Subnet Routing Issue

dunninth

IS-IT--Management
Jan 26, 2009
10
CA
I need some help since I am not very fluent with Cisco routers. I'm sure there is an easy fix for this.

I have a Cisco 1811 running 12.4. We are set up inside with 192.168.5.x IP addresses. All of the other 192.168.x.x subnets do not seem to be visible. It appears that the packets are being sent to our internet interface.

What can I do to access the other subnets from 192.168.5.x?

Thanks...
 
Are these other subnets available via L2L VPN connections, or do they exist within the same LAN? Either way, you need to use static routes or a routing protocol to tell the 1811 where to forward the traffic.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
The subnets are all on the same internal LAN. Here is the running config (with sensitive info X'd out).


Building configuration...

Current configuration : 8320 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1800
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$vJzs$nO74jvnZhpp4PXDESr.RM1
!
aaa new-model
!
!
aaa authentication login vpnclient group radius local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 group radius local
aaa authorization network authorize_vpn_list local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
ip domain name Reillyww.com
ip name-server X.X.X.X
ip name-server X.X.X.X
!
!
crypto pki trustpoint TP-self-signed-649839349
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-649839349
revocation-check none
rsakeypair TP-self-signed-649839349
!
!
crypto pki certificate chain TP-self-signed-649839349
certificate self-signed 01
quit
username XXX privilege 15 secret 5 $1$z41X$1Ap1Bv/lmXbE6GxvkQfmN.
username XXX privilege 15 secret 5 $1$w4Wt$qfn3ez23WL8iGuBjL8rjw/
username XXX secret 5 $1$u.TE$BNlmq19uEHbnlgbJD0shG1
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 20 3
!
crypto isakmp client configuration group rww_vpn_group
key rwwvpn
dns 192.168.5.12
domain XXX.com
pool VPN_pool
acl 100
firewall are-u-there
include-local-lan
max-logins 9
crypto isakmp profile sdm-ike-profile-1
match identity group rww_vpn_group
client authentication list vpnclient
isakmp authorization list authorize_vpn_list
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set rww_transform_set esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map VPN_dynamic_map 10
set transform-set rww_transform_set
!
!
crypto map VPN_static_map client authentication list vpnclient
crypto map VPN_static_map isakmp authorization list authorize_vpn_list
crypto map VPN_static_map client configuration address respond
crypto map VPN_static_map 1000 ipsec-isakmp dynamic VPN_dynamic_map
!
!
!
!
interface FastEthernet0
description $ETH-LAN$
ip address X.X.X.X 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip local pool VPN_pool 192.168.5.30 192.168.5.39
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 60000
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool NAS_Pool 192.168.5.249 192.168.5.249 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.5.251 80 X.X.X.X 80 extendable
ip nat inside source static tcp 192.168.5.251 143 X.X.X.X 143 extendable
ip nat inside source static tcp 192.168.5.251 443 X.X.X.X 443 extendable
ip nat inside source static 192.168.5.251 X.X.X.X
ip nat inside source static tcp 192.168.5.9 21 X.X.X.X 21 extendable
ip nat inside source static tcp 192.168.5.251 80 X.X.X.X 80 extendable
ip nat inside source static tcp 192.168.5.251 110 X.X.X.X 110 extendable
ip nat inside source static tcp 192.168.5.251 143 X.X.X.X 143 extendable
ip nat inside source static tcp 192.168.5.251 443 X.X.X.X 443 extendable
ip nat inside source static tcp 192.168.5.251 587 X.X.X.X 587 extendable
ip nat inside source static tcp 192.168.5.251 993 X.X.X.X 993 extendable
ip nat inside source static tcp 192.168.5.253 50000 X.X.X.X 50000 extendable
ip nat inside source static tcp 192.168.5.252 50001 X.X.X.X 50001 extendable
ip nat inside source static tcp 192.168.5.241 80 X.X.X.X 50002 extendable
ip nat inside source static tcp 192.168.5.240 80 X.X.X.X 50003 extendable
ip nat inside source static tcp 192.168.5.5 51020 X.X.X.X 51020 extendable
!
ip access-list extended NAS_Dest_List
permit tcp any any range 33000 45000
ip access-list extended sdm_vlan1_out
remark SDM_ACL Category=1
permit ip any any
ip access-list extended splitremote
remark SDM_ACL Category=16
permit ip 192.168.5.0 0.0.0.255 any
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
no cdp run
!
!
!
!
!
radius-server host 192.168.5.12 auth-port 1645 acct-port 1646 key CiscoRadius
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to -----------------------------------------------------------------------
^C
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
!
webvpn gateway gateway_1
ip address X.X.X.X port 443
http-redirect port 80
ssl trustpoint TP-self-signed-649839349
inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
!
webvpn context ReillySSL
title-color #CCCC66
secondary-color white
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "VPN_pool"
svc default-domain "reillyww.com"
svc keep-client-installed
svc dns-server primary 192.168.5.12
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_2
gateway gateway_1
max-users 100
inservice
!
end
 
All of the other 192.168.x.x subnets do not seem to be visible

Your router config only has 192.168.5.0/24?
And I'm guessing fa0/0 is used for connection to outside (WAN, not LAN)?

So is the issue that you can't ping/access other 192.168.5.x IP addresses?

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
All clients/devices are on 192.168.5.x. Cannot ping anything on 192.168.x.x except the 192.168.5.x.

Tracert shows those attempted connections going out through our ISP's router to the internet.
 
That's because there are no routes to the 192.168.x.x network.

From what I see on your config your router currently knows two things:

1) vlan1 is 192.168.5.0/24, so anything matching that will go there.

2) Anything else will match 0.0.0.0 0.0.0.0 and go out your WAN interface (I'm assuming X.X.X.X is the IP address of your WAN interface):

ip route 0.0.0.0 0.0.0.0 X.X.X.X

So I guess what you need to figure out is what interface these 192.168.x.x subnets are connected to?

If you are using a router-on-a-stick configuration, then you probably need to define the rest of your VLANs and a proper trunk.

If 192.168.6.x [example] is connected to, say, fa2, then you would need to configure that for your router to know what's going on.


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Well, given the fact that he is using a /24, the network will only be 192.168.5.xxx; if there is any other traffic involved, then it will go to the default route (0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx).

If there is 192.168.6.xxx traffic then that is a different network and a route will need to be in place for this or indeed any other network or it will be routed through the default.
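The route lookup the replies above describe, as an added example that is not part of the thread: it builds the two-entry table from config lines modelled on the posted ones, does a longest-prefix match, and flags private (RFC 1918) destinations that only match the default route and therefore head for the ISP. The next hop 203.0.113.1 stands in for the redacted X.X.X.X, and the static route to 192.168.5.254 is a hypothetical fix with an assumed internal next hop.

```python
import ipaddress

# Constructed excerpt modelled on the posted config; 203.0.113.1 stands in
# for the redacted X.X.X.X next hop (assumption, not from the thread).
CONFIG = """\
interface Vlan1
 ip address 192.168.5.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""

def build_table(config):
    """Return [(network, exit)] from 'ip address' and 'ip route' lines."""
    table, iface = [], None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            iface = words[1]
        elif words[:2] == ["ip", "address"] and iface:
            # Connected route: the subnet the interface address sits in.
            net = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
            table.append((net, f"connected {iface}"))
        elif words[:2] == ["ip", "route"]:
            net = ipaddress.ip_network(f"{words[2]}/{words[3]}")
            table.append((net, f"via {words[4]}"))
    return table

def lookup(table, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, out) for net, out in table if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=(None, "drop"))

def leaks_to_default(table, dest):
    """True when a private (RFC 1918) destination only matches 0.0.0.0/0."""
    net, _ = lookup(table, dest)
    return (net is not None and net.prefixlen == 0
            and ipaddress.ip_address(dest).is_private)

if __name__ == "__main__":
    table = build_table(CONFIG)
    for dest in ("192.168.5.12", "192.168.6.10"):
        print(dest, lookup(table, dest)[1], leaks_to_default(table, dest))
    # Hypothetical fix: a static route to an assumed internal next hop.
    fixed = build_table(CONFIG + "ip route 192.168.6.0 255.255.255.0 192.168.5.254\n")
    print("192.168.6.10", lookup(fixed, "192.168.6.10")[1])
```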
 