From: Jason on
Hi,

I have a home lab which comprises a few routers & 2 x 2950 switches; I
use a 2611XM router with an ADSL wic to connect to the Internet. I have
been refreshing my CCNA ICND skills in preparation for studying for the
CCNA Security exam; I have set up inter-VLAN routing on my router (and
switches) which works fine, I have 2 subinterfaces FastEthernet0/0.1 for
local subnet 192.168.1.0/24 & FastEthernet0/0.10 for local subnet
192.168.10.0/24 - clients on one subnet can ping clients on the other as
expected.

My problem is that once I have this config in place no clients on either
subnet can access the Internet, however I can ping external addresses from
the router. If I remove subinterface FastEthernet0/0.1 and configure
address 192.168.1.0/24 directly on FastEthernet0 then clients on that
subnet can access the Internet but clients on the FastEthernet0/0.10
subinterface still can't. It seems as though subnets connected via a
subinterface can't route through the Internet; I'm guessing this is because
the correct VLAN tag can't be added to the L2 header once the packet is
received back from the Internet? I have included: 'show ver'; 'show run';
'show ip interface brief' & 'show ip route' outputs below.

Can anyone give a solution / explanation for this behaviour?

Regards, Jason

2611XM#show ver
Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(17), RELEASE SOFTWARE (fc1)

2611XM#show running-config
Building configuration...

Current configuration : 3891 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 2611XM
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
no ip gratuitous-arps
ip cef
!
!
no ip bootp server
no ip domain lookup
ip domain name xxxxxxxxxxxxxxx
ip name-server 4.2.2.2
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
login block-for 5 attempts 5 within 5
!
username jason password 7 xxxxxxxxxxxxxxx
archive
log config
logging enable
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface FastEthernet0/0
ip scp server enable
!
!
interface Loopback1
ip address 10.0.0.1 255.0.0.0
!
interface FastEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
no cdp enable
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
no cdp enable
!
interface Serial0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface ATM0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
interface Dialer1
ip address negotiated
ip access-group autosec_firewall_acl in
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect autosec_inspect out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
!
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
permit ip any any
!
logging trap debugging
logging facility local2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 permit udp any any eq bootpc
no cdp run
!
!
!
control-plane
banner motd ^CNo Unauthorised Access^C

!
end

2611XM#show ip interface brief

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up
FastEthernet0/0.1          192.168.1.1     YES NVRAM  up                    up
FastEthernet0/0.10         192.168.10.1    YES NVRAM  up                    up
Serial0/0                  unassigned      YES NVRAM  administratively down down
ATM0/1                     unassigned      YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
NVI0                       unassigned      NO  unset  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
Dialer1                    86.147.x.x      YES IPCP   up                    up
Loopback1                  10.0.0.1        YES NVRAM  up                    up


2611XM#show ip route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

217.47.x.x/32 is subnetted, 1 subnets
C 217.47.x.x is directly connected, Dialer1
86.0.x.x/32 is subnetted, 1 subnets
C 86.147.x.x is directly connected, Dialer1
C 192.168.10.0/24 is directly connected, FastEthernet0/0.10
C 10.0.0.0/8 is directly connected, Loopback1
C 192.168.1.0/24 is directly connected, FastEthernet0/0.1
S* 0.0.0.0/0 is directly connected, Dialer1

From: Mariusz 'BB' Trojanowski on
Hi Jason

Simply move the ip nat inside command from the main interface to both
subinterfaces (as well as all other commands beginning with ip ..., as
they have no effect on the main F0/0 interface when it has no ip
address) and you'll be fine.

--
Regards @ Mariusz Trojanowski @@@ slotyzmok @ narod!ru (s <-> z)
"- Please show your tongue. Please say thirty-three. Breathe.
Don't breathe. I think, Captain, that it's not that dangerous."
[Burzliwe życie Lejzorka Rojtszwańca]


On 12/12/2009 5:38 PM, Jason wrote:
> Hi,
>
> I have a home lab which comprises a few routers & 2 x 2950 switches; I
> use a 2611XM router with an ADSL wic to connect to the Internet. I have
> been refreshing my CCNA ICND skills in preparation for studying for the
> CCNA Security exam; I have set up inter-VLAN routing on my router (and
> switches) which works fine, I have 2 subinterfaces FastEthernet0/0.1 for
> local subnet 192.168.1.0/24 & FastEthernet0/0.10 for local subnet
> 192.168.10.0/24 - clients on one subnet can ping clients on the other as
> expected.
>
> My problem is that once I have this config in place no clients on either
> subnet can access the Internet, however I can ping external addresses from
> the router. If I remove subinterface FastEthernet0/0.1 and configure
> address 192.168.1.0/24 directly on FastEthernet0 then clients on that
> subnet can access the Internet but clients on the FastEthernet0/0.10
> subinterface still can't. It seems as though subnets connected via a
> subinterface can't route through the Internet, I'm guessing this is because
> the correct VLAN tag can't be added to the L2 header once the packet is
> received back from the Internet? I have included: 'show ver'; 'show run';
> 'show ip interface brief' & 'show ip route' outputs below.
>
> Can anyone give a solution / explanation for this behaviour?
>
> Regards, Jason
[cut]
> interface FastEthernet0/0
> no ip address
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat inside
> ip virtual-reassembly
> duplex auto
> speed auto
> no mop enabled
> !
> interface FastEthernet0/0.1
> encapsulation dot1Q 1 native
> ip address 192.168.1.1 255.255.255.0
> no cdp enable
> !
> interface FastEthernet0/0.10
> encapsulation dot1Q 10
> ip address 192.168.10.1 255.255.255.0
> no cdp enable
From: Jason on
Mariusz 'BB' Trojanowski <mariusz(a)address.in.sig> wrote in news:hg0kg3$429$1(a)inews.gazeta.pl:

> Hi Jason
>
> Simply move the ip nat inside command from the main interface to both
> subinterfaces (as well as all other commands beginning with ip ..., as
> they have no effect on the main F0/0 interface when it has no ip
> address) and you'll be fine.
>

Thanks very much, your answer makes perfect sense.

Regards,
Jason
From: Lukas Schratz on
["Followup-To:" set to comp.dcom.sys.cisco.]
* Jason typed into the number-cruncher:
> Hi,
>
> My problem is that once I have this config in place no clients on either
> subnet can access the Internet, however I can ping external addresses from
> the router. If I remove subinterface FastEthernet0/0.1 and configure
> address 192.168.1.0/24 directly on FastEthernet0 then clients on that
> subnet can access the Internet but clients on the FastEthernet0/0.10
> subinterface still can't. It seems as though subnets connected via a
[...]
> !
> interface FastEthernet0/0
> no ip address
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat inside
> ip virtual-reassembly
> duplex auto
> speed auto
> no mop enabled
> !
> interface FastEthernet0/0.1
> encapsulation dot1Q 1 native
> ip address 192.168.1.1 255.255.255.0
> no cdp enable
> !
> interface FastEthernet0/0.10
> encapsulation dot1Q 10
> ip address 192.168.10.1 255.255.255.0
> no cdp enable
> !
You added the "nat inside" stanza to an interface that has no ip. Add it
to the subinterfaces (both 0/0.1 and 0/0.10) instead and it should work.

luke
--
System administrator: the one who makes the Internet work, but whom you
must never ask anything about Word, because otherwise he gets cross and
then the Internet stops working again.
--unknown, found at Peter J. Holzer
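Both replies above (Mariusz's and Lukas's) make the same point: `ip nat inside` sitting on a parent interface that has `no ip address` does nothing, so the dot1Q subinterfaces that actually carry the 192.168.1.0/24 and 192.168.10.0/24 addresses are never treated as NAT-inside and client traffic is sent to Dialer1 untranslated. The script below is an added example, not code from this thread or from Cisco: it parses a `show run` excerpt, flags per-interface IP commands (`ip nat inside`, `ip virtual-reassembly`) that sit on an address-less parent while its addressed subinterfaces lack them, and emits the corrected stanzas with those commands moved down. The configuration text is a constructed excerpt modelled on Jason's posted config, and all function names are my own.

```python
"""Audit a Cisco IOS running-config for per-interface IP commands placed on
a parent interface that has no IP address while its dot1Q subinterfaces
carry the addresses, and emit a corrected config.

Added example for the thread above; not Cisco's code and not the posters'.
SAMPLE_CONFIG is a constructed excerpt; all function names are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt: the parent carries 'ip nat inside' but no address,
# the two subinterfaces carry the addresses but no NAT statement.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 no ip address
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 no cdp enable
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 no cdp enable
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
"""

# Per-interface IP commands that only take effect where an IP address lives.
IP_COMMANDS = ("ip nat inside", "ip virtual-reassembly")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [stripped stanza lines]} for each 'interface' stanza.
    A stanza ends at the next '!' separator or the next 'interface' line."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas


def has_ip_address(lines: List[str]) -> bool:
    """True if the stanza assigns an address ('no ip address' does not match)."""
    return any(l.startswith("ip address") for l in lines)


def find_misplaced_nat(stanzas: Dict[str, List[str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (parent, command, [subinterfaces missing it]) for every IP_COMMAND
    that sits on an address-less parent whose addressed subinterfaces lack it."""
    findings = []
    for name, lines in stanzas.items():
        if "." in name or has_ip_address(lines):
            continue  # subinterfaces are handled via their parent
        subs = [s for s in stanzas if s.startswith(name + ".")]
        for cmd in IP_COMMANDS:
            if cmd not in lines:
                continue
            missing = [s for s in subs
                       if has_ip_address(stanzas[s]) and cmd not in stanzas[s]]
            if missing:
                findings.append((name, cmd, missing))
    return findings


def corrected_config(config: str) -> str:
    """Rewrite the config with each misplaced command removed from the parent
    and appended to the subinterfaces that need it; nothing else is touched."""
    drop: Dict[str, set] = {}
    add: Dict[str, List[str]] = {}
    for parent, cmd, subs in find_misplaced_nat(parse_interfaces(config)):
        drop.setdefault(parent, set()).add(cmd)
        for s in subs:
            add.setdefault(s, []).append(cmd)
    out, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
        elif line.startswith("!"):
            out.extend(" " + cmd for cmd in add.get(current, []))
            current = None
        elif current in drop and line in drop[current]:
            continue  # this command is being moved off the parent
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for parent, cmd, subs in find_misplaced_nat(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{parent}: '{cmd}' has no effect here; add it to {', '.join(subs)}")
    print(corrected_config(SAMPLE_CONFIG))
```

Running it against the constructed excerpt reports both commands on FastEthernet0/0 and prints the config with them moved onto FastEthernet0/0.1 and FastEthernet0/0.10; auditing the corrected output again reports nothing. Dialer1 is left alone because it has a negotiated address, so `ip nat outside` there is already effective.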