02-05-2014 01:32 PM - edited 03-04-2019 10:15 PM
Hi,
I'm a really basic Cisco user and I'm having an issue with a simple config I'm trying to do.
Basically, I'd like to use a 871 as a bandwidth limiter.
I use an ISP modem-router with a 192.168.2.0/24 network, and I'd like to feed the 50 Mbps Internet bandwidth into one port of the 871 and hand out one of the FE ports at speed 10 with a 192.168.0.0/24 network. Furthermore, I'd install an access point on that port, and I don't want those users to have access to the 192.168.2.0 network. I'm using this config right now:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool MyDhcp
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 192.168.2.1
!
interface FastEthernet0
 switchport access vlan 10
 ip dhcp client hostname MyDhcp
 speed 10
 no cdp enable
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
Here's the sh ip route output:
Gateway of last resort is 192.168.2.1 to network 0.0.0.0
C 192.168.0.0/24 is directly connected, Vlan10
C 192.168.2.0/24 is directly connected, FastEthernet4
S* 0.0.0.0/0 [1/0] via 192.168.2.1
I'm able to ping both google.ca and the pc (192.168.0.2) from the router, but from the PC I can ping 192.168.0.1 but not 192.168.2.1.
I'm also sure it's quite a simple thing for most of you guys to figure out. But again, I'm quite a basic Cisco user.
Thank you very much in advance.
Yannick.
02-05-2014 01:56 PM
Have you tried it with NAT?
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload
!
interface vlan10
 ip nat inside
!
interface FastEthernet4
 ip nat outside
 no switchport
02-06-2014 10:47 AM
Yes, it works!! Thanks a hundred times. I don't really understand what those functions are for, but it does work! I assume that ip nat outside means network address translation for the WAN, and inside for the LAN.
Does the access list above mean that in slot number 1, what comes from the 192.168.0.0 network is permitted, and that source list 1 is calling that function back and assigning it to fa4? Meaning that what comes from 192.168.0.0 going to fa4 is allowed?
I'm really thankful to you Umit Sencan!
02-06-2014 11:15 AM
Yes, basically that's correct. Since you have 2 different subnets and a router, the LAN side needs to be translated to the WAN side. You can make the network very secure by changing the access list to an extended list. 1-99 is for standard, 100 and over for extended access lists. Below is an example; you can control which ports are open or closed.
ip access-list extended INTERNET
 deny tcp any any eq 5060 log
 deny udp any any eq 5060 log
 deny tcp any any eq 5060 log
 deny udp any any eq 2427 log
 deny tcp any any eq 2428 log
 deny tcp any any range 1718 1720 log
 deny tcp any any eq 1731 log
 deny tcp any any eq 2000 log
 deny tcp any any eq 3389
 deny tcp any any eq 23
 deny tcp any any eq ftp
 deny tcp any any eq ftp-data
 deny tcp any any eq 22
 permit tcp any any eq www
!
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL ftp
ip inspect name FIREWALL h323
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL pptp
ip inspect name FIREWALL sip
ip inspect name FIREWALL vdolive
ip inspect name FIREWALL streamworks
ip inspect name FIREWALL netshow
ip inspect name FIREWALL sqlnet
ip inspect name FIREWALL tftp
ip inspect name FIREWALL skinny
ip inspect name FIREWALL ntp
ip inspect name FIREWALL dns
!
interface FastEthernet4
 ip nat outside
 no switchport
 ip access-group INTERNET in
 ip inspect FIREWALL out
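To make the first-match semantics of that extended list concrete, here is an added example (my own Python, not code from this thread or from IOS) that parses a subset of the INTERNET list above and evaluates sample packets against it. The parser and the names Ace, parse_acl and evaluate are assumed for illustration; it only handles the "any any" with "eq"/"range" form used in that list and models the implicit deny at the end, which is the entry that return traffic would hit if `ip inspect FIREWALL out` were not opening it dynamically.

```python
from dataclasses import dataclass

# Constructed subset of the INTERNET access list from the reply above.
ACL_TEXT = """
deny tcp any any eq 5060 log
deny udp any any eq 5060 log
deny tcp any any range 1718 1720 log
deny tcp any any eq 3389
deny tcp any any eq 23
deny tcp any any eq ftp
deny tcp any any eq 22
permit tcp any any eq www
"""

# IOS port keywords that appear in the list.
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20}


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "tcp" or "udp"
    lo: int       # destination port range (inclusive)
    hi: int
    log: bool
    text: str     # the original line, for reporting the matching entry


def parse_ace(line: str) -> Ace:
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[4:]   # skip "any any"
    log = bool(rest) and rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest and rest[0] == "eq":
        lo = hi = PORT_NAMES.get(rest[1]) or int(rest[1])
    elif rest and rest[0] == "range":
        lo, hi = int(rest[1]), int(rest[2])
    else:
        lo, hi = 0, 65535                            # no port qualifier
    return Ace(action, proto, lo, hi, log, line)


def parse_acl(text: str) -> list:
    return [parse_ace(l) for l in text.strip().splitlines()]


def evaluate(acl: list, proto: str, dport: int) -> tuple:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.proto == proto and ace.lo <= dport <= ace.hi:
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"
```

Evaluating TCP/443 or a UDP reply to an ephemeral port yields the implicit deny, which shows why the list alone would break outbound browsing and DNS: it is the CBAC inspection rule on the same interface that admits those return flows.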