Routing Problem with Cisco 887

Joachim.Geiger
Level 1

Hello @ all,

I have a problem with the configuration of an 887. I tried everything I could find, but without any positive result.

The situation is the following:

Skizze.jpg

and this is the running-config of the Cisco 887:

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 $1$dVpM$wuXK8tLkNpBiGnKCvOBwj/
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3512942905
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3512942905
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-3512942905
certificate self-signed 01
........ (deleted)
quit
no ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ1448C1AZ
!
!
!
!
!
!
controller VDSL 0
operating mode vdsl2
!
!
!
!
!
!
!
!
interface Ethernet0
ip address 172.16.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
description Net2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.0.3 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
ip nat inside source list acl1 interface Vlan1 overload
ip route 0.0.0.0 0.0.0.0 172.16.1.1

!
logging esm config
access-list 1 permit any
!
!
!
!
!
control-plane
!
!
line con 0
password admin
login
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
password admin
login
transport input all
!
end

Pingtests:

Testclient 1 -> 172.16.1.1     OK
Testclient 1 -> 192.168.0.1    OK
Testclient 1 -> 172.16.1.2     OK
Testclient 1 -> 192.168.0.3    OK
Testclient 1 -> 192.168.0.4    - Failure Overtime -
Testclient 2 -> Testclient 1   OK
Testclient 2 -> 172.16.1.1     OK
Testclient 2 -> 192.168.0.1    - Failure Overtime -
Router A -> 192.168.0.3        OK
Router A -> 192.168.0.4        - Failure Overtime -

So I am at the end of my knowledge! :-)

I hope somebody can help me!

8 Replies

Hi Joachim,

I see a few problems in the configuration of the 887.

1. "ip nat inside source list acl1 interface Vlan1 overload"

We are natting the source IP to VLAN1 and VLAN1 is designated as NAT inside. This is incorrect as we NAT to the "outside" interface.

2. The source list used is "acl1", whereas it should be "1", as that is what you have created.

access-list 1 permit any

Change the nat statement to

"ip nat inside source list 1 interface  ethernet 0 overload"

Post if you still face any issue and rate the helpfulness please.

--

Regards,

Sebastian
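An added example, not part of the original thread and not Cisco tooling: a small Python check for the two problems named in the reply above (a NAT source list that references an undefined access list, and an overload interface that is not marked `ip nat outside`). The function names and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: only the NAT-relevant lines of the 887 config posted above.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 172.16.1.2 255.255.255.0
 ip nat outside
!
interface Vlan1
 ip address 192.168.0.3 255.255.255.0
 ip nat inside
!
ip nat inside source list acl1 interface Vlan1 overload
access-list 1 permit any
"""

NAT_RULE = r"ip nat inside source list (\S+) interface\s+(.+?)\s+overload"

def canon(name):
    """Normalise 'ethernet 0' and 'Ethernet0' to one comparable form."""
    return re.sub(r"\s+", "", name).lower()

def lint_nat(config):
    """Return a list of findings for interface-overload NAT rules."""
    roles, acls, rules, current = {}, set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current = None                      # end of an interface block
        elif m := re.fullmatch(r"interface\s+(.+)", line):
            current = canon(m.group(1))
        elif (m := re.fullmatch(r"ip nat (inside|outside)", line)) and current:
            roles[current] = m.group(1)         # NAT role of this interface
        elif m := re.match(r"(?:ip )?access-list\s+(?:(?:standard|extended)\s+)?(\S+)", line):
            acls.add(m.group(1))                # numbered or named ACL
        elif m := re.fullmatch(NAT_RULE, line):
            rules.append((m.group(1), m.group(2)))
    findings = []
    for acl, iface in rules:
        if acl not in acls:
            findings.append(f"NAT source list '{acl}' is not a defined access list")
        role = roles.get(canon(iface))
        if role != "outside":
            findings.append(f"overload interface {iface} is marked '{role}', expected 'outside'")
    return findings

if __name__ == "__main__":
    for finding in lint_nat(SAMPLE_CONFIG):
        print(finding)
```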

Do I really need a NAT?

I think it's possible to do this with only a route, or is that wrong? When I use Wireshark, the packets that arrive at Eth0 have the source IP of, for example, Testclient 0.

Well, NAT is necessary as you are using overlapping subnets on either side, separated by another L3 network boundary. To explain, let's say Testclient2 wants to talk to testclient0; both are configured in the common subnet of 192.168.0.x/24. Testclient2 initiates an ARP for testclient1 (as they are in the same network), but ARP will fail as the router cannot forward a broadcast outside the layer 3 boundary in which it was initiated. Hence no ARP, no ping.

We need to be able to change the source address of the traffic arriving in VLAN1 when going out.

-

Regards,

Sebastian.

Oh sorry, I think I have forgotten something!

Testclient 1 is only for some tests or for Wireshark and management.

In reality I only want to connect Testclient 2 to Testclient 0!

Joachim,

Well yes, Testclient 2 and 0, as per the diagram, are in the 192.168.0.0/24 subnet; however, the two are separated by another subnet. Hence they will not be able to discover each other over layer 2. So NAT becomes necessary in lieu to my explanation in the earlier post.

-

Sebastian

1. I changed the NAT statement to

"ip nat inside source list 1 interface  ethernet 0 overload"

But now I'm not able to manage the router over the Eth 0 interface.

2. I have a question. Is it possible to give the Eth0 interface two vlans? So I can say, no 1 is for management and no 2 is for the traffic from testclient 0 to testclient 2.

Well, eth cannot be a part of two VLANs, since this was an L3 interface; however, we can have two IP addresses on it using the secondary command.

int eth0
ip add x.x.x.x  255.255.255.0
ip add y.y.y.y  255.255.255.0 secondary

--

Sebastian

OK. I thought so. Bad ....

But when I configure eth0 with 192.168.0.3 /24 secondary and 172.16.1.2/24, then I can delete the IP address of the VLAN interface. Now it should be possible to communicate between Testclient 0 and Testclient 2, right?? Edit: this doesn't work!

Thanks a lot for your help!

So I tried to configure a route again, so that Testclient 2 can ping Testclient 0. Everything is good, but if I want to ping from Testclient 0 to Testclient 2, it doesn't work. When I start Wireshark on Testclient 2, the ping requests are there but Testclient 2 doesn't send them back. ???

Config static IP: 192.168.0.4 / 24 GW: 192.168.0.3

The following run-config is active:

Building configuration...
(deleted)
no ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ1448C1AZ
!
!
!
!
!
!
controller VDSL 0
operating mode vdsl2
sync mode itu
!
!
!
!
!
!
!
!
interface Ethernet0
ip address 172.16.1.2 255.255.255.0
ip virtual-reassembly in
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
description Net
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-PPP1
no ip address
!
interface Vlan1
ip address 192.168.0.3 255.255.255.0
!
interface Dialer0
no ip address
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
logging esm config
(deleted)
end