cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
724
Views
10
Helpful
4
Replies

Internet not working on Cisco Router 1800 with vlan as interface

noerdar
Level 1
Level 1

I have a Cisco Router 1800 Series and im having some trouble with access for client pc’s behind that in a double nat setup.

 

It sits behind a pfsense Router/Firewall that has the ip of 192.168.16.1. I have connected a client pc directly into the Cisco Router.

 

The Client can ping the outside interface 192.168.16.240 and the inside interface of 10.10.20.1 of the cisco router. The client pc gets a address from the DHCP pool from the cisco router.

 

The Client pc cannot contact the internet and cannot ping other host on the 192.168.16.0 network, witch the pfsense firewall/router handles.

 

The Cisco Router itself can ping things on the internet and the 192.168.16.0 network also from the 10.10.20.0 interface with the ip of 10.10.20.1. The 10.10.20.0 network are defined in vlan 1.

 

Allso the Pfsense with ip 192.168.16.1 can ping the outside interface of the Cisco Router with ip 192.168.16.240 and the inside interface of 10.10.20.1. The Pfsense has a static route to the 10.10.20.0 network with a gateway of 192.168.16.240.

 

The pfsense cannot ping the Client PC behind the Cisco Router.

 

Can anyone see what is wrong with my conf ?

 

Current configuration : 1819 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1ND
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Rx0C$eGYoDl0WYvOAWi2PqHypE/
enable password somestuff
!
no aaa new-model
!
!
dot11 syslog
no ip routing
!
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
ip dhcp pool dpool1
import all
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
dns-server 8.8.8.8 1.1.1.1
domain-name ndcisco
!
!
ip domain name noerdar.local
ip name-server 192.168.16.1
ip name-server 8.8.8.8
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
ip address 192.168.16.240 255.255.255.0
ip nat outside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
no ip route-cache
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 20
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
!
interface ATM0
no ip address
no ip route-cache
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Vlan1
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
!
ip default-gateway 192.168.16.1
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0 overload
!
!
!
!
!
!
!
control-plane
!
!
line con 0
password somestuff
line aux 0
line vty 0 4
password somestuff
login
!
end

 

Hope someone can help me. I tried to define access-list 100 permit ip any any
but it does not help

4 Replies 4

ngkin2010
Level 7
Level 7
<... omitted ...>
no ip routing
<... omitted ...>

You router has disabled routing function, you need to enable it for PC. After that, you need a default route rather than default gateway for router.

 

ip routing
no ip default-gateway
ip route 0.0.0.0 0.0.0.0 192.168.16.1

And also, I found that the access-list 100  is missing from your configuration. Please try the following NAT setting instead:

access-list 99 permit 10.10.20.0 0.0.0.255

no ip nat inside source list 100 interface FastEthernet0 overload
ip nat inside source list 99 interface FastEthernet0 overload

 

Finally, but not a critical. I see that you also disabled the Cisco CEF, it's good to enable for the performance purpose. You may enable it by:

<... omitted ...>
ip cef
<... omitted ...>

 

Thx for the awesome answer. I will try it when I get home. Thx a lot.

 

Maybe i will write if i have trouble :)

So I got it to work. But im only able to access the management from the 10.10.20.0 network and not from the 192.168.16.0 network. 

 

I can ping the ip 192.168.16.240 but i cant connect to the Cisco Router, only from the Clients on the 10.10.20.0 Network that are on that internal switch. Here is my conf

 

Current configuration : 1851 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1ND
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Rx0C$eGYoDl0WYvOAWi2PqHypE/
enable password somestuff
!
no aaa new-model
!
!
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
ip dhcp pool dpool1
import all
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
dns-server 8.8.8.8 1.1.1.1
domain-name ndcisco
!
!
ip domain name noerdar.local
ip name-server 192.168.16.1
ip name-server 8.8.8.8
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
ip address 192.168.16.240 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 20
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Vlan1
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip default-gateway 192.168.16.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.16.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 99 interface FastEthernet0 overload
!
access-list 99 permit 10.10.20.0 0.0.0.255
access-list 99 permit 192.168.16.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
password somestuff
line aux 0
line vty 0 4
password somestuff
login
!
end

Hi,

Could you provide the source subnet and the destination subnet?

 

If you were accessing 10.10.20.0/24 from 192.168.16.0/24, you properly will fail. Because the subnet 10.10.20.0/24 is behind NAT. You either disable the NAT or configure Static NAT to allow inbound traffic (from 192.168.16.0/24 to 10.10.20.0/24)

 

I have reviewed your requirement, and I see that you already have a static route (10.10.20.0/24) on pfsense. I think you don't need the NAT setting our your Cisco router unless it's due to some specific purpose.

 

To remove the NAT setting:

 

 

no nat inside source list 99 interface FastEthernet0 overload

And clean up the config:

 

 

interface Fa0
  no ip nat outside

interface Vlan1
  no ip nat inside

no access-list 99 permit 10.10.20.0 0.0.0.255
no access-list 99 permit 192.168.16.0 0.0.0.255

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: