Second Cisco Router Behind Cisco Router

I currently have a primary Cisco router which works perfectly. What I want to do is add a second DMZ range and internal network for another division of the company (separate). What I've done is a basic router setup, all very simple stuff, for the second. Now, when I plug a switchport on the router into the primary data switch, I can't reach that subnet; however, on my primary, doing the same, I can. Really, there should be a difference here: new VLAN on a new port plugged into the switch; I'd think the switch, acting in a dummy mode, would pick it up.

The second issue is that the router seems to pass all traffic off to the routable external IP, vs. sending it via the VLAN that's plugged into the port. Any help would be awesome.

version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec

!
hostname router2
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
!
!
!
!
crypto pki trustpoint TP-self-signed-54008793
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-54008793
 revocation-check none
 rsakeypair TP-self-signed-54008793
!
!
crypto pki certificate chain TP-self-signed-54008793
 certificate self-signed 01
  3082023B 308201A4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 35343030 38373933 301E170D 31313034 31313136 35353337
  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D353430 30383739
  3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 81008B67
  F7C799CE 9EB15368 DA3E493C 013B659F C36022B4 082D83AA 738979DC 203C3967
  BEA2FB35 428360F9 83658B03 61F40FCA 5F80FA89 7D9480C1 E843EEA1 9996194C
  95383EA5 111E2F2C D8640311 F724A507 7229B80F B7CB454B FF32B958 663E6671
  C098C8CC C1C4CE24 626F7243 A63C2C89 1D7ADD11 A266FA80 DFD21874 BD4B0203
  010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603 551D1104
  0B300982 07536869 66744851 301F0603 551D2304 18301680 144FBDA7 F849BD7E
  A6FF1B79 F7A227CC 660E5D03 20301D06 03551D0E 04160414 4FBDA7F8 49BD7EA6
  FF1B79F7 A227CC66 0E5D0320 300D0609 2A864886 F70D0101 04050003 81810069
  8163D685 040771AD B63DCCE8 F3BF8187 B6D66EFE AEABBCA1 D837EA76 58280AAF
  0D1BF2CC 63616E3A 83578BD8 D417AE0F 5FC63084 7D36EABE 89B7C576 A1BA67D1
  B0CA851B 06F4CF08 598C3BAE F27EBEBD 464EADD5 704D4695 E5F9FEDD ED2CEF1D
  B01C6F8A 2C19B389 80C8DC5A 3E7A062E 0771AC07 CA6FC0F3 4548DA43 90238A
        quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 ip address 161.162.1.2 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 switchport access vlan 2
 !
!
interface FastEthernet4
 !
!
interface FastEthernet5
 !
!
interface FastEthernet6
 !
!
interface FastEthernet7
 !
!
interface FastEthernet8
 switchport access vlan 2
 !
!
interface FastEthernet9
 switchport access vlan 2
 !
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan2
 ip address 161.161.161.2 255.255.255.224
 !
!
interface Async1
 no ip address
 encapsulation slip
 !
!
!
router eigrp 1
 network 10.10.10.0 0.0.0.255
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source static network 10.10.10.0 161.162.1.1 /32
ip route 0.0.0.0 0.0.0.0 161.162.1.2
!
ip access-list extended InOutNat
 permit ip any any
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.31.30.0 0.0.0.255
!
!
!
!
route-map RMap1 permit 1
 match ip address InOutNat
!
!
!
control-plane
 !
!
!
line con 0
 exec-timeout 5 0
 logging synchronous
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 exec-timeout 5 0
 login
 transport input telnet ssh
 transport output telnet ssh
!
end
TestMonkey asked:
John Meggers (Network Architect) commented:
Really not sure I understand your questions, but if you really want to keep the DMZ separate for the other division, you really need either a firewall (dedicated hardware or zone-based firewall) or you need to get very creative with access-control lists. Depending on the model of router you're using, you may be able to add zone-based firewall functionality to it.  I'm really not sure what benefit I see from adding a second router, unless you're simply short on interfaces on the primary.  But it sounds like you have a switchport module in the router that provides you enough interfaces and allows you to control how many are in each VLAN.

Really not sure I understand your reachability problem, maybe you can explain it a little better.  If you connect two switchport interfaces that are in the same VLAN, and the interface VLAN IP addresses are in the same subnet, then you should have connectivity between the devices.  I would suggest if you need to connect two routers together to use the dedicated ports, not the switch ports.
TestMonkey (Author) commented:
It works; it's just that when I enable NAT on the second router, all pings and attempts to reach servers on the new LAN behind the second router stop working.
John Meggers (Network Architect) commented:
Sounds like you're not exchanging routes and the router doesn't know where to send return traffic.  If you NAT the traffic, then the second router sees that traffic as sourced from a directly connected interface.  But unless you advertise routes from the first router, the second router doesn't know where the source subnet is located.  What routing protocols are you running, or are you using static routes?
TestMonkey (Author) commented:
OK, let's skip the DMZ.

Why is it I can't reach the IPs once I set the NAT for the VLAN?
TestMonkey (Author) commented:
It's supposed to be EIGRP, but I'm guessing, where the primary VLAN on both routers is VLAN 1, there might be a conflict, though the logs don't seem to mention it.

I have one switching port plugged into a switchport on the primary router and one plugged into the switch (to troubleshoot).

I notice all traffic goes through the primary interface, so it's kinda confusing.
John Meggers (Network Architect) commented:
Can you post both configs and tell us which interfaces are connected?
TestMonkey (Author) commented:
The primary is fine; EIGRP works with 17 routers over tunnels etc., so I'm happy with it. On the port attached I tried no switchport, set an IP, nada, so I'm a bit at a loss.
John Meggers (Network Architect) commented:
Which physical ports are connected?
TestMonkey (Author) commented:
What I've done this AM was move from VLAN 1 to FastEthernet1 and directly assign an IP to that interface. FastEthernet0 and FastEthernet3 are plugged into the switching ports on the router, while FastEthernet1 is plugged into the data switch; for some reason, though, the data switch doesn't seem to be doing anything with it.
diepes commented:
Can you ping the one router from the other?
Can you ping the IPs on the switch that you assigned to the interfaces FastEthernet0 and 3?

I think we need a quick drawing.

2 routers + 3 switches?

I would suggest that you start without NAT, and only use NAT for your exit to the internet.
The security between subnets could be achieved by simple ACL filtering not allowing any traffic.

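The two pieces of advice above, John Meggers's point that the routers have to exchange routes so the primary knows where 10.10.10.0/24 lives, and diepes's suggestion to drop NAT between the routers, keep NAT only for the internet exit and separate the divisions with ACLs, combined into one worked configuration. This is an added example, not the config posted in this thread or anything from the participants. It assumes: the inter-router link is 10.10.11.0/24 with router2 on .1 (as the author describes) and the 2821 on .2; the 2821's link port is a port on its switch module placed in VLAN 10 with an SVI (FastEthernet1/0 and Vlan10 are assumed names); both routers run EIGRP AS 1; router2's ISP gateway is 161.162.1.1; and the primary division's internal networks are all RFC 1918 addresses. Interface names on router2 follow the posted 1811 config.

```cisco
! ===== router2 (Cisco 1811) =====
! Assumption: FastEthernet1 is the routed link to the 2821, FastEthernet0 is the ISP uplink.
! The inter-router link carries untranslated traffic: it is neither "ip nat inside" nor "ip nat outside".
! Source-routed packets could steer around the destination-based ACLs below, so disable them.
no ip source-route
!
interface FastEthernet0
 description ISP uplink
 ip address 161.162.1.2 255.255.255.128
 ip nat outside
!
interface FastEthernet1
 description link to 2821 switch module (VLAN 10)
 ip address 10.10.11.1 255.255.255.0
 ip access-group FROM-PRIMARY in
!
interface Vlan1
 description second division LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip access-group DIVISION-ISOLATE in
!
! Exchange routes instead of hiding 10.10.10.0/24 behind NAT: the 2821 learns
! 10.10.10.0/24 over the link and router2 learns the primary's networks.
! No EIGRP neighbours are wanted on the user VLAN, so it is passive.
router eigrp 1
 network 10.10.10.0 0.0.0.255
 network 10.10.11.0 0.0.0.255
 passive-interface Vlan1
!
! Default route toward the assumed ISP gateway, not toward this router's own FastEthernet0 address.
ip route 0.0.0.0 0.0.0.0 161.162.1.1
!
! NAT only for the internet exit: PAT behind FastEthernet0's address.
! RFC 1918 destinations are excluded explicitly so that a later "ip nat outside"
! on some other interface cannot silently start translating inter-division traffic.
ip access-list extended NAT-INTERNET
 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list NAT-INTERNET interface FastEthernet0 overload
!
! Separation between the divisions is done with ACLs, not NAT.
! Hosts in 10.10.10.0/24 keep their own gateway (pings and SSH to 10.10.10.1 would otherwise
! match the 10/8 deny, because an inbound ACL also filters traffic to the router itself),
! lose every RFC 1918 destination, and keep the internet.
ip access-list extended DIVISION-ISOLATE
 permit ip 10.10.10.0 0.0.0.255 host 10.10.10.1
 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.10.10.0 0.0.0.255 any
!
! Reverse direction: nothing arriving from the primary side may reach 10.10.10.0/24.
! EIGRP traffic (multicast 224.0.0.10 or unicast to 10.10.11.1) does not match the deny.
ip access-list extended FROM-PRIMARY
 deny   ip any 10.10.10.0 0.0.0.255
 permit ip any any
!
! ===== router1 (Cisco 2821), additions only =====
! Assumption: the link port is the first port of the 16-port switch module.
interface FastEthernet1/0
 description link to router2 FastEthernet1
 switchport access vlan 10
!
interface Vlan10
 description link to router2
 ip address 10.10.11.2 255.255.255.0
!
router eigrp 1
 network 10.10.11.0 0.0.0.255
```

After applying this, `show ip eigrp neighbors` on either router should list the other over the 10.10.11.0/24 link, `show ip route 10.10.10.0` on the 2821 should show an EIGRP route via 10.10.11.1, and `show ip nat translations` on router2 should only ever contain entries whose outside address is 161.162.1.2. Two things visible in the posted 1811 config are worth checking independently of this example: its default route (`ip route 0.0.0.0 0.0.0.0 161.162.1.2`) points at FastEthernet0's own address rather than a next hop, and the vty lines accept telnet as well as SSH, so management credentials for the second division's router cross the wire in the clear unless `transport input ssh` is set.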
TestMonkey (Author) commented:
Two routers, one switch.

One router is a Cisco 2821 with a 16-port switching module and one is an 1811 with a built-in switching module.

I've changed it up so that FA0 is the outside, FA1 is internal 10.10.11.1 and FA2 is part of a VLAN 10.10.10.1.

If I plug FA1 into a port on the switching module and set an IP on that port of the module, I can ping it. I set an IP route for the 10.10.10.1 and point it to 10.10.10.11.1 and it works, but the second I introduce NAT I can't seem to get it to work.

The second issue is why I can't trunk from the router to a data switch which is acting in dummy mode.