• Status: Solved
  • Priority: Medium
  • Security: Public

Why can I not access my wireless controller from outside the router?

I have a wireless controller with an IP address of 66.xxx.xxx.6 connected to FastEthernet2, and I can ping it from the router but not from outside. What do I need to do to get this to work? Below is my router config.

Building configuration...

Current configuration : 5015 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MainePCS-1812
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXXXX
!
aaa new-model
!
!
!
!
aaa session-id common
!
!
ip cef
ip dhcp excluded-address 10.10.10.1
!
!
ip telnet hidden addresses
ip domain name XXXXXX
ip name-server 205.243.60.3
ip ssh time-out 60
ip ssh authentication-retries 5
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-XXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3XXXXXX
 revocation-check none
 rsakeypair TP-self-signed-XXXXXX
!
!
crypto pki certificate chain TP-self-signed-XXXXXX
 certificate self-signed 01
 
  quit
!
!
username XXXXXX privilege 15 secret 5 $XXXXXX
!
!
class-map match-any Data
 match  dscp af11
 match protocol http
class-map match-any Other
 match  dscp af31
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
class-map match-any Low
 match  dscp af21
class-map match-any Voice
 match protocol sip
 match protocol h323
 match protocol skype
 match  dscp ef
!
!
policy-map MainePCS
 class Voice
  set dscp ef
  priority 200
 class Data
  set dscp af11
  bandwidth 5000
 class Low
  set dscp af21
 class Other
  set dscp af31
  bandwidth 8
 class class-default
  set dscp default
!
!
!
!
!
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1
 description DIA-via-ONS15454
 bandwidth 10000
 ip address 66.xxx.xxx.x 255.255.255.252
 ip route-cache flow
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet2
 description Nomadix-Network-Interface
 switchport access vlan 300
!
interface FastEthernet3
!
interface FastEthernet4
 description Connected To Local GO Networks AP
 switchport mode trunk
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
 description Connected To Oxford_Network 802.1Q
 switchport trunk allowed vlan 1,2,200,1002-1005
 switchport mode trunk
!
interface FastEthernet9
 description Connect To Nomadix 802.1Q
 switchport access vlan 2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
 ip address 10.10.10.10 255.255.255.0
 ip tcp adjust-mss 1452
!
interface Vlan200
 ip address 10.1.1.254 255.255.255.0
 arp timeout 60
!
interface Vlan300
 description Nomadix-Network-Interface
 ip address 66.xxx.xxx.5 255.255.255.252
 ip access-group 3 out
!
interface Vlan100
 no ip address
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1
ip route 10.1.55.0 255.255.255.0 10.1.9.33
ip route 10.1.105.0 255.255.255.0 10.1.9.33
ip route 192.168.11.0 255.255.255.0 10.1.10.33
!
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
no logging trap
access-list 2 permit 10.1.1.0
access-list 3 deny   10.1.1.0 0.0.0.255
access-list 3 permit any
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
!
!
!
!
control-plane
!
banner login ^CCCC
-----------------------------------------------------------------------
Unauthorized access prohibited
Violators will be prosecuted
-----------------------------------------------------------------------
^C
!
line con 0
 exec-timeout 0 0
 password 7 XXXXXX
line aux 0
line vty 0 4
 privilege level 15
 password 7 XXXXXX
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
end
1 Solution
 
ricks_vCommented:
A few options to allow this:

1. Remove access-list 3; command on CLI/telnet:
no access-list 3

2. Modify access-list 3; command on CLI/telnet:
no access-list 3
access-list 3 permit 10.1.1.0 0.0.0.255  (this will allow access from vlan200)
access-list 3 deny any

3. Remove ACL 3 from interface Vlan300; command on CLI/telnet:
interface Vlan300
no ip access-group 3 out

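The options above all turn on how a Cisco standard numbered ACL is evaluated: entries are checked top to bottom against the packet's source address using a wildcard mask (a 0 bit must match, a 1 bit is ignored), the first match wins, and a list with no matching entry denies. The following is an added example, not code from the thread: a small Python evaluator that parses the `access-list` lines from the posted configuration and runs them against constructed sample sources (203.0.113.10 is a made-up Internet host; 10.1.1.50 is a made-up vlan200 host). It shows that ACL 3, applied `out` on Vlan300, only drops traffic sourced from 10.1.1.0/24 and lets an outside source through, which is why the ACL is not what blocks access from the Internet.

```python
"""Cisco standard numbered ACL semantics (source address + wildcard mask).
Added example, not from the original post. Sample sources are constructed."""
import ipaddress
from typing import Dict, List, Tuple

# (action, address, wildcard). A missing wildcard means 0.0.0.0, i.e. an
# exact host match, as in the posted "access-list 2 permit 10.1.1.0".
AclEntry = Tuple[str, str, str]


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def entry_matches(entry: AclEntry, src: str) -> bool:
    """Wildcard semantics: bits that are 0 in the wildcard must match, 1 bits are ignored."""
    _, addr, wildcard = entry
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(src) & care) == (_to_int(addr) & care)


def evaluate_acl(acl: List[AclEntry], src: str) -> str:
    """First matching entry wins; no match means the implicit deny at the end."""
    for entry in acl:
        if entry_matches(entry, src):
            return entry[0]
    return "deny"


def parse_standard_acl(lines: List[str]) -> Dict[str, List[AclEntry]]:
    """Parse 'access-list N permit|deny (any | host A | A [W])' into {N: [entries]}."""
    acls: Dict[str, List[AclEntry]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action = parts[1], parts[2]
        if parts[3] == "any":
            addr, wildcard = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            addr, wildcard = parts[4], "0.0.0.0"
        else:
            addr = parts[3]
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        acls.setdefault(number, []).append((action, addr, wildcard))
    return acls


# The access-list lines exactly as they appear in the posted configuration.
ACL_LINES = [
    "access-list 2 permit 10.1.1.0",
    "access-list 3 deny   10.1.1.0 0.0.0.255",
    "access-list 3 permit any",
    "access-list 23 permit 10.10.10.0 0.0.0.7",
]
ACLS = parse_standard_acl(ACL_LINES)


def vlan300_outbound_verdict(src: str) -> str:
    """ACL 3 is applied 'out' on Vlan300, so it sees traffic heading toward the controller."""
    return evaluate_acl(ACLS["3"], src)


if __name__ == "__main__":
    for src in ("203.0.113.10", "10.1.1.50"):   # constructed: Internet host, vlan200 host
        print(f"ACL 3 out on Vlan300, source {src}: {vlan300_outbound_verdict(src)}")
    for src in ("10.10.10.5", "10.10.10.9"):     # 0.0.0.7 covers 10.10.10.0-7 only
        print(f"ACL 23 (vty/http access-class), source {src}: {evaluate_acl(ACLS['23'], src)}")
```

Running it prints `permit` for the outside source and `deny` for the vlan200 source on ACL 3, and shows that ACL 23 (used as the vty and HTTP access-class) admits 10.10.10.5 but denies 10.10.10.9 through the implicit deny.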
 
sehughesAuthor Commented:
I want to be able to access it from outside my network, which would be through FastEthernet1.
 
MrJemsonCommented:
Make sure your Wireless device has the default gateway configured for the route back.
 
ricks_vCommented:
I don't see any ACL stopping that.

Make sure the client on fa1 has a gateway of the fa1 address

and the wireless has a gateway of the vlan300 address.
 
sehughesAuthor Commented:
The wireless gateway has a gateway address of Vlan300.
 
MrJemsonCommented:
Can you ping the Vlan 300 interface from outside your network?
 
sehughesAuthor Commented:
Below is a copy of my current configuration. This setup was working before our router died and I had to replace it with the new one. The only change is that there used to be a Vlan100 with an address of 66.xxx.xxx.9 supporting our back office router with an IP address of 66.xxx.xxx.10. I have since added a second interface to our internet connection and put the back office router on it directly with the same IP information. If I connect to one of the wireless access points directly I can ping the controller at 66.xxx.xxx.6, the gateway VLAN on the router at 66.xxx.xxx.5, and also the router's IP of 66.xxx.xxx.2. I can not ping the router's gateway of 66.xxx.xxx.. I have double checked the wireless gateway's configuration and it is set up with 66.xxx.xxx.6 as its internet address and 66.xxx.xxx.5 as its gateway. It also shows a default route of 0.0.0.0 66.xxx.xxx.5.

I took this project over after a co-worker left the company. I have highlighted a couple of commands that I am unsure of.

version 12.4
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname MainePCS-1812
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXXX
!
aaa new-model
!
!
!
!
aaa session-id common
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip telnet hidden addresses
ip domain name XXXXX.com
ip name-server 205.243.60.3
ip name-server 64.163.60.3
ip ssh time-out 60
ip ssh authentication-retries 5
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3900591751
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3900591751
 revocation-check none
 rsakeypair TP-self-signed-3900591751
!
!
crypto pki certificate chain TP-self-signed-3900591751
 certificate self-signed 01
  30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33393030 35393137 3531301E 170D3039 30323039 32303539
  32315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39303035
  39313735 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C12D 6C8ACCC0 EDD022F4 FEEB4358 DF74B049 BB7B53D9 55B7893D 06DC434B
  24A4F403 79F3D6A4 25A04A9B 7F11EC5F 9307E6CB FD8A2218 048D63F2 B18537E4
  D1D742AF 223B39B7 E978915E 06F7891B 81CC8BEB 99E34D17 B098EDC0 6219B043
  4BD65303 A35CDEDC FF844169 03A1EBFB A7AF7BDD 2FC58CA0 192F6584 F09907F8
  EB270203 010001A3 7A307830 0F060355 1D130101 FF040530 030101FF 30250603
  551D1104 1E301C82 1A4D6169 6E655043 532D3138 31322E6D 61696E65 7063732E
  636F6D30 1F060355 1D230418 30168014 510D2C53 C9FB61C0 B195EF68 520B3D8B
  36D1169D 301D0603 551D0E04 16041451 0D2C53C9 FB61C0B1 95EF6852 0B3D8B36
  D1169D30 0D06092A 864886F7 0D010104 05000381 81007061 7FD8F048 E1B7A688
  B2B2476D A18450BF 1720B350 CEBB63C5 ABBDA8DE A4E3BB82 9D94FFA8 DD51DCFF
  26AA4CB1 7DA88167 8EB58D62 16D65D32 11A33044 8FC587AD 02B626E0 A4B46D71
  F74BF3FD 1895AC5B AEAD59CA 419D4796 7E900CFC 0EB0846A C0C699A5 E4F94C4F
  18FBE95B 612C0BE2 55B03A3B 52463A05 91F51155 2572
  quit
!
!
username admin privilege 15 secret 5 XXXXX
!
!
class-map match-any Data
 match  dscp af11
 match protocol http
class-map match-any Other
 match  dscp af31
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
class-map match-any Low
 match  dscp af21
class-map match-any Voice
 match protocol sip
 match protocol h323
 match protocol skype
 match  dscp ef
!
!
policy-map MainePCS
 class Voice
  set dscp ef
  priority 200
 class Data
  set dscp af11
  bandwidth 5000
 class Low
  set dscp af21
 class Other
  set dscp af31
  bandwidth 8
 class class-default
  set dscp default
!
!
!
!
!
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1
 description DIA-via-ONS15454
 bandwidth 10000
 ip address 66.XXX.XXX.2 255.255.255.252
 ip route-cache flow
 duplex auto
 speed auto
 service-policy output MainePCS
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet2
 description Nomadix-Network-Interface
 switchport access vlan 300
!
interface FastEthernet3
!
interface FastEthernet4
 description Connected To Local GO Networks AP
 switchport mode trunk
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
 description Connected To Oxford_Network 802.1Q
 switchport trunk allowed vlan 1,2,200,1002-1005
 switchport mode trunk
!
interface FastEthernet9
 description Connect To Nomadix 802.1Q
 switchport access vlan 2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
 ip address 10.10.10.10 255.255.255.0
 ip tcp adjust-mss 1452
!
interface Vlan200
 ip address 10.1.1.254 255.255.255.0
 arp timeout 60
!
interface Vlan300
 description Nomadix-Network-Interface
 ip address 66.XXX.XXX.5 255.255.255.252
 ip access-group 3 out
!
ip route 0.0.0.0 0.0.0.0 66.XXX.XXX.1
ip route 10.1.55.0 255.255.255.0 10.1.9.33
ip route 10.1.105.0 255.255.255.0 10.1.9.33
ip route 192.168.11.0 255.255.255.0 10.1.10.33
!
ip flow-cache timeout active 1
ip flow-export source FastEthernet1
ip flow-export version 5
ip flow-export destination 192.168.1.11 9996
ip flow-export destination 10.1.55.236 2055
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface Vlan1 overload
!
no logging trap
access-list 2 permit 10.1.1.0
access-list 3 deny   10.1.1.0 0.0.0.255
access-list 3 permit any
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CCCC
-----------------------------------------------------------------------
Unauthorized access prohibited
Violators will be prosecuted
-----------------------------------------------------------------------
^C
privilege exec level 15 access-enable
privilege exec level 15 x28
privilege exec level 15 pad
privilege exec level 15 mtrace
privilege exec level 15 mstat
privilege exec level 15 mrinfo
privilege exec level 15 ppp
privilege exec level 15 slip
privilege exec level 15 access-profile
privilege exec level 15 udptn
privilege exec level 15 tunnel
privilege exec level 15 modemui
privilege exec level 15 who
privilege exec level 15 traceroute
privilege exec level 15 systat
privilege exec level 15 disable
privilege exec level 15 where
privilege exec level 15 resume
privilege exec level 15 name-connection
privilege exec level 15 terminal
privilege exec level 15 show
privilege exec level 15 lock
privilege exec level 15 clear
!
line con 0
 exec-timeout 0 0
 password 7 XXX
line aux 0
line vty 0 4
 privilege level 15
 password 7 XXX
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
end

MainePCS-1812#logout
 
sehughesAuthor Commented:
I can not ping the vlan300 interface at 66.xxx.xxx.5 from outside the network. I can only ping it when I am logged into the router or connected to one of the wifi devices.
 
MrJemsonCommented:
If you remove access-list 3 from Vlan 300 does it work?

If so, we may have to scrap it in place of an extended acl.
 
sehughesAuthor Commented:
No, it does not. I had removed it and it made no change, so I put it back in.
 
ricks_vCommented:
Is any of these devices connected through a different router?

If yes, you need to specify the correct route on every router.

I'm looking at:
ip route 0.0.0.0 0.0.0.0 66.XXX.XXX.1 (what address is this? another router, or vlan 300, or fa0/1?)

It would be great if you mention the full config so I can differentiate between fa0/1 and vlan 300.
 
sehughesAuthor Commented:
The full config is above. 66.xxx.xxx.1 is the gateway address for fa1.
 
sehughesAuthor Commented:
Does VLAN information leave my router? I just noticed that the second router attached to my internet pipe also uses vlan1 for all connected ports. It does have a different IP address than the one on this router but is called vlan1. Could this cause a problem?
 
sehughesAuthor Commented:
What could cause me to be able to ping the 66.xxx.xxx.5 and 66.xxx.xxx.2 addresses from the device on vlan300 with an address of 66.xxx.xxx.6, but not through the 66.xxx.xxx.2 to the internet gateway of 66.231.198.1?
 
MrJemsonCommented:
Default routes would cause that.
Are you certain the routes are advertised correctly at 66.xxx.xxx.1?
I assume this is your ISP? They are not always infallible you know :)
 
MrJemsonCommented:
*That is, INCORRECT default routes.
 
sehughesAuthor Commented:
Yes... from the router I can ping 66.xxx.xxx.1, which is my ISP address.
 
sehughesAuthor Commented:
Also, as I had asked above... how much information on the VLANs leaves the router? I have a second router attached to the same ISP pipe (on a separate interface and address) but using vlan1 as well. It does have a different IP address but is called vlan1, the same as this router I am having trouble with. I guess I do not understand how the router routes the VLAN traffic out of the router, seeing as how I can ping the fa1 interface that is connected to the ISP but not the ISP.
 
MrJemsonCommented:
Vlan 1 is the native VLAN.
I.e., it is untagged / carries no VLAN info.

I just re-read your post regarding not being able to ping 66.xxx.xxx.1 from the wireless clients.
This is definitely an issue with the routing table at your ISP end.
The fact that you just mentioned there is another router plugged into the uplink to the ISP is key.

Basically the ISP would be routing all those IP addresses via 66.xxx.xxx.1
66.xxx.xxx.1 sends out an ARP request on that segment and gets no response therefore drops the packet.
You may need to enable a routing protocol such as RIPv2 on the router so that it forwards the route to 66.xxx.xxx.5/6 to 66.xxx.xxx.1.
Check with your ISP as to what routing protocol you can use, as you will have to use the same as they are so that they will "listen to" your routing info.

The other option would be to ask the ISP to add a static route in their router (66.xxx.xxx.1) to the 66.xxx.xxx.4/30 network via 66.xxx.xxx.2

The latter is the easiest as far as configuration at your end is concerned, but some ISPs will not do any more work than they have to, so asking them to add a static route _may_ be a tall order.

Nonetheless I am 100% confident this is your issue.
 
ricks_vCommented:
The outside router doesn't know how to get to the 66.x.x.5 255.255.252.0 network.
Outside router address range is 66.x.x.1-4
vlan 300 address range is 66.x.x.5-8

You will need to create a new route on the outside router (whatever router it is):

ip route 66.x.x.5 255.255.255.252 66.x.x.2
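The two answers above describe the same forwarding decision: the ISP-side router has no route covering the customer's second /30, so a packet for the controller never reaches FastEthernet1, and a more specific static route via the customer's fa1 address fixes it. The following is an added example, not code from the thread: a Python model of longest-prefix-match forwarding on the ISP router, before and after that static route. It assumes, following MrJemson's description of the ISP router ARPing on the shared segment, that the ISP side treats the customer block as directly connected; 192.0.2.x (TEST-NET-1) stands in for the redacted 66.xxx.xxx.x block with .1 as the ISP router, .2 as the customer's FastEthernet1, .5 as Vlan300 and .6 as the controller, and the interface names and upstream next hop are made up.

```python
"""Longest-prefix-match forwarding on the ISP-side router, before and after the
static route to the customer's /30. Added example, not from the original thread.
192.0.2.x stands in for the redacted 66.xxx.xxx.x block (constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None = directly connected: deliver by ARP on the segment
    interface: str


def longest_prefix_match(table: List[Route], dst: str) -> Optional[Route]:
    """Return the matching route with the longest prefix, or None if nothing covers dst."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def forward(table: List[Route], dst: str, segment_hosts: Set[str]) -> str:
    """Simulate one forwarding decision; segment_hosts are the addresses that answer ARP."""
    route = longest_prefix_match(table, dst)
    if route is None:
        return f"dropped: no route to {dst}"
    if route.next_hop is None:
        # Connected route: the router ARPs for dst itself on that interface.
        if dst in segment_hosts:
            return f"delivered: {dst} answered ARP on {route.interface}"
        return f"dropped: no ARP reply for {dst} on {route.interface}"
    return f"forwarded: {dst} via next hop {route.next_hop} ({route.prefix})"


# Constructed ISP-side table (assumption): the customer block is treated as
# directly connected on the customer-facing interface, plus a default route.
ISP_TABLE_BEFORE = [
    Route(ipaddress.ip_network("192.0.2.0/29"), None, "Gi0/1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "198.51.100.1", "Gi0/0"),
]
# Only the ISP router (.1) and the customer's FastEthernet1 (.2) sit on the wire;
# .5 and .6 live behind the customer router on Vlan300 and never answer ARP here.
SEGMENT_HOSTS = {"192.0.2.1", "192.0.2.2"}

# The fix the thread arrives at: a more specific route for the second /30 via fa1.
STATIC_ROUTE = Route(ipaddress.ip_network("192.0.2.4/30"), "192.0.2.2", "Gi0/1")
ISP_TABLE_AFTER = ISP_TABLE_BEFORE + [STATIC_ROUTE]


def before_fix(dst: str = "192.0.2.6") -> str:
    return forward(ISP_TABLE_BEFORE, dst, SEGMENT_HOSTS)


def after_fix(dst: str = "192.0.2.6") -> str:
    return forward(ISP_TABLE_AFTER, dst, SEGMENT_HOSTS)


if __name__ == "__main__":
    print("before:", before_fix())            # dropped: no ARP reply for .6
    print("after: ", after_fix())             # forwarded via .2, the /30 beats the /29
    print("after: ", after_fix("192.0.2.2"))  # .2 is still reached directly
```

Before the static route the controller's address falls under the connected prefix, the ISP router ARPs for it, nobody answers, and the packet is dropped. After it, the /30 is the longest match, so the packet is handed to the customer's fa1 address, while the customer router itself is still reached directly on the segment.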
 
MrJemsonCommented:
Which is what I just said.
 
sehughesAuthor Commented:
So this will need to be added to the ISP router?
 
ricks_vCommented:
Yes, that's correct.
Please provide the router details if you would like us to guide you with this.
 
MrJemsonCommented:
He would not have access to his ISP routers.
As I previously said:

Check with your ISP as to what routing protocol you can use, as you will have to use the same as they are so that they will "listen to" your routing info.

The other option would be to ask the ISP to add a static route in their router (66.xxx.xxx.1) to the 66.xxx.xxx.4/30 network via 66.xxx.xxx.2

The latter is the easiest as far as configuration at your end is concerned, but some ISPs will not do any more work than they have to, so asking them to add a static route _may_ be a tall order.
 
sehughesAuthor Commented:
I will contact the ISP today. We are a business partner with them so I should have no trouble getting them to add anything I need.
 
sehughesAuthor Commented:
We added the static route to the ISP router and everything started to work. Thanks for all your help.
 
MrJemsonCommented:
Glad to see you got it sorted! :)