Cisco 877 Router - VLAN/DMZ Configuration/Problem

Discussion in 'Cisco' started by ross.leak, Feb 15, 2007.

  1. ross.leak

    ross.leak Guest

    Dear Group,

    I am trying to set up a Cisco 877 with an additional VLAN. This is to
    provide wireless clients access out on the internet using the same
    link as the corporate network but segregated from the local LAN. On a
    Cisco 877 I believe that the DMZ has to be configured via use of VLANs
    rather than on other models.

    I have created an additional VLAN on the router with an ID of 2 using
    the vlan database and this is defined as follows:

    cisco877ftc(vlan)#show
    VLAN ISL Id: 1
    Name: default
    Media Type: Ethernet
    VLAN 802.10 Id: 100001
    State: Operational
    MTU: 1500
    Translational Bridged VLAN: 1002
    Translational Bridged VLAN: 1003

    VLAN ISL Id: 2
    Name: VLAN0002
    Media Type: Ethernet
    VLAN 802.10 Id: 100002
    State: Operational
    MTU: 1500

    VLAN ISL Id: 1002
    Name: fddi-default
    Media Type: FDDI
    VLAN 802.10 Id: 101002
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Translational Bridged VLAN: 1
    Translational Bridged VLAN: 1003

    VLAN ISL Id: 1003
    Name: token-ring-default
    Media Type: Token Ring
    VLAN 802.10 Id: 101003
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Ring Number: 0
    Bridge Number: 1
    Parent VLAN: 1005
    Maximum ARE Hop Count: 7
    Maximum STE Hop Count: 7
    Backup CRF Mode: Disabled
    Translational Bridged VLAN: 1
    Translational Bridged VLAN: 1002

    VLAN ISL Id: 1004
    Name: fddinet-default
    Media Type: FDDI Net
    VLAN 802.10 Id: 101004
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Bridge Number: 1
    STP Type: IBM

    VLAN ISL Id: 1005
    Name: trnet-default
    Media Type: Token Ring Net
    VLAN 802.10 Id: 101005
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Bridge Number: 1
    STP Type: IBM


    I have then defined the FastEthernet3 interface on the router with
    "switchport access vlan 2" and configured interface "vlan2" with IP
    details etc.

    Plugged into Fe3 on the router is a 10/100 switch which has devices
    connected to it with IP addresses assigned in the 192.168.0.0/24
    range. I am not trunking out to a vlan switch.

    My problem is that I cannot ping any devices in the 192.168.0.0/24
    network from the 877 and they cannot ping the 192.168.0.254 address of
    the router.

    I have attached my config at the bottom of this post. If anyone has
    any advice I would gratefully appreciate any help as this is getting
    rather frustrating.

    Regards,
    Ross




    ! NVRAM config last updated at 09:04:46 UTC Thu Feb 15 2007 by admin
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname cisco877ftc
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$UIDN$pHyk1FAPMPCeRQVConb.h/
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization network RemoteVPN local
    !
    aaa session-id common
    !
    resource policy
    !
    ip cef
    !
    !
    !
    !
    ip domain name [removed].gov.uk
    ip inspect name ios-fw cuseeme timeout 3600
    ip inspect name ios-fw ftp timeout 3600
    ip inspect name ios-fw realaudio timeout 3600
    ip inspect name ios-fw smtp timeout 3600
    ip inspect name ios-fw udp timeout 15
    ip inspect name ios-fw tcp timeout 3600
    ip inspect name ios-fw h323 timeout 3600
    !
    !
    !
    username admin password 0 [removed]
    !
    !
    !
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group RemoteVPN
    key [removed]
    dns 172.31.1.62
    wins 172.31.1.62
    domain [removed].gov.uk
    pool rvpnpool
    !
    !
    crypto ipsec transform-set TRANSFORM1 esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynmap 10
    set transform-set TRANSFORM1
    !
    !
    crypto map MYSET isakmp authorization list RemoteVPN
    crypto map MYSET client configuration address respond
    crypto map MYSET 101 ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    description VLAN2-WLAN-DMZ
    switchport access vlan 2
    !
    interface Vlan1
    ip address 172.31.1.1 255.255.255.0
    ip access-group 122 in
    ip nat inside
    ip inspect ios-fw in
    ip virtual-reassembly
    !
    interface Vlan2
    ip address 192.168.0.254 255.255.255.0
    ip access-group 133 in
    ip nat inside
    ip inspect ios-fw in
    ip virtual-reassembly
    !
    interface Dialer1
    ip address negotiated
    ip access-group 111 in
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname [removed]@hg40.btclick.com
    ppp chap password 0 [removed]
    crypto map MYSET
    !
    ip local pool rvpnpool 172.16.1.1 172.16.1.254
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static tcp 172.31.1.62 25 1.1.1.1 25 extendable
    !
    access-list 102 deny ip 172.31.1.0 0.0.0.255 172.16.1.0 0.0.0.255
    access-list 102 permit ip 172.31.1.0 0.0.0.255 any
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any
    access-list 111 permit ip 172.16.1.0 0.0.0.255 172.31.1.0 0.0.0.255
    access-list 111 permit tcp any host 1.1.1.1 eq smtp
    access-list 111 permit tcp any host 1.1.1.1 eq 22
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any any eq non500-isakmp
    access-list 111 permit esp any any
    access-list 111 deny ip any any
    access-list 122 permit ip 172.31.1.0 0.0.0.255 any
    access-list 133 permit ip 192.168.0.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    transport input ssh
    !
    scheduler max-task-time 5000
    ntp server 81.5.136.18
    !
    webvpn context Default_context
    ssl authenticate verify all
    !
    no inservice
    !
    end

    cisco877ftc#
     
    ross.leak, Feb 15, 2007
    #1
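    One thing worth checking on the posted config before chasing the ping problem is whether the Vlan2 inbound ACL actually delivers the "segregated from the local LAN" requirement stated in the question. The script below is an added example, not part of the thread: it parses the extended ACL lines exactly as posted (ACLs 111, 122 and 133), evaluates them against a few constructed flows with the same first-match/implicit-deny semantics IOS uses, and contrasts the posted ACL 133 with a constructed replacement that denies the wireless subnet access to the 172.31.1.0/24 LAN and the 172.16.1.0/24 VPN pool while still permitting Internet-bound traffic and the ping to 192.168.0.254. The sample client and Internet addresses are constructed; the ACL lines marked "posted" are copied from the config above.

```python
"""Evaluate the extended ACLs from the posted 877 config against sample flows.

Added example (not from the original post). POSTED_ACLS is copied from the
config in the thread; HARDENED_ACL_133 and the test flows are constructed.
"""
import ipaddress

# Copied verbatim from the posted config.
POSTED_ACLS = """
access-list 111 permit ip 172.16.1.0 0.0.0.255 172.31.1.0 0.0.0.255
access-list 111 permit tcp any host 1.1.1.1 eq smtp
access-list 111 permit tcp any host 1.1.1.1 eq 22
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq non500-isakmp
access-list 111 permit esp any any
access-list 111 deny ip any any
access-list 122 permit ip 172.31.1.0 0.0.0.255 any
access-list 133 permit ip 192.168.0.0 0.0.0.255 any
"""

# Constructed replacement for ACL 133: block the wireless subnet from the
# corporate LAN (Vlan1) and the VPN client pool, then allow everything else.
HARDENED_ACL_133 = """
access-list 133 deny ip 192.168.0.0 0.0.0.255 172.31.1.0 0.0.0.255
access-list 133 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 133 permit ip 192.168.0.0 0.0.0.255 any
"""

# Port keywords that appear in the posted config (plus a couple of common ones).
PORT_NAMES = {"smtp": 25, "isakmp": 500, "non500-isakmp": 4500,
              "ssh": 22, "domain": 53, "www": 80}


def _addr_spec(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard masks are host masks; ipaddress accepts "addr/hostmask"
    # as long as the wildcard is contiguous (true for every line in the config).
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _port_spec(tokens, i):
    """Parse an optional 'eq PORT' (the only port operator used in the config)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return PORT_NAMES.get(p, int(p) if p.isdigit() else p), i + 2
    return None, i


def parse_acls(text):
    """Return {acl_number: [entry, ...]} preserving the order entries appear."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        num, action, proto = t[1], t[2], t[3]
        src, i = _addr_spec(t, 4)
        sport, i = _port_spec(t, i)
        dst, i = _addr_spec(t, i)
        dport, i = _port_spec(t, i)
        icmp_type = t[i] if proto == "icmp" and i < len(t) else None
        acls.setdefault(num, []).append(dict(
            action=action, proto=proto, src=src, sport=sport,
            dst=dst, dport=dport, icmp_type=icmp_type))
    return acls


def evaluate(entries, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if src_ip not in e["src"] or dst_ip not in e["dst"]:
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        if e["icmp_type"] is not None and e["icmp_type"] != icmp_type:
            continue
        return e["action"]
    return "deny"


def check_vlan2_policy(acl_133):
    """Verdicts for the flows that matter on the Vlan2 'in' ACL (constructed hosts)."""
    return {
        # The ping from the thread: a wireless client to the router's Vlan2 address.
        "ping_router": evaluate(acl_133, "icmp", "192.168.0.10", "192.168.0.254",
                                icmp_type="echo"),
        # The segregation the poster wants: wireless must not reach the corporate LAN.
        "wlan_to_lan_smb": evaluate(acl_133, "tcp", "192.168.0.10", "172.31.1.62",
                                    dport=445),
        # Internet-bound traffic that must stay permitted.
        "wlan_to_internet_http": evaluate(acl_133, "tcp", "192.168.0.10", "203.0.113.5",
                                          dport=80),
    }


if __name__ == "__main__":
    for name, text in (("posted ACL 133", POSTED_ACLS), ("hardened ACL 133", HARDENED_ACL_133)):
        print(name, check_vlan2_policy(parse_acls(text)["133"]))
```

    Running it shows that the posted ACL 133 permits all three flows, so the ACL is not what is blocking the ping in the question, and the wireless DMZ can reach the corporate LAN unhindered; the constructed replacement keeps the ping and Internet access while denying the LAN. Note that an inbound ACL on Vlan2 is evaluated for packets addressed to the router itself as well as for transit traffic, which is why the ping to 192.168.0.254 is part of the check.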

  2. AM

    AM Guest

    I think you have already run your test after removing all ACLs on VLAN 2.
    The way you are reporting the problem reminds me of a problem very similar to what I got a few weeks ago.
    Having the router with no configuration and giving VLAN 1 just an IP address, nothing worked.
    I disabled the STP and everything ran smoothly.
    At least try not to use the switch when you want to ping the VLAN 2 interface.

    HTH Alex

    Keep us informed
     
    AM, Feb 15, 2007
    #2