CISCO 887VA Inter VLAN Internet Connection

sardarrom
Level 1

Dear all,

   I am a newbie and I desperately need help... please, anyone who can help me, it would be really appreciated.

   I have a Cisco 887 router. I have created two VLANs, "vlan10 and vlan20". My vlan 10 is connected to my ASA5505 firewall via DHCP and works great. On the other hand, I have vlan 20 created for my internal PC/host to be connected to, which has an IP of 172.16.2.1/28. The problem is that on the Fa3 port, which is on vlan 20 and where my PC sits, my PC can't connect to the internet, but if I switch it to vlan10 it can connect to the internet with no problem. Please, any help will be appreciated.

   Kind regards to all


sardarrom
Level 1

Can anyone help? No??

Hi,

172.16.2.1/28 is a private subnet and so in order for any device in this subnet to connect to the internet, you need to use NAT. 

Can you post the output of "sh run" from the router?

HTH

sardarrom
Level 1

ROUTER-887-05#show run
Building configuration...


Current configuration : 6154 bytes
!
! Last configuration change at 00:13:36 GMT Tue Jan 2 1900 by admin
!
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROUTER-887-05
!
boot-start-marker
boot system flash:c880data-universalk9-mz.155-3.M1.bin
boot system flash
boot-end-marker
!
!
no logging buffered
enable secret 4 vyWNloJMwUg6iw4Pw08A10KxqrVlq.jHGgWnD.A9BdU
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login admin local
aaa authentication login local_access local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
memory-size iomem 10
clock timezone GMT 1 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 172.16.2.1
!
ip dhcp pool VLAN20POOL
network 172.16.2.0 255.255.255.240
default-router 172.16.2.1
dns-server 192.168.2.1
!
ip dhcp pool VLAN10POOL
network 172.16.1.0 255.255.255.240
dns-server 192.168.2.1
default-router 172.16.1.1
!
!
!
no ip domain lookup
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
!
multilink bundle-name authenticated
license udi pid C-887-K9-MS sn FCZ1532C2HU
license accept end user agreement
license boot module c880-data level advipservices
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
any
!
object-group network Others_src_net
any
!
object-group service Others_svc
ip
!
object-group network Web_dst_net
any
!
object-group network Web_src_net
any
!
object-group service Web_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
any
!
object-group network vpn_remote_subnets
any
!
username admin privilege 15 password 7 0508091A2F584B1B
username administrator privilege 15 password 7 02050B4E05120A33
!
!
!
!
no cdp advertise-v2
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any Others_app
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol sip
match protocol ftp
match protocol dns
match protocol icmp
class-map type inspect match-all dmz-to-in-echorequest
class-map type inspect match-any Web_app
match protocol http
class-map type inspect match-all Others
match class-map Others_app
match access-group name Others_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
class type inspect Web
inspect
class type inspect Others
inspect
class class-default
drop log
policy-map type inspect dmz-to-in-policy
policy-map ccp-inspect
policy-map ccp-permit-dmzservice
policy-map ccp-permit
policy-map ccp-permit-icmpreply
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone security dmz-zone
zone security in-zone
zone security out-zone
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
zone-pair security ccp-zp-out-self source out-zone destination self
zone-pair security ccp-zp-in-out source in-zone destination out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
!
!
crypto isakmp policy 1
!
!
!
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
description Connessione verso FASTWEB
no ip address
shutdown
atm ilmi-keepalive
!
interface ATM0.100 point-to-point
description Collegamento WAN ADSL
shutdown
atm route-bridged ip
pvc 8/35
encapsulation aal5snap
!
!
interface FastEthernet0
description This Interface linked to ASA
switchport access vlan 10
no ip address
!
interface FastEthernet1
description "Interface Fa1 linked to Router-887VA-01 on Port Fa0"
switchport access vlan 20
no ip address
!
interface FastEthernet2
switchport access vlan 20
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
ip virtual-reassembly in
shutdown
!
interface Vlan10
description "Interface CONN.to ASA-FW directly"
ip address 172.16.1.2 255.255.255.240
ip nat outside
ip virtual-reassembly in
!
interface Vlan20
description "Inside Interface CONN.to Router-887VA-01 on Vlan 10 on Port Fa0"
ip address 172.16.2.1 255.255.255.240
ip nat inside
ip virtual-reassembly in
!
router rip
version 2
network 172.16.0.0
network 192.168.2.0
no auto-summary
!
no ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat pool VLAN20POOL 172.16.2.0 172.16.2.14 netmask 255.255.255.240
ip nat inside source list 1 interface FastEthernet3 overload
ip nat inside source list 100 interface Vlan20 overload
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended internet_traffic
permit ip any host 172.16.2.0
permit ip any host 172.16.0.0
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
!
!
access-list 1 permit any
access-list 100 permit ip 172.16.0.0 0.0.0.240 any
!
!
!
control-plane
!
!
banner login ^C*************RESTRICTED SYSTEM**********^C
!
line con 0
password 7 151104190A3E2E36
login authentication local_access
no modem enable
line aux 0
line vty 0 4
session-timeout 30
access-class 23 in
privilege level 15
password 7 121A0C041104
login authentication local_access
transport input telnet ssh
!
scheduler max-task-time 5000
!
end

Just need clarification: is the ASA doing NAT, or is this router doing NAT?
Is the ASA also doing NAT?

As per the config, the switch port allocated to the ASA is point to point and in VLAN 10.


!
interface FastEthernet3
switchport access vlan 20   <-- if the device is connected here, change this to VLAN 20 for it to work.
no ip address

If it is still not working, post the ASA config, so we can advise on both the router and ASA config.
There are some issues in the router config; we can only suggest fixes based on the ASA config.


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

sardarrom
Level 1

Yes, I attached the show run; this is the config file on my router 887.

@Reza Sharifi correctly identifies the main issue as the requirement for address translation for vlan 20. But we need to go a bit deeper in identifying a solution. The address translation might be done on your 887 router, but it could also be done on your ASA5505. Which solution would you prefer?

While we wait for clarification about which solution you prefer, I do have some comments about the configuration that you posted:

- the configuration has several references to 192.168.2.x. But I do not find that network on any interface. Either you need to define that network in the config or you need to remove those references to it.

- you have a dhcp excluded address for vlan 20

ip dhcp excluded-address 172.16.2.1

but no excluded address for vlan 10 (and you should exclude both .1 and .2 in that subnet)

- the config includes some parameters used for zone based firewall. But I do not see ZBF being implemented, and since your 887 connects to an ASA which provides firewall services I would suggest that you remove anything on the 887 related to ZBF.

- you have configured router rip. Is there some device in this network that we do not know about that will run rip and communicate with the 887? If not what purpose does this serve?

- the config defines ip nat pool VLAN20POOL but does not make any use of it. If it is not used it should be removed.

- the config has this

ip nat inside source list 1 interface FastEthernet3 overload

but FA3 is an access port in vlan 20. It makes no sense to attempt NAT on an access port. Remove this.

- The config has this

ip nat inside source list 100 interface Vlan20 overload

It appears that vlan 20 is an inside subnet. Why are you attempting NAT using this interface?

- the config contains 3 static default routes

ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 0.0.0.0 0.0.0.0 dhcp

I have already suggested removing any reference to 192.168.2 which would include the first one.

I do not see any interface which uses dhcp so the static default route specifying dhcp should be removed.

- your comment in the original post indicates that the 887 connects to ASA with dhcp for vlan 10. But the config for vlan 10 has a hard coded IP address. Which is it supposed to be? If vlan 10 should use dhcp then keep the third static default route and remove the second static default route. If vlan 10 should have configured IP address then remove the static default route using dhcp.

HTH

Rick
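The checks Rick walks through above (next hops that are on no connected subnet, a default route via dhcp with no DHCP-addressed interface, NAT bound to a layer-2 access port or to an "ip nat inside" interface, an unused NAT pool, and DHCP pools that do not exclude the gateway and the router's own address) can be run mechanically against a running-config. The following Python linter is an added example, not code from any poster or from Cisco; the embedded sample is a constructed excerpt of the 887 config posted in this thread, re-indented the way IOS prints sub-commands (the extraction above flattened that indentation), and the finding codes are names chosen here.

```python
"""Lint an IOS running-config excerpt for the issues raised in the thread above."""
import ipaddress
import re

# Constructed excerpt of the posted 887 config; only the stanzas the checks need.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 172.16.2.1
ip dhcp pool VLAN20POOL
 network 172.16.2.0 255.255.255.240
 default-router 172.16.2.1
 dns-server 192.168.2.1
ip dhcp pool VLAN10POOL
 network 172.16.1.0 255.255.255.240
 dns-server 192.168.2.1
 default-router 172.16.1.1
interface FastEthernet3
 switchport access vlan 10
 no ip address
interface Vlan10
 ip address 172.16.1.2 255.255.255.240
 ip nat outside
interface Vlan20
 ip address 172.16.2.1 255.255.255.240
 ip nat inside
ip nat pool VLAN20POOL 172.16.2.0 172.16.2.14 netmask 255.255.255.240
ip nat inside source list 1 interface FastEthernet3 overload
ip nat inside source list 100 interface Vlan20 overload
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 0.0.0.0 0.0.0.0 dhcp
"""


def parse_sections(text):
    """Group the config into (header, [sub-commands]) pairs using IOS indentation."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def lint_config(text):
    """Return a list of (code, message) findings; an empty list means no issue found."""
    sections = parse_sections(text)
    findings = []

    # Interface inventory: L3 addresses, NAT roles, L2 access ports, DHCP-addressed ports.
    iface_addr, nat_role, access_ports, dhcp_ifaces = {}, {}, set(), set()
    for header, body in sections:
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        for line in body:
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:
                iface_addr[name] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            elif line == "ip address dhcp":
                dhcp_ifaces.add(name)
            elif line.startswith("switchport access vlan"):
                access_ports.add(name)
            elif line in ("ip nat inside", "ip nat outside"):
                nat_role[name] = line.split()[-1]
    connected = [i.network for i in iface_addr.values()]

    def on_connected_subnet(ip):
        return any(ipaddress.IPv4Address(ip) in n for n in connected)

    # Static default routes: more than one is suspicious; each next hop must be reachable.
    hops = [m.group(1) for h, _ in sections
            if (m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", h))]
    if len(hops) > 1:
        findings.append(("MULTI_DEFAULT", f"{len(hops)} static default routes: {hops}"))
    for hop in hops:
        if hop == "dhcp":
            if not dhcp_ifaces:
                findings.append(("DHCP_ROUTE_NO_DHCP_IFACE",
                                 "default route via dhcp but no interface uses 'ip address dhcp'"))
        elif re.match(r"\d+\.", hop) and not on_connected_subnet(hop):
            findings.append(("NEXTHOP_NOT_CONNECTED", f"next hop {hop} is on no connected subnet"))

    # NAT statements: the overload interface must be a routed, outside-facing interface.
    pools_defined, pools_used = set(), set()
    for header, _ in sections:
        if (m := re.match(r"ip nat pool (\S+)", header)):
            pools_defined.add(m.group(1))
        if (m := re.match(r"ip nat inside source list \S+ (interface|pool) (\S+)", header)):
            kind, target = m.groups()
            if kind == "pool":
                pools_used.add(target)
            elif target in access_ports:
                findings.append(("NAT_ON_ACCESS_PORT", f"'{header}': {target} is a layer-2 access port"))
            elif nat_role.get(target) == "inside":
                findings.append(("NAT_ON_INSIDE_IFACE", f"'{header}': {target} is marked 'ip nat inside'"))
    for pool in sorted(pools_defined - pools_used):
        findings.append(("UNUSED_NAT_POOL", f"ip nat pool {pool} is defined but never used"))

    # DHCP pools: the gateway and the router's own address in the pool subnet must be excluded.
    excluded = set()
    for header, _ in sections:
        if (m := re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", header)):
            lo, hi = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2) or m.group(1))
            excluded.update(ipaddress.IPv4Address(a) for a in range(int(lo), int(hi) + 1))
    for header, body in sections:
        if not (m := re.match(r"ip dhcp pool (\S+)", header)):
            continue
        net = gw = None
        for line in body:
            if (n := re.match(r"network (\S+) (\S+)", line)):
                net = ipaddress.IPv4Network(f"{n.group(1)}/{n.group(2)}")
            if (g := re.match(r"default-router (\S+)", line)):
                gw = ipaddress.IPv4Address(g.group(1))
        if net is None:
            continue
        must_exclude = {gw} if gw else set()
        must_exclude |= {i.ip for i in iface_addr.values() if i.ip in net}
        missing = sorted(must_exclude - excluded)
        if missing:
            findings.append(("DHCP_NOT_EXCLUDED",
                             f"pool {m.group(1)}: {', '.join(map(str, missing))} can be leased to clients"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_config(SAMPLE_CONFIG):
        print(f"{code:26} {msg}")
```

Against the sample it reports the seven issues from the post (three default routes, the 192.168.2.1 next hop, the dhcp route, NAT on FastEthernet3, NAT on Vlan20, the unused VLAN20POOL, and 172.16.1.1/172.16.1.2 not excluded from VLAN10POOL); on a config with a single default route via a connected next hop and no NAT or DHCP stanzas it returns an empty list.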

Sir, on my router 887 the vlan 10 has an assigned static IP that comes from the DHCP pool of the ASA firewall.

-- All I want is to access the internet using vlan 20 of the router on port fa3, which is on a different subnet (172.16.2.1/28).

We need the ASA config also, along with a new router config, to understand better.

BB


sardarrom
Level 1

Thank you so much for a quick response, sir. I have taken out all the NAT related statements and it is still working: as my port fa3 now sits on vlan 10, it is connected to the internet. The moment I move that to vlan 20, no more internet connection.

OK, I will issue all the instructions as you posted above and I will get back to you ASAP, sir.

sardarrom
Level 1

> you have configured router rip. Is there some device in this network that we do not know about that will run rip and communicate with the 887? If not what purpose does this serve?

-- Response to the above: yes, my ASA firewall is running RIPv2.

I have removed all commands as you suggested.

sardarrom
Level 1

Sir, I have posted the ASA firewall 5505 config as you asked for:

ASA Version 9.2(4)
!
hostname ASA-03-TEST
enable password AZWE6yvp4O/LTMJ2 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd AZWE6yvp4O/LTMJ2 encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 10
duplex full
!
interface Ethernet0/3
switchport access vlan 10
shutdown
!
interface Ethernet0/4
switchport access vlan 10
shutdown
!
interface Ethernet0/5
switchport access vlan 10
shutdown
!
interface Ethernet0/6
switchport access vlan 10
shutdown
!
interface Ethernet0/7
switchport access vlan 10
shutdown
!
interface Vlan1
shutdown
no nameif
security-level 100
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.2.21 255.255.255.0
!
interface Vlan10
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.240
!
boot system disk0:/asa924-k8.bin
ftp mode passive
object network internal_lan3
subnet 172.16.1.0 255.255.255.240
access-list deny-flow-max 1
access-list internalnetwork_access_in extended permit ip any any
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
access-list inside_in extended permit ip any any
access-list outsidenetwork_access_in extended permit ip any any
access-list internalnetwork_access-in extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network internal_lan3
nat (inside,outside) dynamic interface
router rip
network 172.16.0.0
network 192.168.2.0
version 2
no auto-summary
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 172.16.1.0 255.255.255.240 inside
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 192.168.2.1
!
dhcpd address 172.16.1.7-172.16.1.14 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password tzEgZPGUUV7rG0Vv encrypted
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0f42607ae91687c3834a4969e60b972d
: end

It looks like your ASA is doing NAT too. Do you need double NAT, i.e. your router does the NAT and the ASA also does the NAT?

In a real-world example, you do not need double NAT for any other reason here.

So, what would you like to do? Make a decision so we can advise on both configs.


BB


Dear sir, thank you so much for a quick response... OK, as you said, I do not need 2 NATs, but I want to access the internet using vlan 20 of my router 887. How can I do that?

I am posting the config for you:
ROUTER-887-05(config)#do show ip int brie
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM administratively down down
ATM0.100 unassigned YES unset administratively down down
BRI0 unassigned YES NVRAM administratively down down
BRI0:1 unassigned YES unset administratively down down
BRI0:2 unassigned YES unset administratively down down
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset up up
FastEthernet2 unassigned YES unset up up
FastEthernet3 unassigned YES unset up up
NVI0 unassigned YES unset administratively down down
Vlan1 unassigned YES unset administratively down down
Vlan10 172.16.1.2 YES manual up up
Vlan20 172.16.2.1 YES NVRAM up up

All I am trying to do is access the internet on vlan 20, putting my FA3 port on vlan 20 and connecting my PC to it.

Please help


Not sure what the latest configuration is on both devices; let's see if a quick config fixes your issue.

On the ASA, add the bold line below (make sure you keep track of all changes, so you can revert if something goes wrong).

I mean, take a config backup off the box.


object network internal_lan3
subnet 172.16.1.0 255.255.255.240

subnet 172.16.2.0 255.255.255.240


BB

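Whether a VLAN 20 host is translated by the ASA comes down to two questions: is its source address covered by a network object that carries a `nat (inside,outside) dynamic interface` rule, and can the ASA route the return traffic back to 172.16.2.0/28 (here both boxes run RIPv2 with `network 172.16.0.0`, so the 887 can advertise it). The following Python is an added example, not code from any poster or from Cisco; it models the ASA excerpt posted above as constructed text. Because an ASA network object holds a single `subnet` statement, the "after" state is modelled as a second object with the hypothetical name internal_lan_vlan20 and its own NAT rule rather than a second `subnet` line inside internal_lan3.

```python
"""Check ASA dynamic-NAT coverage and RIP reachability for a given inside host."""
import ipaddress
import re

# Constructed excerpt of the posted ASA config (the two internal_lan3 stanzas plus router rip).
ASA_BEFORE = """\
object network internal_lan3
 subnet 172.16.1.0 255.255.255.240
object network internal_lan3
 nat (inside,outside) dynamic interface
router rip
 network 172.16.0.0
 network 192.168.2.0
 version 2
"""

# Same config with a second, hypothetical object covering the VLAN 20 subnet.
ASA_AFTER = ASA_BEFORE + """\
object network internal_lan_vlan20
 subnet 172.16.2.0 255.255.255.240
object network internal_lan_vlan20
 nat (inside,outside) dynamic interface
"""


def classful_network(addr):
    """RIP 'network' statements are classful: A=/8, B=/16, C=/24."""
    first = int(addr.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)


def parse_asa(text):
    """Return ({object: {'subnet': IPv4Network|None, 'nat': (src_if, dst_if)|None}}, [rip networks])."""
    objects, rip_nets, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():                      # a new top-level stanza
            current = None
            if (m := re.match(r"object network (\S+)", line)):
                # Both stanzas for one object name merge into the same record.
                current = objects.setdefault(m.group(1), {"subnet": None, "nat": None})
            elif line == "router rip":
                current = rip_nets
            continue
        if isinstance(current, dict):
            if (m := re.match(r"subnet (\S+) (\S+)", line)):
                current["subnet"] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
            if (m := re.match(r"nat \((\w+),(\w+)\) dynamic", line)):
                current["nat"] = (m.group(1), m.group(2))
        elif isinstance(current, list):
            if (m := re.match(r"network (\S+)", line)):
                current.append(classful_network(m.group(1)))
    return objects, rip_nets


def nat_object_for(text, src_ip, src_if="inside", dst_if="outside"):
    """Name of the object whose subnet covers src_ip and that NATs src_if->dst_if, else None."""
    objects, _ = parse_asa(text)
    ip = ipaddress.IPv4Address(src_ip)
    for name, obj in objects.items():
        if obj["subnet"] and ip in obj["subnet"] and obj["nat"] == (src_if, dst_if):
            return name
    return None


def rip_advertises(text, network):
    """True if a classful RIP network statement covers the subnet, so it can be learned/advertised."""
    _, rip_nets = parse_asa(text)
    net = ipaddress.IPv4Network(network)
    return any(net.subnet_of(n) for n in rip_nets)


if __name__ == "__main__":
    for label, cfg in (("before", ASA_BEFORE), ("after", ASA_AFTER)):
        print(label, "172.16.1.9 ->", nat_object_for(cfg, "172.16.1.9"),
              "| 172.16.2.5 ->", nat_object_for(cfg, "172.16.2.5"))
    print("RIP covers 172.16.2.0/28:", rip_advertises(ASA_AFTER, "172.16.2.0/28"))
```

Before the change a 172.16.2.5 source matches no NAT object and leaves the ASA untranslated; after it, it is translated to the outside interface address like the VLAN 10 hosts, and the RIP check confirms 172.16.2.0/28 falls under the `network 172.16.0.0` statement.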