03-08-2013 09:13 PM - edited 03-07-2019 12:08 PM
Hi Everyone
First, sorry if this has already been answered. I am having problems trying to configure a separate network within my home network.
I am using AT&T U-verse as my ISP and I recently got a Cisco 2621 with 2 Fast Ethernet ports from work.
I wanted to create a separate home network (with internet access) within U-verse.
This is my setup
I have setup a default route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 192.168.1.254 to network 0.0.0.0
C 172.16.0.0/16 is directly connected, FastEthernet0/1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.1.254
I am able to ping any device in the 172.16.0.0 network.
I set a static IP for all devices on the 172.16.0.0 network with a 172.16.1.100 gateway.
What I can't do is ping my router (192.168.1.254) or any device in the 192.168.1.0 network except (192.168.1.250) from the 172.16.0.0 network. Also I am unable to ping my AT&T gateway and I am unable to browse the internet in the 172.16.0.0 network.
My routing protocol is set to RIP
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 8 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2
FastEthernet0/1 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
172.16.0.0
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 120)
Please I need to know if I am doing anything wrong
If anyone can help, it will be greatly appreciated.
I am very very new to routing protocols, this is my first quest after studying for my CCENT/CCNA
Thank you all
03-08-2013 09:25 PM
Hi,
Network topology diagram and router's full configuration would be helpful.
Sent from Cisco Technical Support iPhone App
03-09-2013 01:33 AM
Hello Anthony,
RIP protocol is absolutely unnecessary, because you have only one router. This router does not have any other routers to exchange routes with.
Your router seems to be configured correctly. But I think that the problem will be that your LAN network is 172.16.0.0/16, which is unknown to the AT&T device. Your traffic (e.g. ping) will arrive at the AT&T router (192.168.1.254), but this router does not know where to send the answer; it only knows about 192.168.1.0/24 from your direction.
The same problem applies to internet traffic. I think that the AT&T router is configured to NAT and route everything from 192.168.1.0/24 (the subnet reserved for you) to some public IP and send it to the internet, but if traffic with a source IP from 172.16.0.0/16 arrives, it will be dropped (unknown network and also private IP addresses).
To confirm this theory, log in to the router and ping some internet address from this router.
# ping 8.8.8.8
If the ping is successful, I was right.
Solution, if you confirm that this is the problem:
- ask AT&T to allow traffic from 172.16.0.0/16 to go to the internet -> I do not believe that AT&T will do something like that
- configure NAT (PAT), your LAN network will be NATed to the router WAN IP: 192.168.1.250
ip access-list extended NAT_ACL
 deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
 deny ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
 permit ip 172.16.0.0 0.15.255.255 any
 deny ip any any
route-map NAT_MAP
 match ip address NAT_ACL
ip nat inside source route-map NAT_MAP interface fa0/0 overload
int f0/0
 ip nat outside
int f0/1
 ip nat inside
Best Regards
Please rate all helpful posts and close solved questions
03-09-2013 11:18 AM
Hi Blau
Thank you so much for the reply and thank you so much for the advice. It worked.
After I finished using those commands, I was able to ping website IPs (8.8.8.8, 74.125.227.5) from the 172.16.0.0 network and I can browse to them now.
I am not able to ping devices in the 192.168.1.0 network from the 172.16.0.0 network. Any advice on what I should be looking at for that?
This is my current conf
R1#show conf
Using 1087 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
enable secret 5 $1$qCBE$Uvbqrs5nLjjVHc4w5fbZv0
enable password ccentpractise
!
clock timezone cst -6
clock summer-time CDT recurring
ip subnet-zero
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.250 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.1.100 255.255.0.0
 ip nat inside
 duplex auto
 speed auto
!
router rip
 version 2
 network 172.16.0.0
 network 192.168.1.0
 no auto-summary
!
ip nat inside source route-map NAT_MAP interface FastEthernet0/0 overload
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip http server
ip pim bidir-enable
!
!
ip access-list extended NAT_ACL
 deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
 deny ip 172.16.0.0 0.15.255.255 192.0.0.0 0.255.255.255
 permit ip 172.16.0.0 0.15.255.255 any
 deny ip any any
route-map NAT_MAP permit 10
 match ip address NAT_ACL NAT_ACl
!
!
line con 0
line aux 0
line vty 0 4
 login
!
no scheduler allocate
end
Thank you in advance.
03-09-2013 01:05 PM
Hello Anthony,
I am glad I could help.
Your problem with ping has the same cause as the previous problem. Devices on the 192.168.1.0/24 network do not know about the 172.16.0.0/12 network, except your router.
ip access-list extended NAT_ACL
 deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
 deny ip 172.16.0.0 0.15.255.255 192.0.0.0 0.255.255.255
 permit ip 172.16.0.0 0.15.255.255 any
 deny ip any any
The ACL which you used denies NAT for traffic from 172.16.0.0/16 to 192.168.0.0/16, which includes 192.168.1.0/24.
I also found one error in your ACL, it is probably a copy&paste mistake:
192.0.0.0 0.255.255.255 -> this is not a valid range for private addresses, change it to 192.168.0.0 0.0.255.255.
If you do not change it, some public IPs will not be reachable for you, because you denied the entire 192.0.0.0/8 network.
Change NAT_ACL this way, and everything should be working as it is supposed to:
ip access-list extended NAT_ACL
 deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
 permit ip 172.16.0.0 0.15.255.255 192.168.1.0 0.0.0.255
 deny ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
 permit ip 172.16.0.0 0.15.255.255 any
 deny ip any any
Best Regards
Please rate all helpful posts and close solved questions
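Added example (not part of the original posts): a small Python model of how NAT_ACL is evaluated, first match wins with wildcard masks, comparing the ACL from the posted configuration with the corrected one from the reply above. The inside host 172.16.1.10 and the destinations 192.0.2.10, 192.168.2.1 and 10.1.1.1 are constructed sample values; the 192.168.1.0 wildcard is written in full as 0.0.0.255.

```python
import ipaddress

# ACL from the posted "show conf" and the corrected ACL from the reply.
AS_CONFIGURED = """
deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
deny ip 172.16.0.0 0.15.255.255 192.0.0.0 0.255.255.255
permit ip 172.16.0.0 0.15.255.255 any
deny ip any any
"""
CORRECTED = """
deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
permit ip 172.16.0.0 0.15.255.255 192.168.1.0 0.0.0.255
deny ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
permit ip 172.16.0.0 0.15.255.255 any
deny ip any any
"""

def parse_acl(text):
    """Parse '<action> ip <src> <dst>' entries; each side is 'any' or 'addr wildcard'."""
    rules = []
    for line in text.strip().splitlines():
        action, _proto, *rest = line.split()
        specs = []
        while rest:
            if rest[0] == "any":
                specs.append((0, 0xFFFFFFFF))
                rest = rest[1:]
            else:
                addr, wild = (int(ipaddress.IPv4Address(x)) for x in rest[:2])
                specs.append((addr, wild))
                rest = rest[2:]
        rules.append((action, specs[0], specs[1]))
    return rules

def matches(ip, spec):
    addr, wild = spec
    # Wildcard bits set to 1 are ignored; every other bit must be equal.
    return (int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & 0xFFFFFFFF == 0

def nat_decision(acl_text, src, dst):
    """First matching entry wins. 'deny' means forwarded without translation."""
    for action, s, d in parse_acl(acl_text):
        if matches(src, s) and matches(dst, d):
            return action
    return "deny"  # implicit deny at the end of every ACL

if __name__ == "__main__":
    src = "172.16.1.10"  # constructed inside host
    for dst in ("192.168.1.254", "8.8.8.8", "192.0.2.10", "192.168.2.1", "10.1.1.1"):
        print(dst, nat_decision(AS_CONFIGURED, src, dst), nat_decision(CORRECTED, src, dst))
```

A `deny` for 192.168.1.254 under the configured ACL means the ping leaves with its 172.16.x.x source, which the gateway cannot answer; under the corrected ACL it is translated to 192.168.1.250.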
03-09-2013 01:21 PM
Also, if I were you, I would configure some basic features on your router, at least protect your vty access.
!
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
! set username and password for access to your router
username USER password PASSWORD
! configure an ACL listing the IPs from which you allow access to the router
ip access-list extended MGMT
 permit ip 172.16.0.0 0.15.255.255 any
 deny ip any any
! apply ACL to vty
line vty 0 4
 access-class MGMT in
! do not route private IPs to the internet
ip route 10.0.0.0 255.0.0.0 Null 0
ip route 192.168.0.0 255.255.0.0 Null 0
And if your router supports some firewall features, it would be nice to use them.
Best Regards
Please rate all helpful posts and close solved questions