Cisco can't route between VLANs on 1801 router

Hi all,

I'm having a bit of a very crazy issue here.

I have a PC that I added to VLAN 200 and a laptop that I added to VLAN 100. Now I can ping both ways, but I can't pass any other traffic, e.g. Remote Desktop stopped working and I can't connect to the PC through Remote Desktop. I can only ping.

Can you please look at my configuration and let me know what I'm doing wrong?

HomeRouter# show run
Building configuration...

Current configuration : 8374 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HomeRouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable password 7 055C13572815415909
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauth local
aaa authorization exec default local
aaa authorization network groupauth local
!
!
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
!
dot11 syslog
no ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
ip proxy-mobile enable
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.2.1
ip dhcp excluded-address 172.16.2.2
!
ip dhcp pool internal
   network 172.16.2.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4
   default-router 172.16.2.1
!
!
ip cef
ip domain name Homerouter
ip inspect name firewall cuseeme
ip inspect name firewall dns
ip inspect name firewall ftp
ip inspect name firewall h323
ip inspect name firewall https
ip inspect name firewall imap
ip inspect name firewall pop3
ip inspect name firewall netshow
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall sip
ip inspect name firewall esmtp
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tftp
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall vdolive
ip inspect name firewall skinny
ip inspect name firewall ssh
ip inspect name firewall icmp
ip inspect name firewall http
no ipv6 cef
!
multilink bundle-name authenticated
!
password encryption aes
!
!
username charbles privilege 15 password 7 0559575C731D1A5B4902
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group charbles
 key 6 VQNTbeAXXEZMdYDbhKWhOIhHdNRIUVL[HAAB
 dns 194.168.4.100 194.168.X.X
 wins 194.168.X.X
 pool mypool
 acl 108
 max-users 5
 netmask 255.255.255.0
!
crypto isakmp client configuration group test
!
!
crypto ipsec transform-set HouseVPNSET esp-aes esp-sha-hmac
!
crypto dynamic-map HouseVPNDynamicMap 10
 set security-association lifetime seconds 86400
 set transform-set HouseVPNSET
 reverse-route
!
!
crypto map HouseVPNMap client authentication list userauth
crypto map HouseVPNMap isakmp authorization list groupauth
crypto map HouseVPNMap client configuration address respond
crypto map HouseVPNMap 65535 ipsec-isakmp dynamic HouseVPNDynamicMap
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
class-map match-all AF41
 match  dscp af21
class-map match-all EF
 match  dscp ef
class-map match-all AF11
 match  dscp af11
class-map match-any SIlVER-DATA
 match protocol secure-ftp
 match protocol secure-telnet
 match protocol telnet
 match protocol ssh
 match protocol vdolive
 match protocol secure-pop3
 match protocol pcanywhere
 match protocol pop3
 match access-group name acl-data-silver
class-map match-any P2P
 match protocol bittorrent
 match protocol kazaa2
 match protocol edonkey
 match access-group name P2PDrop
 match protocol gnutella
 match protocol fasttrack
 match protocol novadigm
class-map match-any DATA-GOLD
 match protocol http
 match protocol secure-http
 match protocol ipsec
 match access-group name acl-data-gold
class-map match-any VOICE
 match protocol skype
 match protocol rtp
 match protocol rtcp
 match protocol skinny
 match protocol sip
 match protocol h323
 match access-group name acl-voice-rtp
 match access-group name acl-voice-control
 match protocol dns
class-map match-all violate-action
 match  dscp af13
!
!
policy-map LLQ
 class AF41
    police 5734000 8000 conform-action transmit  exceed-action set-dscp-transmit af11 violate-action drop
 class AF11
   police cir 1638000 bc 8000
     conform-action transmit
     exceed-action drop
     violate-action drop
 class EF
    priority 400
 class class-default
    fair-queue
policy-map MarkTraffic
 class DATA-GOLD
  set dscp af21
 class SIlVER-DATA
  set dscp af11
 class VOICE
  set dscp ef
 class P2P
   drop
 class class-default
!
!
!
!
interface Tunnel100
 ip address 10.0.33.1 255.255.255.0
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 description Outside
 ip address dhcp
 ip access-group inboundacl in
 ip nbar protocol-discovery
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 speed auto
 half-duplex
 crypto map HouseVPNMap
 service-policy output LLQ
!
interface FastEthernet1
 switchport access vlan 100
!
interface FastEthernet2
 switchport access vlan 100
!
interface FastEthernet3
 switchport access vlan 200
!
interface FastEthernet4
 switchport access vlan 100
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
 no ip address
 ip tcp adjust-mss 1452
 shutdown
!
interface Vlan100
 ip address 172.16.2.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache policy
 service-policy input MarkTraffic
!
interface Vlan200
 ip address 172.16.1.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache policy
 service-policy input MarkTraffic
!
ip local pool mypool 10.1.1.1 10.1.1.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 10.0.33.0 255.255.255.0 89.22.33.21
ip route 192.168.4.0 255.255.255.0 89.2.22.33
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat translation timeout 420
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 120
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat inside source route-map nat interface FastEthernet0 overload
!
ip access-list extended P2PDrop
 permit tcp any any range 1024 65535
ip access-list extended acl-data-bronze
ip access-list extended acl-data-gold
 permit tcp any any eq 4500
 permit esp any any
 permit udp any any eq isakmp
ip access-list extended acl-data-silver
 permit tcp any any eq ftp
 permit tcp any any eq 26667
 permit tcp any any eq 3128
 permit tcp any any eq 3133
 permit tcp any range 6881 6889 any
 permit udp any range 6881 6889 any
 permit tcp any any range 6881 6889
 permit udp any any range 6881 6889
ip access-list extended acl-voice-control
 permit tcp any any range 2000 2002
ip access-list extended acl-voice-rtp
 permit udp any any range 16384 32767
 permit ip any any precedence critical
 permit udp any any eq 5060
 permit udp any any eq non500-isakmp
ip access-list extended blockbit
 deny   tcp any any eq 34166
 deny   udp any any eq 34166
 permit ip any any
ip access-list extended inboundacl
 permit udp any eq bootps any eq bootpc
 permit esp any host 81.X.X.X
 permit udp any host 81.X.X.X eq isakmp
 permit udp any host 81.X.X.X eq non500-isakmp
 permit icmp any host 81.X.X.X echo-reply
 permit icmp any host 81.X.X.X time-exceeded
 permit icmp any host 81.X.X.X unreachable
 permit tcp any host 81.X.X.X eq 22
 deny   ip 172.0.0.0 0.31.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any
ip access-list extended test11
 permit ip any any dscp af21
!
access-list 108 remark ****** Split Tunnel Encrypted Traffic ******
access-list 108 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 172.16.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 deny   ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 deny   ip 172.16.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 deny   ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 110 deny   ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 any
access-list 110 permit ip 172.16.2.0 0.0.0.255 any
no cdp run

!
!
!
!
route-map test permit 5
 match ip address test11
 set ip next-hop 172.16.1.100
!
route-map nat permit 10
 match ip address 110
!
!
!
control-plane
!
!
line con 0
line aux 0
 exec-timeout 0 0
line vty 0 4
 transport input telnet ssh
 transport output none
!
end

HomeRouter#

Vito_Corleone commented:
Hmm, please post "sh ip route" "sh ip int b" and "sh vlan" or "sh vlan-switch".
memo_tnt commented:
hi

Try pinging from one PC to the other with a large packet size:

ping -t -l 18000 pc2.IP

What do you get now?
greekstones (Author) commented:
yes that works


C:\Documents and Settings\mihal.caro>ping -t -l 18000 172.16.1.100

Pinging 172.16.1.100 with 18000 bytes of data:

Reply from 172.16.1.100: bytes=18000 time=8ms TTL=126
Reply from 172.16.1.100: bytes=18000 time=8ms TTL=126
Reply from 172.16.1.100: bytes=18000 time=8ms TTL=126
Reply from 172.16.1.100: bytes=18000 time=8ms TTL=126
Reply from 172.16.1.100: bytes=18000 time=8ms TTL=126
Reply from 172.16.1.100: bytes=18000 time=8ms TTL=126
Reply from 172.16.1.100: bytes=18000 time=8ms TTL=126
Reply from 172.16.1.100: bytes=18000 time=8ms TTL=126
Reply from 172.16.1.100: bytes=18000 time=8ms TTL=126
Reply from 172.16.1.100: bytes=18000 time=8ms TTL=126
Reply from 172.16.1.100: bytes=18000 time=8ms TTL=126
Reply from 172.16.1.100: bytes=18000 time=8ms TTL=126
greekstones (Author) commented:

Hi Vito_Corleone

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa5, Fa6, Fa7, Fa8
100  100                              active    Fa1, Fa2, Fa4
200  200                              active    Fa3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
100  enet  100100     1500  -      -      -        -    -        0      0
200  enet  100200     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
Vito_Corleone commented:
Can you try telnetting to the PC that had RDP working?

telnet <RDP PC IP> 3389

See if any connection is made.
memo_tnt commented:
Create a shared folder on one PC and try to browse that folder from the other side...

Also, move some files to it... What results do you get?

greekstones (Author) commented:
Nope, no luck.

Telnet is not working.

File sharing is not working.

I can Remote Desktop to my other PC on the same subnet, 172.16.2.101, but not to 172.16.1.100 from 172.16.2.6.


Vito_Corleone commented:
Can you try removing those service policies from the VLAN interfaces and see if that changes anything?
Vito_Corleone commented:
interface Vlan100
 no service-policy input MarkTraffic
!
interface Vlan200
 no service-policy input MarkTraffic

Just to test.
greekstones (Author) commented:
Yes, that is the problem.

I removed the marking and it worked.

Well done, thanks!

greekstones (Author) commented:
For your information:

the issue was with class P2P; I was blocking it through the access list.

Great, thanks Vito_Corleone.
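To make the diagnosis the thread arrived at concrete, here is an added example (not part of the original posts or of the Cisco configuration): a small Python model of the router's MarkTraffic policy, built from the access lists in the posted configuration. It shows why ICMP crossed between the VLANs while effectively every TCP session failed: `P2PDrop` permits any TCP packet whose destination port is 1024-65535, so both the SYN to RDP (3389) and the SYN-ACK of any session (whose destination is the client's ephemeral port) land in class P2P and are dropped. The `Packet` class, the helper functions and the ephemeral ports 49200/49201 are constructed for the example; the NBAR `match protocol` lines are omitted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src_port: int = 0   # 0 when the protocol has no ports
    dst_port: int = 0

# ACL-based matches transcribed from the posted config. NBAR 'match protocol'
# lines, 'permit esp' and the 'precedence critical' line are omitted
# (assumption: none of them fires for the flows tested here).
def acl_data_gold(p):    # tcp eq 4500, udp eq isakmp
    return (p.proto == "tcp" and p.dst_port == 4500) or (p.proto == "udp" and p.dst_port == 500)

def acl_data_silver(p):  # tcp ftp/26667/3128/3133, tcp+udp 6881-6889 on either side
    return (p.proto == "tcp" and p.dst_port in (21, 26667, 3128, 3133)) or (
        p.proto in ("tcp", "udp") and (6881 <= p.src_port <= 6889 or 6881 <= p.dst_port <= 6889))

def acl_voice(p):        # acl-voice-rtp plus acl-voice-control
    return (p.proto == "udp" and (16384 <= p.dst_port <= 32767 or p.dst_port in (5060, 4500))) or (
        p.proto == "tcp" and 2000 <= p.dst_port <= 2002)

def acl_p2pdrop(p):      # permit tcp any any range 1024 65535 -> matches the DESTINATION port
    return p.proto == "tcp" and 1024 <= p.dst_port <= 65535

# policy-map MarkTraffic: classes in configured order, first match wins.
POLICY = [
    ("DATA-GOLD", acl_data_gold, "set dscp af21"),
    ("SIlVER-DATA", acl_data_silver, "set dscp af11"),
    ("VOICE", acl_voice, "set dscp ef"),
    ("P2P", acl_p2pdrop, "drop"),
]

def classify(p, policy=POLICY):
    """Return (class, action) for a packet entering Vlan100 or Vlan200."""
    for name, match, action in policy:
        if match(p):
            return name, action
    return "class-default", "forward"

def tcp_session_survives(client_port, server_port, policy=POLICY):
    """A TCP session needs the client's SYN and the server's SYN-ACK to pass."""
    syn, syn_ack = Packet("tcp", client_port, server_port), Packet("tcp", server_port, client_port)
    return classify(syn, policy)[1] != "drop" and classify(syn_ack, policy)[1] != "drop"

if __name__ == "__main__":
    print(classify(Packet("icmp")))                        # ping: ('class-default', 'forward')
    print(classify(Packet("tcp", 49200, 3389)))            # RDP SYN to 3389: ('P2P', 'drop')
    print(tcp_session_survives(49201, 445))                # SMB: False, the SYN-ACK is dropped
    print(tcp_session_survives(49201, 445, POLICY[:-1]))   # without class P2P: True
```

Passing `POLICY[:-1]` models the fix the thread applied (removing the P2P class from the marking policy): with the class gone, the same flows fall into class-default and are forwarded.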
