help on Cisco 2800 router


racheng
I am trying to configure a 2801 to replace the 2600. It is a gateway router with 3 i/f. One is an uplink to my ISP, one goes to the firewall and the third one is for the public wireless network. This i/f has a 4-port switch and VLAN is enabled. The switch has a wireless AP which is a DHCP server passing out 192.168.250.0 addresses. There is no switch on this network - just a hub.

My problem is that any hosts directly connected to this switch or via the hub could not get on the Internet by name or IP, though they could ping any internal host or HTTP to my inside web server. They received the DHCP IP, DNS, etc. Trace route showed it stopped at 250.254 (gateway address). There was a NAT entry for it. There was no difference if I put in a static translation for one of the hosts.

I suspect it has something to do with the VLAN since this is the only difference between the two routers.

Here is the running config:


Current configuration : 6106 bytes
!
! Last configuration change at 11:41:17 ET Sun May 27 2007 by uhls
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname uh2800
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
clock timezone ET -5
clock summer-time ET recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
ip domain name uhls.lib.ny.us
ip name-server 192.168.99.203
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
 description TimeWarner Telecom DLI: LR521297
 ip address 66.195.77.146 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Firewall
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/3/0
 switchport access vlan 250
 no ip address
!
interface FastEthernet0/3/1
 switchport access vlan 250
 no ip address
!
interface FastEthernet0/3/2
 switchport access vlan 250
 no ip address
!
interface FastEthernet0/3/3
 switchport access vlan 250
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan250
 ip address 192.168.250.254 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 66.195.77.145
ip route 192.168.0.0 255.255.192.0 192.168.100.253
ip route 192.168.99.0 255.255.255.0 192.168.100.253
ip route 192.168.101.0 255.255.255.0 192.168.100.253
ip route 192.168.102.0 255.255.255.0 192.168.100.253
ip route 192.168.103.0 255.255.255.0 192.168.100.253
ip route 192.168.104.0 255.255.255.0 192.168.100.253
ip route 192.168.105.0 255.255.255.0 192.168.100.253
ip route 192.168.230.0 255.255.255.0 192.168.30.253
ip http server
ip http access-class 99
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation tcp-timeout 180
ip nat pool pool01 66.192.112.201 66.192.112.201 netmask 255.255.255.192
ip nat pool pool05 66.192.112.205 66.192.112.205 netmask 255.255.255.192
ip nat pool pool11 66.192.112.211 66.192.112.211 netmask 255.255.255.192
ip nat pool pool20 66.192.112.220 66.192.112.220 netmask 255.255.255.192
ip nat pool pool26 66.192.112.226 66.192.112.226 netmask 255.255.255.192
ip nat pool pool29 66.192.112.229 66.192.112.229 netmask 255.255.255.192
ip nat pool pool30 66.192.112.230 66.192.112.230 netmask 255.255.255.192
ip nat inside source list 1 pool pool01 overload
ip nat inside source list 5 pool pool05 overload
ip nat inside source list 11 pool pool11 overload
ip nat inside source list 20 pool pool20 overload
ip nat inside source list 26 pool pool26 overload
ip nat inside source list 29 pool pool29 overload
ip nat inside source list 30 pool pool30 overload
ip nat inside source static 192.168.99.31 66.192.112.192
ip nat inside source static 192.168.1.200 66.192.112.193
< some static translations are deleted >
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.101.0 0.0.0.255
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 1 permit 192.168.103.0 0.0.0.255
access-list 1 permit 192.168.104.0 0.0.0.255
access-list 1 permit 192.168.105.0 0.0.0.255
access-list 1 permit 192.168.108.0 0.0.0.255
access-list 1 permit 192.168.31.0 0.0.0.255
access-list 5 permit 192.168.5.0 0.0.0.255
access-list 5 permit 192.168.35.0 0.0.0.255
access-list 11 permit 192.168.11.0 0.0.0.255
access-list 20 permit 192.168.20.0 0.0.0.255
access-list 26 permit 192.168.26.0 0.0.0.255
access-list 26 permit 192.168.56.0 0.0.0.255
access-list 29 permit 192.168.29.0 0.0.0.255
access-list 30 permit 192.168.30.0 0.0.0.255
access-list 30 permit 192.168.250.0 0.0.0.255 ! this is the nat for wireless network
access-list 30 permit 192.168.109.0 0.0.0.255
access-list 30 permit 192.168.99.0 0.0.0.255
access-list 99 permit 192.168.30.0 0.0.0.63
access-list 101 permit tcp any host 192.168.250.129 eq 3389
access-list 101 permit tcp any host 192.168.250.129 eq 1723
access-list 101 permit tcp any host 192.168.250.129 eq 47
access-list 101 permit tcp any any established
access-list 101 permit ip 192.168.30.0 0.0.0.63 192.168.250.0 0.0.0.255
snmp-server community public RO
snmp-server enable traps tty
!
control-plane
!
banner login ^C
This is a restricted site. Any unauthorized access is prohibited and
will be reported to authority
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 99 in
 exec-timeout 0 0
 privilege level 15
 password xxxx
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login
 transport input telnet
!
ntp clock-period 17208510
ntp server 192.5.41.41
ntp server 192.5.41.40
end
  • +
    0 Votes
    plymouth

    What does the 192.168.30 network do?
    Looks like it is defined differently:

    access-list 30 permit 192.168.30.0 0.0.0.255
    access-list 99 permit 192.168.30.0 0.0.0.63

    different masks

    +
    0 Votes
    richard.binns

    I think the problem is that the VLAN is not ip nat inside - if you add this to the VLAN interface the router will know that the VLAN is now an inside source for NAT translations.
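
Added example (not part of the thread and not any poster's code): a Python check for the condition richard.binns describes, an interface whose subnet is matched by a NAT source access-list but which carries no `ip nat inside`. The embedded config is a constructed excerpt of the posted one, the function names are hypothetical, and wildcard masks are assumed to be contiguous.

```python
import ipaddress
import re

# Constructed excerpt of the running config posted above (NAT-relevant lines only).
CONFIG = """\
interface FastEthernet0/0
 ip address 66.195.77.146 255.255.255.252
 ip nat outside
interface FastEthernet0/1
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
interface Vlan250
 ip address 192.168.250.254 255.255.255.0
ip nat inside source list 30 pool pool30 overload
access-list 30 permit 192.168.30.0 0.0.0.255
access-list 30 permit 192.168.250.0 0.0.0.255
access-list 99 permit 192.168.30.0 0.0.0.63
"""

def wildcard_net(addr, wildcard):
    """Turn an ACL address and contiguous wildcard mask into an ip_network."""
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def missing_nat_inside(config):
    """Return [(interface, acl)] where a NAT source ACL (standard, 1-99) matches
    the interface subnet but the interface has no 'ip nat inside/outside'."""
    ifaces, acls, nat_lists, cur = {}, {}, set(), None
    for line in config.splitlines():
        s = line.strip()  # indentation is ignored, so flattened pastes parse too
        if m := re.match(r"interface (\S+)$", s):
            cur = ifaces.setdefault(m[1], {"net": None, "nat": None})
        elif cur is not None and (m := re.match(r"ip address (\S+) (\S+)$", s)):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif cur is not None and (m := re.match(r"ip nat (inside|outside)$", s)):
            cur["nat"] = m[1]
        elif m := re.match(r"ip nat inside source list (\d+) ", s):
            nat_lists.add(m[1])
        elif m := re.match(r"access-list (\d{1,2}) permit ([\d.]+) ([\d.]+)", s):
            acls.setdefault(m[1], []).append(wildcard_net(m[2], m[3]))
    return [(name, acl) for name, i in ifaces.items()
            if i["net"] and i["nat"] is None
            for acl in sorted(nat_lists, key=int)
            if any(i["net"].overlaps(n) for n in acls.get(acl, []))]

if __name__ == "__main__":
    print(missing_nat_inside(CONFIG))
```

On the excerpt this reports Vlan250 against access-list 30; the result is empty once `ip nat inside` is present under `interface Vlan250`.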

    +
    0 Votes
    ipcbcory

    Thanks for the configuration example, it's helpful. Here's another good resource for info on the Cisco 2800: http://www.ciscobuy.com/cisco-routers/cisco-2800
