topic Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1 in Routing and SD-WAN

Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

shawntaylor17 — Tue, 20 Nov 2018 17:05:24 GMT

Hi All

I'm using an ISR1100 Router on a Leased Line. I'm having an issue where devices "Lan" side can communicate out to the internet via a default static route. The issue i'm experiencing is that inbound traffic to a VPN server is not getting any further than the Cisco router.

I have the following

WAN

Sub-interface 0/0/1.4094

Encapsulation dot1q 4094 (ISP use this VLAN)

IP xxx.xxx.xxx.133

IP route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.132

Internet access works

LAN

vlan1

IP Address: xxx.xxx.xxx.129

I have a device connected to Physical Interface 0/1/0 with the following Public Static IP: xxx.xxx.xxx.130

I'm unable to communicate with this device from the internet.

From the cisco console i can ping xxx.xxx.xxx.130

From the device itself i can ping xxx.xxx.xxx.129 and xxx.xxx.xxx.133 and internet address.

Any help with what is going on here would be greatly appreciated.

I've reset the router and have gone back to basics, the config is as follows:

!
!
multilink bundle-name authenticated
!
!
!

!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.4094
encapsulation dot1Q 4094
ip address xx.xxx.xxx.133 xxx.xxx.xxx.xxx
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Vlan1
ip address xxx.xxx.xxx.129 xxx.xxx.xxx.xxx
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.132
!
!
!
!
!
!

All port are a member of vlan1.

Thank You in advanced

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

Georg Pauwen — Tue, 20 Nov 2018 18:08:37 GMT

Hello,

I dn't see any NAT on your router, not sure if you have omitted that on purpose. Either way, make sure the lines marked in bold are added to your config:

multilink bundle-name authenticated
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.4094
encapsulation dot1Q 4094
ip address xx.xxx.xxx.133 xxx.xxx.xxx.xxx
ip nat outside
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Vlan1
ip address xxx.xxx.xxx.129 xxx.xxx.xxx.xxx
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.132
!
ip nat inside source list 1 interface GigabitEthernet0/0/1.4094 overload
!
access-list 1 permit xxx.xxx.xxx.xxx yyyy.yyyy.yyy.yyy --> the access list needs to specify the IP address space of Vlan1

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

shawntaylor17 — Tue, 20 Nov 2018 18:36:46 GMT

Thanks for the reply i will try this. I was under the impression that this was a no nat setup as the server behind the router will be assigned 1 of our public IP address directly, therefore i thought that no actual translation was needed.

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

Georg Pauwen — Tue, 20 Nov 2018 18:41:49 GMT

Hello,

you don't need any NAT if all of your addresses are public IP addresses. Can you indicate if that is the case, that is, all VLAN 1 IP addresses are public ?

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

shawntaylor17 — Tue, 20 Nov 2018 18:52:32 GMT

Yes all vlan1 IP addresses are public, that's correct.

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

Georg Pauwen — Tue, 20 Nov 2018 18:58:14 GMT

Hello,

so the VPN server has a public IP address from the same subnet as Vlan 1 ? Can you ping e.g. 8.8.8.8 from the VPN server ?

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

shawntaylor17 — Tue, 20 Nov 2018 19:04:01 GMT

IP on vlan1 is aaa.bbb.ccc.129

IP on VPN Server is aaa.bbb.ccc.130 with GW: aaa.bbb.ccc.129

The vpn server can ping 8.8.8.8 okay. It just seems to be inbound doesn't get passed from the WAN to aaa.bbb.ccc.130.

I can even ping aaa.bbb.ccc.129 from any internet device but not able to ping aaa.bbb.ccc.130. If im on the cisco console i can ping aaa.bbb.ccc.130 so the device does respond to ping.

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

Georg Pauwen — Tue, 20 Nov 2018 19:13:21 GMT

Hello,

post the output of 'show ip route'...

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

shawntaylor17 — Tue, 20 Nov 2018 19:17:11 GMT

S* 0.0.0.0/0 [1/0] via 87.xxx.xxx.132
83.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 83.xxx.xxx128/29 is directly connected, Vlan1
L 83.xxx.xxx.129/32 is directly connected, Vlan1
87.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 87.xxx.xxx.132/31 is directly connected, GigabitEthernet0/0/1.4094
L 87.xxx.xxx.133/32 is directly connected, GigabitEthernet0/0/1.4094

Thanks

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

shawntaylor17 — Tue, 20 Nov 2018 20:01:51 GMT

When running a traceroute i can see that the traffic hits the WAN Subinterface aaa.bbb.ccc.133 but then times out at this point. Not sure if this information is helpful.

Thanks

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

Georg Pauwen — Tue, 20 Nov 2018 20:38:22 GMT

Hello,

what is the output of 'show vlan' ?

Try and add the 'native' keyword to your ISP interface config:

encapsulation dot1Q 4094 native

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

shawntaylor17 — Tue, 20 Nov 2018 20:46:46 GMT

Hi When adding Native to the encapsulation I can no longer communicate out to the internet. Heres the show vlan VLAN Name Status Ports

1 default active Gi0/1/0, Gi0/1/1, Gi0/1/2 Gi0/1/3

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

1 enet 100001 1500 - - - - - 0 0

1002 fddi 101002 1500 - - - - - 0 0

1003 tr 101003 1500 - - - - - 0 0

1004 fdnet 101004 1500 - - - ieee - 0 0

1005 trnet 101005 1500 - - - ibm - 0 0

Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------

Thanks

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

Georg Pauwen — Tue, 20 Nov 2018 21:00:56 GMT

Hello,

try and manually create Vlan 4094:

ISR1100(config)#vlan 4094

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

shawntaylor17 — Tue, 20 Nov 2018 21:13:37 GMT

I've manually created, no difference unfortunately.

Thanks

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

Georg Pauwen — Tue, 20 Nov 2018 21:17:57 GMT

Hello,

can you ping any of the other devices on Vlan 1 ?

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

shawntaylor17 — Tue, 20 Nov 2018 21:23:56 GMT

Unfortunately i only have the one device connect currently. I wanting to get this working before migrating the other devices.

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

Richard Burts — Tue, 20 Nov 2018 22:26:31 GMT

This is a very interesting problem. If I am understanding correctly your device can ping addresses in the Internet successfully. This would seem to eliminate routing issues as the source of the problem. You have told us that

I can even ping aaa.bbb.ccc.129 from any internet device but not able to ping aaa.bbb.ccc.130.

So the Internet routing is correct to reach your subnet from outside.

If traffic initiated from inside to outside is successful but traffic initiated from outside to inside fails then I can think of a couple possible causes: 1) something is doing stateful inspection allowing inside traffic out and accepting response traffic but denying traffic outside to inside. 2) some type of entry is created as traffic goes out and allows response traffic, but it times out and does not allow traffic outside to inside.

1) if traffic from Internet is able to access the router interface address then it seems that it is not a stateful inspection issue. So we are looking at table entries that time out. Probably the more obvious choice might be the arp table on the router. Can you post the output of show arp (or perhaps show ip arp)?

I also wonder if you turn on debug for arp and let it run a bit what output might tell us.

It also occurs to me that it would be interesting to do a test where you coordinate between a device in the Internet and the router/server. Have the server ping the device in the Internet (we assume this would be successful) and immediately have the Internet device attempt to access the server.

HTH

Rick

Re: Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

Georg Pauwen — Tue, 20 Nov 2018 23:13:19 GMT

What do you have as VPN server ? A Windows machine ?