Home lab Help

thatnaijaguy
Level 1

Hi Everyone

First, sorry if this has already been answered. I am having problems trying to configure a separate network within my home network.

I am using AT&T U-verse as my ISP and I recently got a Cisco 2621 with 2 Fast Ethernet ports from work.

I wanted to create a separate home network (with internet access) within U-verse.

This is my setup:

[image: setup.png]

I have set up a default route:

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.1.254 to network 0.0.0.0

C    172.16.0.0/16 is directly connected, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.1.254

I am able to ping any device in the 172.16.0.0 network.

I set a static IP for all devices on the 172.16.0.0 network with a 172.16.1.100 gateway.

What I can't do is ping my router (192.168.1.254) or any device in the 192.168.1.0 network except 192.168.1.250 from the 172.16.0.0 network. Also I am unable to ping my AT&T gateway and I am unable to browse the internet from the 172.16.0.0 network.

My routing protocol is set to RIP:

Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 8 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0       2     2
    FastEthernet0/1       2     2
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    172.16.0.0
    192.168.1.0
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 120)

Please, I need to know if I am doing anything wrong.

If anyone can help, it will be greatly appreciated.

I am very, very new to routing protocols; this is my first quest after studying for my CCENT/CCNA.

Thank you all

5 Replies

Abzal
Level 7

Hi,

Network topology diagram and router's full configuration would be helpful.

Sent from Cisco Technical Support iPhone App

Best regards,
Abzal

Hello Anthony,

RIP is absolutely unnecessary, because you have only one router. This router does not have any other routers to exchange routes with.

Your router seems to be configured correctly. But I think the problem will be that your LAN network is 172.16.0.0/16, which is unknown to the AT&T device. Your traffic (e.g. ping) will arrive on the AT&T router (192.168.1.254), but this router does not know where to send the answer; it only knows about 192.168.1.0/24 from your direction.

The same problem exists with internet traffic. I think that the AT&T router is configured to NAT & route everything from 192.168.1.0/24 (the subnet reserved for you) to some public IP and send it to the internet, but if traffic with a source IP from 172.16.0.0/16 arrives, it will be dropped (unknown network and also private IP addresses).

To confirm this theory, log in to the router and ping some internet address from this router.

# ping 8.8.8.8

If the ping is successful, I was right.

Solution if you confirm that this is the problem:

- ask AT&T to allow traffic from 172.16.0.0/16 to go to the internet -> I do not believe that AT&T will do something like that

- configure NAT (PAT); your LAN network will be NATed to the router WAN IP, 192.168.1.250:

ip access-list extended NAT_ACL
 deny   ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
 deny   ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
 permit ip 172.16.0.0 0.15.255.255 any
 deny   ip any any

route-map NAT_MAP
 match ip address NAT_ACL

ip nat inside source route-map NAT_MAP interface fa0/0 overload

int f0/0
 ip nat outside

int f0/1
 ip nat inside

Best Regards

Please rate all helpful posts and close solved questions

Hi Blau,

Thank you so much for the reply and thank you so much for the advice. It worked.

After I finished using those commands, I was able to ping website IPs (8.8.8.8, 74.125.227.5) from the 172.16.0.0 network and I can browse to them now.

I am not able to ping devices in the 192.168.1.0 network from the 172.16.0.0 network; any advice on what I should be looking at for that?

This is my current conf:

R1#show conf
Using 1087 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
enable secret 5 $1$qCBE$Uvbqrs5nLjjVHc4w5fbZv0
enable password ccentpractise
!
clock timezone cst -6
clock summer-time CDT recurring
ip subnet-zero
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.250 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.1.100 255.255.0.0
 ip nat inside
 duplex auto
 speed auto
!
router rip
 version 2
 network 172.16.0.0
 network 192.168.1.0
 no auto-summary
!
ip nat inside source route-map NAT_MAP interface FastEthernet0/0 overload
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip http server
ip pim bidir-enable
!
!
ip access-list extended NAT_ACL
 deny   ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
 deny   ip 172.16.0.0 0.15.255.255 192.0.0.0 0.255.255.255
 permit ip 172.16.0.0 0.15.255.255 any
 deny   ip any any
route-map NAT_MAP permit 10
 match ip address NAT_ACL NAT_ACl
!
!
line con 0
line aux 0
line vty 0 4
 login
!
no scheduler allocate
end

Thank you in advance.

Hello Anthony,

I am glad I could help.

Your problem with ping has the same reason as the previous problem. Devices on the 192.168.1.0/24 network do not know about the 172.16.0.0/12 network, except your router.

ip access-list extended NAT_ACL
 deny   ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
 deny   ip 172.16.0.0 0.15.255.255 192.0.0.0 0.255.255.255
 permit ip 172.16.0.0 0.15.255.255 any
 deny   ip any any

The ACL which you used denies NATing traffic from 172.16.0.0/16 to 192.168.0.0/16, which includes 192.168.1.0/24.

I also found one error in your ACL; it is probably a copy & paste mistake:

192.0.0.0 0.255.255.255 -> this is not a valid range for private addresses; change it to 192.168.0.0 0.0.255.255.

If you do not change it, some public IPs will not be reachable for you, because you denied the entire 192.0.0.0/8 network.

Change NAT_ACL this way, and everything should be working as supposed to:

ip access-list extended NAT_ACL
 deny   ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
 permit ip 172.16.0.0 0.15.255.255 192.168.1.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
 permit ip 172.16.0.0 0.15.255.255 any
 deny   ip any any

Best Regards

Please rate all helpful posts and close solved questions
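The two replies above turn on how an IOS extended ACL is read: wildcard masks (a 1 bit means "don't care") and first-match evaluation, with "permit" in the route-map's match ACL meaning "translate this flow". The following Python is an added example, not code from this thread or from Cisco; it reproduces those two rules on a few constructed flows so you can see why the posted NAT_ACL blocked pings to 192.168.1.254 and a slice of public address space, and why the corrected version puts the /24 permit ahead of the /16 deny. The flow addresses are made up; 192.0.2.1 is an RFC 5737 documentation address standing in for any public IP that happens to sit inside 192.0.0.0/8.

```python
import ipaddress
from typing import List, Tuple

# One extended-ACL entry in the posted form "action ip SRC SRC_WC DST DST_WC".
AclEntry = Tuple[str, str, str, str, str]

ANY = ("0.0.0.0", "255.255.255.255")  # the IOS keyword "any" as a wildcard pair


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care';
    the address matches when every 'care' bit equals the network's bit."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) ^ _to_int(network)) & care == 0


def acl_decision(acl: List[AclEntry], src: str, dst: str) -> str:
    """First-match evaluation, as IOS does it, with the implicit deny at the end."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


def nat_applies(acl: List[AclEntry], src: str, dst: str) -> bool:
    """A 'permit' in the route-map's match ACL means the flow IS translated."""
    return acl_decision(acl, src, dst) == "permit"


# NAT_ACL exactly as it appears in the posted "show conf" (with the 192.0.0.0/8 line).
NAT_ACL_POSTED: List[AclEntry] = [
    ("deny",   "172.16.0.0", "0.15.255.255", "10.0.0.0",  "0.255.255.255"),
    ("deny",   "172.16.0.0", "0.15.255.255", "192.0.0.0", "0.255.255.255"),
    ("permit", "172.16.0.0", "0.15.255.255", *ANY),
    ("deny",   *ANY, *ANY),
]

# NAT_ACL as corrected in the reply: the permit for 192.168.1.0/24 must come
# before the deny for 192.168.0.0/16, because the first matching line wins.
NAT_ACL_FIXED: List[AclEntry] = [
    ("deny",   "172.16.0.0", "0.15.255.255", "10.0.0.0",    "0.255.255.255"),
    ("permit", "172.16.0.0", "0.15.255.255", "192.168.1.0", "0.0.0.255"),
    ("deny",   "172.16.0.0", "0.15.255.255", "192.168.0.0", "0.0.255.255"),
    ("permit", "172.16.0.0", "0.15.255.255", *ANY),
    ("deny",   *ANY, *ANY),
]

# Constructed sample flows from a host on the 172.16.0.0 LAN (not from the thread).
SAMPLE_FLOWS = {
    "to internet":      ("172.16.0.10", "8.8.8.8"),
    "to AT&T gateway":  ("172.16.0.10", "192.168.1.254"),
    "to public 192/8":  ("172.16.0.10", "192.0.2.1"),
    "to other RFC1918": ("172.16.0.10", "192.168.50.7"),
}


def compare(acl_before: List[AclEntry], acl_after: List[AclEntry]):
    """Return {flow name: (translated under acl_before?, translated under acl_after?)}."""
    return {name: (nat_applies(acl_before, s, d), nat_applies(acl_after, s, d))
            for name, (s, d) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (before, after) in compare(NAT_ACL_POSTED, NAT_ACL_FIXED).items():
        print(f"{name:17} posted={'NAT' if before else 'no NAT':7} "
              f"fixed={'NAT' if after else 'no NAT'}")
```

Running it shows the posted ACL leaving "to AT&T gateway" and "to public 192/8" untranslated (so the replies have no route back to 172.16.0.0/16), while the corrected ACL translates both and still keeps the remaining 192.168.0.0/16 and 10.0.0.0/8 space out of NAT. Swap the order of the permit and deny lines in NAT_ACL_FIXED and the gateway flow stops being translated again, which is the point about first-match ordering.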

Also, if I were you, I would configure some basic features on your router; at least protect your vty access.

!
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
! set username and password for access to your router
username USER password PASSWORD
! configure an ACL where you allow the IPs from which you allow access to the router
ip access-list extended MGMT
 permit ip 172.16.0.0 0.15.255.255 any
 deny   ip any any
! apply the ACL to vty
line vty 0 4
 access-class MGMT in
! deny routing private IPs to the internet
ip route 10.0.0.0 255.0.0.0 Null 0
ip route 192.168.0.0 255.255.0.0 Null 0

And if your router supports some firewall features, it would be nice to use them.

Best Regards

Please rate all helpful posts and close solved questions