SOHO97: Internet Access for more than one subnet

Hi,

My internet connection is through a SOHO97 router.

Currently, it is set up with the internal LAN IP as 192.168.1.1 and all computers on the 192.168.1.x lan can access the internet through it.

I have a Linksys WRT54GS also connected to the 192.168.1.x network (LAN side is 192.168.4.x). If I have NAT enabled on this router I can access the internet from any client on the 192.168.4.x network. However, if I configure the WRT54GS as a router (no NAT) then I am unable to access the internet from the 192.168.4.x network, i.e. the Cisco blocks the traffic.

What must I do to tell my Cisco to allow external access to the 192.168.4.x subnet as well as the 192.168.1.x?

Thanks,

R.

-- Robin Bowes

Set a static route for the 192.168.4.0/24 subnet to the 192.168.1.x ip address of the WRT54G.

"ip route 192.168.4.0 255.255.255.0 192.168.1.254 permanent" if the "WAN" side of the Linksys is 192.168.1.254.

-- Uli Link

Hi Uli,

I've already got this route enabled:

ip route 192.168.4.0 255.255.255.0 Ethernet0 192.168.1.4

(the Linksys WAN side is 192.168.1.4)

But I entered the command you suggested anyway, and the route didn't change.

Any other ideas, or am I doing something wrong?

R.

-- Robin Bowes

Uli Link wrote:

Aha! Now that's the sort of thing I thought I might need to do, however, I'm a complete Cisco novice.

Can you point me in the right direction, i.e. suggest how I can do this?

I've appended my current configuration to the end of this message.

Some thoughts:

  1. Do I need to "enable" NAT for the 192.168.4.x subnet, or will it just work OK when the acl is specified correctly?

  2. Is the command I'm looking for to add 192.168.4.0 0.0.0.255 to my NAT acl as simple as:

access-list 23 permit 192.168.4.0 0.0.0.255

  3. I appear to have several users that I know nothing about (CRWS_Kannan, CRWS_Sangeetha, etc.). Does this suggest I've been hacked? If so, how can I prevent this? How can I delete these users?

Thanks for your help,

R.

====== Configuration follows ==================

Using 5302 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname admin
!
logging buffered informational
enable secret 5 xxx
!
username admin password 7 xxx
username CRWS_Kannan privilege 15 password 7 xxx
username CRWS_Sangeetha privilege 15 password 7 xxx
username CRWS_Ulags privilege 15 password 7 xxx
username CRWS_Srini privilege 15 password 7 xxx
username CRWS_Venky privilege 15 password 7 xxx
username CRWS_Shashi privilege 15 password 7 xxx
ip subnet-zero
no ip domain lookup
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.1.4
ip dhcp excluded-address 192.168.1.249
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
no aaa new-model
!
!
!
!
partition flash 2 6 2
!
!
!
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:192.168.1.1-255.255.255.0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip mtu 1492
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname xxx
 ppp chap password 7 xxx
 ppp pap sent-username xxx password 7 xxx
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.4 8080 interface Dialer1 8080
ip nat inside source static udp 192.168.1.249 50000 interface Dialer1 50000
ip nat inside source static tcp 192.168.1.249 50000 interface Dialer1 50000
ip nat inside source static udp 192.168.1.5 53 interface Dialer1 53
ip nat inside source static tcp 192.168.1.5 53 interface Dialer1 53
ip nat inside source static tcp 192.168.1.5 143 interface Dialer1 143
ip nat inside source static tcp 192.168.1.5 585 interface Dialer1 585
ip nat inside source static tcp 192.168.1.5 993 interface Dialer1 993
ip nat inside source static tcp 192.168.1.5 22 interface Dialer1 22
ip nat inside source static tcp 192.168.1.4 1580 interface Dialer1 1580
ip nat inside source static udp 192.168.1.4 1580 interface Dialer1 1580
ip nat inside source static tcp 192.168.1.4 4662 interface Dialer1 4662
ip nat inside source static udp 192.168.1.4 4672 interface Dialer1 4672
ip nat inside source static tcp 192.168.1.5 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.5 25 interface Dialer1 25
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.4.0 255.255.255.0 Ethernet0 192.168.1.4
ip http server
no ip http secure-server
!
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit tcp any any eq 8080
access-list 111 permit udp any any eq 50000
access-list 111 permit tcp any any eq 50000
access-list 111 permit udp any any eq domain
access-list 111 permit tcp any any eq domain
access-list 111 permit tcp any any eq 143
access-list 111 permit tcp any any eq 585
access-list 111 permit tcp any any eq 993
access-list 111 permit tcp any any eq 22
access-list 111 permit tcp any any eq 1580
access-list 111 permit udp any any eq 1580
access-list 111 permit tcp any any eq 4662
access-list 111 permit udp any any eq 4672
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq smtp
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any log
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end

-- Robin Bowes

Robin Bowes wrote:

Include the 192.168.4.0 0.0.0.255 network in your NAT acl.

-- Uli Link

Thanks.

I know. That's why I'm trying to get to grips with the command line. One of the reasons I got the SOHO97 was so I could learn some IOS, but I've not had much chance yet.

I think I need to get hold of a good book or two - can you recommend any?

Thanks,

R.

-- Robin Bowes

Uli,

You're a star! All is now working perfectly.

Thanks again,

R.

-- Robin Bowes

Robin Bowes wrote:

From the privileged exec prompt (#):

conf t
no access-list 102
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
exit

After that, packets from 192.168.4.0/24 to the rest of the world are NAT/PATed to the outside interface's IP address.

-- Uli Link
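As an added illustration (not part of the thread), the following Python models how IOS decides whether a packet is translated by the `ip nat inside source list 102 ... overload` rule: it parses the list statement and the `access-list 102` entries from the posted config, applies Cisco wildcard-mask matching top down, and shows that 192.168.4.x hosts fall through to the implicit deny until the second entry is added. The config excerpts are constructed from the posted config and the fix above; only the entry shapes that appear there are parsed.

```python
import ipaddress
import re
from collections import defaultdict

# Cisco wildcard masks are inverted netmasks: a 0 bit must match, a 1 bit is
# "don't care", so 192.168.4.0 0.0.0.255 covers the whole 192.168.4.0/24.
def wildcard_match(addr, network, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

# Only the shapes that appear in the posted config are parsed: extended
# entries "access-list N permit|deny ip SRC WILDCARD any" and the overload
# NAT statement that names the list.
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+) (\S+) any$")
NAT_RE = re.compile(r"^ip nat inside source list (\d+) interface \S+ overload$")

def parse_config(text):
    acls = defaultdict(list)   # list number -> [(action, network, wildcard)]
    nat_list = None
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
        elif m := NAT_RE.match(line):
            nat_list = m.group(1)
    return acls, nat_list

def acl_permits(entries, addr):
    # Entries are evaluated top down; the first match wins, and anything that
    # matches no entry hits the implicit deny at the end of every ACL.
    for action, network, wildcard in entries:
        if wildcard_match(addr, network, wildcard):
            return action == "permit"
    return False

def will_be_natted(config_text, src_addr):
    """True if a packet from src_addr is translated by the overload NAT rule."""
    acls, nat_list = parse_config(config_text)
    return nat_list is not None and acl_permits(acls[nat_list], src_addr)

# Constructed excerpts: the relevant lines of the posted config before the
# fix, and the same lines with the 192.168.4.0/24 entry from the reply added.
BEFORE = """ip nat inside source list 102 interface Dialer1 overload
access-list 102 permit ip 192.168.1.0 0.0.0.255 any"""
AFTER = BEFORE + "\naccess-list 102 permit ip 192.168.4.0 0.0.0.255 any"
```

Calling `will_be_natted(BEFORE, "192.168.4.10")` returns False while `will_be_natted(AFTER, "192.168.4.10")` returns True, which is exactly the symptom in the original post: the static route delivers the packets, but the NAT list never matches them.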

Robin Bowes wrote:

No, you're not hacked. You've used Cisco's CRWS. You can safely remove these users from your config. The CRWS will create them when you call CRWS the next time.

To delete the user "CRWS_Sangeetha", log in and type:

enable
conf t
no username CRWS_Sangeetha
(repeat for all usernames you wish to delete)
exit

The CRWS shows only a very small part of the possibilities of your router.

-- Uli Link
