access the internet from my second network via Cisco 891

carl.allen
Level 1

Hi Folks

Apologies if I have created this post in the wrong forum..

I have a Cisco 891 ISR router. Connected to the router are a few PCs. The router manages DHCP and also has a high speed line connected to the Gigabit port. This all works well and all PCs can access the internet. We can also send images up the high speed line.

The IP range of this network is 10.88.10.0

I have recently connected a second, separate network to the Cisco 891 router, (IP range 192.168.0.0/24). This network has its own Netgear 834 router attached that acts as a gateway for the 192 network.

To do this I:

1. Physically connected a LAN cable from the 192 network to FastEthernet Port 8 (FE8) on the Cisco 891 router.

2. Assigned an IP address of 192.168.0.235 to the FE8 port of the Cisco.

3. Added the Cisco FE8 port to the in-zone of the zone-based firewall.

4. Set up a static route in the Netgear router to divert certain traffic to the 192.168.0.235 port of the Cisco.

I had hoped that the diverted traffic would be allowed out onto the internet via the Cisco but unfortunately I can not get it to flow. However, I can get on to the internet with no problem if I use any of the systems on the 10.88... network which are attached to the same router.

I can't understand where the problem lies, as the 192.168.0.235 port FE8 on the Cisco is in the same zone as the PCs on the 10.88... network and hence should be subject to the exact same firewall policy. I have also checked that the appropriate protocols are listed and allowed in the policy maps, i.e. http. Indeed, if this weren't the case then the PCs on the 10.88... network would not get web access using port 80 (http).

I have tried a tracert command from the 192.168... network using my desired public IP as the destination. I can see on the second hop that the trace is hitting port 192.168.0.235 which is on the Cisco, but this is where it stops. Something is stopping the traffic flowing into the router and out the high speed line on the gigabit port.

Perhaps I should mention that we only want to reach the Cisco so that we can avail of the high speed line attached to the Cisco GE0 port. The Netgear on the 192.168... network is connected to a normal ADSL service which hasn't a sufficiently fast upload speed for the X-ray images that we need to upload.

This has me stumped.. but.. I am only new to Cisco and I am sure there is something simple I am overlooking..

Any help would be appreciated as I have already gone through a pack of highlighters on this one..LOL

I am not sure what I need to include but here is my config for the FE8 port:

interface FastEthernet8
 ip address 192.168.0.235 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1460
 duplex auto
 speed auto

Thanks


13 Replies

alessandro.s
Level 1

Hi Carl,

My question may be stupid, but sometimes solutions are simpler than we think!
Have you applied NAT commands on the Cisco router to translate the new internal addresses?

Sent from Cisco Technical Support iPad App

Hi Alessandro

I have included the command "ip nat inside" on the in-zone Ethernet 8 interface and "ip nat outside" on the out-zone Gigabit port, which is the port connected to the internet.. Is this what you mean??

Many Thanks

Hi Carl,

I think that you have to add these commands to your Cisco router:

access-list 150 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 150 interface [your_outside_interface] overload

The underlined value (150 above) can be any number between 100 and 199; [your_outside_interface] has to be replaced by the name of the interface you use for outgoing traffic.

With these commands you enable Network Address Translation for your 192.168.0.0/24 network.

Let me know!

Thanks

Alessandro

It appears you are a Cisco Genius.. That is fantastic... It worked perfectly after I added the lines that you had suggested..

Many Thanks for your kind assistance.. I wish there was a way to repay you...

Thank you once again.. This had me baffled.. Perhaps I should consider completing the CCNA instead of reading through Cisco books..LOL

Great

Thanks

Hi Carl,

I'm just happy this helped you!

You're welcome!

Hi Alessandro

Thanks again. One small thing I have noticed is that the ping and tracert commands don't seem to be successful from the 192.168 network.. The same pings work fine on the 10.88 network.. Both networks are using the same router and internet connection... This may be due to something at the other end of my ping, i.e. someone may be blocking pings from the 192.168 network while allowing them from 10.88.. not sure yet but I am looking into it.. Could there be something else in the router I need to look at..?? Sorry, I should mention that although the ping fails on the 192.168 network the tracert actually gets out through the router and gets to about hop 7 or so, which is the ISP servers.. So it is getting out.. just never reaches the destination.. Strange..

Cheers

Carl

Hi Carl,

If it's possible, post your Cisco router configuration and I'll take a look! If possible, post also the output of ping and traceroute from your 192.168.0.0/24 network. I don't think it's an issue depending on your ISP, 'cause ISPs cannot look through your router to see your internal LANs, just the egress IP from which the request comes out.

Thank you

Hi Alessandro

Apologies for the delay.. I've been very busy this week with other customers..

OK. Here's where I am at..

The commands you kindly sent me fixed my initial problem of allowing traffic to flow from the 192.168 network out onto the internet. I now need to allow the 192.168 network to initiate an existing VPN connection.

Basically I have a working site-to-site VPN tunnel between the 10.88 network and a remote server. This works perfectly from the 10.88 network. The tunnel initiates when any traffic wants to flow from 10.88 to the remote network. I would like the tunnel to also initiate when traffic tries to flow from the 192.168 network. Both networks will use this same VPN tunnel as they are both trying to reach the exact same remote network. I just can't seem to get the 192.168 traffic to raise the tunnel.

Apologies, I don't see any button to add an attachment so I can't attach the config file at the moment.. I only have the ability to attach an image or a video clip???

Cheers

Carl

Hi Carl,
Sorry for the delay of my reply!!
What type of VPN tunnel is configured?
Is it the Cisco router that brings up the VPN tunnel, or another device?
What is the device which brings up the VPN tunnel on the other side?
To post the router config I think you can just copy and paste it in the discussion or attach a text file containing the config.

Regards

Sent from Cisco Technical Support iPad App

patrick.preuss
Level 1

Hi

What is your NAT rule ?

Sent from Cisco Technical Support iPhone App

carl.allen
Level 1

Hi Patrick and Alessandro

Many thanks for your replies. I will attempt to paste the full config into this discussion board later today.. I cannot see a way of attaching a file, which seems very strange. I know when I originally created the discussion there was an 'attach file' option that isn't available any more.

Also, on a different note.. I have been using the Cisco configuration tool. This seemed like a good idea at the beginning but it seems to have left me with a very 'messy' config file with contradictions in the ACLs. This tool never seems to remove any old unwanted code. In future I will attempt to use tools like PuTTY etc. only.

Thanks again.. will post later today..

Hi,

Have you exempted the traffic from the new subnet that goes through the VPN tunnel from NAT?

Did you modify the crypto ACL to define traffic from this new subnet to the distant subnet as interesting traffic too?

Did you mirror this crypto ACL on the VPN peer?

Regards.

Alain

Don't forget to rate helpful posts.


carl.allen
Level 1

Hi Folks,

I have removed my full config file as I was concerned about security.. Also, it was a lot to take in.. I have pasted below the relevant sections of the config file. I believe that this is where my problem lies. How can I work out which route map is being used by which VPN tunnel? To be honest I am slightly confused about the conflicting nature of some of the commands in the ACLs. They seem to be denying and permitting the same traffic within the same ACL..

Any help would be really appreciated... It seems like I have missed something simple but I just can't find the problem. Even with my VPN tunnel up, traffic from 192.168 just won't go out the tunnel but traffic from 10.88 goes out perfectly... What am I missing..??? AAAggghh!!!

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0 overload
ip nat inside source route-map SDM_RMAP_3 interface GigabitEthernet0 overload

access-list 101 remark CCP_ACL Category=2
access-list 101 remark NWIH Connection to NIPACS
access-list 101 deny   ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.88.10.0 0.0.0.255 host 192.168.1.2
access-list 101 deny   icmp any any echo-reply
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.88.10.0 0.0.0.255 194.138.39.16 0.0.0.7
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.88.10.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 88.151.1.16 0.0.0.7 81.137.191.48 0.0.0.7
access-list 101 permit ip 10.88.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any

access-list 150 remark CCP_ACL Category=16
access-list 150 remark NWIH Connection to NIPACS
access-list 150 deny   ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 150 remark IPSec Rule
access-list 150 deny   ip 10.88.10.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 150 deny   icmp any any echo-reply
access-list 150 remark IPSec Rule
access-list 150 deny   ip 10.88.10.0 0.0.0.255 host 192.168.1.2
access-list 150 remark IPSec Rule
access-list 150 deny   ip 10.88.10.0 0.0.0.255 194.138.39.16 0.0.0.7
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 194.168.231.0 0.0.0.7
access-list 150 permit icmp any any echo-reply

no cdp run

route-map SDM_RMAP_1 permit 1
 match ip address 101
!
route-map SDM_RMAP_2 permit 1
 match ip address 150
!
route-map SDM_RMAP_3 permit 1
 match ip address 150

Message was edited by: CARL ALLEN

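An IOS ACL is evaluated top to bottom and the first matching entry wins, and when the ACL is referenced from `ip nat inside source route-map`, a matching deny means "do not translate" rather than "drop"; that is why a deny for 192.168.0.0/24 to 10.210.0.0/16 followed by a permit for the same traffic is not a contradiction: the deny is reached first and keeps that traffic out of NAT (so it can be handled by the IPsec policy instead). The Python below is an added example, not code from the thread or from the router; it parses the access-list 150 posted above and reports which entry a given source/destination pair hits and whether NAT would apply.

```python
import ipaddress
# Constructed copy of access-list 150 as posted in the thread, remark lines
# dropped. This is an added example, not configuration taken from the router.
ACL_150 = """\
access-list 150 deny   ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 150 deny   ip 10.88.10.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 150 deny   icmp any any echo-reply
access-list 150 deny   ip 10.88.10.0 0.0.0.255 host 192.168.1.2
access-list 150 deny   ip 10.88.10.0 0.0.0.255 194.138.39.16 0.0.0.7
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 194.168.231.0 0.0.0.7
access-list 150 permit icmp any any echo-reply
"""

def _addr(toks):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = toks.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    # An IOS wildcard is an inverted netmask (a non-contiguous one raises ValueError).
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(toks.pop(0))))
    return ipaddress.ip_network((t, str(mask)), strict=False)

def parse_acl(text):
    """Return entries as (action, proto, src_net, dst_net, qualifier), in listed order."""
    aces = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list" or toks[2] == "remark":
            continue
        action, proto, rest = toks[2], toks[3], toks[4:]
        src, dst = _addr(rest), _addr(rest)
        aces.append((action, proto, src, dst, rest[0] if rest else None))
    return aces

def lookup(aces, src, dst, proto="ip", qualifier=None):
    """First match wins: (action, 1-based entry), or ('deny', None) for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, aproto, anet_s, anet_d, qual) in enumerate(aces, 1):
        if (aproto in ("ip", proto) and (qual is None or qual == qualifier)
                and s in anet_s and d in anet_d):
            return action, n
    return "deny", None

def natted(aces, src, dst, proto="ip", qualifier=None):
    # In 'ip nat inside source route-map ...' a permit match translates; a deny match does not.
    return lookup(aces, src, dst, proto, qualifier)[0] == "permit"
```

Running `lookup(parse_acl(ACL_150), "192.168.0.10", "10.210.5.5")` returns the deny on entry 1, while the same source to an internet address reaches the permit on entry 6 and is translated.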
