Routing Between TMG and VLANs?

I have a Cisco 877W and I've set up two SSIDs on it, each with a different VLAN (I intend to use the zone-based firewall to lock down the guest zone later). The wireless connection is working and I can ping the entire network (because of the 10.0.0.10 interface), but none of the other computers on the network can ping the wireless SSID.

Looking in the TMG firewall logs, the first ping gives

Status: The operation completed successfully.
Rule: SolarWinds Polling
Source: Internal (10.0.0.1:8)
Destination: Internal WiFi (10.0.1.1)
Protocol: PING

and then

Status: A packet was dropped because its destination IP address is unreachable.
Rule: None - see Result Code
Source: Internal (10.0.0.1:2048)
Destination: Internal WiFi (10.0.1.1)
Protocol: PING

I have set up routing in TMG between the two networks (as the TMG server is the default gateway for all clients and other servers, including the one I pinged from).

It seems as if the first hop to 10.0.0.10 is working, but after that the destination IP address is unreachable. I have two free VLANs & interfaces if anyone knows a simpler way to let the 10.0.1.x clients access the internal network and each other while keeping them on separate VLANs.

show ip route gives

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer0
      10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C        10.0.0.0/24 is directly connected, Vlan11
L        10.0.0.10/32 is directly connected, Vlan11
C        10.0.1.0/24 is directly connected, Dot11Radio0.1
L        10.0.1.1/32 is directly connected, Dot11Radio0.1
C        10.0.2.0/24 is directly connected, Dot11Radio0.2
L        10.0.2.1/32 is directly connected, Dot11Radio0.2
C        10.0.3.0/24 is directly connected, Vlan10
L        10.0.3.1/32 is directly connected, Vlan10
      86.0.0.0/32 is subnetted, 1 subnets
C        86.*.*.* is directly connected, Dialer0
      159.*.0.0/32 is subnetted, 1 subnets
C        159.*.*.* is directly connected, Dialer0

I've made a quick diagram of my network. It's a single server with 2 NICs, one for the internal LAN and another for the external network (direct connection to the router).

[img]http://upit.cc/i/927b5b84.png[/img]

My router's config is

version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco877W
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius sdm-vpn-server-group-1
server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_pmip
server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius dummy
!
aaa authentication login default group radius local
aaa authentication login local_authen local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec local_author local
aaa accounting network acct_methods
action-type start-stop
group rad_acct
!
!
!
!
!
!
aaa session-id common
!
!
!
dot11 syslog
!
dot11 ssid Guest Wifi
vlan 22
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
accounting acct_methods
mbssid guest-mode
!
dot11 ssid MyDomain.com
vlan 21
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
accounting acct_methods
mbssid guest-mode
!
no ip source-route
!
!
ip dhcp smart-relay
ip dhcp relay information trust-all
!
!
ip cef
no ip bootp server
ip domain name MyDomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip dhcp-server 10.0.0.1
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username LocalAdmin privilege 15 secret
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
bridge irb
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
no atm ilmi-keepalive
!
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
snmp trap link-status
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
description TMG Firewall Port
switchport access vlan 10
spanning-tree portfast
!
!
interface FastEthernet1
description Internal Network Port
switchport access vlan 11
spanning-tree portfast
!
!
interface FastEthernet2
shutdown
spanning-tree portfast
!
!
interface FastEthernet3
shutdown
spanning-tree portfast
!
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
beacon period 50
beacon dtim-period 50
!
encryption vlan 21 mode ciphers aes-ccm
!
encryption vlan 22 mode ciphers aes-ccm
!
ssid Guest Wifi
!
ssid MyDomain.com
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
packet retries 100
fragment-threshold 2307
station-role root access-point
rts threshold 2306
rts retries 100
world-mode dot11d country IE indoor
!
!
interface Dot11Radio0.1
description Internal Network Radio
encapsulation dot1Q 21
ip address 10.0.1.1 255.255.255.0
ip helper-address 10.0.0.1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
interface Dot11Radio0.2
description Guest WiFi Radio
encapsulation dot1Q 22
ip address 10.0.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
interface Vlan1
no ip address
shutdown
!
!
interface Vlan10
description VLAN For TMG Network
ip address 10.0.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
interface Vlan11
description VLAN For Internal Network
ip address 10.0.0.10 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
interface Vlan21
description VLAN For Internal Wireless
ip dhcp relay information trusted
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip tcp adjust-mss 1452
!
!
interface Vlan22
description VLAN For Guest Wireless Network
ip dhcp relay information trusted
no ip address
ip helper-address 10.0.0.1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip tcp adjust-mss 1452
!
!
interface Dialer0
description ADSL Connection
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
!
!
!
router eigrp 1
network 10.0.0.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip flow-export version 9
ip flow-export destination 10.0.0.1 2055
ip flow-top-talkers
top 10
sort-by bytes
!
ip nat inside source list 1 interface Dialer0 overload
ip route profile
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended Guest-ACL
permit ip any any
!
logging trap debugging
logging 10.0.0.1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 10.0.3.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
radius-server local
nas 10.0.0.3 key
!
radius-server host 10.0.0.3 auth-port 1645 acct-port 1646 key
!
control-plane
!
!
!
line con 0
login authentication local_authen
no modem enable
line aux 0
login authentication local_authen
line vty 0 4
privilege level 15
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 10.0.0.2 source FastEthernet1
end
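As an added illustration (my own script, not part of the original post), the Python below parses the posted show ip route output and performs the same longest-prefix match the router's forwarding table would, so you can see which interface carries the echo request towards 10.0.1.1 and which carries the reply back towards 10.0.0.1. The two redacted Dialer0 /32 entries are left out because their addresses are not on the page.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample mirroring the "show ip route" output in the post
# (the redacted 86.*.*.* and 159.*.*.* Dialer0 entries are omitted).
SHOW_IP_ROUTE = """\
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer0
      10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C        10.0.0.0/24 is directly connected, Vlan11
L        10.0.0.10/32 is directly connected, Vlan11
C        10.0.1.0/24 is directly connected, Dot11Radio0.1
L        10.0.1.1/32 is directly connected, Dot11Radio0.1
C        10.0.2.0/24 is directly connected, Dot11Radio0.2
L        10.0.2.1/32 is directly connected, Dot11Radio0.2
C        10.0.3.0/24 is directly connected, Vlan10
L        10.0.3.1/32 is directly connected, Vlan10
"""

# Matches only real route entries (code, prefix, egress interface);
# the "is variably subnetted" summary line and headers do not match.
ROUTE_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+/\d+) is directly connected, (\S+)\s*$"
)

Route = Tuple[str, ipaddress.IPv4Network, str]  # (code, prefix, interface)


def parse_routes(text: str) -> List[Route]:
    """Extract connected/local/static entries from show ip route text."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m.group(1), ipaddress.ip_network(m.group(2)), m.group(3)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r[1] and (best is None or r[1].prefixlen > best[1].prefixlen):
            best = r
    return best


def trace_ping(routes: List[Route], src: str, dst: str) -> Tuple[Optional[str], Optional[str]]:
    """Egress interface for the request (src->dst) and for the reply (dst->src)."""
    fwd, rev = lookup(routes, dst), lookup(routes, src)
    return (fwd[2] if fwd else None, rev[2] if rev else None)


if __name__ == "__main__":
    table = parse_routes(SHOW_IP_ROUTE)
    print(trace_ping(table, "10.0.0.1", "10.0.1.1"))  # ('Dot11Radio0.1', 'Vlan11')
```

Note that the reply towards 10.0.0.1 leaves the router on Vlan11 directly, never through the Vlan10 segment where the TMG's other NIC sits, so the two legs of the ping do not take the same path through the firewall.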
