Problem Help needed on CISCO 877W

Discussion in 'Networks' started by murraycurtis James, Sep 25, 2011.

  1. murraycurtis James

    murraycurtis James New Member

    Hi Guys,

    I am quite new here.
    Basically I have bought a new Cisco 877W running on the IOS Version 12.4(15)T7 (C870-ADVSECURITYK9-M).
    But I need some advice and some help setting it up :-)
    A bit of background...
    The scenario is as follows: a client of mine who has a small business had his std ADSL POTS BT broadband modem/router die on him (at the moment he is using Netgear). I thus insisted that he upgrade to something a bit better. Thus the Cisco...

    Now the current setup is as follows:

    • network address on the 192.168.2.0/24 network

    • 2 Servers 1 providing DC, DHCP, DNS, File & Print services Etc...

    • other BDC, DNS, Exchange, BackupServer Etc...

    • Port forwarding onto the servers

    • Unmanaged Switch


    What I Would like is:

    I will still need the port forwarding, but I want to add much more security, thus I guess I will need 2 Vlans: one Corporate LAN and the other DMZ for unrestricted browsing.
    Since the 877 version I have is the Wireless version, I would also like to set up a Hidden Corporate WIFI Hotspot, and assign the wireless interface to the corporate Vlan.

    The current Config is attached; could one of you Cisco gurus tell me what I should do to get it working?
    Additionally, when creating the ATM interface in SDM, should I tick the box next to PAT and assign it to the Vlan for the corporate Lan? (hmm.. but will the DMZ then not have internet access?) See attached.

    Big thanks
    James
     
    Certifications: MCT,MCITP Enterprise Messaging, MCITP Enterprise Admin, MCSE,MCSA,MCSAM,MCNPS,MCPS,MCTS(7),MCDST
  2. sahmed

    sahmed Bit Poster

    I am quite unsure what you want to do here tbh.

    With regards to Vlans, which Vlan would you like the specific servers/ports to be part of?

    You will need to create an ACL to permit certain IP addresses to be processed by NAT. You can allow both the corporate LAN and DMZ to be translated.
     
  3. murraycurtis James

    murraycurtis James New Member

    Thanks for the reply sahmed,

    Basically what I want to achieve here is to have:

    • 1 corporate Lan on the 192.168.2.0/24 network, .254 being the router. No DHCP as my server is doing that

    • 1 DMZ Lan on any classful or classless network address. With DHCP

    • Wifi generated from my Cisco 877W on the corporate Lan

    • Wifi generated from an access point connected to one of the Fa ports on my router on the DMZ

    • I will need port forwarding on the Corporate Lan to the servers


    Regards
    James
     
    Certifications: MCT,MCITP Enterprise Messaging, MCITP Enterprise Admin, MCSE,MCSA,MCSAM,MCNPS,MCPS,MCTS(7),MCDST
  4. craigie

    craigie Terabyte Poster

    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  5. sahmed

    sahmed Bit Poster

    As for DHCP you can follow this sample config:

    ip dhcp pool dhcppool
     import all
     network 192.168.1.0 255.255.255.0
     dns-server 220.233.0.4 220.233.0.3 219.127.89.34
     default-router 192.168.1.1

    Use the document on the Cisco website to help with the wireless configuration. Just google how to configure wireless on Cisco 877W. The forum is not letting me post links due to me being a new member.

    Hope I've helped. Let us know how it goes.
     
  6. murraycurtis James

    murraycurtis James New Member

    Hi sahmed and craigie,

    Sorry if I offended anyone by not introducing myself.

    craigie, the only way one learns Cisco is by practice; Packet Tracer is very limited.
    Additionally, the 877W that I have needs to be installed in the UK and I live in Malta, so I only have one shot at it :-)
    As for the 877W that I have, can someone shed some light on the creation of the WAN interface? During the wizard it asks if I want to perform PAT, which I do (as I need to forward certain ports to the servers). So I assign the PAT on the WAN interface to the Vlan for the Corporate network. Guess that sounds right, no?

    I have to work on Vlans as the Fa ports work on layer 2

    What about the DMZ Vlan? How do I give this Vlan unrestricted Internet, do I have to assign it to the dialler interface?

    Regards
     
    Certifications: MCT,MCITP Enterprise Messaging, MCITP Enterprise Admin, MCSE,MCSA,MCSAM,MCNPS,MCPS,MCTS(7),MCDST
  7. sahmed

    sahmed Bit Poster

    As for configuring PAT, I would recommend using the CLI to configure the actual router if that is possible. You will have to enable PAT on both the inside and outside interface to tell the router to translate the server's address to a public address. Also you will have to go under the WAN interface and specify that it's an outside interface. The one pointing out to the internet.

    As for unrestricted access just configure the ports into a VLAN, thus allowing local communication only.
     
  8. murraycurtis James

    murraycurtis James New Member

    Guys I am still having issues,

    For some reason I can’t ping the Vlans that I have created? Why would this be?

    I have created the Vlan 10 with an ip properly.
    I have told the interface switchport mode access & switchport access Vlan 10, with the no shutdown.

    But I still cannot ping that Vlan, from my pc, that is on the same network as the vlan, the NIC is setup properly with good ip, subnet, and the gateway is the Vlan ip in this case 192.168.2.254

    The only Vlan that will ping is the Vlan 1 (native Vlan)

    This is quite strange as I had got this working prior to resetting the device.
    This is the config:
    Current configuration : 3160 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SilkR1
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    crypto pki trustpoint TP-self-signed-973792425
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-973792425
    revocation-check none
    rsakeypair TP-self-signed-973792425
    !
    !
    crypto pki certificate chain TP-self-signed-973792425
    certificate self-signed 01
    quit
    dot11 syslog
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.211.1 192.168.211.99
    ip dhcp excluded-address 192.168.211.201 192.168.211.254
    !
    ip dhcp pool sdm-pool1
    network 192.168.211.0 255.255.255.0
    default-router 192.168.211.254
    !
    !
    !
    !
    !
    username james privilege 15 password 0 cisco
    !
    !
    archive
    log config
    hidekeys
    !
    !
    !
    !
    !
    interface ATM0
    no ip address
    shutdown
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    description DMZ Interface
    switchport access vlan 10
    !
    interface FastEthernet2
    description Corporate Interface
    switchport access vlan 20
    !
    interface FastEthernet3
    description Corporate Interface
    switchport access vlan 20
    !
    interface Dot11Radio0
    no ip address
    shutdown
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    !
    interface Vlan1
    ip address 10.0.0.1 255.255.255.0
    !
    interface Vlan10
    description DMZ Vlan
    ip address 192.168.211.254 255.255.255.0
    !
    interface Vlan20
    description Corporate Vlan
    ip address 192.168.2.254 255.255.255.0
    !
    ip forward-protocol nd
    !
    ip http server
    ip http authentication local
    ip http secure-server
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    login
    !
    scheduler max-task-time 5000
    end
     
    Last edited: Sep 27, 2011
    Certifications: MCT,MCITP Enterprise Messaging, MCITP Enterprise Admin, MCSE,MCSA,MCSAM,MCNPS,MCPS,MCTS(7),MCDST
  9. certnerd

    certnerd Bit Poster

    "I have created the Vlan 10 with an ip properly.
    I have told the interface switchport mode access & switchport access Vlan 10, with the no shutdown.

    But I still cannot ping that Vlan, from my pc, that is on the same network as the vlan, the NIC is setup properly with good ip, subnet, and the gateway is the Vlan ip in this case 192.168.2.254
    "

    VLAN10 has an IP address of 192.168.211.254 according to your output.

    Best test is to see if your host PC picks up an IP address automatically via DHCP. Do "sh ip dhcp server binding" or even "debug ip dhcp server events" to see if an attempt is made by the router to respond. I assume the PC is plugged into fa0/1?


    You still have a long way to go to reach your goal as you have no PAT or static NAT in place yet.
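
Added example, not part of the original thread or any poster's configuration: an IOS sketch of the NAT pieces the replies describe (an ACL selecting which subnets are translated, inside/outside marking, one static port forward), plus an ACL that keeps the DMZ VLAN out of the corporate VLAN. The VLAN numbers and subnets come from the posted config; the Dialer0 WAN interface, the ACL names, the server address 192.168.2.10 and TCP port 25 are assumptions for illustration.

```cisco
! Constructed example. Dialer0 is assumed to be the PPP interface
! bound to ATM0; its PPP settings are not shown.
interface Dialer0
 ip nat outside
!
interface Vlan10
 description DMZ Vlan
 ip nat inside
 ip access-group DMZ-IN in
!
interface Vlan20
 description Corporate Vlan
 ip nat inside
!
! Subnets allowed to be translated: corporate and DMZ.
ip access-list standard NAT-INSIDE
 permit 192.168.2.0 0.0.0.255
 permit 192.168.211.0 0.0.0.255
!
! PAT: both subnets share the address of the WAN interface.
ip nat inside source list NAT-INSIDE interface Dialer0 overload
!
! Static port forward to a corporate server.
! 192.168.2.10 and port 25 are placeholder values.
ip nat inside source static tcp 192.168.2.10 25 interface Dialer0 25
!
! Applied inbound on Vlan10: DMZ hosts get DHCP from the router and
! reach the Internet, but cannot open connections to the corporate LAN.
ip access-list extended DMZ-IN
 permit udp any eq bootpc any eq bootps
 deny ip 192.168.211.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.211.0 0.0.0.255 any
```

After applying, "show ip nat translations" and "show access-lists DMZ-IN" show whether translations are being created and which ACL entries are matching.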
     
