Can ping from router to internet but not from VLANs on a Switch

Anaximander (Level 1)

Greetings, 

 

I have two Cisco Catalyst 2960-X in a stack, and an ISR 2921 attached to a switch on the corporate network on a port that gives direct access to the internet. They are cabled in the following manner:

 

Direct access to internet via corporate Switch
                |
                |
         ---------------
         |g0/0|
           Router
         |g0/1| |g0/2|
           etherchannel
         --------
         |g1/0/1| |g2/0/1|
         2960-X Switch Stack
         |1/0/47|
         -------
           PC1

 

I can ping from the router to the internet, from my switch stack to all interfaces of my router,  from PC1 to all interfaces of the switch and router, but not from switch or PC1 to the internet. 

 

Current configs attached below: 

 

I suspect it may have to do with my NAT config, any help would be appreciated. Thank you in advance for your time.

1 Accepted Solution (Georg's reply below, adding 'ip nat inside' to every Port-channel1 subinterface)

12 Replies

BradEast1 (Level 3)

Try changing:

 

ip nat inside source list 100 interface Port-channel1.3 overload

 

To:

 

ip nat inside source list 100 interface Gi0/0 overload

I have changed this config line, it now says:

 

!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 [routers default gateway on same subnet as its public ip address] 2
!
!

If you're still unable to ping, 4.2.2.1 for example, I'd recommend providing the output Flavio suggested... ipconfig, tracert, etc.

 

Hello,

 

First, I found this config weird. Do you put access and trunk on the same port?

 

interface GigabitEthernet2/0/1
description ** C0ISR01 on g0/2 **
switchport access vlan 3
switchport mode trunk

channel-group 1 mode on
!

 

 

About ping, which IP address did you put on the PC? What does traceroute say?

Where does it stop?

 

At first sight, NAT looks ok.

Hi, I have corrected both instances (port channel) of that misconfig on the Switch:

!
interface GigabitEthernet1/0/1
description ** C0ISR01 on g0/1 **
switchport mode trunk
channel-group 1 mode on
!

!
interface GigabitEthernet2/0/1
description ** C0ISR01 on g0/2 **
switchport mode trunk
channel-group 1 mode on
!

 

 

 

In reference to your question about PC1:

It's IP Address is 10.47.68.222 with a gateway of 10.47.68.1 subnet mask 255.255.255.0 

Traceroute run from Linux PC1 to 8.8.8.8 says: 

1?: [LOCALHOST] pmtu 1500

1: 10.47.68.1 2.31ms

1: 10.47.68.1 0.89ms

2: 10.47.3.250 0.51ms asymm 1

3: no reply

...

29: no reply 

30: no reply

Too many hops: pmtu 1500

Resume: pmtu 1500

 

I still cannot ping 4.2.2.1 or 8.8.8.8 

$ ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
^C
--- 4.2.2.2 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7161ms

$ ping 4.2.2.1
PING 4.2.2.1 (4.2.2.1) 56(84) bytes of data.
^C
--- 4.2.2.1 ping statistics ---
28 packets transmitted, 0 received, 100% packet loss, time 27638ms

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
16 packets transmitted, 0 received, 100% packet loss, time 15337ms

 

 

IP configuration and routing table of PC1: 

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 28:d2:44:d5:ee:26 brd ff:ff:ff:ff:ff:ff
inet 10.47.68.222/24 brd 10.47.68.255 scope global enp0s25
valid_lft forever preferred_lft forever
inet6 fe80::b9cc:14a9:1273:6f86/64 scope link
valid_lft forever preferred_lft forever
3: wlp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 28:b2:bd:76:9e:13 brd ff:ff:ff:ff:ff:ff
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.47.68.1 0.0.0.0 UG 100 0 0 enp0s25
10.47.68.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s25
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 enp0s25

Might it be my VLAN config? 

