williaj2 asked:

Cisco 1811 with 2 vlans, 1 vlan cannot access wan

Have Cisco 1811 router with 2 vlans
vlan10 yourcompanynamehere
vlan20 guest

Vlan10 works with no problems
vlan20 can ping the wan (f0) address but not the wan gateway.

any ideas? oh wise ones!!

Since it's so late I'm maxing the points. I hear a bed calling ZZZZZZZZZZZZZZZZZZZ

version 12.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname MY1811
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical

clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip cef
ip dhcp excluded-address 192.168.0.11 192.168.0.254
ip dhcp excluded-address X.X.X.150 X.X.X.254
!
ip dhcp pool younamehere
   import all
   network X.X.X.0 255.255.255.0
   dns-server 4.2.2.1 4.2.2.2
   default-router X.X.X.253
!
ip dhcp pool Guest
   import all
   network 192.168.0.0 255.255.255.0
   dns-server 4.2.2.1 4.2.2.2
   default-router 192.168.0.254
   lease 0 4
!
!
ip tcp synwait-time 10
ip name-server 4.2.2.1
ip name-server 4.2.2.2
!
!
!
!
class-map match-any RESTRICTED
description Guest Vlan bandwidth control
 match access-group 101
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group VPNClient
 key yea right, like i leave the real key here.
 dns 4.2.2.1 4.2.2.2
 pool SDM_POOL_1
 acl 100
 include-local-lan
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0
 description $ETH-LAN$
 ip address X.X.X.26 X.X.X.X
 ip mask-reply
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 full-duplex
 no cdp enable
 crypto map SDM_CMAP_1
!
interface FastEthernet3
 switchport access vlan 10
 no ip address
!
interface FastEthernet9
 switchport access vlan 20
 no ip address
 random-detect
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 shutdown
!
interface Vlan10
 ip address X.X.X.253 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan20
 description Guest
 ip address 192.168.0.254 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
!
ip local pool SDM_POOL_1 192.168.15.1 192.168.15.15
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X25
ip route X.X.X.X 255.255.255.0 X.X.X.238
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp X.X.X.221 59002 interface FastEthernet0 59002
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
logging trap debugging
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 192.0.0.0 0.255.255.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit tcp any host X.X.X.221 eq 59002
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=2
access-list 102 deny   ip 10.0.0.0 0.255.255.255 host 192.168.15.1
access-list 102 deny   ip 10.0.0.0 0.255.255.255 host 192.168.15.2
access-list 102 deny   ip 10.0.0.0 0.255.255.255 host 192.168.15.3
access-list 102 deny   ip 10.0.0.0 0.255.255.255 host 192.168.15.4
access-list 102 deny   ip 10.0.0.0 0.255.255.255 host 192.168.15.5
access-list 102 deny   ip 10.0.0.0 0.255.255.255 host 192.168.15.6
access-list 102 deny   ip 10.0.0.0 0.255.255.255 host 192.168.15.7
access-list 102 deny   ip 10.0.0.0 0.255.255.255 host 192.168.15.8
access-list 102 deny   ip 10.0.0.0 0.255.255.255 host 192.168.15.9
access-list 102 deny   ip 10.0.0.0 0.255.255.255 host 192.168.15.10
access-list 102 deny   ip 10.0.0.0 0.255.255.255 host 192.168.15.11
access-list 102 deny   ip 10.0.0.0 0.255.255.255 host 192.168.15.12
access-list 102 deny   ip 10.0.0.0 0.255.255.255 host 192.168.15.13
access-list 102 deny   ip 10.0.0.0 0.255.255.255 host 192.168.15.14
access-list 102 deny   ip 10.0.0.0 0.255.255.255 host 192.168.15.15
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
!
!
control-plane
!

Last comment: williaj2, 8/22/2022 - Mon
ShaulMarcus

What is the network address of vlan 20? 192.168.0.x or 192.168.15.x?
ASKER
williaj2

192.168.0.0 is the guest vlan

192.168.15.0 is the vpn
ASKER
williaj2

with a 10.X.X.X as vlan 10
ASKER CERTIFIED SOLUTION
Jimmy Larsson, CISSP, CEH

ASKER
williaj2

YAWN!!!! ZZZZZZZZZZ!!!! Everybody must be asleep?!?
Istvan Kalmar

You need to add the following, as Kvistofta mentioned:

ip access-list extended 102
 permit ip 192.168.0.0 0.255.255.255 any
Istvan Kalmar

You need to add the following, as Kvistofta mentioned:

ip access-list extended 102
 5 permit ip 192.168.0.0 0.255.255.255 any
Jimmy Larsson, CISSP, CEH

ikalmar: You keep repeating what I already recommended. I see this as a recurring approach from you.

/Kvistofta
Istvan Kalmar

Kvistofta: yep, I've missed that the last line is permit not deny.... :)
Istvan Kalmar

but permit ip 192.168.0.0 0.0.0.255 any is enough
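
Added example (not written by any poster in this thread): a Python check of why the guest VLAN was never translated. The posted NAT rule uses route-map SDM_RMAP_1, which matches ACL 102, and ACL 102 only permits 10.0.0.0/8 sources. The function names and the destination 203.0.113.10 are constructed for illustration.

```python
import ipaddress

# ACL 102 as posted in the question (route-map SDM_RMAP_1 matches it for NAT);
# the fifteen per-host VPN-pool denies are abbreviated to the first one here.
ACL_102 = """\
access-list 102 deny   ip 10.0.0.0 0.255.255.255 host 192.168.15.1
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _spec(tokens):
    """Consume one address spec; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' entries; remarks are skipped."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        while tok and tok[0] not in ("permit", "deny"):
            tok = tok[1:]  # drop 'access-list 102' or a sequence number
        if len(tok) < 3 or tok[1] != "ip":
            continue
        src, rest = _spec(tok[2:])
        dst, _ = _spec(rest)
        rules.append((tok[0], src, dst))
    return rules

def _match(addr, spec):
    base, wild = spec
    return (_ip(addr) | wild) == (base | wild)  # wildcard bit set = don't care

def nat_eligible(rules, src, dst="203.0.113.10"):
    """First matching entry wins; no match falls to the implicit deny (no NAT)."""
    for action, s, d in rules:
        if _match(src, s) and _match(dst, d):
            return action == "permit"
    return False

if __name__ == "__main__":
    fixed = ACL_102 + " permit ip 192.168.0.0 0.0.0.255 any\n"
    for name, text in (("as posted", ACL_102), ("with /24 permit", fixed)):
        print(name, nat_eligible(parse_acl(text), "192.168.0.50"))
```

The 0.255.255.255 wildcard from the first suggestion also matches any 192.x.x.x source, which is why the 0.0.0.255 entry is the tighter one.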
ASKER
williaj2

YOU THE MAN.

Must be late for me to miss that one.  

Now I can catch some ZZZZZZ!!!!


Thanks!!!
ASKER
williaj2

The Best!!!!!