03-12-2020 12:03 PM
Hi,
I have a Cisco 897 VA.
The WAN interface is connected to my pfSense (LAN 10.0.0.0/24, the pfSense address is 10.0.0.1).
On my router, the WAN interface IP address is 10.0.0.90. I would like to have two VLAN (10 and 20) with an Internet access (with the default gateway 0.0.0.0 0.0.0.0 10.0.0.1).
Here is my Cisco config:
ip dhcp excluded-address 10.0.10.1 10.0.10.10
ip dhcp excluded-address 10.0.20.1 10.0.20.10
!
ip dhcp pool VLAN10
network 10.0.10.0 255.255.255.0
dns-server 10.0.10.1
default-router 10.0.10.1
!
ip dhcp pool VLAN20
network 10.0.20.0 255.255.255.0
default-router 10.0.20.1
dns-server 10.0.20.1
!
ip domain name home.com
ip name-server 10.0.0.1
ip name-server FE80::1:1
ip cef
ipv6 unicast-routing
ipv6 cef
!
vtp mode transparent
!
vlan 10,20
!
interface GigabitEthernet0
switchport trunk allowed vlan 1,10,20,1002-1005
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
switchport access vlan 10
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
ip address 10.0.0.90 255.255.255.0
duplex auto
speed auto
ipv6 address x:x:x:x::1/128
ipv6 enable
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
ip address 10.0.20.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip ssh version 2
!
ipv6 route ::/0 GigabitEthernet8 FE80::1:1
I connected a PC (10.0.10.11) on GE2, but ping to 10.0.0.1 (pfSense) is not working.
I can ping 10.0.10.1 with another PC, but I can't ping 10.0.10.11.
There is a static route in my pfSense too:
Thanks a lot for your help.
03-13-2020 02:09 AM
Hello
@Portus92 wrote:
I connected a PC (10.0.10.11) on GE2, but ping to 10.0.0.1 (pfSense) is not working.
I can ping 10.0.10.1 with another PC, but I can't ping 10.0.10.11.
Turn off any software firewall on PC 10.0.10.11 and test again.
03-13-2020 05:05 AM
Check a trace; also use an ACL with counters and check whether you are getting any reply for the ICMP packet.
Please share a network diagram if you have one.
03-14-2020 04:50 AM
Hi, here is a little network diagram:
I tried to deactivate the firewall on the PC, but no effect.
With an ACL (applied on VLAN 10), pings to 10.0.10.11 don't match:
Extended IP access list 110
10 permit icmp any host 10.0.10.11
20 permit icmp any host 10.0.10.1 (37 matches)
30 permit ip any any (5442 matches)
Thank you.
03-14-2020 05:36 AM - edited 03-14-2020 05:51 AM
Hello,
What is connected to interface GigabitEthernet0?
Make sure your pfSense does NAT for the new networks, or use double NAT on the Cisco (changes marked with -->):
ip dhcp excluded-address 10.0.10.1 10.0.10.10
ip dhcp excluded-address 10.0.20.1 10.0.20.10
!
ip dhcp pool VLAN10
network 10.0.10.0 255.255.255.0
--> dns-server 8.8.8.8
default-router 10.0.10.1
!
ip dhcp pool VLAN20
network 10.0.20.0 255.255.255.0
default-router 10.0.20.1
--> dns-server 8.8.8.8
!
ip domain name home.com
ip name-server 10.0.0.1
ip name-server FE80::1:1
ip cef
ipv6 unicast-routing
ipv6 cef
!
vtp mode transparent
!
vlan 10,20
!
interface GigabitEthernet0
switchport trunk allowed vlan 1,10,20,1002-1005
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
switchport access vlan 10
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
ip address 10.0.0.90 255.255.255.0
--> ip nat outside
duplex auto
speed auto
ipv6 address x:x:x:x::1/128
ipv6 enable
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.0.10.1 255.255.255.0
--> ip nat inside
!
interface Vlan20
ip address 10.0.20.1 255.255.255.0
--> ip nat inside
!
--> ip nat inside source list 1 interface GigabitEthernet8 overload
!
--> access-list 1 permit 10.0.10.0 0.0.0.255
--> access-list 1 permit 10.0.20.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip ssh version 2
!
ipv6 route ::/0 GigabitEthernet8 FE80::1:1
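To make the "double NAT on the Cisco" option concrete, here is a small model of what `ip nat inside source list 1 interface GigabitEthernet8 overload` does to packets in both directions. It is an added example written for this thread, not code from the poster, Cisco or pfSense: it implements Cisco wildcard-mask matching for access-list 1, port-overload (PAT) translation of inside-to-outside traffic behind 10.0.0.90, and reverse translation of outside-to-inside traffic. The LAN host 10.0.0.50 and all port numbers are constructed; ICMP echo carries no port, so the `sport`/`dport` fields stand in for the ICMP identifier that real PAT keys on.

```python
"""Model of Cisco PAT ('ip nat inside source list 1 interface Gi8 overload').

Added example, not code from the thread or from Cisco. Host 10.0.0.50 and the
port numbers are constructed; the port fields stand in for the ICMP identifier.
"""
import ipaddress
from dataclasses import dataclass

INSIDE_GLOBAL = "10.0.0.90"          # GigabitEthernet8 address from the thread
ACL_1 = [("permit", "10.0.10.0", "0.0.0.255"),   # access-list 1 from the reply
         ("permit", "10.0.20.0", "0.0.0.255")]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: 0 bits must match, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == n & care


def acl_permits(acl, src: str) -> bool:
    """First matching line wins; anything unmatched hits the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action == "permit"
    return False


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PatRouter:
    def __init__(self, inside_global=INSIDE_GLOBAL, acl=ACL_1, first_port=1024):
        self.inside_global = inside_global
        self.acl = acl
        self.next_port = first_port
        self.table = {}    # (inside_local, local_port) -> global_port
        self.reverse = {}  # global_port -> (inside_local, local_port)

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Packet leaving via Gi8 (ip nat outside). A source that matches
        access-list 1 is rewritten to the Gi8 address and a dynamic entry is
        created; any other source is routed untouched."""
        if not acl_permits(self.acl, pkt.src):
            return pkt
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(self.inside_global, self.table[key], pkt.dst, pkt.dport)

    def outside_to_inside(self, pkt: Packet) -> Packet:
        """Packet arriving on Gi8. Only traffic to an existing translation is
        mapped back; a packet addressed straight to a VLAN host with no entry
        is simply routed, since the router has a connected route for VLAN 10."""
        if pkt.dst == self.inside_global and pkt.dport in self.reverse:
            local, lport = self.reverse[pkt.dport]
            return Packet(pkt.src, pkt.sport, local, lport)
        return pkt


def outbound_session(r: PatRouter):
    """VLAN 10 host pings pfSense: request hidden behind 10.0.0.90, reply
    mapped back to 10.0.10.11. This is the direction the NAT config fixes."""
    req = r.inside_to_outside(Packet("10.0.10.11", 40000, "10.0.0.1", 7))
    reply = r.outside_to_inside(Packet("10.0.0.1", 7, req.src, req.sport))
    return req, reply


def inbound_session(r: PatRouter):
    """LAN host (constructed 10.0.0.50) pings a VLAN 10 host directly. The
    request is routed in unchanged, but the reply matches access-list 1 on
    the way out and is rewritten to 10.0.0.90, so the LAN host receives an
    answer from an address it never sent to."""
    req = r.outside_to_inside(Packet("10.0.0.50", 5000, "10.0.10.11", 7))
    reply = r.inside_to_outside(Packet(req.dst, req.dport, req.src, req.sport))
    return req, reply


if __name__ == "__main__":
    router = PatRouter()
    print("outbound:", outbound_session(router))
    print("inbound: ", inbound_session(router))
```

In this model an outside-initiated session to a VLAN host gets its reply translated as well, which is the trade-off of the overload option: the VLAN subnets become reachable outbound behind 10.0.0.90, but hosts on 10.0.0.0/24 can no longer address them directly. The first option in the reply, routing the new subnets on pfSense (with a return route and firewall rules that allow them), keeps addresses end to end in both directions.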
03-14-2020 08:47 AM - edited 03-14-2020 08:50 AM
There is nothing connected to GE0.
The PC is connected to GE2.
With ip nat it works, thanks! I'm not sure I fully understand why.
There is just one problem: I can't ping 10.0.10.1 or 10.0.10.11 from another PC.
With the PC on GE2, I can ping 10.0.0.1 and all the other devices on the network: