Cisco 877 Router - VLAN/DMZ Configuration/Problem

Dear Group,

I am trying to set up a Cisco 877 with an additional VLAN. This is to
provide wireless clients access out on the internet using the same
link as the corporate network but segregated from the local LAN. On a
Cisco 877 I believe that the DMZ has to be configured via use of VLANs
rather than on other models.

I have created an additional VLAN on the router with an ID of 2 using
the vlan database and this is defined as follows:

cisco877ftc(vlan)#show
VLAN ISL Id: 1
Name: default
Media Type: Ethernet
VLAN 802.10 Id: 100001
State: Operational
MTU: 1500
Translational Bridged VLAN: 1002
Translational Bridged VLAN: 1003

VLAN ISL Id: 2
Name: VLAN0002
Media Type: Ethernet
VLAN 802.10 Id: 100002
State: Operational
MTU: 1500

VLAN ISL Id: 1002
Name: fddi-default
Media Type: FDDI
VLAN 802.10 Id: 101002
State: Operational
MTU: 1500
Bridge Type: SRB
Translational Bridged VLAN: 1
Translational Bridged VLAN: 1003

VLAN ISL Id: 1003
Name: token-ring-default
Media Type: Token Ring
VLAN 802.10 Id: 101003
State: Operational
MTU: 1500
Bridge Type: SRB
Ring Number: 0
Bridge Number: 1
Parent VLAN: 1005
Maximum ARE Hop Count: 7
Maximum STE Hop Count: 7
Backup CRF Mode: Disabled
Translational Bridged VLAN: 1
Translational Bridged VLAN: 1002

VLAN ISL Id: 1004
Name: fddinet-default
Media Type: FDDI Net
VLAN 802.10 Id: 101004
State: Operational
MTU: 1500
Bridge Type: SRB
Bridge Number: 1
STP Type: IBM

VLAN ISL Id: 1005
Name: trnet-default
Media Type: Token Ring Net
VLAN 802.10 Id: 101005
State: Operational
MTU: 1500
Bridge Type: SRB
Bridge Number: 1
STP Type: IBM


I have then defined the FastEthernet3 interface on the router with
"switchport access vlan 2" and configured interface "vlan2" with IP
details etc.

Plugged into Fe3 on the router is a 10/100 switch which has devices
connected to it with IP addresses assigned in the 192.168.0.0/24
range. I am not trunking out to a vlan switch.

My problem is that I can not ping any devices in the 192.168.0.0/24
network from the 877 and they cannot ping the 192.168.0.254 address of
the router.

I have attached my config at the bottom of this post. If anyone has
any advice I would greatfully appreciate any help as this is getting
rather frustrating.

Regards,
Ross




! NVRAM config last updated at 09:04:46 UTC Thu Feb 15 2007 by admin
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco877ftc
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$UIDN$pHyk1FAPMPCeRQVConb.h/
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network RemoteVPN local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
!
!
ip domain name [removed].gov.uk
ip inspect name ios-fw cuseeme timeout 3600
ip inspect name ios-fw ftp timeout 3600
ip inspect name ios-fw realaudio timeout 3600
ip inspect name ios-fw smtp timeout 3600
ip inspect name ios-fw udp timeout 15
ip inspect name ios-fw tcp timeout 3600
ip inspect name ios-fw h323 timeout 3600
!
!
!
username admin password 0 [removed]
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group RemoteVPN
key [removed]
dns 172.31.1.62
wins 172.31.1.62
domain [removed].gov.uk
pool rvpnpool
!
!
crypto ipsec transform-set TRANSFORM1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set TRANSFORM1
!
!
crypto map MYSET isakmp authorization list RemoteVPN
crypto map MYSET client configuration address respond
crypto map MYSET 101 ipsec-isakmp dynamic dynmap
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
description VLAN2-WLAN-DMZ
switchport access vlan 2
!
interface Vlan1
ip address 172.31.1.1 255.255.255.0
ip access-group 122 in
ip nat inside
ip inspect ios-fw in
ip virtual-reassembly
!
interface Vlan2
ip address 192.168.0.254 255.255.255.0
ip access-group 133 in
ip nat inside
ip inspect ios-fw in
ip virtual-reassembly
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname [removed]@hg40.btclick.com
ppp chap password 0 [removed]
crypto map MYSET
!
ip local pool rvpnpool 172.16.1.1 172.16.1.254
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 172.31.1.62 25 1.1.1.1 25 extendable
!
access-list 102 deny ip 172.31.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 permit ip 172.31.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 permit ip 172.16.1.0 0.0.0.255 172.31.1.0 0.0.0.255
access-list 111 permit tcp any host 1.1.1.1 eq smtp
access-list 111 permit tcp any host 1.1.1.1 eq 22
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq non500-isakmp
access-list 111 permit esp any any
access-list 111 deny ip any any
access-list 122 permit ip 172.31.1.0 0.0.0.255 any
access-list 133 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
!
scheduler max-task-time 5000
ntp server 81.5.136.18
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

cisco877ftc#

 

I think you have already run your test after removing all ACL on VLAN 2.
The way you are reporting the problem reminds me a problem very similar to what I got few weeks ago.
Having the router with no configuration and giving VLAN 1 just an IP address, nothing worked.
I disabled the STP and everything ran smoothly.
At least try not to use the switch when you want to ping the VLAN 2 interface.

HTH Alex

Keep us informed