Cisco 1811, two LANs and routing

Status
Not open for further replies.

VasiliyP

Programmer
Jun 29, 2007
15
US
Hi,
I've replaced my old flaky 831 with an 1811. I'm trying to accomplish one thing, which will allow me to get rid of the extra routers on the network. I'm new to Cisco, so I have no idea how to do this.

I've got following setup:
Code:
cable modem (fe0) -> cisco 1811 -> (fe2) office lan 192.168.10.1/24  
                          ||  
                          \/  
                         (fe1)  
                     another network  
                     192.168.99.1/24
I've assigned IP address 192.168.99.7 to the fe1 port, and from the router I can ping any host on the 192.168.99.0/24 network. But from my computers in the LAN I can't ping anything. I suspect I'm missing a route, but have no idea which one. The only default route I have is to my WAN connection on the cable modem.

Please help.
Thank you.
 
Code:
!This is the running config of the router: 192.168.10.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rt84
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$jcFZ$wCIIGCQIh300sFynXogOe0
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.19
ip dhcp excluded-address 192.168.10.81 192.168.10.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.10.0 255.255.255.0
   dns-server 208.67.220.220 208.67.222.222 
   default-router 192.168.10.1 
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name mydomain.com
ip name-server 208.67.220.220
ip name-server 208.67.222.222
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-1334614806
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1334614806
 revocation-check none
 rsakeypair TP-self-signed-1334614806
!
!
crypto pki certificate chain TP-self-signed-1334614806
 certificate self-signed 01
	 deleted
  quit
username mwfw privilege 15 secret 5 **********************
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key password address 209.*.*.66
crypto isakmp key password address 209.*.*.*
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to209.*.*.66
 set peer 209.*.*.66
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES-SHA 
 set pfs group2
 match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp 
 description Tunnel to 209.*.*.* 
 set peer 209.*.*.*
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES-SHA 
 match address 101
!
!
!
!
interface FastEthernet0
 description $ES_WAN$$FW_OUTSIDE$
 ip address 24.*.*.44 255.255.255.240
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 description $ETH-LAN$
 ip address 192.168.99.7 255.255.255.0
 ! ACL 105 is applied outbound only: it filters packets leaving fe1 toward
 ! 192.168.99.0/24 and does not see packets entering fe1 (there is no "in" ACL)
 ip access-group 105 out
 speed 100
 full-duplex
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 24.*.*.*
! 192.168.99.0/24 is directly connected via FastEthernet1 (192.168.99.7/24),
! so this static route duplicates the connected route
ip route 192.168.99.0 255.255.255.0 192.168.99.5 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.10.93 22 interface FastEthernet0 22
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 24.*.*.0 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip host 192.168.10.11 host 192.*.*.*.142
access-list 101 permit ip host 192.168.10.121 host 192.*.*.*.142
access-list 102 remark Outbound rules
access-list 102 remark SDM_ACL Category=1
access-list 102 remark IPSec Rule
access-list 102 permit ip host 192.*.*.* host 192.168.10.11
access-list 102 permit ip host 192.*.*.*.142 host 192.168.10.121
access-list 102 permit udp host 209.*.*.* host 24.*.*.44 eq non500-isakmp
access-list 102 permit udp host 209.*.*.* host 24.*.*.44 eq isakmp
access-list 102 permit esp host 209.*.*.* host 24.*.*.44
access-list 102 permit ahp host 209.*.*.* host 24.*.*.44
access-list 102 remark Auto generated by SDM for NTP (123) pool.ntp.org
access-list 102 permit udp host 216.14.97.75 eq ntp host 24.*.*.44 eq ntp
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit udp host 209.*.*.66 host 24.*.*.44 eq non500-isakmp
access-list 102 permit udp host 209.*.*.66 host 24.*.*.44 eq isakmp
access-list 102 permit esp host 209.*.*.66 host 24.*.*.44
access-list 102 permit ahp host 209.*.*.66 host 24.*.*.44
access-list 102 permit udp host 208.67.222.222 eq domain host 24.*.*.44
access-list 102 permit udp host 208.67.220.220 eq domain host 24.*.*.44
access-list 102 deny   ip 192.168.10.0 0.0.0.255 any
access-list 102 permit tcp host 68.*.*.* host 24.*.*.44 eq 443
access-list 102 permit tcp host 68.*.*.* host 24.*.*.44 eq 22
access-list 102 permit tcp host 68.*.*.* host 24.*.*.44 eq cmd
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.10.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip host 192.168.10.11 host 192.*.*.*.142
access-list 104 deny   ip host 192.168.10.121 host 192.*.*.*.142
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.10.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 104 permit ip 192.168.10.0 0.0.0.255 any
access-list 105 remark Access list for Carteret
access-list 105 remark SDM_ACL Category=17
access-list 105 permit tcp host 192.168.10.11 192.168.99.0 0.0.0.255 log
access-list 105 permit icmp any any log
access-list 105 deny   ip any any log
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
!
!
!
control-plane
!
banner exec ^C
Welcome to the Router
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180135
ntp update-calendar
ntp server 216.14.97.75 source FastEthernet0
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
 
Just to correct the original diagram, here is a fuller one.

Code:
 cable modem (fe0) -> cisco 1811 -> (fe2) office lan 192.168.10.1/24
                         ||
                         \/
                        (fe1)
                    another network
                     192.168.99.7
                            |
                            |very long ethernet 
                            |connection
                            |
                      192.168.99.5
                          ||
                          \/
                         rest of 
                   192.168.99.0/24 network
 
You do not have to put any routes in, since they are all directly connected. Can we assume that for your two internal networks you are using switches? If so, what kind? Also, can you get out to the Internet fine with "another network"? Can you ping any hosts in the LAN from the "another network"? Can you ping any hosts in the LAN from the router? Can the router ping anything in the LAN? What is the airspeed velocity of an unladen swallow?

Burt
 
>Can we assume that for your two internal networks you are using switches, if so, what kind?
I'm connected directly to the 1811 via a switch port. So far, I'm the only computer on the 192.168.10.x network.
As to the 192.168.99.x network, there is a SOHO 91 router, and I'm connected to one of its switch ports on the other end.

>Also, can you get out to the internet fine with "another network"?
There is separate internet connection for that network.

>Can you ping any hosts in the LAN from the "another network"?
No.

>Can you ping any hosts in the LAN from the router?
yes. I can ping both 192.168.10.x and 192.168.99.x hosts from the router.

>What is the airspeed velocity of an unladen swallow?
Do you mean I need to use Google?
 
Do you have a route in the SOHO 91 router for the .10 network?

Burt, I giggled like a third-grade schoolgirl at this one, man.
What is the airspeed velocity of an unladen swallow?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Get rid of this...

ip route 192.168.99.0 255.255.255.0 192.168.99.5 permanent

Also, after that, ping again and check your logs (sh logg), since you're logging the attempts with ACL 105...

NI!

ickyickyickyickyzimbambapponWOOMneewom...

Burt the Shrubber
 
ACL 105 allows the ping to go through, but I don't receive a response.
I've tried adding that route; it didn't make any change, since .5 is just a system on the other end (i.e., we're using a switch port on the SOHO 91).

I've put my laptop with Wireshark on the other end, set it to .99.5 and started pinging it. I see the ping coming in to .5, but it never makes it back to my system.
 
Hi, I am a newbie but venture to say that on the 1811, fe2 to fe9 are probably L2 switch ports on VLAN1 while fe0 and fe1 are L3 "routing" ports?

It might be easier to see if this assumption is valid by perhaps building a bare config with fe0, fe1, fe2 (without ACLs) and seeing what is truly going on.

Regards,
 
I've figured out what the problem was: with rule 105 I allowed packets to come through, but never allowed them to return. As soon as I allowed that, everything started to work.
In any case, thank you for your help.
This thread is another example of what can go wrong when you're in a hurry :)
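The thread turns on what ACL 105, bound with `ip access-group 105 out` on FastEthernet1, does to the echo request and to its reply. Below is an added example (not code from the thread or from Cisco) that parses the posted ACL 105 text and evaluates constructed packets against it using IOS wildcard-mask and first-match semantics, and that models the fact that an ACL applied `out` on an interface is consulted only for packets leaving that interface. The hosts 192.168.10.5 and 192.168.99.20 and the source ports are made up; the ACL lines are copied from the running-config above.

```python
# Cisco IOS extended-ACL evaluator (added example, not code from the thread).
# Rules modelled: wildcard-mask matching (a 1 bit means "don't care"),
# first-match-wins with an implicit deny, and the fact that an ACL bound with
# `ip access-group N out` sees only packets leaving that interface.
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "action proto src sport dst dport log text")
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))

# Named ports IOS prints in "eq" clauses in the posted config.
NAMED_PORTS = {"isakmp": 500, "non500-isakmp": 4500, "ntp": 123,
               "domain": 53, "cmd": 514, "www": 80}
PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "esp": 50, "ahp": 51}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Consume `any` | `host A` | `A WILDCARD`; return ((addr, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def _port(tok):
    """Consume an optional `eq PORT` clause (named or numeric)."""
    if tok and tok[0] == "eq":
        return NAMED_PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def parse_acl(config, number):
    """Pull the entries of `access-list <number>` out of running-config text."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        proto, rest = PROTO_NUM[t[3]], t[4:]
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        aces.append(Ace(t[2], proto, src, sport, dst, dport, "log" in rest, line.strip()))
    return aces

def _match(spec, addr):
    net, wild = spec  # compare only the bits the wildcard leaves as 0
    return (_ip(addr) | wild) == (net | wild)

def evaluate(aces, pkt):
    """First matching entry decides; nothing matching is the implicit deny."""
    for a in aces:
        if a.proto is not None and a.proto != pkt.proto:
            continue
        if not (_match(a.src, pkt.src) and _match(a.dst, pkt.dst)):
            continue
        if (a.sport is not None and a.sport != pkt.sport) or \
           (a.dport is not None and a.dport != pkt.dport):
            continue
        return a.action, a.text
    return "deny", "implicit deny"

def interface_filter(bound, direction, pkt):
    """`bound` maps 'in'/'out' to an ACL; no ACL in a direction = pass unexamined."""
    if direction not in bound:
        return "permit", "no ACL applied " + direction
    return evaluate(bound[direction], pkt)

# ACL 105 copied verbatim from the posted running-config.
RUNNING_CONFIG = """
access-list 105 remark Access list for Carteret
access-list 105 remark SDM_ACL Category=17
access-list 105 permit tcp host 192.168.10.11 192.168.99.0 0.0.0.255 log
access-list 105 permit icmp any any log
access-list 105 deny   ip any any log
"""

def demo():
    acl105 = parse_acl(RUNNING_CONFIG, 105)
    fe1 = {"out": acl105}  # as posted: `ip access-group 105 out` on FastEthernet1
    # Constructed traffic: 192.168.10.5 and 192.168.99.20 are made-up hosts.
    echo_req = Packet(1, "192.168.10.5", "192.168.99.5")
    echo_rep = Packet(1, "192.168.99.5", "192.168.10.5")
    ssh_ok = Packet(6, "192.168.10.11", "192.168.99.20", 51000, 22)
    ssh_bad = Packet(6, "192.168.10.5", "192.168.99.20", 51001, 22)
    return {
        "echo_request_out_fe1": interface_filter(fe1, "out", echo_req),
        "echo_reply_in_fe1": interface_filter(fe1, "in", echo_rep),
        "ssh_from_10.11_out_fe1": interface_filter(fe1, "out", ssh_ok),
        "ssh_from_10.5_out_fe1": interface_filter(fe1, "out", ssh_bad),
        "logged_entries": [a.text for a in acl105 if a.log],
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows which entry each packet hits and that every entry of ACL 105 carries `log`, so the `sh logg` output Burt asks for will contain a line per hit, including the final `deny ip any any log`. Because nothing is bound inbound on fe1, the evaluator passes the echo reply unexamined there; whether the reply ever reaches the 1811 at all is decided on the 192.168.99.0/24 side, not by this ACL.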
 
In response to a question posed by Burt, you said:
There is separate internet connection for that network.
Do the hosts on this network have their gateway set to this other device providing Internet connectivity?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
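ColdFlame's question above is about the return path: the far-end hosts' default gateway is the SOHO 91, which has its own Internet connection, so a reply addressed to 192.168.10.x only comes back to the 1811 if something on that side knows where 192.168.10.0/24 lives. As an added example (not from the thread), the trace below gives each device a longest-prefix-match forwarding table and follows the echo reply from 192.168.99.5 back toward the office LAN under three hypothetical tables. Assumptions: the SOHO 91 is taken to be 192.168.99.1 (the page labels the network 192.168.99.1/24 but never states the SOHO 91's own address), 203.0.113.1 stands in for its ISP next hop, and 192.168.10.5 is a made-up office host; the 1811's addresses 192.168.10.1 and 192.168.99.7 are the page's.

```python
# Return-path trace for the thread's topology (added example, not from the page).
# Each device has a forwarding table resolved by longest-prefix match; an echo
# reply from 192.168.99.5 is followed hop by hop back toward 192.168.10.0/24.
# Assumed values: SOHO 91 = 192.168.99.1, its ISP next hop = 203.0.113.1,
# office host = 192.168.10.5. The 1811 (rt84) addresses are from the post.
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match. routes: {prefix: next_hop}; 'connected' = deliver directly."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for prefix, nh in routes.items():
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else best[1]

def owner(devices, ip):
    """Which modelled device holds this address (None = outside the model)."""
    return next((n for n, d in devices.items() if ip in d["addrs"]), None)

def trace(devices, start, dst, max_hops=8):
    """Return (path, outcome) for a packet to `dst` injected at device `start`."""
    path, cur = [start], start
    for _ in range(max_hops):
        nh = lookup(devices[cur]["routes"], dst)
        if nh is None:
            return path, "dropped: no route on " + cur
        if nh == "connected":
            return path, "delivered"
        nxt = owner(devices, nh)
        if nxt is None:
            return path, "lost: forwarded to " + nh + " outside the LANs"
        path.append(nxt)
        cur = nxt
    return path, "dropped: hop limit"

# The 1811 as posted: Vlan1 192.168.10.1/24 and fe1 192.168.99.7/24, both connected.
RT84 = {"addrs": {"192.168.10.1", "192.168.99.7"},
        "routes": {"192.168.10.0/24": "connected", "192.168.99.0/24": "connected"}}

def build(host_route=None, soho_route=None):
    """Topology from the OP's second diagram, with optional return routes added."""
    host = {"addrs": {"192.168.99.5"},
            "routes": {"192.168.99.0/24": "connected", "0.0.0.0/0": "192.168.99.1"}}
    soho = {"addrs": {"192.168.99.1"},   # assumed address for the SOHO 91
            "routes": {"192.168.99.0/24": "connected", "0.0.0.0/0": "203.0.113.1"}}
    if host_route:
        host["routes"]["192.168.10.0/24"] = host_route
    if soho_route:
        soho["routes"]["192.168.10.0/24"] = soho_route
    return {"host99_5": host, "soho91": soho, "rt84": RT84}

def reply_as_posted():
    """Echo reply when neither the host nor the SOHO 91 knows 192.168.10.0/24."""
    return trace(build(), "host99_5", "192.168.10.5")

def reply_with_soho_route():
    """Burt's question answered 'yes': the SOHO 91 routes .10 via the 1811's fe1."""
    return trace(build(soho_route="192.168.99.7"), "host99_5", "192.168.10.5")

def reply_with_host_route():
    """Alternative: the far-end host itself points .10 at 192.168.99.7."""
    return trace(build(host_route="192.168.99.7"), "host99_5", "192.168.10.5")

if __name__ == "__main__":
    for f in (reply_as_posted, reply_with_soho_route, reply_with_host_route):
        print(f.__name__, f())
```

In the as-posted table the reply follows the default route out the SOHO 91's own uplink, which matches what Wireshark at .5 would show: the request arrives, and no reply reaches the 1811. A route for 192.168.10.0/24 pointing at 192.168.99.7 on either the SOHO 91 or the far-end host closes the loop; no static route is needed on the 1811 itself, since both LANs are directly connected to it.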
 