12-05-2016 10:17 AM - edited 03-08-2019 08:26 AM
OK guys, well I am back again to bask in the pool of your infinite knowledge. I am working with an 891w trying to get some simple routing done. I am no genius with it, and right now am more harm than good. I have 2 VLANs, the default (1) and then a second one (20). 1 is going to be for internal business traffic and 20 is going to be used for guest network access. I have the ACLs configured where 20 can't see or talk to 1, and both are getting DHCP, so from that standpoint things are doing OK. The issue I have is routing them both out the Gi0 WAN port. VLAN 1 can ping computers on the other side of the WAN but cannot do things like hit web pages or maintain a consistent RDP session to a Windows machine. VLAN 20 can't do squat outside itself. I am sure I am doing something wrong and had it mentioned to me that I might need to use a sub-interface on the setup, but following the instructions I found on Cisco's site didn't get me far. I have attached the config below in hopes someone might be able to lend an ear and assistance.
STA-Cisco-891-w#sh run
Building configuration...
Current configuration : 8595 bytes
!
! Last configuration change at 12:03:24 PCTime Mon Dec 5 2016 by sta
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname STA-Cisco-891-w
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
!
no aaa new-model
!
clock timezone PCTime -6 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
no ip source-route
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 172.20.10.1
!
ip dhcp pool ccp-pool1
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
!
ip dhcp pool Guest
network 172.20.10.0 255.255.255.0
default-router 172.20.10.1
dns-server 8.8.8.8
!
!
ip cef
no ip bootp server
ip domain name domain.com
ip name-server 8.8.8.8
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ipv6 cef
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO891W-AGN-A-K9 sn FTX153680C9
!
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface FastEthernet2
no ip address
spanning-tree portfast
!
interface FastEthernet3
no ip address
spanning-tree portfast
!
interface FastEthernet4
no ip address
spanning-tree portfast
!
interface FastEthernet5
no ip address
spanning-tree portfast
!
interface FastEthernet6
no ip address
spanning-tree portfast
!
interface FastEthernet7
no ip address
spanning-tree portfast
!
interface FastEthernet8
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
!
interface GigabitEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id GigabitEthernet0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly in
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan20
ip address 172.20.10.1 255.255.255.0
ip access-group 120 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
interface GMPLS0
no ip address
no fair-queue
no keepalive
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface GigabitEthernet0 overload
ip nat inside source list 2 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 254
ip route 0.0.0.0 0.0.0.0 192.168.1.254 254
!
logging trap debugging
access-list 1 remark CCP_ACL Category=18
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark INSIDE_IF=Vlan1
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 2 permit 172.20.10.0 0.0.0.255
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 120 deny ip host 255.255.255.255 any
access-list 120 deny ip 127.0.0.0 0.255.255.255 any
access-list 120 deny ip 10.10.10.0 0.0.0.255 172.20.10.0 0.0.0.255
access-list 120 permit ip host 10.10.10.1 172.20.10.0 0.0.0.255
access-list 120 permit udp any host 10.10.10.1
access-list 120 permit udp any host 172.20.10.1
access-list 120 permit udp any host 172.20.10.1 eq bootps
access-list 120 permit udp any host 10.10.10.1 eq bootps
access-list 120 permit udp any host 255.255.255.255 eq bootps
access-list 120 permit udp any host 10.10.10.1 eq bootpc
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Virtual Office (CVO) is installed on this device and it provides the
default username "cisco".
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler interval 500
end
STA-Cisco-891-w#
12-05-2016 11:09 AM
Not sure how the default route is working here, but instead of the two statics:
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 254
ip route 0.0.0.0 0.0.0.0 192.168.1.254 254
How about:
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 dhcp 254
Might make for cleaner routing.
12-05-2016 11:43 AM
First off, thanks for the reply. I tried removing the route by issuing the no ip route 0.0.0.0 0.0.0.0 192.168.1.254 254 and I get a "No matching route to delete".
Even issuing a no ip route * still leaves the route to the above IP.
12-05-2016 12:01 PM
Hmmm, not familiar with that one. Did you initially enter these routes or were they auto generated?
12-05-2016 12:11 PM
They were auto generated
12-05-2016 12:25 PM
So after another look, ACL 120 on the VLAN 20 seems a bit skewed. Consider the VLAN interface as an Ethernet interface in that the inbound ACL would have the 172.20.10.x as source packets and not the destination.
Also, short of what was allowed, there is no ending permit statement at the end of ACL 120. Keep in mind there is an implicit deny all at the end of an ACL so whatever isn't allowed is dropped.
12-05-2016 12:32 PM
NOW you've hit some pay dirt. I removed the access-group from the VLAN and I can ping outside the internal VLAN. Of course I can ping the other VLAN as well, which I need to block off, but is there a statement I can issue to allow all traffic from that WAN interface?
12-05-2016 04:23 PM
So if you want to allow VLAN 20 access to anything except VLAN 1:
access-list 120 deny ip any 10.10.10.0 0.0.0.255
access-list 120 permit ip any any
then apply it inbound to interface VLAN 20.
As far as the WAN interface is concerned, I haven't done this in some time, but don't understand why you have two instances for "ip nat inside" where only one should suffice, meaning the second one that has both networks in the ACL.
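The two replies above (the 12:25 PM one on ACL direction and the implicit deny, and the accepted ACL) can be checked mechanically. The block below is an added example, not code from the thread or from Cisco: a small evaluator for the numbered extended-ACL syntax the posted config uses (any / host / wildcard, optional "eq PORT", first match wins, implicit deny at the end). It replays constructed packets, as they arrive inbound on interface Vlan20 with the guest host as the source, through the poster's original ACL 120, the accepted replacement, and a hardened variant that is my own suggestion. The guest host 172.20.10.50 and the web server 203.0.113.10 are constructed; the ACL text for the first two lists is copied from the thread. The simulator applies only the ACL rules as written and does not model any platform-specific handling, so treat the verdicts as "what the ACL says", not as a claim about every IOS code path.

```python
# Added illustration, not code from the thread: plain Cisco extended-ACL semantics
# (any/host/wildcard, optional 'eq PORT', first match wins, implicit deny at the end).
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "ssh": 22, "telnet": 23, "www": 80}

class Packet(NamedTuple):
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

class AddrSpec(NamedTuple):
    net: int
    wildcard: int                  # Cisco wildcard mask: 1 bits are "don't care"
    port: Optional[int]            # from an 'eq PORT' qualifier, if present
    def matches(self, addr: str, port: Optional[int]) -> bool:
        if (int(ipaddress.IPv4Address(addr)) ^ self.net) & ~self.wildcard:
            return False
        return self.port is None or self.port == port

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if tok[i] == "any":
        net, wild, i = 0, 0xFFFFFFFF, i + 1
    elif tok[i] == "host":
        net, wild, i = _ip(tok[i + 1]), 0, i + 2
    else:
        net, wild, i = _ip(tok[i]), _ip(tok[i + 1]), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return AddrSpec(net, wild, port), i

def parse_acl(text: str) -> list:
    """Parse 'access-list N permit|deny PROTO SRC DST' lines; remark lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        aces.append((tok[2], tok[3], src, dst))
    return aces

def evaluate(aces: list, pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; falling off the end is the implicit deny (line None)."""
    for n, (action, proto, src, dst) in enumerate(aces, 1):
        if proto != "ip" and proto != pkt.proto:
            continue
        if src.matches(pkt.src, pkt.sport) and dst.matches(pkt.dst, pkt.dport):
            return action, n
    return "deny", None

# ACL 120 as posted in the question; it was applied inbound on interface Vlan20.
ORIGINAL_ACL_120 = """
access-list 120 deny ip host 255.255.255.255 any
access-list 120 deny ip 127.0.0.0 0.255.255.255 any
access-list 120 deny ip 10.10.10.0 0.0.0.255 172.20.10.0 0.0.0.255
access-list 120 permit ip host 10.10.10.1 172.20.10.0 0.0.0.255
access-list 120 permit udp any host 10.10.10.1
access-list 120 permit udp any host 172.20.10.1
access-list 120 permit udp any host 172.20.10.1 eq bootps
access-list 120 permit udp any host 10.10.10.1 eq bootps
access-list 120 permit udp any host 255.255.255.255 eq bootps
access-list 120 permit udp any host 10.10.10.1 eq bootpc
"""
# The accepted answer's replacement.
ACCEPTED_ACL_120 = """
access-list 120 deny ip any 10.10.10.0 0.0.0.255
access-list 120 permit ip any any
"""
# My own hardened variant (assumption, not from the thread): keep DHCP to the router, then
# block guests from the router's guest-side address (ip http server + telnet/ssh on the vtys).
HARDENED_ACL_120 = """
access-list 120 permit udp any host 255.255.255.255 eq bootps
access-list 120 permit udp any host 172.20.10.1 eq bootps
access-list 120 deny ip any host 172.20.10.1
access-list 120 deny ip any 10.10.10.0 0.0.0.255
access-list 120 permit ip any any
"""
# Constructed packets as seen inbound on Vlan20: the guest host is the SOURCE.
GUEST_PACKETS = {
    "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "dns": Packet("udp", "172.20.10.50", "8.8.8.8", 40000, 53),
    "web": Packet("tcp", "172.20.10.50", "203.0.113.10", 40001, 443),
    "rdp_to_vlan1": Packet("tcp", "172.20.10.50", "10.10.10.20", 40002, 3389),
    "ssh_to_router": Packet("tcp", "172.20.10.50", "172.20.10.1", 40003, 22),
}

def verdicts(acl_text: str) -> dict:
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt) for name, pkt in GUEST_PACKETS.items()}
```

Against the original ACL 120, the guest's DNS query to 8.8.8.8 (the address the Guest pool hands out) and its HTTPS request both fall off the end of the list and hit the implicit deny, which is the "can't do squat" symptom; only DHCP to 255.255.255.255 matches a permit. The accepted two-line ACL permits both and denies the RDP attempt into 10.10.10.0/24 on its first line. The caveat it leaves open: "permit ip any any" also lets a guest reach 172.20.10.1, the router's own address on the guest VLAN, and the posted config runs ip http server, ip http secure-server, and telnet plus ssh on the vty lines. The hardened list is my suggestion for closing that on the interface; the router's WAN address is still reachable by routing, so management access is better pinned down on the vty lines themselves (an access-class on line vty) rather than only in interface ACLs.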
12-06-2016 06:08 AM
Done and done, I deleted the existing access-list and used the one you gave me above and it worked like a charm.
Thanks for taking the time to help me with this.