11-26-2012 08:42 AM - edited 03-07-2019 10:15 AM
Hi Folks
Apologies if I have created this post in the wrong forum.
I have a Cisco 891 ISR router. Connected to the router are a few PCs. The router manages DHCP and also has a high-speed line connected to the Gigabit port. This all works well and all PCs can access the internet. We can also send images up the high-speed line.
The IP range of this network is 10.88.10.0
I have recently connected a second, separate network to the Cisco 891 router (IP range 192.168.0.0/24). This network has its own Netgear 834 router attached that acts as a gateway for the 192 network.
To do this I
1. Physically connected a LAN cable from the 192 network to FastEthernet port 8 (FE8) on the Cisco 891 router.
2. Assigned an IP address of 192.168.0.235 to the FE8 port of the Cisco.
3. Added the Cisco FE8 port to the in-zone of the zone-based firewall.
4. Set up a static route in the Netgear router to divert certain traffic to the 192.168.0.235 port of the Cisco.
I had hoped that the diverted traffic would be allowed out onto the internet via the Cisco but unfortunately I cannot get it to flow. However, I can get on to the internet with no problem if I use any of the systems on the 10.88...... network which are attached to the same router.
I can't understand where the problem lies, as the 192.168.0.235 port FE8 on the Cisco is in the same zone as the PCs on the 10.88.... network and hence should be subject to the exact same firewall policy. I have also checked that the appropriate protocols are listed and allowed in the policy maps, i.e. http.... Indeed, if this weren't the case then the PCs on the 10.88... network would not get web access using port 80 (http).
I have tried a tracert command from the 192.168.... network using my desired public IP as the destination. I can see on the second hop that the trace is hitting port 192.168.0.235 which is on the Cisco, but this is where it stops. Something is stopping the traffic flowing into the router and out the high-speed line on the gigabit port.
Perhaps I should mention that we only want to reach the Cisco so that we can avail of the high-speed line attached to the Cisco GE0 port. The Netgear on the 192.168.. network is connected to a normal ADSL service which hasn't a sufficiently fast upload speed for the X-ray images that we need to upload.
This has me stumped.. but.. I am only new to Cisco and I am sure there is something simple I am overlooking..
Any help would be appreciated as I have already gone through a pack of highlighters on this one..LOL
I am not sure what I need to include but here is my config for the FE8 port:
interface FastEthernet8
 ip address 192.168.0.235 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
Thanks
11-28-2012 08:30 AM
Hi Carl,
I think that you have to add these commands to your Cisco router:
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 150 interface [your_outside_interface] overload
The access-list number (150 here) could be any number between 100 and 199; [your_outside_interface] has to be replaced by the name of the interface you use for outgoing traffic.
With these commands you enable Network Address Translation for your 192.168.0.0/24 network.
Let me know!
Thanks
11-27-2012 12:23 PM
Hi Carl,
My question may be stupid, but sometimes solutions are simpler than we think!
Have you applied NAT commands on the Cisco router to translate the new internal addresses?
Sent from Cisco Technical Support iPad App
11-28-2012 08:19 AM
Hi Alessandro
I have included the command 'ip nat inside' on the in-zone Ethernet 8 interface and 'ip nat outside' on the out-zone Gigabit port, which is the port connected to the internet.. Is this what you mean??
Many Thanks
11-29-2012 02:00 AM
Alessandro
It appears you are a Cisco genius.. That is fantastic... It worked perfectly after I added the lines that you had suggested..
Many Thanks for your kind assistance.. I wish there was a way to repay you...
Thank you once again.. This had me baffled.. Perhaps I should consider completing the CCNA instead of reading through Cisco books..LOL
Great
Thanks
11-29-2012 02:38 AM
Hi carl,
I'm just happy this helped you!
You're welcome!
11-29-2012 03:06 AM
Hi Alessandro
Thanks again. One small thing I have noticed is that the ping and tracert commands don't seem to be successful from the 192.168 network.. The same pings work fine on the 10.88 network.. Both networks are using the same router and internet connection... This may be due to something at the other end of my ping, i.e. someone may be blocking pings from the 192.168 network while allowing them from 10.88.. not sure yet but I am looking into it.. Could there be something else in the router I need to look at.. ?? Sorry, I should mention that although the ping fails on the 192.168 network, the tracert actually gets out through the router and gets to about hop 7 or so, which is the ISP servers.. So it is getting out.. just never reaches the destination.. Strange..
Cheer
Carl
11-29-2012 03:15 AM
Hi Carl,
If it's possible, post your Cisco router configuration and I'll take a look! If it's possible, post also the output of ping and traceroute from your 192.168.0.0/24 network. I don't think it's an issue depending on your ISP, 'cause ISPs cannot look through your router to see your internal LANs, but just the egress IP from which this request comes out.
Thankyou
12-03-2012 06:41 AM
Hi Alessandro
Apologies for the delay.. I've been very busy this week with other customers..
OK. Here's where I am at..
The commands you kindly sent me fixed my initial problem of allowing traffic to flow from the 192.168 network out onto the internet. I now need to allow the 192.168 network to initiate an existing VPN connection.
Basically I have a working site-to-site VPN tunnel between the 10.88 network and a remote server. This works perfectly from the 10.88 network. The tunnel initiates when any traffic wants to flow from 10.88 to the remote network. I would like the tunnel to also initiate when traffic tries to flow from the 192.168 network. Both networks will use this same VPN tunnel as they are both trying to reach the exact same remote network. I just can't seem to get the 192.168 traffic to raise the tunnel.
Apologies, I don't see any button to add an attachment so I can't attach the config file at the moment.. I only have the ability to attach an image or a video clip???
Cheers
Carl
12-09-2012 10:55 AM
Hi Carl,
Sorry for the delay of my reply!!
What type of VPN tunnel is configured?
Is it the Cisco router that brings up the VPN tunnel, or another device?
What is the device which brings up the VPN tunnel on the other side?
To post the router config I think you can just copy and paste it in the discussion or attach a text file containing the config.
Regards
Sent from Cisco Technical Support iPad App
12-09-2012 01:07 PM
Hi
What is your NAT rule?
Sent from Cisco Technical Support iPhone App
12-10-2012 12:38 AM
Hi Patrick and Alessandro
Many thanks for your replies. I will attempt to paste the full config into this discussion board later today.. I cannot see a way of attaching a file, which seems very strange. I know when I originally created the discussion there was an 'attach file' option that isn't available any more.
Also, on a different note.. I have been using the Cisco configuration tool. This seemed like a good idea at the beginning, but it seems to have left me with a very 'messy' config file with contradictions in the ACLs. This tool never seems to remove any old unwanted code. In future I will attempt to use tools like 'PuTTY' etc. only.
Thanks again.. will post later today..
12-10-2012 01:52 AM
Hi,
Have you exempted traffic from the new subnet going through the VPN tunnel from NAT?
Did you modify the crypto ACL to define traffic from this new subnet to the distant subnet as interesting traffic too?
Did you mirror this crypto ACL on the VPN peer?
Regards.
Alain
Don't forget to rate helpful posts.
12-10-2012 07:26 AM
Hi Folks,
I have removed my full config file as I was concerned about security.. Also, it was a lot to take in.. I have pasted below the relevant sections of the config file. I believe that this is where my problem lies. How can I work out which route map is being used by which VPN tunnel? To be honest I am slightly confused about the conflicting nature of some of the commands in the ACLs. They seem to be denying and permitting the same traffic within the same ACL..
Any help would be really appreciated... It seems like I have missed something simple but I just can't find the problem. Even with my VPN tunnel up, traffic from 192.168 just won't go out the tunnel but traffic from 10.88 goes out perfectly... What am I missing..??? AAAggghh!!!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0 overload
ip nat inside source route-map SDM_RMAP_3 interface GigabitEthernet0 overload
access-list 101 remark CCP_ACL Category=2
access-list 101 remark NWIH Connection to NIPACS
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.88.10.0 0.0.0.255 host 192.168.1.2
access-list 101 deny icmp any any echo-reply
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.88.10.0 0.0.0.255 194.138.39.16 0.0.0.7
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.88.10.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 88.151.1.16 0.0.0.7 81.137.191.48 0.0.0.7
access-list 101 permit ip 10.88.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 remark CCP_ACL Category=16
access-list 150 remark NWIH Connection to NIPACS
access-list 150 deny ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 150 remark IPSec Rule
access-list 150 deny ip 10.88.10.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 150 deny icmp any any echo-reply
access-list 150 remark IPSec Rule
access-list 150 deny ip 10.88.10.0 0.0.0.255 host 192.168.1.2
access-list 150 remark IPSec Rule
access-list 150 deny ip 10.88.10.0 0.0.0.255 194.138.39.16 0.0.0.7
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 194.168.231.0 0.0.0.7
access-list 150 permit icmp any any echo-reply
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
route-map SDM_RMAP_2 permit 1
 match ip address 150
!
route-map SDM_RMAP_3 permit 1
 match ip address 150
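A NAT route-map ACL is evaluated first-match: a permit line means "translate", a deny line means "leave untranslated" (so VPN-bound traffic keeps its private source address for the crypto map, which is the NAT exemption Alain asks about), and a later line that repeats or is contained in an earlier one never fires. This added Python model (not from the thread or from Cisco) runs that evaluation over ACL 150 exactly as posted above, applies the same first-match logic to the simple "permit 192.168.0.0/24 any" list from the accepted answer, and flags the shadowed entries behind the "deny and permit the same traffic" confusion; the sample flows are constructed values.

```python
import ipaddress
# Route-map ACL 150 as posted in the thread (remark lines dropped).
ACL_150 = """
deny ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255
deny ip 10.88.10.0 0.0.0.255 10.210.0.0 0.0.255.255
deny icmp any any echo-reply
deny ip 10.88.10.0 0.0.0.255 host 192.168.1.2
deny ip 10.88.10.0 0.0.0.255 194.138.39.16 0.0.0.7
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 10.210.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.0.255 194.168.231.0 0.0.0.7
permit icmp any any echo-reply
"""
ALL = 0xFFFFFFFF

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _addr(tok):  # consume 'any' | 'host A' | 'A WILDCARD' -> ((net, wild), rest)
    if tok[0] == "any":
        return (0, ALL), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]
def parse_acl(text):
    out = []
    for t in (l.split() for l in text.splitlines() if l.strip()):
        src, rest = _addr(t[2:])
        dst, _ = _addr(rest)          # ICMP type qualifiers (echo-reply) are ignored
        out.append((t[0], t[1], src, dst))
    return out
def _match(addr, spec):               # wildcard bit 1 = don't care, 0 = must match
    return ((addr ^ spec[0]) & ~spec[1] & ALL) == 0
def _covers(a, b):                    # every address matched by b is matched by a
    return (b[1] & ~a[1]) == 0 and ((a[0] ^ b[0]) & ~a[1] & ALL) == 0

def nat_decision(acl_text, src, dst, proto="ip"):  # first match wins
    for i, (action, p, s, d) in enumerate(parse_acl(acl_text)):
        if p in ("ip", proto) and _match(_ip(src), s) and _match(_ip(dst), d):
            return ("translate" if action == "permit" else "exempt", i)
    return ("no-match", -1)           # implicit deny: this route-map does not translate

def shadowed(acl_text):               # entry index -> earlier entry that hides it
    e = parse_acl(acl_text)
    hidden = {}
    for j in range(len(e)):
        for i in range(j):
            if e[i][1] in ("ip", e[j][1]) and _covers(e[i][2], e[j][2]) and _covers(e[i][3], e[j][3]):
                hidden[j] = i
                break
    return hidden
```

Run against ACL 150, the flow 192.168.0.x to 10.210.x.x stops at entry 0 (exempt, so it is left for the crypto ACL), internet-bound 192.168.0.x traffic is translated by entry 5, and entries 6, 7 and 8 can never match.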