mnicholl2012
Beginner

892 Vlan issue

Hello everyone,

I require some assistance with a Cisco 892.  The router is running at the moment with the current setup.

Gigabit Ethernet 0 port for the ethernet internet connection.

Fast Ethernet 8 port for the internal lan.

VPN tunnel configured for a cloud based service.

The issue I have is that I have a server that needs to be added. I have added a static route to the routing table, and I can ping the server from the router, but I cannot ping the server from any of the machines in the internal LAN. I can ping the VLAN IP address from the internal LAN.

I do not know where to go from here; any help would be greatly appreciated.

Thanks

Martin

10 Replies
Muhammad Thanveer
Contributor

Hi Martin,

Have you added the static route for the server with mask 255.255.255.255?

Please share the exact network diagram and configuration, removing sensitive areas.

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

Hi Muhammad,

Thank you for your help with this; I am really grateful, as I am stumped.

I have added a static route with the mask 255.255.255.255. 

I am removing the information from the config and will upload.

Regards

Martin

mnicholl2012
Beginner

Running Config


Building configuration...

Current configuration : 8526 bytes
!
! Last configuration change at 11:03:36 UTC Mon Nov 12 2012 by xxxxxx
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXXXXXX
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
logging buffered 51200
!
no aaa new-model
!
!
crypto pki trustpoint TP-self-signed-220241379
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-220241379
revocation-check none
rsakeypair TP-self-signed-220241379
!
!
crypto pki certificate chain TP-self-signed-220241379
certificate self-signed 01
     quit
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!

!
!
no ip domain lookup
ip domain name metrexenergy.com
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO892-K9 sn xxxxxx
!
!
username xxxxx privilege 15 secret 5 xxxxxxxxx
username xxxxx privilege 15 secret 5 xxxxxxxxx
!
redundancy
!
!
!
!
!
!
track 100 ip sla 100 reachability
!
track 200 ip sla 200 reachability
!
crypto keyring keyring-vpn-xxxxxx-0 
  local-address xxx.xxx.xxx.xxx
  pre-shared-key address xxx.xxx.xxx.xxx key xxxxxxx
crypto keyring keyring-vpn-xxxxxx-1 
  local-address xxx.xxx.xxx.xxx
  pre-shared-key address xxx.xxx.xxx.xxx key xxxxxxx
!
crypto isakmp policy 200
encr aes
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 201
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-xxxxxx-0
   keyring keyring-vpn-xxxxxx-0
   match identity address xxx.xxx.xxx.xxx 255.255.255.255
   local-address xxx.xxx.xxx.xxx
crypto isakmp profile isakmp-vpn-xxxxxx-1
   keyring keyring-vpn-xxxxxx-1
   match identity address xxx.xxx.xxx.xxx 255.255.255.255
   local-address xxx.xxx.xxx.xxx
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-xxxxxx-0 esp-aes esp-sha-hmac
crypto ipsec transform-set ipsec-prop-vpn-xxxxxx-1 esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
!
crypto ipsec profile ipsec-vpn-xxxxx-0
set transform-set ipsec-prop-vpn-xxxxxx-0
set pfs group2
!
crypto ipsec profile ipsec-vpn-xxxxxx-1
set transform-set ipsec-prop-vpn-xxxxxx-1
set pfs group2
!
!
!
!
!
!
interface Tunnel1
description VPN Tunnel 1
ip address xxx.xxx.xxx.xxx 255.255.255.252
ip virtual-reassembly in
ip tcp adjust-mss 1387
tunnel source xxx.xxx.xxx.xxx
tunnel mode ipsec ipv4
tunnel destination xxx.xxx.xxx.xxx
tunnel protection ipsec profile ipsec-vpn-xxxxxx-0
!
interface Tunnel2
description VPN Tunnel 2
ip address xxx.xxx.xxx.xxx 255.255.255.252
ip virtual-reassembly in
ip tcp adjust-mss 1387
tunnel source xxx.xxx.xxx.xxx
tunnel mode ipsec ipv4
tunnel destination xxx.xxx.xxx.xxx
tunnel protection ipsec profile ipsec-vpn-xxxxxx-1
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
duplex half
speed 100
vlan-id dot1q 1
  exit-vlan-config
!
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet4
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet5
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet6
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet7
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet8
description $ETH-LAN$
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex full
speed 100
!
interface GigabitEthernet0
description Office WAN Port
ip address 195.xxx.xxx.xxx 255.255.255.248
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly in
duplex full
speed 100
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.11.14 255.255.255.252
ip tcp adjust-mss 1452
!
interface Vlan2
no ip address
shutdown
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip forward-protocol nd
!
!
ip nat inside source list 102 interface GigabitEthernet0 overload
ip route x.x.x.x 255.255.0.0 Tunnel1 track 100
ip route x.x.x.x 255.255.0.0 Tunnel2 track 200
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 195.x.x.x permanent
ip route 194.x.x.x 255.255.255.255 192.168.11.13
!
ip sla 100
icmp-echo x.x.x.x source-interface Tunnel1
frequency 5
ip sla schedule 100 life forever start-time now
ip sla 200
icmp-echo x.x.x.x source-interface Tunnel2
frequency 5
ip sla schedule 200 life forever start-time now
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit ip host x.x.x.x any
access-list 101 permit ip host x.x.x.x any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit ip host x.x.x.x any
access-list 103 permit ip host x.x.x.x any
access-list 103 permit udp any eq bootps any eq bootpc
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip any any
no cdp run
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
!
end

Hi,

In this VLAN you have defined:

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 192.168.11.14 255.255.255.252

ip tcp adjust-mss 1452

The valid IP range is 192.168.11.13 and 192.168.11.14 (only two IPs).

interface FastEthernet8

description $ETH-LAN$

ip address 192.168.1.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex full

speed 100

On which port or interface, and on which device, have you added the 194.x.x.255 server?

I mean, what does the IP 192.168.11.13 refer to?

Does 192.168.11.13 know about the 192.168.1.0 network?

Please don't forget to rate helpful posts.

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

Hi,

VLAN1 is configured for Fast Ethernet port 0, and I have given the VLAN the IP address 192.168.11.14. This port is connected to another Cisco router which is managed by a third party; the IP address of the port used is 192.168.11.13, and the server has the address 194.x.x.x 255.255.255.255.

If I remove the cable from VLAN1 and plug it into my laptop, I can ping the server with the following details: IP address 192.168.11.14 255.255.255.252, default gateway 192.168.11.13.

I have not added anything to enable 192.168.11.13 to know about the 192.168.1.0 network, as I am uncertain of the way to do this.

At the moment, from the 192.168.1.0 network I can ping VLAN1 (192.168.11.14) but not the 194.x.x.x; from the router CLI I can ping the server (194.x.x.x).

Hope this information helps.

Thanks

Martin

One quick question: why have you configured f0 with half duplex? I don't think that's good; can you fix that and then check?

interface FastEthernet0

no ip address

duplex half

speed 100

vlan-id dot1q 1

  exit-vlan-config

There might be duplex negotiation problem with that config.

Hope it will help.

Best regards,
Abzal

Hi Abzal,

I changed the port to half duplex because when I did a sh int fast0 it displayed half duplex 100Mbps, and because I had a problem with the fast8 port when auto-negotiation was set; it operated correctly once I added duplex and speed manually.

I have changed the port settings to use auto-negotiate and full duplex, and still no joy.

Thanks

Martin

Then try to ping 192.168.11.13 from the internal network, not from the router, to check whether 192.168.11.13 is aware of the internal network.

Best regards,
Abzal


Hi,

At the moment from the 192.168.1.0 network, I can ping the vlan1 (192.168.11.14) but not the 194.x.x.x, from the router cli I can ping the server (194.x.x.x).

Yes, you will obviously be able to ping the IPs 192.168.11.14 and 194.168.x.50 from the router, because the router knows all the routes.

If you do sh ip route on your local router, with these routes advertised it must look like this.

#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/1
     192.168.11.0/30 is subnetted, 1 subnets
C       192.168.11.0 is directly connected, FastEthernet0/0
S    194.168.1.0/24 [1/0] via 192.168.11.2

But the vendor's router does not know your local LAN. The packet that travels from your PC will have a source address in the 192.168.1.0 network, so the vendor's router will obviously reject the packet, saying "I don't know this network."

Please find the identical configuration done in Packet Tracer attached; if you have the software you can view it.

Please rate the helpful posts.

Thanks

Tanveer

Hi,

You can also go with NATting.

NAT your entire subnet pool to a single IP and ask the vendor to allow the traffic for the same.

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
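One way to implement the NAT suggestion above against the running config Martin posted, as an added example that is not from the thread itself: the 192.168.1.0/24 LAN is translated to the Vlan1 address 192.168.11.14 only when traffic exits towards the vendor router, so the vendor side never sees a 192.168.1.x source and needs no return route (the alternative being to ask the vendor to route 192.168.1.0/24 via 192.168.11.14). The server address 194.x.x.x is a placeholder for the real host; the names LAN-TO-VENDOR and NAT-VENDOR are chosen here.

```cisco
! Vlan1 becomes a second NAT outside interface; FastEthernet8 is already
! "ip nat inside", and the host route for 194.x.x.x via 192.168.11.13 exists.
interface Vlan1
 ip nat outside
!
! Only LAN traffic destined for the vendor server is matched here.
ip access-list extended LAN-TO-VENDOR
 permit ip 192.168.1.0 0.0.0.255 host 194.x.x.x
!
! "match interface Vlan1" ties the translation to the egress interface, so
! Internet traffic still uses the existing list-102 overload on GigabitEthernet0.
route-map NAT-VENDOR permit 10
 match ip address LAN-TO-VENDOR
 match interface Vlan1
!
ip nat inside source route-map NAT-VENDOR interface Vlan1 overload
!
! Keep the two inside-source rules from both matching the same flow:
! exclude the server destination from list 102 ahead of its existing permit.
no access-list 102
access-list 102 deny   ip 192.168.1.0 0.0.0.255 host 194.x.x.x
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
! Verification from privileged EXEC after a LAN host pings the server:
!   show ip nat translations | include 194.
! should list the host's 192.168.1.x address translated to 192.168.11.14.
```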