so you all can see what it was and what I am trying to do. As of now I am so confused that my head is spinning……any help is appreciated. I am able to ping out and ping e4 from outside but I am not able to connect any PCs or nodes and connect to the net from inside on any of e0 to e3.
Regards
Ardy
Two Attach files:
877w-adsl.txt - this is the old configuration on a 877 that I am trying to copy into 861 without the adsl stuff......
861w-V1.log - this is the current running config on the 861w.
10-16-2011 11:45 AM
Hi,
ip nat inside source list 23 pool NATPOOL overload
access-list 30 permit 192.168.1.0 0.0.0.255
As you see the ACL referenced in the nat statement is not configured but I suppose this is ACL 30 so just change 23 by 30 in the nat statement.
You can also get rid of irb config as you're using SVI instead of BVI here because you are using switch ports in the router for LAN.
Regards.
Alain.
10-16-2011 03:35 PM
Thanks for the reply........
Changed the 23 to 30 and got rid of irb. Still not working.......a couple of questions that might help me understand this.
Looking at this from the PC side, when I connect the PC the DHCP server does good: it assigns the IP and it also assigns the default gateway as 192.168.1.2, which is what I told it in the Cisco. Now in Cisco I guess it routes it to vlan1. The part I don't understand is how vlan1 gets routed to e4 (WAN), because all traffic should go through it........
Attached the latest config file.....
Ardy
10-16-2011 11:57 PM
Hi,
I had missed this one : you must enable nat on interface FastEthernet4 with ip nat enable command.
And also you must replace 23 by 30 in ip http access-class 23 otherwise you won't have http access to your router.
You should also remove this from line vty 0 4:
line vty 0 4
privilege level 15
Otherwise any one with telnet/ssh access will be put immediately into privileged mode without typing any command.
Regards.
Alain.
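The checks raised in the replies above (a NAT or access-class statement pointing at an ACL that is never defined, NAT not enabled on any interface, and privilege level 15 on the vty lines), written as a small offline audit of a saved running-config. This is an added example, not part of the original posts; the function name `audit` and the 203.0.113.x addresses are assumptions, and the sample config is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample built from the lines quoted in this thread; addresses are placeholders.
SAMPLE = """\
interface FastEthernet4
 ip address 203.0.113.2 255.255.255.248
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
ip http access-class 23
ip nat pool NATPOOL 203.0.113.3 203.0.113.3 netmask 255.255.255.248
ip nat inside source list 23 pool NATPOOL overload
access-list 30 permit 192.168.1.0 0.0.0.255
line vty 0 4
 privilege level 15
"""

def audit(config):
    """Return findings for an IOS running-config supplied as text."""
    findings, defined, refs, roles = [], set(), [], set()
    section, has_nat_rule = "", False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # unindented line opens a new section
            section = line
        if m := re.match(r"(?:ip access-list (?:standard|extended)|access-list) (\S+)", line):
            defined.add(m.group(1))
        if m := re.match(r"ip nat (?:inside |outside )?source list (\S+)", line):
            refs.append((m.group(1), line))
        elif m := re.match(r"(?:ip http )?access-class (\S+)", line):
            refs.append((m.group(1), line))
        if re.match(r"ip nat (?:inside |outside )?source ", line):
            has_nat_rule = True
        if section.startswith("interface"):
            if m := re.match(r"ip nat (inside|outside|enable)$", line):
                roles.add(m.group(1))
        if section.startswith("line vty") and line == "privilege level 15":
            findings.append(f"{section}: sessions start at privilege level 15")
    for acl, line in refs:
        if acl not in defined:
            findings.append(f"ACL {acl} referenced but not defined: {line}")
    if has_nat_rule and not ({"inside", "outside"} <= roles or "enable" in roles):
        findings.append("NAT rule present but no interface has ip nat inside/outside or ip nat enable")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```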
10-17-2011 08:11 PM
Hi....
I really appreciate your help on this......OK.. I did the changes you asked me to + added a couple of port translations that I need for later. I still don't have access to the internet when I connect E0 to a PC. This really baffles me. I still think that Vlan is not routing traffic through E4, but can't figure out why or how.
As far as vty 0 4, all accounts on this router have privilege 15 so if they login that would be OK because they are at 15 anyway....
I have attached the latest version on sh ru.
once again thank you.
10-18-2011 12:48 AM
Hi,
1) if you are disabling domain-lookup, what's the use of putting name-servers as they won't be used by your router
as you are giving them out to your clients via dhcp then your router is not a proxy-dns so
you can get rid of these 2 lines without any problem:
no ip name-server 68.116.46.115
no ip name-server 24.205.192.61
2)ip nat pool NATPOOL 24.x.x.2 24.x.x.3 netmask 255.255.255.x
ip nat source list 100 interface Vlan1 overload
ip nat source static tcp 192.168.1.3 80 24.180.0.2 80 extendable
ip nat source static udp 192.168.1.3 80 24.180.0.2 80 extendable
ip nat inside source list 30 pool NATPOOL overload
change to this:
no ip nat pool NATPOOL 24.x.x.2 24.x.x.3 netmask 255.255.255.x
ip nat pool NATPOOL 24.x.x.3 24.x.x.3 netmask 255.255.255.x
ip nat inside source list 30 pool NATPOOL overload
no ip nat source list 100 interface Vlan1 overload
ip nat source static tcp 192.168.1.3 80 24.180.0.2 80
ip nat source static udp 192.168.1.3 80 24.180.0.2 80
What is udp port 80 ? and extendable is only needed if an inside address is statically natted to 2 different addresses which is not the case here so no need for this keyword.
4) access-list 100 permit ip any any
access-list 100 permit icmp any any
if you permit everything in first statement then no need for second one and anyway this ACL
is not needed so you can get rid of it
5)ip access-list extended ardy
permit tcp any host 24.x.x.3 eq 1723
permit gre any host 24.x.x.3
permit ip any any
this ACL isn't used anywhere and why permit specific traffic then at the end permit all ?
then the specific entries are not needed in this case.
6) Can you change ip nat enable command by ip nat inside on vlan1 and ip nat outside on f4: no ip nat enable then ip nat inside or ip nat outside
then if it still is not working:
Post the following after pinging 8.8.8.8 from a machine on your LAN:
-sh ip int br
-sh ip nat translation
-sh arp
-sh run int f0
Regards.
Alain.
10-19-2011 07:10 AM
Sorry for the late reply, Had to take care of bunch of stuff.......
Done number 1. now there is something strange in regards to port translations in number two. I take out the
no ip nat source static tcp 192.168.1.3 80 24.180.0.2 80 extendable
no ip nat source static udp 192.168.1.3 80 24.180.0.2 80 extendable
Then when I place the following per your suggestion....
ip nat source static tcp 192.168.1.3 80 24.180.0.2 80
ip nat source static udp 192.168.1.3 80 24.180.0.2 80
it takes it all OK but when I run the sh ru to see the changes are taking effect I see them back with extendable at the end.
ip nat source static tcp 192.168.1.3 80 24.180.0.2 80 extendable
ip nat source static udp 192.168.1.3 80 24.180.0.2 80 extendable
It is as if the OS is turning it back to the original for some reason......so I did take them out again, made sure they are not there, copied the ru to st and did a reload and did a sh ru and then put them back to your suggestion, but the OS still turned them back with extendable at the end.........so I stopped.
What do you think about that........
Ardy
10-19-2011 07:24 AM
Hi,
Don't worry about that, it will still work OK. If the device is adding the keyword then it is for some good reasons, but afaik the extendable was only necessary for mapping the same private IP to different public ones.
taken from cisco doc:
Extendable" static translations :
10-19-2011 12:44 PM
Done with all but have question on number 6.......
This is clear
Can you change ip nat enable command by ip nat inside on vlan1 and ip nat outside on f4
Can you explain this one "no ip nat enable then ip nat inside or ip nat outside". is this on Vlan1 or E4. and do you want to ad both ip nat inside or ip nat outside or just one of them......
Ardy
10-19-2011 12:51 PM
Hi,
on int vlan1:
no ip nat enable
ip nat inside
on f4:
ip nat outside
It's easier for me with the old way of doing NAT because I don't remember the syntax for show commands when using the newer way with the NVI (ip nat enable). Otherwise you can do ip nat enable on both interfaces (vlan 1 and f4) if you prefer.
Alain.
10-19-2011 05:28 PM
Alain
It works,,,,,,,,,,,
Hey, I really need you to explain to me the relationship in Cisco's world between Vlan1 and e4. All my internal PCs have the DHCP server give them what they need in terms of IP, gateway and DNS. I understand that. The DHCP has the Vlan1 as default route, which I think is the gateway 192.168.1.2. Now Vlan1 is handling the traffic; I get lost as to how Vlan1 is routing the traffic to e4, and what is the reason for
ip nat pool NATPOOL 24.180.0.3 24.180.0.3 netmask 255.255.255.248
Can you, in general terms, pointing to config lines, explain this please? As you can tell I am not an expert but am trying to understand the basics.......
Ardy
10-19-2011 11:59 PM
Hi,
VLAN1 is a logical port that all members of VLAN1 (all hosts on the switch ports by default) will use for L3. So you've got 2 L3 interfaces now, int VLAN1 (logical) and f4 (routed physical port), and the router is doing what it always does when routing: look at the destination IP and find the subnet, then look in its routing table for a longest match. Once it has a longest match it must find how to get there (next-hop) and then how to get to the next-hop (outgoing interface). Then it does a L2 rewrite and sends the packet to the next-hop.
Concerning the NAT POOL: you basically tell the router that you have a pool of outside addresses, here only one address in the pool (the one assigned to the outside interface), and then in your nat statement you tell it to use that pool when natting inside addresses referenced by your ACL.
Regards.
Alain.
10-20-2011 06:52 AM
Alain:
Thank you very much for your help.......I really do appreciate it. My LAN connection is up and running.
Ardy