Solved

2 VLANS on cisco 1800 series

Posted on 2009-04-19
Last Modified: 2012-05-06
Hi
I recently bought an 1811 router with an 8-port switch and 2 FE ports.
The network goes like this
(webserver_set_1)-----(VLAN1) ----- (FE0) 111.222.333.444
(webserver_set_2)-----(VLAN2) ----- (FE1) 444.333.222.111

I also assigned switch ports to their appropriate VLAN and things have been working. webserver_set_1 responds to HTTP requests, FTP requests, etc. and has been up for a year without me touching it! (so amazing compared to commercial Linksys routers)

As for webserver_set_2 under VLAN2, they are accessible. But they cannot access any machine of webserver_set_1 under VLAN1 via HTTP nor FTP, etc. from VLAN2. I can 111.222.33.444 (FE0), however.

Can you please help?
I think it might be some internal routing issue; nevertheless I still found nothing suspicious within the IOS commands:

ip inspect name firewall http
ip inspect name firewall https
ip inspect name firewall tcp router-traffic
ip inspect name firewall udp router-traffic
ip inspect name firewall icmp router-traffic
ip inspect name firewall dns
ip inspect name firewall imap
ip inspect name firewall imaps
ip inspect name firewall imap3
ip inspect name firewall ftp
ip inspect name firewall ipsec-msft
!
interface FastEthernet0
ip address 111.222.333.444 255.255.255.240
ip nat outside
ip inspect firewall out
ip virtual-reassembly
speed auto
!
interface FastEthernet1
ip address 444.333.222.111 255.255.255.240
ip nat outside
ip inspect firewall out
ip virtual-reassembly
speed auto
full-duplex
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan2
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 164.62.250.108
! Default gateway given by ISP for 111.222.333.444
ip route 0.0.0.0 0.0.0.0 165.49.22.139
! Default gateway for 444.333.222.111
!
 
Gateway of last resort is 165.49.22.139 to network 0.0.0.0
 
     111.0.0.0/28 is subnetted, 1 subnets
C       111.222.333.444 is directly connected, FastEthernet0
     444.0.0.0/28 is subnetted, 1 subnets
C       444.333.222.111 is directly connected, FastEthernet1
C    192.168.0.0/24 is directly connected, Vlan1
C    192.168.1.0/24 is directly connected, Vlan2
S*   0.0.0.0/0 [1/0] via 165.49.22.139
               [1/0] via 164.62.250.108

Question by:valleytech
Expert Comment

by:debuggerau
ID: 24181130
Says each service is accessed through a separate ISP, with all default routes going out to the ISP in question.
So the firewall will see the destination packets originating from within and will reject on source address.
Expert Comment

by:Donboo
ID: 24187926
If I am guessing (but I need to see the rest of your config), your NAT access-lists are missing statements that deny NAT when going from VLAN 1 to VLAN 2 and vice versa.
Author Comment

by:valleytech
ID: 24220704
Thanks!! Sorry for the late reply, I wasn't able to receive any notification email.

The 2 x FE actually go through the same ISP, but with 2 different IP address ranges, as you saw in the IOS script. I thought about that (source originates from source itself), but found no way to change this. Do you know how? Thanks!!!!!

This is my NAT script:

ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface FastEthernet1 overload
 
ip nat inside source static tcp 192.168.0.80 80 interface FastE0 80
 
ip nat inside source static tcp 192.168.1.80 80 interface FastE1 80
 
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255

Expert Comment

by:debuggerau
ID: 24220876
huh?
'missing statements that deny NAT when going from Vlan 1 to vlan 2 and vice versa'

Wouldn't you mean missing a route from one vlan to the other?

Anyway, your NAT is a PNAT, and for port 80 only; that needs to be expanded for a client's connection.
You'd need a whole NAT to map all ports...


Author Comment

by:valleytech
ID: 24221279
I do have more ports like 21, 20, 22, 443, the basic web service ports.
The syntax is just the same, so I just typed port 80 for the 2 web servers located on 2 different VLANs, and that is the only NAT script that I have been using for a year.

I guess I'm missing something to add to complete the NAT?
A missing route from one VLAN to another?

thanks
Accepted Solution

by:
Donboo earned 2000 total points
ID: 24227863
No, I don't mean a route, since both VLANs are connected to the same router; the router obviously knows the way to the other network.

I mean that you are missing deny NAT statements from one VLAN to the other VLAN, also known as No-NAT. The reason for this is that when you add an interface to NAT with IP NAT INSIDE it will perform NAT to interfaces defined as IP NAT OUTSIDE based on the route selection.

Your NAT access-lists should look like this:

ip access-list extended NAT-LIST-1
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any

ip access-list extended NAT-LIST-2
 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

And your dynamic PAT:

ip nat inside source list NAT-LIST-1 interface FastEthernet0 overload
ip nat inside source list NAT-LIST-2 interface FastEthernet1 overload

Here in this example I am using extended access-lists, but the principle is the same as with standard access-lists. This will bypass NAT when going from one VLAN to the other VLAN and should solve your problem, unless you have access-lists defined on your VLANs to deny incoming traffic that matches the traffic pattern this will create (I don't think you have, but I haven't seen your entire config to be sure).

This way does have some flaws and I suggest that you alter your dynamic NAT to use route-maps instead, as these are more flexible.


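An added example (not from the thread or from any of the posters) that models the IOS first-match ACL decision behind the accepted answer above: it parses the standard list 1 from the question and the extended NAT-LIST-1 from the answer, applies Cisco wildcard-mask matching, and reports which flows an `ip nat inside source list` statement would translate. The 192.168.x.x hosts are the ones in the thread; the 203.0.113.10 destination is a constructed Internet address (TEST-NET-3), and the parser only models `ip` entries.

```python
"""Model of Cisco IOS first-match ACL evaluation as used by
'ip nat inside source list <ACL> ...': a flow is translated only if the
list permits it. Addresses come from the thread; the flows are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

AddrSpec = Tuple[str, str]          # (base address, wildcard mask)
ANY: AddrSpec = ("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination specs."""
    action: str
    src: AddrSpec
    dst: AddrSpec


def _addr_spec(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'
    (a bare 'A' in a standard list means wildcard 0.0.0.0). Returns (spec, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    wildcard = tokens[i + 1] if i + 1 < len(tokens) else "0.0.0.0"
    return (tokens[i], wildcard), i + 2


def parse_acl(config: str) -> List[Ace]:
    """Parse numbered standard entries ('access-list N permit A W') and extended
    'permit|deny ip SRC DST' entries. Header lines ('ip access-list extended NAME')
    and '!' comments are skipped; only the 'ip' protocol keyword is modelled."""
    aces: List[Ace] = []
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "access-list":          # standard list: matches on source only
            action = t[2]
            src, _ = _addr_spec(t, 3)
            dst = ANY
        elif t[0] in ("permit", "deny"):   # extended named-list entry
            if t[1] != "ip":
                raise ValueError(f"only 'ip' entries are modelled: {raw!r}")
            action = t[0]
            src, i = _addr_spec(t, 2)
            dst, _ = _addr_spec(t, i)
        else:
            continue
        aces.append(Ace(action, src, dst))
    return aces


def _match(addr: str, spec: AddrSpec) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


def acl_action(aces: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for ace in aces:
        if _match(src, ace.src) and _match(dst, ace.dst):
            return ace.action
    return "deny"


def nat_translates(aces: List[Ace], src: str, dst: str) -> bool:
    """'ip nat inside source list' translates a flow only when the list permits it."""
    return acl_action(aces, src, dst) == "permit"


# The question's original standard list (source only).
STANDARD_LIST_1 = "access-list 1 permit 192.168.0.0 0.0.0.255"

# The accepted answer's extended list: exempt VLAN1 -> VLAN2 first, then permit the rest.
NAT_LIST_1 = """\
ip access-list extended NAT-LIST-1
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
"""

VLAN1_WEB, VLAN2_WEB = "192.168.0.80", "192.168.1.2"   # hosts from the thread
INTERNET_HOST = "203.0.113.10"                         # constructed (TEST-NET-3)

if __name__ == "__main__":
    for name, text in (("access-list 1", STANDARD_LIST_1), ("NAT-LIST-1", NAT_LIST_1)):
        aces = parse_acl(text)
        for dst in (VLAN2_WEB, INTERNET_HOST):
            print(f"{name:13} {VLAN1_WEB} -> {dst:14} translate={nat_translates(aces, VLAN1_WEB, dst)}")
    # Entry order matters: with the permit first, the deny is never reached.
    print("reversed NAT-LIST-1 translates VLAN1->VLAN2:",
          nat_translates(list(reversed(parse_acl(NAT_LIST_1))), VLAN1_WEB, VLAN2_WEB))
```

Running the block prints the decision table. Two things it makes visible: the standard list permits the VLAN1-to-VLAN2 flow because it can only look at the source address, and the order of the extended entries matters, since putting the permit first means the deny is never reached. On the router itself, confirm the effect with `show access-lists` (per-entry hit counters) and `show ip nat translations` while a VLAN2 host connects to a VLAN1 server.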
Author Comment

by:valleytech
ID: 24233269
Just to confirm, I only need to change the access-list rule?
I haven't had the chance to try this yet; perhaps Sunday 04/25.
thanks!!
Expert Comment

by:Donboo
ID: 24233506
Yes. But you need to change the ACL to extended, as you need both source and destination to match and not just source.

Expert Comment

by:Donboo
ID: 24234065
Just to followup on my own post....

You need to change the ACL to extended and also change the matching list in the dynamic NAT, like in my example.
Author Comment

by:valleytech
ID: 24276118
I am about to try that now, and I assume my previous NAT, i.e. port forwarding, stays the same?
These IOS lines below should stay the same:
ip nat inside source static tcp 192.168.0.4 8080 interface FastEthernet0 8080
ip nat inside source static tcp 192.168.0.80 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.0.2 81 interface FastEthernet0 81
ip nat inside source static tcp 192.168.0.3 82 interface FastEthernet0 82
ip nat inside source static tcp 192.168.0.5 21 interface FastEthernet0 21
ip nat inside source static tcp 192.168.0.5 20 interface FastEthernet0 20
ip nat inside source static tcp 192.168.0.5 8081 interface FastEthernet0 8081
ip nat inside source static tcp 192.168.0.80 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.0.2 3389 interface FastEthernet0 3389
ip nat inside source static tcp 192.168.0.3 3390 interface FastEthernet0 3390
ip nat inside source static tcp 192.168.0.5 3391 interface FastEthernet0 3391
ip nat inside source static tcp 192.168.0.4 3392 interface FastEthernet0 3392
ip nat inside source static tcp 192.168.1.2 80 interface FastEthernet1 80
ip nat inside source static tcp 192.168.1.2 21 interface FastEthernet1 21
ip nat inside source static tcp 192.168.1.2 20 interface FastEthernet1 20
ip nat inside source static tcp 192.168.1.2 443 interface FastEthernet1 443
