on 10-30-2023 01:27 PM
Hello,
I am creating a small network, with a CISCO2911/K9 router and 3 Cisco 9200L switches, a fortigate firewall with 3 ISPs.
On the router I already have several VLANs created and computers connected, and all of them can access the internet without problems, but when I try to ping 8.8.8.8 from my router or from a switch it is not possible or is unreachable. Any idea how to solve it?
Some configurations on my router are the following:
interface GigabitEthernet0/0
description LAN
ip address 192.168.9.13 255.255.255.240
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
description Admin_Switch
encapsulation dot1Q 10
ip address 10.10.10.14 255.255.255.240
interface GigabitEthernet0/1
description WAN
ip address 192.168.12.13 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 192.168.12.14
Solved! Go to solution.
on 10-30-2023 02:41 PM
Because you want to reach a public IP address, you cannot do it from a private address.
You need to configure an ACL and NAT on your router or your firewall; using a public IP address on the "outside" interface you will be able to have internet access and reach 8.8.8.8.
Please check this site and its explanation about NAT:
https://www.firewall.cx/cisco/cisco-routers/cisco-router-nat-overload.html
on 10-30-2023 01:34 PM
Hello @CRUZPEREZ518
Do you add a source IP with your ping ?
on 10-30-2023 01:42 PM
I do it from a switch with the IP 10.10.10.x and from the router
10-30-2023 01:46 PM - edited 10-30-2023 01:50 PM
OK @CRUZPEREZ518, and with the LAN IP as source? From the switch?
Check on your Fortigate firewall (diagnose sniffer packet) whether your ICMP is being dropped, and whether the NAT is OK.
on 10-30-2023 01:45 PM
Every single VLAN has internet access, but the only issue is with ping 8.8.8.8?
Be sure that ICMP is not blocked on your firewall, and be sure that every switch has a default gateway / default route configured.
on 10-30-2023 01:53 PM
Each switch has 10.10.10.14 as its default gateway. I have devices connected to the switches and they can browse, but I have doubts whether the switches' VLAN or my router have access to the internet.
on 10-30-2023 02:07 PM
Hi @CRUZPEREZ518 again.
Ok, first you can ping 8.8.8.8 with source 10.10.10.14 and see. Then, if you're using Router on a Stick, at least for me it is weird to see your physical interface with an IP address. In most cases the physical interface is an L2 interface without an IP address. Maybe if you move your 192.168.9.13 IP address to a sub-interface it may work.
Back to the first test: be sure to source the ping, and if the ping is not successful, be sure that your NAT ACL includes this segment with the right mask.
on 10-30-2023 02:16 PM
I already performed the ping test to 8.8.8.8 with the source 10.10.10.14, from the firewall and it is still inaccessible.
I do not have any ACL created on my router, this is all the configuration it has:
interface GigabitEthernet0/0
description LAN
ip address 192.168.9.13 255.255.255.240
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface GigabitEthernet0/1
description WAN
ip address 192.168.12.13 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 192.168.12.14
and some VLANs
10-30-2023 03:10 PM - edited 10-30-2023 03:11 PM
Hi
As Daniel mentioned, you have to configure a NAT statement,
Example:
access-list 10 permit 192.168.9.0 0.0.0.255
ip nat inside source list 10 interface g0/1 overload
Regards
on 10-30-2023 04:04 PM
Hello
If you have no ping from the Fortinet firewall, then my suspicion is that the firewall is what is stopping the ping.
Check that ping is allowed on the firewall.
Fortigate devices often have ping disabled by default.
Check that detail to rule it out.
Regards
10-31-2023 12:07 AM - edited 10-31-2023 12:08 AM
Have you checked ICMP on your Fortigate via the CLI, as I mentioned?
diagnose sniffer packet any 'host 8.8.8.8 and icmp' 4 0 a
Try a ping from the router or switch (with a valid LAN IP as source) and check whether you have a drop or not, and whether you also have NAT for this ICMP packet.
Thanks.
on 10-31-2023 08:17 AM
I already added an ACL and NAT on my router and I still can't ping. My entire internal network communicates with the outside, but from my switches and router I can't do it. Possibly it's the firewall, which I'm checking, although that part is somewhat complex for me.
on 10-31-2023 08:27 AM
You can set up an ACL allowing ICMP packets at the top on the Fortinet to test it.
on 10-31-2023 09:23 AM
Is there something wrong with my router configuration?
This is the current configuration.
interface GigabitEthernet0/0
description LAN
ip address 192.168.9.13 255.255.255.240
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
I connect this interface to a switch at 10.10.10.1, in trunk mode
----------------------------------------
interface GigabitEthernet0/1
description WAN
ip address 192.168.12.13 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex car
speed car
!
I connect this interface to the Fortigate LAN
----------------------------------------
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.12.14
!
access-list 1 permit 192.168.9.0 0.0.0.255
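The earlier advice to "be sure that your NAT ACL includes this segment with the right mask" can be checked mechanically. The following is an added example (not code from the thread or from Cisco) that evaluates a source address against IOS-style wildcard ACL entries the way `ip nat inside source list` would, using the `access-list 1` posted above and the addresses that appear in this thread. The ACL entries and the list of test sources are constructed from the posted configuration; the function names are assumptions.

```python
import ipaddress

# Constructed from the router configuration posted in this thread:
# "access-list 1 permit 192.168.9.0 0.0.0.255" is the only entry.
NAT_ACL = [
    ("permit", "192.168.9.0", "0.0.0.255"),
]

# Source addresses mentioned in the thread: router LAN interface,
# the VLAN 10 sub-interface / switch default gateway, and a switch.
TEST_SOURCES = ["192.168.9.13", "10.10.10.14", "10.10.10.1"]


def _ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask semantics: a 0 bit in the wildcard must match the
    network bit exactly, a 1 bit is 'don't care'."""
    care = ~_ip_int(wildcard) & 0xFFFFFFFF
    return (_ip_int(addr) & care) == (_ip_int(network) & care)


def acl_action(acl, addr):
    """First-match evaluation, with the implicit 'deny any' that ends
    every IOS access list."""
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action
    return "deny"


def nat_candidates(acl, sources):
    """Map each source address to True if 'ip nat inside source list'
    referencing this ACL would translate it, False otherwise."""
    return {src: acl_action(acl, src) == "permit" for src in sources}


def wildcard_from_mask(mask):
    """Turn a subnet mask (e.g. 255.255.255.240) into the IOS wildcard
    (0.0.0.15) needed for an access-list entry covering that subnet."""
    return str(ipaddress.IPv4Address(_ip_int(mask) ^ 0xFFFFFFFF))


def uncovered_sources(acl, sources):
    """Return the sources that the NAT ACL does not permit."""
    return [src for src, ok in nat_candidates(acl, sources).items() if not ok]


if __name__ == "__main__":
    for src, ok in nat_candidates(NAT_ACL, TEST_SOURCES).items():
        print(f"{src:15} translated by list 1: {ok}")
    # The VLAN 10 segment is 10.10.10.0 255.255.255.240 in the posted config.
    print("wildcard for 255.255.255.240:", wildcard_from_mask("255.255.255.240"))
    print("not covered:", uncovered_sources(NAT_ACL, TEST_SOURCES))
```

Run against the posted configuration, only 192.168.9.13 is permitted by list 1; 10.10.10.14 and 10.10.10.1 fall through to the implicit deny, so a ping sourced from the VLAN 10 gateway or from a switch is never translated. Adding an entry for the VLAN 10 subnet with the wildcard derived from its mask (`0.0.0.15` for `255.255.255.240`) makes `acl_action` return "permit" for those sources. The posted `GigabitEthernet0/0.10` sub-interface also carries no `ip nat inside`, which is a separate prerequisite for traffic entering on that sub-interface to be translated at all.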