Sharing Internet Connection Across Vlans

Discussion in 'Cisco' started by felixherve@gmail.com, Oct 8, 2008.

  1. Guest

    Hello,

    I'm trying to set up multiple vlans at work and I'm fairly new to IOS.
    I've managed to create the different vlans and my DHCP server is
    handling the addresses just fine. I can access the network from all of
    them, but no internet connection.

    The setup is as follows:

    Internet
    (A series of tubes)
    |
    Modem
    (T3 line)
    |
    PIX
    (Cisco 2600)
    |
    Router
    (Cisco 1800)
    |
    Switches...
    (Cisco 2560)
    (Cisco 3560)
    (Cisco 3560G)
    ... 6 in total <--- My test machine is plugged in here
    somewhere...
    (Cisco 3560G)

    The router is set up with virtual interfaces, so I have:

    interface FastEthernet0/1.1
     description " connect to local lan "
     encapsulation dot1Q 1 native
     ip address 10.40.2.253 255.255.255.0
     ip helper-address 10.40.2.1
    !
    interface FastEthernet0/1.3
     description "IT"
     encapsulation dot1Q 3
     ip address 10.40.3.253 255.255.255.0
     ip helper-address 10.40.2.1

    and so on, with VLANs set up on interfaces FaEth0/1.3~16
    (VLANs 14 to 16 are being used by VoIP, which works just fine).

    All the VLANs are in the same EIGRP process:

    router eigrp 100
     network 10.40.2.0 0.0.0.255
     network 10.40.3.0 0.0.0.255
     network 10.40.4.0 0.0.0.255
     etc...

    and my default route is set up with:

    ip route 0.0.0.0 0.0.0.0 10.40.2.254



    The router IPs are:
    10.40.X.253, where X is the number of the VLAN

    The PIX is at:
    10.40.2.254

    The DHCP server is:
    10.40.2.1


    My test machine is plugged into a switch with the following on the
    interface:

    !
    interface FastEthernet0/18
     switchport access vlan 3
     switchport voice vlan 14
     no cdp enable
    end

    and gets the ip:
    10.40.3.1

    it can ping
    10.40.2.253 (router interface 0/1.1)
    and anywhere inside of the network, as far as I can tell.

    but it times out on:
    10.40.2.254 (pix)


    I'm guessing I'm missing something on the router that'll have all
    vlans go through FaEth0/1.1 for internet connection or I have to setup
    the PIX to allow traffic from 10.40.3.0, 10.40.4.0, etc... or maybe
    I'm completely off and barking up the wrong tree.

    As you can tell, I'm a bit confused at this point, I hope my
    explanations aren't too messed up as a result. I'm probably missing
    something fairly simple due to my lack of understanding in network
    engineering. If anyone can help me better understand what it is I'm
    getting wrong, I'd greatly appreciate it.
     
    , Oct 8, 2008
    #1

  2. Trendkill Guest


    Do you have a route on the pix pointing back to the router interface
    for the networks that are behind the router? Else how does it know
    where to send traffic destined for those networks? Is your NAT setup
    properly?
     
    Trendkill, Oct 8, 2008
    #2

  3. Guest

    On Oct 8, 12:35 pm, Trendkill wrote:
    > Do you have a route on the pix pointing back to the router interface
    > for the networks that are behind the router?  Else how does it know
    > where to send traffic destined for those networks?  Is your NAT setup
    > properly?


    Should the PIX point back to all of the different virtual interfaces
    (10.40.3.253, 10.40.4.253, 10.40.5.253, etc.)?

    To be honest with you, I haven't touched the PIX at all. The situation
    is that someone from Chicago is supposed to take care of the switches
    and routers (we're in Montreal), but we decided to step in because we
    don't like having hardware in our server room we can't troubleshoot
    ourselves. Plus, with all the corporate paperwork, the work wasn't
    getting done quickly enough for our liking. As a result, my knowledge
    of IOS is limited to James Boney's "IOS in a Nutshell" published by
    O'Reilly and reading up on various forums. I don't have any
    engineering training.

    I'd rather not play too much on the PIX for now, out of fear of
    screwing something up during work hours, but I will probably come in
    on Sunday to check it out. If I have to setup routing back and forth
    between my pix and router-on-a-stick interfaces, how exactly would I
    do that? Also, if you could give a bit of vulgarization on why I have
    to do those things, that'd be greatly appreciated as I don't like the
    idea of having things that work without knowing why exactly, even if
    that would be an improvement...

    Thanks a lot in advance.
     
    , Oct 9, 2008
    #3
  4. Trendkill Guest

    On Oct 9, 8:33 am, wrote:
    > Should the PIX point back to all of the different virtual interfaces
    > (10.40.3.253, 10.40.4.253, 10.40.5.253, etc.)?

    It's very tough for us to diagnose your exact situation without
    diagrams and configs, but in essence, you can't just turn up new non-
    public subnets (10.x, 192.168.x) behind your router and not do
    anything to the pix if you desire to have those get to the internet.
    If you are running a routing protocol between the pix and the router,
    then as long as the new subnets are placed in that protocol so that
    the pix knows how to get to those subnets, then you would be fine.

    If however you are using statics between the router and the pix, and
    you turn up a new subnet behind the router, then the traffic from the
    new subnet will go into the router, out to the pix, and out to the
    internet (presuming you have NAT setup to reflect the new subnets).
    But when the traffic comes back, the pix will not know where to send
    the traffic internally to route back to the subnet. Of course all of
    this is off the table if you are running NAT on the router and not the
    pix, but you would have to provide that information.
     
    Trendkill, Oct 14, 2008
    #4
  5. Guest


    I've managed to get the access set up simply by adding the following
    routes:

    name 10.40.3.0 VLAN3
    route inside VLAN3 255.255.255.0 10.40.2.253 1

    and so on for every VLAN,

    where 10.40.2.253 is the address of the interface handling the default
    VLAN on the router.
    I think I might have deleted the original message by accident...
    sorry.

    Thanks for your help.
     
    , Oct 14, 2008
    #5
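    The reason those per-VLAN statics fix both the internet access and the
    earlier ping timeout to 10.40.2.254 is the return-path problem Trendkill
    describes in #4: the router knows every VLAN, but the PIX only knows
    10.40.2.0/24 and its default route. The following is an added example,
    not configuration from this thread: a small longest-prefix-match model
    of the two forwarding tables using the thread's addressing. The outside
    next hop 203.0.113.1 and the destination 198.51.100.7 are assumed
    placeholders from the documentation ranges, and the model covers routing
    only; the PIX's NAT and access lists also have to cover the new subnets
    before they reach the internet, which the model does not check.

```python
"""Longest-prefix-match model of the thread's topology: a router-on-a-stick
with one subinterface per VLAN and a PIX at 10.40.2.254 as its default gateway.
Added example, not configuration from the post: it models routing only (no NAT,
no access lists) and uses assumed placeholder addresses outside the LAN."""
import ipaddress

# Addressing from the thread: VLAN X is 10.40.X.0/24, router at .253 in each.
VLANS = range(3, 17)                   # subinterfaces Fa0/1.3 .. Fa0/1.16
ROUTER_VLAN1_IP = "10.40.2.253"        # router's address on the native VLAN
PIX_INSIDE_IP = "10.40.2.254"          # router's default gateway
ISP_NEXT_HOP = "203.0.113.1"           # assumed outside next hop (RFC 5737 range)


def _net(cidr):
    return ipaddress.ip_network(cidr)


def router_fib():
    """Router FIB: one connected route per subinterface plus the post's
    'ip route 0.0.0.0 0.0.0.0 10.40.2.254'.  Entries are (prefix, next_hop, iface)."""
    fib = [(_net("10.40.2.0/24"), "connected", "Fa0/1.1")]
    fib += [(_net(f"10.40.{v}.0/24"), "connected", f"Fa0/1.{v}") for v in VLANS]
    fib.append((_net("0.0.0.0/0"), PIX_INSIDE_IP, "Fa0/1.1"))
    return fib


def pix_fib(with_vlan_statics):
    """PIX FIB: connected inside network, default route out, and optionally the
    per-VLAN statics from post #5 pointing back at the router."""
    fib = [(_net("10.40.2.0/24"), "connected", "inside"),
           (_net("0.0.0.0/0"), ISP_NEXT_HOP, "outside")]
    if with_vlan_statics:
        fib += [(_net(f"10.40.{v}.0/24"), ROUTER_VLAN1_IP, "inside") for v in VLANS]
    return fib


def lookup(fib, dst):
    """Longest-prefix match.  Returns (next_hop, iface); the default route
    guarantees there is always a match."""
    dst = ipaddress.ip_address(dst)
    prefix, next_hop, iface = max((e for e in fib if dst in e[0]),
                                  key=lambda e: e[0].prefixlen)
    return next_hop, iface


def pix_route_lines():
    """The PIX lines from post #5, generated for every routed VLAN."""
    lines = []
    for v in VLANS:
        lines.append(f"name 10.40.{v}.0 VLAN{v}")
        lines.append(f"route inside VLAN{v} 255.255.255.0 {ROUTER_VLAN1_IP} 1")
    return lines


def trace(client_ip, dst_ip, with_vlan_statics):
    """Forward path for client -> dst and the PIX's decision for the reply.
    A transit packet is not sent back out the interface it arrived on, so a
    reply arriving on 'outside' whose best route also points to 'outside' is
    dropped; a reply the PIX itself generates (the ping to 10.40.2.254) is sent
    toward the ISP instead and never reaches the VLAN either."""
    router_hop = lookup(router_fib(), dst_ip)
    pix = pix_fib(with_vlan_statics)
    pix_out = lookup(pix, dst_ip)
    pix_back = lookup(pix, client_ip)
    return {"router": router_hop, "pix_out": pix_out, "pix_return": pix_back,
            "reply_delivered": pix_back[1] == "inside"}


if __name__ == "__main__":
    for statics in (False, True):
        t = trace("10.40.3.1", "198.51.100.7", statics)   # assumed internet host
        print(f"statics={statics}: router->{t['router']}, PIX out->{t['pix_out']}, "
              f"PIX reply->{t['pix_return']}, delivered={t['reply_delivered']}")
    print("\n".join(pix_route_lines()))
```

    Run it and the trace for 10.40.3.1 shows the PIX choosing "outside" for
    the reply when the statics are absent, which is why VLAN 3 could reach
    the router but not the PIX or anything beyond it, while a host on
    10.40.2.0/24 never had the problem. With the statics the reply is handed
    to 10.40.2.253 on "inside". This is the static-route option; the
    alternative Trendkill mentions is running a routing protocol between the
    PIX and the router so that new subnets are learned without touching the
    firewall each time.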
  6. Trendkill Guest


    No problem, I was out of town for a few days on business, so sorry for
    the slow reply. Sounds like you figured it all out, glad to hear you
    are up and running.
     
    Trendkill, Oct 14, 2008
    #6
