C1921 with ehwic-d-8esg

BillKing
Level 1

I have an issue where one subnet cannot access the internet but can access all other computers on the network. The affected subnet is connected to the ehwic on the router. The router is a 1921 with GI0/0 connected to the internet and GI0/1 connected to the primary LAN, subnet 192.168.1.1/24. The subnet that is affected is 192.168.2.1/24 and is connected to GI0/1/7. Systems on the 2.1/24 subnet can communicate with the 1.1/24 subnet without issue but are unable to reach the internet or anything outside. Systems on the 1.1/24 subnet can talk to everything, including the internet. Here is the router config. Any help or suggestions would be appreciated.

 

MyCiscoLab#show run
Building configuration...

Current configuration : 4133 bytes
!
! Last configuration change at 20:45:30 UTC Sun Jun 12 2022 by bking
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyCiscoLab
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.157-3.M9.bin
boot-end-marker
!
!
enable secret 5 $1$bG5e$YXfDFTvRFLyG9WXI/stzx/
!
no aaa new-model
!

!
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool data
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
!
!
ip domain name ciscolab.local
ip inspect name firewall tcp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
ip inspect name firewall udp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-271635478
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-271635478
revocation-check none
rsakeypair TP-self-signed-271635478
!
!
crypto pki certificate chain TP-self-signed-271635478
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn FTX1723814P
!
!
username bking privilege 15 password 0 ********
!
redundancy
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip access-group 103 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip inspect firewall in
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
no ip address
!
interface GigabitEthernet0/1/1
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface GigabitEthernet0/1/4
no ip address
!
interface GigabitEthernet0/1/5
no ip address
!
interface GigabitEthernet0/1/6
no ip address
!
interface GigabitEthernet0/1/7
description Lab_Trunk
switchport access vlan 20
switchport trunk allowed vlan 1,2,20,1002-1005
switchport mode trunk
no ip address
!
interface Vlan1
no ip address
!
interface Vlan20
ip address 192.168.2.1 255.255.255.0
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip ssh version 2
!
ipv6 ioam timestamp
!
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
control-plane
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end
Accepted Solution

balaji.bandi
Hall of Fame

Not sure what is wrong:

Try the below and see if that works:

no access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

interface Vlan20
ip nat inside

Not related to this issue: on the interface you have ACL 103, but I do not see any match for this:

ip access-group 103 in

BB



9 Replies

Hi,

Add this:

interface GigabitEthernet0/1/7
ip nat inside

Missing config: the outgoing interface in the static route.

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp

BillKing
Level 1

Thank you everyone for the responses and suggestions. The ip access-group 103 in prevents all inbound connections from the ISP where there is not an established on-network connection. This prevents them from snooping my hardware. Granted it also prevents the router from obtaining a DHCP lease on reboot, so on reboot this is removed and then put back after the lease is obtained. I know, not ideal, but it works.

 

Wouldn't this statement:

ip nat inside source list 1 interface GigabitEthernet0/0 overload

also cover the GigabitEthernet0/1/7 interface as well?

 

As for the IP access list 192.168.0.0 0.0.255.255, that covers both subnets I am using and allows for future growth as well, without having to make any modification to the access-list. Or am I wrong in this assumption?

 

This is my first time using the ehwic switch module, so I am not sure exactly how the handoff to the layer 3 interface on the router works.

 

I will update the default route to add the GigabitEthernet0/0 interface in the statement. I will also try the IP nat inside statement on the VLAN20 config.

 

Thanks again to everyone for the help.
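An added illustration (not from any participant in this thread): a small Python model of the conditions an IOS router checks before `ip nat inside source list 1 interface GigabitEthernet0/0 overload` translates a packet. It uses the interface names, addresses and access-list entries from the posted config; the host addresses are constructed samples. It shows that the original wildcard mask already matches 192.168.2.0/24, and that what blocks translation in the original config is the missing `ip nat inside` on Vlan20.

```python
import ipaddress

# Added example, not from the thread: a model of the two checks an IOS
# router applies before inside-source NAT translates a packet. Interface
# names and addresses are taken from the posted config.

def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (ip_i & care) == (net_i & care)

def acl_permits(acl, ip: str) -> bool:
    """Standard ACL semantics: first matching entry wins, implicit deny at end."""
    for action, network, wildcard in acl:
        if wildcard_match(ip, network, wildcard):
            return action == "permit"
    return False

def nat_reason(roles, acl, src_ip: str, in_if: str, out_if: str) -> str:
    """Return 'translated' or the first reason inside-source NAT does not fire."""
    if roles.get(in_if) != "inside":
        return f"{in_if} is not marked 'ip nat inside'"
    if roles.get(out_if) != "outside":
        return f"{out_if} is not marked 'ip nat outside'"
    if not acl_permits(acl, src_ip):
        return f"{src_ip} is not permitted by the NAT access-list"
    return "translated"

# Access-list 1 as originally posted, and as suggested in the accepted answer.
ACL1_ORIGINAL = [("permit", "192.168.0.0", "0.0.255.255")]
ACL1_SUGGESTED = [("permit", "192.168.1.0", "0.0.0.255"),
                  ("permit", "192.168.2.0", "0.0.0.255")]

# NAT roles from the posted config: Vlan20 has no 'ip nat inside' line.
ROLES_ORIGINAL = {"GigabitEthernet0/0": "outside", "GigabitEthernet0/1": "inside"}
ROLES_FIXED = dict(ROLES_ORIGINAL, Vlan20="inside")

if __name__ == "__main__":
    # Constructed sample hosts, one per LAN, traced through both configs.
    for host, in_if in (("192.168.1.50", "GigabitEthernet0/1"),
                        ("192.168.2.50", "Vlan20")):
        for label, roles in (("original", ROLES_ORIGINAL), ("fixed", ROLES_FIXED)):
            print(label, host, "->",
                  nat_reason(roles, ACL1_ORIGINAL, host, in_if, "GigabitEthernet0/0"))
```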

For me,

ip nat inside under Gi0/1/7
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp

solve your issue.

BillKing
Level 1

So it was the IP NAT inside statement on the VLAN20 interface. All systems are now communicating internally and externally. Thank you everyone for the help.

This succeeded without adding the interface to the default route?

MHM, yes. All the systems on the primary LAN could access the internet just fine. I will update the default route statement after hours, as I have to use the internet connection for work, and dropping that route and adding the corrected one will cause the internet to drop, albeit only for the length of time it takes to type in the new statement. I work remotely and have a VPN session going from one of my workstations. I didn't have any issues with internet access until I added the ehwic, and that was only for VLAN20; my primary LAN still has internet with no issues. I added the ehwic to allow my lab environment to access the internet. I use Spectrum for internet; it runs over cable and this configuration has been working fine for many years.

No need to try; it is clear that the default route was not the issue.
Thanks a lot, friend.
