
Cisco 3750 routing LAN to WAN fails

Status
Not open for further replies.

ictbus

IS-IT--Management
Jul 27, 2009
9
NL
Hi,

We have a Cisco c3750 router with ip-services image (12.50).
A cable modem maintains the physical connection to the ISP, so:

internet -> modem /ethernet out -> cisco 3750, port 24. -> other switchports -> LAN-clients

All ports are in default VLAN 1.
port 23: windows 2003 server with dns/dhcp server.(192.168.10.100, default gateway 192.168.10.1 )
port 22: PC with windows XP ( dhcp-client )
vlan 1 : ip address 192.168.10.1 (default gateway )
so no problems with LAN.

Goal: connecting PC/hosts in VLAN 1 to internet

status:
set ip routing,
WAN port (fa1/0/24) configured as a router and successfully connected to internet.
I can reach any internet-address from the console.
Also the PC gets an ip-address from the server.

problem:
PC has no connection with internet =>
routing from VLAN1 to "internet/port 24" isn't working.

What step should I take?
Tried default-router / default network / default gateway stuff, nothing seems to work. According to the documentation it should work.

"show run" output=>

switch1#sh run
Building configuration...

Current configuration : 4704 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname switch1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$21eT$RJFqeLz6DrTBC40zUP2UW0
enable password ict00000
!
no aaa new-model
switch 2 provision ws-c3750-24p
system mtu routing 1500
ip subnet-zero
ip routing

!
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61

spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet2/0/1
!
interface FastEthernet2/0/2
!
interface FastEthernet2/0/3
!
interface FastEthernet2/0/4
!
interface FastEthernet2/0/5
!
interface FastEthernet2/0/7
!
interface FastEthernet2/0/8
!
interface FastEthernet2/0/9
!
interface FastEthernet2/0/10
!
interface FastEthernet2/0/11
!
interface FastEthernet2/0/12
!
interface FastEthernet2/0/13
!
interface FastEthernet2/0/14
!
interface FastEthernet2/0/15
!
interface FastEthernet2/0/16
!
interface FastEthernet2/0/17
!
interface FastEthernet2/0/18
!
interface FastEthernet2/0/19
!
interface FastEthernet2/0/20
!
interface FastEthernet2/0/21
!
interface FastEthernet2/0/22
!
interface FastEthernet2/0/23
!
interface FastEthernet2/0/24
description WAN
no switchport
ip address dhcp
srr-queue bandwidth share 10 10 60 20
priority-queue out
mls qos trust dscp
auto qos voip trust
macro description cisco-router
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/1
!
interface GigabitEthernet2/0/2
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
ip directed-broadcast
ip pim sparse-dense-mode
no arp arpa
!
interface Vlan2
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 82.73.10.1 254
ip route 0.0.0.0 0.0.0.0 82.73.26.1 254
ip route 0.0.0.0 0.0.0.0 82.73.26.1 254
ip route 192.168.10.0 255.255.255.0 82.73.19.239
ip http server
!
!
!
control-plane
!
!
line con 0
line vty 0 4
password xxxxxxxx
login
length 0
line vty 5 15
password xxxxxxxx
login
length 0
!
end


switch1#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa2/0/1, Fa2/0/2, Fa2/0/3
                                                Fa2/0/4, Fa2/0/5, Fa2/0/6
                                                Fa2/0/7, Fa2/0/8, Fa2/0/9
                                                Fa2/0/10, Fa2/0/11, Fa2/0/12
                                                Fa2/0/13, Fa2/0/14, Fa2/0/15
                                                Fa2/0/16, Fa2/0/17, Fa2/0/18
                                                Fa2/0/19, Fa2/0/20, Fa2/0/21
                                                Fa2/0/22, Fa2/0/23, Gi2/0/1
                                                Gi2/0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1005 trnet 101005 1500 - - - ibm - 0 0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------


switch1#show ip int
Vlan1 is up, line protocol is up
Internet address is 192.168.10.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Multicast reserved groups joined: 224.0.0.1 224.0.0.2 224.0.0.22 224.0.0.13
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Output features: Check hwidb
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
Vlan2 is down, line protocol is down
Internet protocol processing disabled
FastEthernet2/0/1 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/2 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/3 is down, line protocol is down
Inbound access list is not set
Inbound access list is not set
FastEthernet2/0/5 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/6 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/7 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/8 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/9 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/10 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/11 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/12 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/13 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/14 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/15 is down, line protocol is down
FastEthernet2/0/15 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/16 is up, line protocol is up
Inbound access list is not set
FastEthernet2/0/17 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/18 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/19 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/20 is up, line protocol is up
Inbound access list is not set
FastEthernet2/0/21 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/22 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/23 is down, line protocol is down
Inbound access list is not set
FastEthernet2/0/24 is up, line protocol is up
Internet address is 82.73.27.30/23
Broadcast address is 255.255.255.255
Address determined by DHCP
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Output features: Check hwidb
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
GigabitEthernet2/0/1 is down, line protocol is down
Inbound access list is not set
GigabitEthernet2/0/2 is down, line protocol is down
Inbound access list is not set


switch1#ping google.nl

Translating "google.nl"...domain server (212.54.35.25) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.77.104, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/17 ms
switch1#
 
a couple of things:
1) the 3750 does not have the capability to perform NAT therefore your private addresses will not be translated to a publicly routable IP. Is there something else upstream that takes care of the NAT process??
2) what's the purpose of all of this:
Code:
ip route 0.0.0.0 0.0.0.0 82.73.10.1 254
ip route 0.0.0.0 0.0.0.0 82.73.26.1 254
ip route 0.0.0.0 0.0.0.0 82.73.26.1 254
ip route 192.168.10.0 255.255.255.0 82.73.19.239

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
ad1) I guess/hope the cablemodem (arris tm501/b) ?

ad2) These routes are generated automatically. The ethernet (port 24) only has "ip address dhcp". I just tried a lot of times and for some reason it changes.
The last one can be removed. It was a sort of experiment of mine.

So my purpose is very simple: get a PC/host to internet only with the cablemodem and the, expensive, 3750 router.
 
Forgot to tell you that pinging from the console of the 3750 router to an internet address works fine. So I guess NAT is working fine from there. The only failing thing is the route between LAN ( 192.168.10 ) and WAN ( 82.73.x.y )
 
"So I guess NAT is working fine from there"
Not necessarily. Your g2/0/24 has a publicly routable IP. It will source the pings from that interface unless you tell it to source the ping from the 192.168.10.1 address. I would verify that the modem does in fact perform the NATing.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
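
The points raised in the two replies above (no NAT on the switch, pings sourced from the public WAN address, and the odd static route for the LAN subnet) can be checked mechanically against the posted output. This is an added example, not part of the thread: the function names are illustrative, and the sample config is a constructed excerpt of the posted "show run".

```python
import ipaddress
import re

# Constructed excerpt: routing-relevant lines of the posted "show run".
SAMPLE_CONFIG = """\
interface FastEthernet2/0/24
no switchport
ip address dhcp
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 82.73.10.1 254
ip route 192.168.10.0 255.255.255.0 82.73.19.239
"""
WAN_ADDRESS = "82.73.27.30"  # DHCP lease from the posted "show ip int"
ADDR = re.compile(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\s*$")
ROUTE = re.compile(r"^ip route (\S+) (\S+) (\S+)")

def connected_networks(config):
    """Map interface name -> statically configured IPv4 network."""
    nets, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.startswith("!"):
            current = None  # "!" closes the interface stanza
        elif current and (m := ADDR.match(line)):
            nets[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    return nets

def audit(config, wan_address):
    """Return (code, detail) findings for the LAN-to-WAN path."""
    findings = []
    nets = connected_networks(config)
    wan_is_public = ipaddress.ip_address(wan_address).is_global
    has_nat = re.search(r"^\s*ip nat ", config, re.M) is not None
    for name, net in nets.items():
        if net.is_private and wan_is_public and not has_nat:
            findings.append(("no-nat",
                f"{net} on {name} leaves untranslated unless an upstream device "
                f"does NAT; pings from the switch itself use {wan_address}"))
    for line in config.splitlines():
        m = ROUTE.match(line)
        if m:
            dest = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            if dest in nets.values():
                findings.append(("static-over-connected",
                    f"static route for {dest} via {m[3]} duplicates a connected network"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG, WAN_ADDRESS):
        print(f"[{code}] {detail}")
```

The "no-nat" finding only says that this device does not translate; whether the modem does has to be verified separately, as the reply suggests.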
 
Hi, thanks for your info.
I'm not sure about this cablemodem. Anyway it's locked by the ISP. I suppose I can only go to internet via an extra router (for instance my Draytek) before I can use the router-function of this router/switch(??). I was so close.. it even connects to the internet but no route to the LAN.
I'm wondering why we didn't buy a normal switch if I still need a router to connect to internet?

 
"I'm wondering why we didn't buy a normal switch if I still need a router to connect to internet?"
It all depends on your needs. NAT support is one of the MAJOR differences between a normal router and a multilayer switch.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
What you need isn't a router, but a firewall. ASA 5505 would be ideal, and they cost nothing compared with what you've already spent on a switch.

And yes, a 2960 would have been all the switch you needed.
 
Thanks for all the help. I'll look for a firewall.
The choice for the 3750 has to do with a requirement for VoIP support. A telephone system will be behind this switch in a later stage.
 
As a general rule, these are the features people buy switches for:

Stackability - 3750
Layer3 - 3560, 3750
PoE - 2960,3560,3750

For me it's the stackability that makes me almost always buy 3750s, but for small regional offices which are never going to grow beyond needing a single switch a 2960 is the better choice.
 
In production we need PoE for sure, and at the main location it's possible we'll need extra ports in the future as well. Layer3 is necessary for the telephone system (Alcatel) as far as I know from our supplier.

Right now we just want to make a reference site for testing purposes.

I looked at the 5505. This firewall is not very expensive but you have to buy user licenses as well, which makes it a little less attractive. Perhaps we won't need all these licenses but around 500 users will be behind this firewall..

thanks again!
 
For single-switch small branch offices, I make do with a layer-2 switch and have all inter-VLAN routing done by the local router.

As far as relative prices go, the 3750-48PSS is twice the price of a 2960-48PS which is itself in turn twice the price of an ASA5505 10-user.
The upgrade from 10-user to unlimited-user costs just 25% of the price of the ASA.

(And that's just 10/100 switches).
 
I'll throw my .02 in here as well. Look at buying refurbished equipment. You can purchase SmartNet just as you could for brand new gear but you'll be paying significantly less for the actual hardware. We have done this with quite a few switches recently and have saved tons of money.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
There is still one thing that's confusing me: Is it possible to create an IPsec VPN tunnel between 2 Cisco 3750's? Or will you also do this on the Cisco 5505?

so:

PC - 5505 - 3750 - <internet> - 5505 - 3750 - PC
------------------------------- (tunnel a. )
------------------------------- (tunnel b. )

I was looking for an easy Cisco tool to set up a tunnel from a GUI, but first I need to know if it's possible at all.
( tunnel a or b ? )

I'm used to Draytek where it's really a piece of cake.

 
My drawing is a little damaged. But the question is simple: set up the tunnel between the 5505's or the 3750's?

 
5505's

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I thought so ..
Well, I guess I'll close this thread and start looking for those router/firewalls.

Thanks again for your professional info!

regards,
Edwin
 