12-30-2014 02:50 AM - edited 03-05-2019 12:28 AM
Hi, I've got two VLANs, 192.168.1.0/24 and 11.0/24.
The problem is that I wanna watch the DVR with address 192.168.11.234 from the 1.0/24 VLAN, but I can't ping an address on the other VLAN. In this router there are route-map and ACL commands, and I will show the current configuration.
Cisco1#show run
Building configuration...
Current configuration : 5873 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 9
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3138799855
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3138799855
revocation-check none
rsakeypair TP-self-signed-3138799855
!
!
crypto pki certificate chain TP-self-signed-3138799855
certificate self-signed 01
KADJSALJDLAS
quit
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.99
ip dhcp excluded-address 192.168.1.86
ip dhcp excluded-address 192.168.1.88
ip dhcp excluded-address 192.168.1.120 192.168.1.131
ip dhcp excluded-address 192.168.1.133 192.168.1.135
ip dhcp excluded-address 192.168.1.139 192.168.1.145
ip dhcp excluded-address 192.168.1.147 192.168.1.173
ip dhcp excluded-address 192.168.1.175 192.168.1.237
ip dhcp excluded-address 192.168.1.240 192.168.1.254
ip dhcp excluded-address 192.168.1.1 192.168.1.74
!
ip dhcp pool AnelLocal
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server HHH.HHH.HHH.HHH HHH.HHH.HHH.YYY 208.67.220.220 208.67.222.222
!
ip dhcp pool vlan11pool
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
dns-server HHH.HHH.HHH.HHH HHH.HHH.HHH.YYY 208.67.220.220 208.67.222.222
!
!
ip domain name www.anel.bg
ip name-server HHH.HHH.HHH.HHH
ip name-server HHH.HHH.HHH.YYY
ip name-server 4.4.4.4
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
username Admin password 0
username Administrator password 0
!
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
interface FastEthernet0
description ***Link to BTC***
no ip address
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
interface FastEthernet0.1
description ***Internet WAN***
encapsulation dot1Q 462
ip address YYY.YYY.UUU.UUU 255.255.255.252
ip nat outside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0.2
description ***Local WAN***
encapsulation dot1Q 3904
ip address ZZZ.ZZZ.ZZZ.ZZZ 255.255.255.252
ip nat outside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet1
description Link-To-Megalan-MTEL
ip address AAA.AAA.BB.CC 255.255.255.248 secondary
ip address AAA.AAA.DD.EE 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1.1
no cdp enable
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet2
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
switchport access vlan 11
!
interface FastEthernet6
switchport access vlan 11
!
interface FastEthernet7
switchport access vlan 11
!
interface FastEthernet8
switchport access vlan 11
!
interface FastEthernet9
switchport access vlan 10
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
no ip address
ip tcp adjust-mss 1452
shutdown
!
interface Vlan10
description ***Local LAN***$ES_LAN$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan11
ip address 192.168.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XXX.YYY.ZZZ.AAA 2
ip route 0.0.0.0 0.0.0.0 ZZZ.HHH.YYY.XXX 3
ip route 0.0.0.0 0.0.0.0 BBB.BBB.BBB.BBB 4
!
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat pool MTEL XXX.YYY.ZZZ.AAA XXX.YYY.ZZZ.AAA netmask 255.255.255.252
ip nat pool MTEL11 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.248
ip nat inside source route-map MTEL pool MTEL overload
ip nat inside source route-map MTEL11 pool MTEL11 overload
!
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip any 192.168.1.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 host 92.247.39.81
access-list 111 permit ip 192.168.11.0 0.0.0.255 any
access-list 111 permit ip any 192.168.11.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 host 92.247.39.81
no cdp run
!
!
!
route-map MTEL permit 10
match ip address 110
match interface FastEthernet1
!
route-map MTEL11 permit 11
match ip address 111
match interface FastEthernet1
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
privilege level 15
transport input ssh
line vty 5 15
privilege level 15
transport input ssh
!
end
12-30-2014 06:17 PM
Two things to check. Are systems on both VLANs able to reach the Internet? If you remove the "ip nat inside" statements from VLANs 10 and 11, are you able to ping across?
01-01-2015 12:22 AM
Yes, they're able. I don't want to remove ip nat inside, because the router is currently in operation. Thank you.
01-01-2015 09:26 PM
I suspect that something isn't quite right with the NAT configuration. Removing the "ip nat inside" statements would have confirmed or eliminated this as a possibility, but we can look into it further without doing that.
Try replacing access lists 110 and 111 with the following and see if it resolves the problem:
access-list 110 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
!
access-list 111 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 111 permit ip 192.168.0.0 0.0.255.255 any
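Added example (not part of the thread and not Cisco code): a small Python model of IOS first-match ACL evaluation, applied to ACL 110 as posted and as proposed in the reply, showing which entry a VLAN 10 to DVR packet hits and which posted entries are shadowed by an earlier one. It models only the route-map's `match ip address` clause, not `match interface FastEthernet1`; the function names and the source host 192.168.1.75 are constructed for illustration.

```python
from ipaddress import IPv4Address

M = 0xFFFFFFFF

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    tok = line.split()
    def take(t):  # one address spec -> ((base, wildcard), remaining tokens)
        if t[0] == "any":
            return (0, M), t[1:]
        if t[0] == "host":
            return (int(IPv4Address(t[1])), 0), t[2:]
        return (int(IPv4Address(t[0])), int(IPv4Address(t[1]))), t[2:]
    src, rest = take(tok[4:])
    dst, _ = take(rest)
    return tok[2], src, dst

def hit(spec, addr):
    care = ~spec[1] & M  # wildcard bits set to 1 are ignored
    return (int(IPv4Address(addr)) & care) == (spec[0] & care)

def first_match(acl, src, dst):
    """(action, 1-based entry) of the first matching ACE; implicit deny at the end."""
    for n, line in enumerate(acl, 1):
        action, s, d = parse_ace(line)
        if hit(s, src) and hit(d, dst):
            return action, n
    return "deny", None

def covers(a, b):
    """True if spec a matches every address that spec b matches."""
    care = ~a[1] & M
    return (care & b[1]) == 0 and (a[0] & care) == (b[0] & care)

def shadowed(acl):
    """Entries that can never match because an earlier entry covers them."""
    aces = [parse_ace(l) for l in acl]
    return [i + 1 for i, (_, s, d) in enumerate(aces)
            if any(covers(ps, s) and covers(pd, d) for _, ps, pd in aces[:i])]

POSTED_110 = [  # as in the posted running-config
    "access-list 110 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 110 permit ip any 192.168.1.0 0.0.0.255",
    "access-list 110 deny ip 192.168.1.0 0.0.0.255 host 92.247.39.81",
]
PROPOSED_110 = [  # as suggested in the reply
    "access-list 110 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255",
    "access-list 110 permit ip 192.168.0.0 0.0.255.255 any",
]
```

In a NAT route-map, a `permit` hit makes the packet eligible for translation and a `deny` hit exempts it, so `first_match(POSTED_110, "192.168.1.75", "192.168.11.234")` versus the same call on `PROPOSED_110` shows the difference the reply is testing for.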