
Cisco 837 blocking subnet traffic in only one direction?

Status
Not open for further replies.

TechnicalTim

Technical User
Oct 21, 2002
46
AU
I have recently added a wireless access point to my home network and relocated one of my PCs onto the wireless LAN. Here is the basic rundown of my network:

Cisco 837 running as my gateway to the web via DSL. Its internal LAN IP is 10.10.10.1
One PC is physically connected to the 837's switch – manually configured LAN adapter is set to IP 10.10.10.192/24 – default gateway is 10.10.10.1
Wireless Access Point's "WAN" Ethernet (input) is plugged into a second LAN port on the 837's switch - CWRS shows the MAC address of the WAP attached to the Cisco 837 on IP 10.10.10.2.
WAP’s internal LAN (opposite side to the Cisco 837) address is 10.10.20.199
Second PC, connected via WLAN to DLink has its LAN adapter manually set to 10.10.20.193/24 with a default gateway of 10.10.10.1

OK, so I can browse the internet fine from both PCs and ping 10.10.10.192 and 10.10.10.1 from the WLAN connected PC (its IP being 10.10.20.193)

The WLAN connected PC wouldn’t resolve the hostname of the 1st hardwired PC so I added an entry to its hosts file and that solved that problem. All other DNS requests go via the DNS server configured in the 837 and I can ping various internet addresses and domains without any problems.

The problem I have is back at the hardwired PC (10.10.10.192). It can get to the web and can reach the 837 on 10.10.10.1. I can also ping 10.10.10.2. However, I cannot reach the DLink WAP nor the WLAN connected PC. To isolate the issue, I logged into my 837 and it also cannot get a response from pings to 10.10.20.199. Therefore, I can only transfer files to and from the hardwired LAN attached PC if I am logged on to the WLAN connected PC.

Inevitably, the question is, “Why is it so?” I would have thought if 10.10.20.193 could reach 10.10.10.192, that the Cisco and the DLink were not blocking traffic. However, it looks to me (and this is where I need help) that the Cisco may not be allowing traffic through to the 10.10.20.0 subnet if it originates exclusively from the 10.10.10.0 subnet (reasoning is that outside (i.e. Web) traffic is allowed, otherwise my WLAN PC would not be able to get to the web or the 10.10.10.0 network).

I’ve played about with my ip-route commands but to no avail and this is where I get a little vague. Here is the config of my 837.. the answer is there, but I don’t know what I’ve missed or done wrong..



Router>en
Password:
Router#sh run
Building configuration...

Current configuration : 3484 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 xxxxxxxxxxxx
!
username Router password 0 xxxxxxxxxxxx
username CRWS_Kannan privilege 15 password 0 xxxxxxxxxxxxxxxx
username CRWS_Venky privilege 15 password 0 xxxxxxxxxxxxxxxxx
username CRWS_dheeraj privilege 15 password 0 xxxxxxxxxxxxxxx
no aaa new-model
ip subnet-zero
ip name-server 203.8.183.1
ip name-server 192.189.54.33
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
no crypto isakmp enable
!
!
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip nat outside
ip inspect myfw out
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxxxxxxxxxxx@xxxx.xxx.au
ppp chap password 0 xxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxx@xxxx.xxx.au password 0 xxxxxxx
ppp ipcp dns request
ppp ipcp wins request
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.20.0 255.255.255.0 10.10.10.2
ip http server
no ip http secure-server
ip nat inside source list 102 interface Dialer1 overload
!
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 111 deny icmp any any echo
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
!
end


Any suggestions would save my hair from being pulled out and be gratefully received…
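As an added example (not part of the original post, and not a Cisco tool), the script below reads the forwarding-relevant lines of the config above and answers two questions a reader otherwise has to eyeball: which next hop and egress interface the 837 picks for a given destination, and whether NAT list 102 would translate a given source address. The config excerpt is copied from the post; the parsing and lookup functions are constructed here and model only the static routes, connected routes and the single ACL 102 line shown, not the full IOS forwarding logic.

```python
"""Route and NAT-ACL lookup against a Cisco IOS running-config excerpt.

Added example, not from the original post: parses 'ip route', 'ip address'
and 'access-list 102' lines and answers "which way does the 837 forward a
packet to X?" and "would NAT list 102 translate a packet from Y?".
"""
import ipaddress
import re

# Excerpt of the poster's running-config (only the forwarding-relevant lines).
CONFIG = """\
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip address negotiated
 ip nat outside
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.20.0 255.255.255.0 10.10.10.2
ip nat inside source list 102 interface Dialer1 overload
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
"""


def parse_connected(config):
    """Return {interface: IPv4Network} for interfaces with a static 'ip address'.

    'ip address negotiated' (Dialer1) has no mask, so it is not a connected route."""
    connected = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*ip address (\S+) (\S+)$", line)
        if m and current:
            connected[current] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
    return connected


def parse_static_routes(config):
    """Return [(IPv4Network, next_hop)] from 'ip route <net> <mask> <nexthop>' lines.
    The next hop may be an IP address or an interface name such as Dialer1."""
    routes = []
    for line in config.splitlines():
        m = re.match(r"ip route (\S+) (\S+) (\S+)", line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, m.group(3)))
    return routes


def lookup(dst, config=CONFIG):
    """Longest-prefix match for dst; returns (network, next_hop, egress_interface).

    A next-hop IP is resolved recursively to the connected interface that
    reaches it; an interface-name next hop is its own egress interface."""
    dst = ipaddress.ip_address(dst)
    connected = parse_connected(config)
    candidates = [(net, None, ifname) for ifname, net in connected.items()]
    candidates += [(net, nh, None) for net, nh in parse_static_routes(config)]
    best = max((c for c in candidates if dst in c[0]),
               key=lambda c: c[0].prefixlen, default=None)
    if best is None:
        return None
    net, nh, egress = best
    if egress is None:
        try:
            nh_ip = ipaddress.ip_address(nh)
        except ValueError:
            egress = nh  # next hop given as an interface name (Dialer1)
        else:
            for ifname, cnet in connected.items():
                if nh_ip in cnet:
                    egress = ifname
    return (str(net), nh, egress)


def parse_acl(config, number):
    """Return [(action, IPv4Network)] for 'access-list <n> permit|deny ip <net> <wildcard> any'."""
    entries = []
    for line in config.splitlines():
        m = re.match(rf"access-list {number} (permit|deny) ip (\S+) (\S+) any", line)
        if m:
            wildcard = int(ipaddress.ip_address(m.group(3)))
            mask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)  # wildcard bits -> netmask
            entries.append((m.group(1),
                            ipaddress.ip_network(f"{m.group(2)}/{mask}", strict=False)))
    return entries


def nat_translated(src, config=CONFIG):
    """True if NAT list 102 matches src (first match wins; implicit deny at the end)."""
    src = ipaddress.ip_address(src)
    for action, net in parse_acl(config, 102):
        if src in net:
            return action == "permit"
    return False


if __name__ == "__main__":
    for dst in ("10.10.20.199", "10.10.10.2", "203.8.183.1"):
        print(f"{dst:>14} -> {lookup(dst)}")
    for src in ("10.10.10.192", "10.10.20.193"):
        print(f"{src:>14} translated by list 102: {nat_translated(src)}")
```

Running it shows that a packet from the hardwired PC to 10.10.20.199 matches the static route and is sent back out Ethernet0 to 10.10.10.2, the same segment it arrived from, so the hop from 10.10.10.2 into 10.10.20.0/24 is entirely in the DLink's hands; it also shows that list 102 matches only 10.10.10.0/24 sources, so the 837 itself would not translate a packet that arrived with a 10.10.20.x source address.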
 
I am not familiar with the interfaces on the wireless ap, DLink...does it have an interface marked WAN and 4 marked as LAN? How did it get the IP address of 10.10.10.2? Thru DHCP?
The whole problem seems to be that the 837 has 4 "fastethernet" ports connected to the E0 interface of the router. The E0 interface in the router is a layer 3 interface, on which you can configure layer 3 information, like the IP address. The "fastethernet" ports seem to be layer 2 ports---you cannot configure an IP address on the individual ports. What is important is how the DLink got its IP address on the port facing the 837---did you set it or did it get the IP via DHCP? Sounds strange, but it seems that they should maybe be on the same subnet...please tell us how the DLink got the 10.10.10.2 IP...

Burt
 
The DLink device initially is set to a default address of 192.168.0.1 out of the box. When I set the unit up, I manually set the address to 10.10.10.199. In trying to get traffic to travel freely through the device from the other PC (10.10.10.192), that's when I thought that maybe the 837 had issues as it didn't know where to send traffic for 10.10.10.0 devices - there were two routes. Hence why I set up the second subnet of 10.10.20.0 and attempted to "convince" the 837 to route traffic to the 10.10.20.199 gateway.

You are most likely right about the E0 port(s) as the 837 doesn't allow configuration of more than one ethernet port (it's a switch but a basic one by the looks of things). If that's the case, are you saying that basically, I can't route traffic to the 10.10.20.0 subnet as I can't distinguish the 837's ethernet port that is physically attached to the DLink device?


PS. Yes, the DLink has one WAN Cat 5 input and four LAN Cat 5 interfaces.
 