09-11-2017 01:05 PM - edited 03-05-2019 09:07 AM
Greetings,
I have two Cisco Catalyst 2960-X in a stack, and an ISR 2921 attached to a switch on the corporate network on a port that gives direct access to the internet. They are cabled in the following manner:
Direct access to internet via corporate Switch
                 |
                 |
           ---------------
               |g0/0|
               Router
           |g0/1|   |g0/2|
             etherchannel
              --------
          |g1/0/1| |g2/0/1|
          2960-X Switch Stack
              |1/0/47|
              -------
                PC1
I can ping from the router to the internet, from my switch stack to all interfaces of my router, from PC1 to all interfaces of the switch and router, but not from switch or PC1 to the internet.
Current configs attached below:
I suspect it may have to do with my NAT config, any help would be appreciated. Thank you in advance for your time.
09-12-2017 02:15 PM
Hello,
In addition to the other posts, I am not sure if the NAT on the port channel works. Try adding 'ip nat inside' to all the subinterfaces:
interface Port-channel1.1
encapsulation dot1Q 1 native
ip address 10.47.1.250 255.255.255.0
ip nat inside
!
interface Port-channel1.3
description ** Server INT VLAN **
encapsulation dot1Q 3
ip address 10.47.3.250 255.255.255.0
ip nat inside
!
interface Port-channel1.65
description ** Met VLAN **
encapsulation dot1Q 65
ip address 10.47.65.250 255.255.255.0
ip nat inside
!
interface Port-channel1.68
description ** Information Technology VLAN **
encapsulation dot1Q 68
ip address 10.47.68.250 255.255.255.0
ip nat inside
!
interface Port-channel1.1000
description ** Management VLAN **
encapsulation dot1Q 1000
ip address 10.47.0.250 255.255.255.0
ip nat inside
Also, can you post the output of 'show ip nat translations'?
09-11-2017 01:34 PM
Try changing:
ip nat inside source list 100 interface Port-channel1.3 overload
To:
ip nat inside source list 100 interface Gi0/0 overload
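As an added example (not code from this thread or from Cisco), here is a small Python check that applies the two points raised in the replies above to an IOS-style config dump: the interface named in the 'overload' statement must carry 'ip nat outside', and every addressed interface facing the LAN needs 'ip nat inside'. The config fragment inside is constructed to mirror the poster's setup, with a placeholder public address on Gi0/0.

```python
import re

# Constructed IOS config fragment modelled on the thread, not the poster's
# attached config: only Port-channel1.3 carries "ip nat inside" and the
# overload statement still points at that sub-interface instead of Gi0/0.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
!
interface Port-channel1.3
 encapsulation dot1Q 3
 ip address 10.47.3.250 255.255.255.0
 ip nat inside
!
interface Port-channel1.68
 encapsulation dot1Q 68
 ip address 10.47.68.250 255.255.255.0
!
ip nat inside source list 100 interface Port-channel1.3 overload
"""

def parse_interfaces(config):
    """Map each interface name to its (indented) sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks

def audit_nat(config):
    """Return findings as strings; an empty list means the NAT roles look complete."""
    findings = []
    ifs = parse_interfaces(config)
    # The overload statement names the NAT outside interface.
    m = re.search(r"^ip nat inside source .*? interface (\S+) overload", config, re.M)
    if m and "ip nat outside" not in ifs.get(m.group(1), []):
        findings.append(f"overload interface {m.group(1)} lacks 'ip nat outside'")
    # Any addressed interface with no NAT role will not be translated.
    for name, lines in ifs.items():
        has_ip = any(l.startswith("ip address") for l in lines)
        has_role = any(l in ("ip nat inside", "ip nat outside") for l in lines)
        if has_ip and not has_role:
            findings.append(f"{name} has an IP address but no NAT role")
    return findings
```

The second check assumes every addressed interface should take part in NAT; a management interface that is deliberately left out would be reported and can be ignored.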
09-11-2017 02:51 PM
I have changed this config line; it now reads:
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 [routers default gateway on same subnet as its public ip address] 2
!
!
09-11-2017 02:54 PM
If you're still unable to ping, 4.2.2.1 for example, I'd recommend providing the output Flavio suggested... ipconfig, tracert, etc.
09-11-2017 01:36 PM
Hello,
First, this config looks weird to me. Do you have both access and trunk configured on the same port?
interface GigabitEthernet2/0/1
description ** C0ISR01 on g0/2 **
switchport access vlan 3
switchport mode trunk
channel-group 1 mode on
!
About the ping, which IP address did you put on the PC? What does traceroute say?
Where does it stop?
At first sight, NAT looks ok.
09-11-2017 02:55 PM - edited 09-11-2017 03:02 PM
Hi, I have corrected both instances (port channel) of that misconfig on the Switch:
!
interface GigabitEthernet1/0/1
description ** C0ISR01 on g0/1 **
switchport mode trunk
channel-group 1 mode on
!
!
interface GigabitEthernet2/0/1
description ** C0ISR01 on g0/2 **
switchport mode trunk
channel-group 1 mode on
!
In reference to your question about PC1:
Its IP address is 10.47.68.222 with a gateway of 10.47.68.1 and subnet mask 255.255.255.0.
Traceroute run from Linux PC1 to 8.8.8.8 says:
1?: [LOCALHOST] pmtu 1500
1: 10.47.68.1 2.31ms
1: 10.47.68.1 0.89ms
2: 10.47.3.250 0.51ms asymm 1
3: no reply
...
29: no reply
30: no reply
Too many hops: pmtu 1500
Resume: pmtu 1500
I still cannot ping 4.2.2.1 or 8.8.8.8:
$ ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
^C
--- 4.2.2.2 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7161ms
$ ping 4.2.2.1
PING 4.2.2.1 (4.2.2.1) 56(84) bytes of data.
^C
--- 4.2.2.1 ping statistics ---
28 packets transmitted, 0 received, 100% packet loss, time 27638ms
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
16 packets transmitted, 0 received, 100% packet loss, time 15337ms
IP configuration and routing table of PC1:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 28:d2:44:d5:ee:26 brd ff:ff:ff:ff:ff:ff
inet 10.47.68.222/24 brd 10.47.68.255 scope global enp0s25
valid_lft forever preferred_lft forever
inet6 fe80::b9cc:14a9:1273:6f86/64 scope link
valid_lft forever preferred_lft forever
3: wlp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 28:b2:bd:76:9e:13 brd ff:ff:ff:ff:ff:ff
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.47.68.1 0.0.0.0 UG 100 0 0 enp0s25
10.47.68.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s25
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 enp0s25
09-12-2017 08:58 AM
Might it be my VLAN config?
USNYHUB-SW01#sh vlan b
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4
Gi1/0/5, Gi1/0/6, Gi1/0/7
Gi1/0/8, Gi1/0/9, Gi1/0/10
Gi1/0/11, Gi1/0/12, Gi1/0/13
Gi1/0/14, Gi1/0/15, Gi1/0/16
Gi1/0/17, Gi1/0/18, Gi1/0/19
Gi1/0/20, Gi1/0/21, Gi1/0/22
Gi1/0/23, Gi1/0/24, Gi1/0/25
Gi1/0/26, Gi1/0/27, Gi1/0/28
Gi1/0/29, Gi1/0/30, Gi1/0/31
Gi1/0/32, Gi1/0/33, Gi1/0/34
Gi1/0/35, Gi1/0/36, Gi1/0/37
Gi1/0/38, Gi1/0/39, Gi1/0/40
Gi1/0/41, Gi1/0/42, Gi1/0/43
Gi1/0/44, Gi1/0/45, Gi1/0/46
Gi1/0/48, Gi1/0/49, Gi1/0/50
Gi1/0/51, Gi1/0/52, Gi2/0/2
Gi2/0/3, Gi2/0/4, Gi2/0/5
Gi2/0/6, Gi2/0/7, Gi2/0/8
Gi2/0/9, Gi2/0/10, Gi2/0/11
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
Gi2/0/12, Gi2/0/13, Gi2/0/14
Gi2/0/15, Gi2/0/16, Gi2/0/17
Gi2/0/18, Gi2/0/19, Gi2/0/20
Gi2/0/21, Gi2/0/22, Gi2/0/23
Gi2/0/24, Gi2/0/25, Gi2/0/26
Gi2/0/27, Gi2/0/28, Gi2/0/29
Gi2/0/30, Gi2/0/31, Gi2/0/32
Gi2/0/33, Gi2/0/34, Gi2/0/35
Gi2/0/36, Gi2/0/37, Gi2/0/38
Gi2/0/39, Gi2/0/40, Gi2/0/41
Gi2/0/42, Gi2/0/43, Gi2/0/44
Gi2/0/45, Gi2/0/47, Gi2/0/48
Gi2/0/49, Gi2/0/50, Gi2/0/51
Gi2/0/52
3 INT active
65 MET active Gi2/0/46
68 IT-ADMIN active Gi1/0/47
99 VLAN0099 active
1000 MGMT active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
USNYHUB-SW01#sh ip int b
Interface IP-Address OK? Method Status Protocol
Vlan1 10.47.1.1 YES manual up up
Vlan3 10.47.3.1 YES manual up up
Vlan65 10.47.65.1 YES manual up up
Vlan68 10.47.68.1 YES manual up up
Vlan1000 10.47.0.1 YES manual up up
09-12-2017 09:06 AM - edited 09-12-2017 09:09 AM
Don't think so, man.
Your traceroute stopped at 10.47.3.250.
Which host is this? Can you ping it?
Also, make sure ICMP is permitted on your firewall. Often they block ICMP.
Also, try to use extended ping on the router and put a VLAN IP as the source.
09-12-2017 01:24 PM
Hi Flavio,
Thanks for your time and continued insight. I appreciate it.
10.47.3.250 is the IP address of the router's sub-interface (cabled to the switch via etherchannel) for VLAN 3. The switch had an 'ip route 0.0.0.0 0.0.0.0 10.47.3.250' command entered as the only static route. I deleted that static route and replaced it with 'ip route 0.0.0.0 0.0.0.0 10.47.68.250', but no change in connectivity.
Also, we don't have a firewall in this topology; the network admin (whom I also enlisted to help solve the issue today) told me the switchport they assigned for me (that is connected to my router's g0/0 with a public IP) goes straight out to the internet.
I can ping both sub-if IPs from the switch:
USNYHUB-SW01#ping 10.47.3.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.47.3.250, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
USNYHUB-SW01#ping 10.47.68.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.47.68.250, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/17 ms
Extended traceroute from router using source IP of VLAN sub-interface on router:
USNYHUB-ISR01#traceroute ip 8.8.8.8 source 10.47.68.1
% Invalid source address- IP address not on any of our up interfaces
USNYHUB-ISR01#traceroute ip 8.8.8.8 source 10.47.68.250
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 4.68.70.54 0 msec 0 msec 4 msec
3 * * *
4 72.14.235.215 0 msec 0 msec
108.170.233.183 4 msec
5 8.8.8.8 0 msec 4 msec 0 msec
USNYHUB-ISR01#traceroute ip 8.8.8.8 source 10.47.3.250
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 4.68.70.54 0 msec 0 msec 4 msec
3 * * *
4 108.170.235.25 0 msec
72.14.235.215 4 msec
108.170.233.243 0 msec
5 8.8.8.8 4 msec 0 msec 4 msec
USNYHUB-ISR01#
09-12-2017 02:12 PM - edited 09-13-2017 07:08 AM
I think my previous reply disappeared.
Thanks again for your help.
The x.x.x.250 IPs are the IP addresses on the router's sub-interfaces that are connected to the switch. There is no firewall, as the switchport the router is connected to goes directly out to the internet, according to the network admin.
I can ping 10.47.3.250 from the router and the switch.
Traceroute from router:
USNYHUB-ISR01#traceroute ip 8.8.8.8 source 10.47.68.1
% Invalid source address- IP address not on any of our up interfaces
USNYHUB-ISR01#traceroute ip 8.8.8.8 source 10.47.68.250
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 [ISP next-hop] 0 msec 0 msec 4 msec
3 * * *
4 72.14.235.215 0 msec 0 msec
108.170.233.183 4 msec
5 8.8.8.8 0 msec 4 msec 0 msec
USNYHUB-ISR01#traceroute ip 8.8.8.8 source 10.47.3.250
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 [ISP next hop] 0 msec 0 msec 4 msec
3 * * *
4 108.170.235.25 0 msec
72.14.235.215 4 msec
108.170.233.243 0 msec
5 8.8.8.8 4 msec 0 msec 4 msec
09-12-2017 02:18 PM - edited 09-12-2017 02:23 PM
Hi,
Thanks for your insight and time. I made the changes that you suggested and put 'ip nat inside' on all of the sub-ifs.
edit: Wow, Georg! I think that worked!!!
Switch:
USNYHUB-SW01#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Router:
USNYHUB-ISR01(config)#do sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp [router public IP]:59 10.47.68.1:59 8.8.8.8:59 8.8.8.8:59
09-13-2017 07:16 AM
Hello,
This thread is marked as Solved, isn't it?