05-16-2023 02:45 PM
Hello All,
I am continuing a project to learn to program a Cisco router (C921-4P).
Problem: The computers connected to two ports, GIG0 (Vlan 20) and GIG2 (VLAN 40), both fail when pinging 8.8.8.8. Both ports have their respective DHCP Pools running and are obtaining their address. My thought is that it has something to do with the access lists. The running config is posted below.
I would like to have a good explanation of the errors I have made, since I am a beginner trying to learn.
Thank You,
AM
*May 16 21:36:11.688: %SYS-5-CONFIG_I: Configured from console by consolen
Building configuration...
Current configuration : 2699 bytes
!
! Last configuration change at 21:36:11 UTC Tue May 16 2023
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.150.60 192.168.150.62
ip dhcp excluded-address 192.168.150.188 192.168.150.190
!
ip dhcp pool PublicInternet-Pool
network 192.168.150.0 255.255.255.192
dns-server 8.8.8.8
default-router 192.168.150.62
domain-name MHHPublic.com
!
ip dhcp pool PublicWork-Pool
network 192.168.150.128 255.255.255.192
default-router 192.168.150.190
dns-server 8.8.8.8
domain-name MHHWorkConnect.com
!
!
!
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid C921-4P sn PSZ27011KMG
!
!
!
redundancy
!
!
!
!
!
!
interface GigabitEthernet0
description Vlan 20 Test
switchport access vlan 20
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
description Vlan 40 test
switchport access vlan 40
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet5
description Uplink To ISP
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan20
ip address 192.168.150.60 255.255.255.192
ip nat inside
ip virtual-reassembly in
!
!
interface Vlan40
ip address 192.168.150.188 255.255.255.192
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat source list 1 interface GigabitEthernet5 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet5 dhcp
ip ssh version 2
!
!
!
access-list 1 permit 192.168.150.0 0.0.0.63
access-list 1 permit 192.168.150.128 0.0.0.63
!
control-plane
!
!
line con 0
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end
05-16-2023 07:00 PM
Hi
I think I found out the mistake
You are using
ip nat source list 1 interface GigabitEthernet5 overload
It should be
ip nat inside source list 1 interface GigabitEthernet5 overload
05-16-2023 03:45 PM - edited 05-16-2023 03:45 PM
Hi
Your ACL. As your mask is 255.255.255.192
it should be
access-list 1 permit 192.168.150.0 0.0.0.127
access-list 1 permit 192.168.150.128 0.0.0.127
05-16-2023 04:01 PM
The solution unfortunately did not work. In a previous post I learned that I needed to use the wildcard for the access list (0.0.0.63) and it worked, until I added the second VLAN and DHCP Pool.
05-16-2023 04:28 PM
But were you using 255.255.255.192 as the subnet mask?
05-16-2023 04:58 PM
Yes, in both cases the configuration's mask is 255.255.255.192. This is what I have tried for the access list. Nothing has been updated elsewhere.
!
ip nat source list 1 interface GigabitEthernet5 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet5 dhcp
ip ssh version 2
!
!
access-list 1 permit 192.168.150.0 0.0.0.127
access-list 1 permit 192.168.150.128 0.0.0.127
05-16-2023 05:03 PM
I am wrong. It should be 0.0.0.63. Sorry.
/26 | 255.255.255.192 | 0.0.0.63 |
/25 | 255.255.255.128 | 0.0.0.127 |
05-16-2023 05:08 PM
Try to use two access lists instead
access-list 1 permit 192.168.150.0 0.0.0.63
access-list 2 permit 192.168.150.128 0.0.0.63
Then create 2 NAT statements
ip nat source list 1 interface GigabitEthernet5 overload
ip nat source list 2 interface GigabitEthernet5 overload
05-16-2023 05:29 PM
The ping from the computer still fails. I am able to ping from the CLI 8.8.8.8 and 8.8.4.4. So I do know for a fact that the router is receiving data from the ISP. I will link the updated running config.
Building configuration...
Current configuration : 3103 bytes
!
! Last configuration change at 00:18:34 UTC Wed May 17 2023
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.150.60 192.168.150.62
ip dhcp excluded-address 192.168.150.188 192.168.150.190
!
ip dhcp pool PublicWork-Pool
network 192.168.150.128 255.255.255.192
default-router 192.168.150.190
dns-server 8.8.8.8
domain-name MHHWorkConnect.com
!
ip dhcp pool PublicInternet-Pool
network 192.168.150.0 255.255.255.192
default-router 192.168.150.62
dns-server 8.8.8.8
!
!
!
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid C921-4P sn PSZ27011KMG
!
!
!
redundancy
!
!
!
!
!
!
interface GigabitEthernet0
description Vlan 20 Test
switchport access vlan 20
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
description Vlan 40 test
switchport access vlan 40
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet5
description Uplink To ISP
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan20
ip address 192.168.150.60 255.255.255.192
ip nat inside
ip virtual-reassembly in
!
interface Vlan40
ip address 192.168.150.188 255.255.255.192
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat source list 1 interface GigabitEthernet5 overload
ip nat source list 2 interface GigabitEthernet5 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet5 dhcp
ip ssh version 2
!
!
!
access-list 1 permit 192.168.150.0 0.0.0.63
access-list 2 permit 192.168.150.128 0.0.0.63
!
control-plane
!
!
line con 0
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end
05-16-2023 05:45 PM
But ping from router using source interface
ping 8.8.8.8 source vlan 40
And does the PC have a default gateway?
05-16-2023 06:01 PM
Router#ping 8.8.8.8 source vlan 40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.150.188
.....
Success rate is 0 percent (0/5)
This was the answer given. I also checked the interface status and (to my inexperienced knowledge) it looks okay:
Vlan40 is up, line protocol is up
Hardware is EtherSVI, address is ecf4.0c3f.b564 (bia ecf4.0c3f.b564)
Internet address is 192.168.150.188/26
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:01, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 2000 bits/sec, 2 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
231 packets input, 45798 bytes, 0 no buffer
Received 91 broadcasts (48 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
5 packets output, 876 bytes, 0 underruns
0 output errors, 1 interface resets
48 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
05-16-2023 06:05 PM
Run the ping and afterwards run show ip nat translation
Share here please
05-16-2023 06:15 PM
Router#ping 8.8.8.8 source vlan 40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.150.188
.....
Success rate is 0 percent (0/5)
Router#show ip nat translation
Router#
The ip nat translation command gets accepted but gives no output.
05-16-2023 06:30 PM
Then the NAT is not happening. That is probably why it does not ping from the PC.
It seems it does not work with two NAT and 2 ACL.
Try one more thing. Use one NAT as you did before and use one ACL like
access-list 1 permit 192.168.0.0 0.0.255.255
05-16-2023 06:41 PM - edited 05-16-2023 06:42 PM
Thank you very much for all the help. Unfortunately, it still failed. I am thinking that it might need a good reset and try to build it up from scratch again. Unless there are any other ideas to try to troubleshoot it?
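
Added example, not part of the thread and not Cisco tooling: a small Python linter run over a constructed excerpt of the posted running-config. It checks the three things the thread circles around: whether the global NAT rule form matches the interface NAT commands (`ip nat source` is the NAT Virtual Interface form and pairs with `ip nat enable`, while `ip nat inside`/`ip nat outside` interfaces pair with `ip nat inside source`), whether each inside subnet is matched by an ACL wildcard entry, and whether the DHCP `default-router` is an address the router actually owns. The names `lint` and `covers` are hypothetical, and the input is assumed to keep `show running-config` indentation.

```python
import ipaddress
import re

# Constructed excerpt of the posted running-config (IOS indentation restored).
SAMPLE = """\
ip dhcp pool PublicInternet-Pool
 default-router 192.168.150.62
interface GigabitEthernet5
 ip address dhcp
 ip nat outside
interface Vlan20
 ip address 192.168.150.60 255.255.255.192
 ip nat inside
interface Vlan40
 ip address 192.168.150.188 255.255.255.192
 ip nat inside
ip nat source list 1 interface GigabitEthernet5 overload
access-list 1 permit 192.168.150.0 0.0.0.63
access-list 1 permit 192.168.150.128 0.0.0.63
"""

def covers(addr, wc, net):  # does the ACL entry addr/wildcard match every host in net?
    care = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF  # bits the ACL compares
    same = (int(net.network_address) & care) == (int(ipaddress.IPv4Address(addr)) & care)
    return same and (int(net.hostmask) & care) == 0

def lint(config):
    findings, inside, owned, modes = [], [], set(), set()
    for body in re.findall(r"^interface \S+\n((?: .*\n)*)", config, re.M):
        cmds = [c.strip() for c in body.splitlines()]
        modes |= {c for c in cmds if c.startswith("ip nat ")}
        if m := re.search(r"ip address (\d\S*) (\d\S*)", body):
            iface = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            owned.add(str(iface.ip))
            if "ip nat inside" in cmds:
                inside.append(iface.network)
    # 1. "ip nat source" (NVI) pairs with "ip nat enable"; inside/outside needs "inside source".
    for rule in re.findall(r"^ip nat (?:inside )?source .*$", config, re.M):
        need = "ip nat inside" if " inside source " in rule else "ip nat enable"
        if need not in modes:
            findings.append(f"nat: '{rule}' pairs with '{need}', which no interface has")
    # 2. Each inside subnet must be matched by some permit entry.
    acl = re.findall(r"^access-list \d+ permit (\S+) (\S+)", config, re.M)
    findings += [f"acl: nothing permits {n} (wildcard {n.hostmask})"
                 for n in inside if not any(covers(a, w, n) for a, w in acl)]
    # 3. The gateway DHCP hands out must be an address the router owns.
    findings += [f"dhcp: default-router {gw} is not an interface address"
                 for gw in re.findall(r"^\s*default-router (\S+)", config, re.M) if gw not in owned]
    return findings
```

`covers` also shows why swapping 0.0.0.63 for 0.0.0.127 changed nothing in the thread: the wider wildcard still matches each /26, so the ACL was never what stopped translation.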