cancelar
Mostrando los resultados de 
Buscar en lugar de 
Quiere decir: 
cancel
1231
Visitas
13
ÚTIL
18
Respuestas

No internet acces on my cisco Router

CRUZPEREZ518
Level 1
Level 1

Hello,
I am creating a small network, with a CISCO2911/K9 router and 3 Cisco 9200L switches, a fortigate firewall with 3 ISPs.
On the router I already have several VLANs created and computers connected, all of them can access the internet without problems, but when trying to ping 8.8.8.8 from my router or from a switch, it is not possible or is unreachable, any idea on how to solve it? .
Some configurations on my router are the following:

interface GigabitEthernet0/0
description LAN
ip address 192.168.9.13 255.255.255.240
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
description Admin_Switch
encapsulation dot1Q 10
ip address 10.10.10.14 255.255.255.240

interface GigabitEthernet0/1
description WAN
ip address 192.168.12.13 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

ip route 0.0.0.0 0.0.0.0 192.168.12.14

1 SOLUCIÓN ACEPTADA

Soluciones aceptadas

Hi @CRUZPEREZ518 

Because you want to reach a public IP address you can not do it since a private public address.

You need to configure a ACL and NAT on your router or your Firewall, using a public ip address in the "ouside" interface you will be able to have internet access and reach 8.8.8.8.

Please check this site and its explanation about NAT

https://www.firewall.cx/cisco/cisco-routers/cisco-router-nat-overload.html

 

Espero que la información haya sido útil y si no tienes más preguntas recuerda cerrar el topic, seleccionando la respuesta como "Respuesta correcta"
**Please rate the answer if this information was useful***
**Por favor si la información fue util marca esta respuesta como correcta**

Ver la solución en mensaje original publicado

18 RESPUESTAS 18

M02@rt37
VIP
VIP

Hello @CRUZPEREZ518 

Do you add a source IP with your ping ?

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

I do it from a switch with the IP 10.10.10.x and from the router

OK @CRUZPEREZ518 and with IP LAN as source. From the Switch ?

Check on your firewall Fortigate (diagnostic sniffer packet) if your icmp is not drop, and if the NAT is ok.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hi @CRUZPEREZ518 

Every single VLAN has internet access but the inly issue is with ping 8.8.8.8? 

Be sure that ICMP is no blocked on you firewall, and be sure that every switch has a default-gateway / default route configured

Espero que la información haya sido útil y si no tienes más preguntas recuerda cerrar el topic, seleccionando la respuesta como "Respuesta correcta"
**Please rate the answer if this information was useful***
**Por favor si la información fue util marca esta respuesta como correcta**

Each switch has 10.10.10.14 as its default gateway, I have devices connected to the switches and they can navigate but I have doubts if the vlan of the switches or my router have access to the internet

Hi @CRUZPEREZ518  again.

Ok, first your can ping 8.8.8.8 with source 10.10.10.14 and see. Then if you're using Router on Stick at least for me is weird to se your physical interface with an Ip Address. Most cases Physical interface is L2 interface without IP address. May be if you move your 192.168.9.13 IP address to a sub-interface may work.

Back to the first test, be sure to source the ping, if ping is not successful be sure that you ACL nata include this segment with their right mask.  

Espero que la información haya sido útil y si no tienes más preguntas recuerda cerrar el topic, seleccionando la respuesta como "Respuesta correcta"
**Please rate the answer if this information was useful***
**Por favor si la información fue util marca esta respuesta como correcta**

I already performed the ping test to 8.8.8.8 with the source 10.10.10.14, from the firewall and it is still inaccessible.
I do not have any ACL created on my router, this is all the configuration it has:

interface GigabitEthernet0/0
description LAN
ip address 192.168.9.13 255.255.255.240
ip nat inside
ip virtual-reassembly
duplex auto
speed auto

interface GigabitEthernet0/1
description WAN
ip address 192.168.12.13 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

ip route 0.0.0.0 0.0.0.0 192.168.12.14

and some vlans

 

Hi @CRUZPEREZ518 

Because you want to reach a public IP address you can not do it since a private public address.

You need to configure a ACL and NAT on your router or your Firewall, using a public ip address in the "ouside" interface you will be able to have internet access and reach 8.8.8.8.

Please check this site and its explanation about NAT

https://www.firewall.cx/cisco/cisco-routers/cisco-router-nat-overload.html

 

Espero que la información haya sido útil y si no tienes más preguntas recuerda cerrar el topic, seleccionando la respuesta como "Respuesta correcta"
**Please rate the answer if this information was useful***
**Por favor si la información fue util marca esta respuesta como correcta**

Hi

As Daniel mentioned you have to configure a NAT sentence,

Example:

access-list 10 permit 192.168.9.0 0.0.0.255

ip nat inside source list 10 interface g0/1 overload

Regards




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Hola

Si desde el firewall fortinet no tienes ping, entonces mi sospecha es que lo que detiene el ping es el firewall.

Chequea que el ping esté autorizado en el firewall.

Los equipos fortigate muchas veces tienen deshabilitado el ping por defecto.

Revisa ese detalle para descartar.

Saludos

M02@rt37
VIP
VIP

@CRUZPEREZ518 

Do you have checked as I mention icmp on your Fortigate via cli ?

diagnostic sniffer packet any 'host 8.8.8.8 and icmp' 4 0 a

Try a ping from router or switch (with valid LAN IP as source) and check if you have a drop or not, and if you have NAT also for this icmp packet.

Thanks.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

I already added ACL and NAT on my router and I still can't ping, to the outside my entire internal network communicates but from my switches and router I can't do it, possibly it's the firewall, which I'm checking although it is something complex for me. my that part.

You can set up an ACL allowing ICMP packets on the top on the Fortinet to test it.




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

 

Is there something wrong with my router configuration?
This is the current configuration.

interface GigabitEthernet0/0
description LAN
ip address 192.168.9.13 255.255.255.240
ip nat inside
ip virtual-reassembly
duplex car
speed car
!
I connect this interface to a 10.10.10.1 switch, in trunk mode
-------------------------------------------------- -------------------------------------------------- ----------
interface GigabitEthernet0/1
WAN description
ip address 192.168.12.13 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex car
speed car
!
I connect this interface to the Fortigate LAN
-------------------------------------------------- -------------------------------------------------- --------------
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.12.14
!
access-list 1 permit 192.168.9.0 0.0.0.255