Cisco 877W comms problem

athol
Level 1

Hi, I have been struggling with a configuration problem for some time, and I am sure that I am missing something simple, but at the moment it is beyond me. The issue is this. I have been given a Cisco 877W ADSL wireless router to use at home. I have the ADSL stuff working and I have the wireless half working. The position of the router is that it is sitting between the internet and a linux firewall/webserver, and a 24-port L2 managed switch (Intel 460) which has 2 VLANs on it, one the default and the other running dot1q back to F2 on the router. What I am attempting to do is have my son's friends connect via the wireless interface and have the data travel back through the VLAN to the firewall where I am running snmp and traffic shaping. From the inside of the network I can ping everything, this includes the wireless attached laptops. My problem is that using the laptop connected to the wireless interface I can ping itself, the DHCP gateway and the IP of the Dialer0 interface; I am not able to ping anything else. dot1q is enabled and the VLAN is linked back to the dotradio0.2 sub-interface. I am currently using trunking on the router although I have also tried bridging the interface as well. I can ping directly from the router through to the switch and I have also unplugged the cable upon which VLAN 2 travels. This action causes ping to fail so I believe that the VLAN is OK, however I have not had any success at all up to this point. Can anyone out there help me please?

Thank you

Athol Reid

27 Replies

Hello Athol,

can you make a drawing of your physical setup and post it ?

Regards,

GP

Hi Georg

I have attached a jpg of my home network infrastructure.

Cheers

Hello Athol,

thanks for the drawing, that clarifies what you are running into.

You say that the wireless laptop can ping the dialer 0 interface of the 877, can you tell if the address actually gets translated when you ping something on the Internet from the wireless laptop ?

I think in order for traffic from the wireless laptop to travel through the 877 to the switch and then the firewall and then back, you would need to establish some sort of policy routing. Traffic from the wireless laptop needs to be matched and the next hop needs to be the inside IP address of the firewall (172.16.100.4, as far as I can tell from your drawing). So on your 877, the route map should look like this:

route-map WIRELESS permit 10
 match ip address 1
 set ip next-hop 172.16.100.4
!
access-list 1 permit 10.10.10.0 0.0.0.255

Apply the route map to the incoming (DOT1) interface of the 877, that is the interface where the wireless laptop is connected to, with the 'ip policy route-map WIRELESS' command.

Assuming that your firewall has a route back to the 877, the traffic should now first go to the firewall, and then back to the 877...

Can you try and see if this works ?

Regards,

GP

Hi Georg

Thank you for the pointer, I have tried it today and I can now get out onto the internet from the wireless (DOT1) interface. The VLAN is not yet working as I cannot ping from the router at the moment. This is just "finger trouble" on my part I am sure. Your conf has worked a treat!!!

Thank you very much

Regards

Athol Reid

Hello Athol,

good to hear that you are making progress...

Where are you trying to ping to from the router ?

Keep in mind that, when you use the 'ping' command on the router, the default source for the ping is the interface closest to the destination. You might want to try an extended ping, just type 'ping' and hit Enter, that will give you configurable options...

Regards,

GP

Hi Georg

I am trying from two different places: from a client through the wireless interface and from the router itself. If I do not VLAN the Intel switch I can ping it from the router only (bearing in mind that I was never able to ping from the wireless client). If on the other hand I VLAN the switch with 802.1q encapsulation and also on the dotradio0.2 plus the vlan 2 interface on the router then I can not ping it. In writing this down it is beginning to suggest a route issue?

Kind Regards

Athol Reid

Hi Georg

I have been experimenting with the policy maps and routing. The situation that I am currently in is the same as before in that from the Windows XP Pro client, ip 10.10.10.51, I can ping the gateway on 10.10.10.1 and I can also resolve web IP addresses, but I can not ping 172.16.100.x devices. I have posted my conf in an attempt to be helpful and I would appreciate it if you could have a look and comment please.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ADSLW-ROUTER
boot-start-marker
boot-end-marker
logging buffered 52000 debugging
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 12
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.49
ip dhcp excluded-address 10.10.10.100 10.10.10.254
!
ip dhcp pool wireless-1
   import all
   network 10.10.10.0 255.255.255.0
   domain-name reid.co.nz
   dns-server 203.109.252.42 203.109.252.42
   default-router 10.10.10.1
!
!
no ip bootp server
no ip domain lookup
ip domain name reid.co.nz
ip name-server 203.109.252.43
ip name-server 203.109.252.42
ip ssh time-out 60
ip ssh authentication-retries 2
ip ddns update method sdm_ddns1
 DDNS both
no spanning-tree vlan 1
no spanning-tree vlan 2
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.2 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
interface FastEthernet2
 switchport mode trunk
!
interface Dot11Radio0
 no ip address
 ssid ADSLW-1
    vlan 2
    authentication open
    guest-mode
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_OUTSIDE$
 ip address 192.168.100.254 255.255.255.0
 ip verify unicast reverse-path
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 description $FW_INSIDE$
 ip address 172.16.11.14 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 fair-queue 2 256 0
!
interface Dialer0
 ip ddns update sdm_ddns1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname USERID
 ppp chap password 7 PASSWORD
 ppp pap sent-username USERID password
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
route-map dotradio0.2 permit 10
 match ip address 1
 set ip next-hop 172.16.100.4
!
!
control-plane
!
end

Kind Regards

Athol Reid

Hello Athol,

from what I can tell from your configuration, you would need to apply the route map to your Dot11Radio0.2 and VLAN1 interfaces:

interface Dot11Radio0.2
 encapsulation dot1Q 2
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
 --> ip policy route-map dotradio0.2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_OUTSIDE$
 ip address 192.168.100.254 255.255.255.0
 ip verify unicast reverse-path
 ip nat inside
 --> ip policy route-map dotradio0.2
 ip virtual-reassembly

Can you try this and see if that makes a difference ?

Regards,

GP

Hi Georg

I have put the commands in but they have not had the desired effect yet. I did a "sh vlans dot1q" and the results are below:

ADSLW-ROUTER#sh vlans dot1q
Total statistics for 802.1Q VLAN 1:
   0 packets, 0 bytes input
   0 packets, 0 bytes output
Total statistics for 802.1Q VLAN 2:
   7865 packets, 853292 bytes input
   11718 packets, 14695364 bytes output

Kind Regards

Athol Reid

Hello Athol,

I hope that I am not just adding to the confusion, but your VLAN 1 interface has an IP address of 192.168.100.254, and the inside interface of your firewall, which is in VLAN 1 as well, has an IP address of 172.16.100.4. If you have an IP address available from the 172.16.100.0/24 range, can you try and put it on the VLAN 1 interface of your router as a secondary address?

interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_OUTSIDE$
 ip address 192.168.100.254 255.255.255.0
 --> ip address 172.16.100.1 255.255.255.0 secondary
 ip verify unicast reverse-path
 ip nat inside
 ip virtual-reassembly

Regards,

GP

Hi Georg

I have done as you suggested but it stopped all comms at the 192.168.100.254 interface. I added an access-list of 192.168.100.0 0.0.0.255 and tried again but to no avail. I removed the entries in the meantime so that I could respond.

Kind Regards

Athol Reid

Hello,

all right... I think I made a mistake in the first place by adding the 192.168.100.0/24 subnet to the route map. Can you take this out of access list 1, and also take the route map off interface VLAN 1? So your config would look like this:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ADSLW-ROUTER
boot-start-marker
boot-end-marker
logging buffered 52000 debugging
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 12
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.49
ip dhcp excluded-address 10.10.10.100 10.10.10.254
!
ip dhcp pool wireless-1
   import all
   network 10.10.10.0 255.255.255.0
   domain-name reid.co.nz
   dns-server 203.109.252.42 203.109.252.42
   default-router 10.10.10.1
!
!
no ip bootp server
no ip domain lookup
ip domain name reid.co.nz
ip name-server 203.109.252.43
ip name-server 203.109.252.42
ip ssh time-out 60
ip ssh authentication-retries 2
ip ddns update method sdm_ddns1
 DDNS both
no spanning-tree vlan 1
no spanning-tree vlan 2
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.2 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
interface FastEthernet2
 switchport mode trunk
!
interface Dot11Radio0
 no ip address
 ssid ADSLW-1
    vlan 2
    authentication open
    guest-mode
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 --> ip policy route-map dotradio0.2
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_OUTSIDE$
 ip address 192.168.100.254 255.255.255.0
 ip verify unicast reverse-path
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 description $FW_INSIDE$
 ip address 172.16.11.14 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 fair-queue 2 256 0
!
interface Dialer0
 ip ddns update sdm_ddns1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname USERID
 ppp chap password 7 PASSWORD
 ppp pap sent-username USERID password
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
route-map dotradio0.2 permit 10
 match ip address 1
 set ip next-hop 172.16.100.4
!
!
control-plane
!
end

Regards,

GP

Hi Georg

Thank you for that. I removed everything back to the last conf you uploaded. Once this was done and I tried to ping the DNS server, I was not able to get through from any network. I added another access-list to allow comms to the outside world and I have listed it below.

access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 remark From Vlan1 to outside
access-list 2 permit any
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
route-map dotradio0.2 permit 10
 match ip address 1
 set ip next-hop 172.16.100.4

I guess I am confused about the routing and also whether tagging is actually working. As I said before, I pulled the cable that directly connects the router to the switch on port 6 and data flow stopped. Now I am just confused as to how that actually worked in the first place, or was I mistaken and it never worked?

Georg, I appreciate your advice and any scraps you wish to throw my way are gratefully received and hopefully assimilated.

Kind Regards

Athol Reid
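The two things that trip up this configuration are both visible by reading the config text alone: the route map's next hop (172.16.100.4) is on no subnet the router has an address in (VLAN 1 is 192.168.100.0/24, VLAN 2 is 172.16.11.0/24), which is what Georg's secondary-address suggestion addresses, and once 192.168.100.0/24 is dropped from access-list 1 that subnet is no longer permitted by the NAT source list, which is why outside comms stopped. The script below is an added example, not code from the thread or from Cisco. It parses a constructed excerpt (addresses as posted, everything else omitted) with a small IOS config parser and reports both conditions; the function and variable names are my own.

```python
"""Static checks for the policy-routing and NAT parts of an IOS config.

Added example, not code from the thread or from Cisco: it parses a constructed
excerpt (addresses as posted) and flags a 'set ip next-hop' that lies on no
connected subnet, and an 'ip nat inside' subnet the NAT source list omits.
"""
import ipaddress
import re

# Constructed excerpt: only the lines the checks need, addresses as posted.
SAMPLE_CONFIG = """\
interface Dot11Radio0.2
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip policy route-map dotradio0.2
!
interface Vlan1
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
!
interface Vlan2
 ip address 172.16.11.14 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 10.10.10.0 0.0.0.255
route-map dotradio0.2 permit 10
 match ip address 1
 set ip next-hop 172.16.100.4
"""
IP = r"\d+\.\d+\.\d+\.\d+"

def parse_config(text):
    """Return interfaces, numbered ACLs, route-maps and the NAT source-list number."""
    cfg = {"interfaces": {}, "acls": {}, "route_maps": {}, "nat_list": None}
    block = None  # ("if", name) or ("rm", name) while inside an indented section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            block = None
        elif line.startswith("interface "):
            block = ("if", line.split(None, 1)[1])
            cfg["interfaces"][block[1]] = {"nets": [], "nat_inside": False, "policy": None}
        elif m := re.match(r"route-map (\S+) (?:permit|deny) \d+$", line):
            block = ("rm", m.group(1))
            cfg["route_maps"].setdefault(m.group(1), {"acl": None, "next_hop": None})
        elif m := re.match(rf"access-list (\d+) permit ({IP}) ({IP})$", line):
            # Standard ACL entry; the wildcard mask is the inverse of a netmask.
            mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(m.group(3))))
            cfg["acls"].setdefault(m.group(1), []).append(
                ipaddress.ip_network(f"{m.group(2)}/{mask}", strict=False))
        elif m := re.match(r"ip nat inside source list (\d+) interface \S+ overload$", line):
            cfg["nat_list"] = m.group(1)
        elif block and block[0] == "if":
            iface = cfg["interfaces"][block[1]]
            if m := re.match(rf"ip address ({IP}) ({IP})", line):  # primary or secondary
                iface["nets"].append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
            elif line == "ip nat inside":
                iface["nat_inside"] = True
            elif line.startswith("ip policy route-map "):
                iface["policy"] = line.split()[-1]
        elif block and block[0] == "rm":
            rm = cfg["route_maps"][block[1]]
            if line.startswith("match ip address "):
                rm["acl"] = line.split()[-1]
            elif line.startswith("set ip next-hop "):
                rm["next_hop"] = ipaddress.ip_address(line.split()[-1])
    return cfg

def check_policy_routing(cfg):
    """Findings for every 'ip policy route-map' applied to an interface."""
    findings = []
    connected = [n for i in cfg["interfaces"].values() for n in i["nets"]]
    for if_name, iface in cfg["interfaces"].items():
        name, rm = iface["policy"], cfg["route_maps"].get(iface["policy"])
        if name and rm is None:
            findings.append(f"{if_name}: route-map {name} is applied but never defined")
        elif rm and rm["next_hop"] and not any(rm["next_hop"] in net for net in connected):
            # No connected subnet contains the next hop, so the router cannot ARP for it.
            findings.append(f"route-map {name}: next-hop {rm['next_hop']} is on none of "
                            + ", ".join(map(str, connected)))
    return findings

def check_nat_coverage(cfg):
    """Findings for 'ip nat inside' subnets that the NAT source list does not permit."""
    permitted = cfg["acls"].get(cfg["nat_list"], [])
    return [f"{if_name}: {net} is 'ip nat inside' but access-list {cfg['nat_list']} omits it"
            for if_name, iface in cfg["interfaces"].items() if iface["nat_inside"]
            for net in iface["nets"] if not any(net.subnet_of(p) for p in permitted)]

if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for finding in check_policy_routing(parsed) + check_nat_coverage(parsed):
        print(finding)
```

Run against the excerpt it reports one policy-routing finding (the next hop 172.16.100.4 is on none of the connected subnets) and two NAT findings (VLAN 1 and VLAN 2 are marked inside but access-list 1 only permits 10.10.10.0/24). Adding the secondary 172.16.100.1/24 address on Vlan1, as suggested earlier in the thread, clears the first finding; putting 192.168.100.0/24 back into access-list 1 clears the VLAN 1 NAT finding, and the output is a quick way to see which of the two changes a given edit actually fixes.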

Hello Athol,

I will try to set this up in a lab and see if I can make it work. I'll let you know...

Due to the time difference (it is about 11 PM over here), you might get this tomorrow.

Regards,

GP