 

USNYHUB-SW01#sh vlan b

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4
Gi1/0/5, Gi1/0/6, Gi1/0/7
Gi1/0/8, Gi1/0/9, Gi1/0/10
Gi1/0/11, Gi1/0/12, Gi1/0/13
Gi1/0/14, Gi1/0/15, Gi1/0/16
Gi1/0/17, Gi1/0/18, Gi1/0/19
Gi1/0/20, Gi1/0/21, Gi1/0/22
Gi1/0/23, Gi1/0/24, Gi1/0/25
Gi1/0/26, Gi1/0/27, Gi1/0/28
Gi1/0/29, Gi1/0/30, Gi1/0/31
Gi1/0/32, Gi1/0/33, Gi1/0/34
Gi1/0/35, Gi1/0/36, Gi1/0/37
Gi1/0/38, Gi1/0/39, Gi1/0/40
Gi1/0/41, Gi1/0/42, Gi1/0/43
Gi1/0/44, Gi1/0/45, Gi1/0/46
Gi1/0/48, Gi1/0/49, Gi1/0/50
Gi1/0/51, Gi1/0/52, Gi2/0/2
Gi2/0/3, Gi2/0/4, Gi2/0/5
Gi2/0/6, Gi2/0/7, Gi2/0/8
Gi2/0/9, Gi2/0/10, Gi2/0/11

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
Gi2/0/12, Gi2/0/13, Gi2/0/14
Gi2/0/15, Gi2/0/16, Gi2/0/17
Gi2/0/18, Gi2/0/19, Gi2/0/20
Gi2/0/21, Gi2/0/22, Gi2/0/23
Gi2/0/24, Gi2/0/25, Gi2/0/26
Gi2/0/27, Gi2/0/28, Gi2/0/29
Gi2/0/30, Gi2/0/31, Gi2/0/32
Gi2/0/33, Gi2/0/34, Gi2/0/35
Gi2/0/36, Gi2/0/37, Gi2/0/38
Gi2/0/39, Gi2/0/40, Gi2/0/41
Gi2/0/42, Gi2/0/43, Gi2/0/44
Gi2/0/45, Gi2/0/47, Gi2/0/48
Gi2/0/49, Gi2/0/50, Gi2/0/51
Gi2/0/52
3 INT active
65 MET active Gi2/0/46
68 IT-ADMIN active Gi1/0/47
99 VLAN0099 active
1000 MGMT active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
USNYHUB-SW01#sh ip int b
Interface IP-Address OK? Method Status Protocol
Vlan1 10.47.1.1 YES manual up up
Vlan3 10.47.3.1 YES manual up up
Vlan65 10.47.65.1 YES manual up up
Vlan68 10.47.68.1 YES manual up up
Vlan1000 10.47.0.1 YES manual up up

Don't think so man.

Your trace route stopped at 10.47.3.250.

Which host is this? Can you ping it?

Also, make sure icmp is permitted on your firewall. Often they block icmp.

Also, try to use extended ping on the router and put the VLAN IP as source.

Hi Flavio, 

 

Thanks for your time and continued insight. I appreciate it.

 

10.47.3.250 is the IP address of the router's sub-interface (cabled to the switch via etherchannel) for VLAN 3. The switch had a an 'ip route 0.0.0.0 0.0.0.0 10.47.3.250' command entered as the only static route. I deleted that static route and replaced it with 'ip route 0.0.0.0 0.0.0.0 10.47.68.250' but no change in connectivity. 

 

Also, we don't have a firewall in this topology; the network admin (whom I also enlisted to help solve the issue today) told me the switchport they assigned for me (that is connected to my router's g0/0 with a public IP) goes straight out to the internet.

 

I can ping both sub-if IPs from the switch
USNYHUB-SW01#ping 10.47.3.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.47.3.250, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

USNYHUB-SW01#ping 10.47.68.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.47.68.250, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/17 ms

 

Extended traceroute from router using source IP of VLAN sub-interface on router: 

USNYHUB-ISR01#traceroute ip 8.8.8.8 source 10.47.68.1
% Invalid source address- IP address not on any of our up interfaces
USNYHUB-ISR01#traceroute ip 8.8.8.8 source 10.47.68.250
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 4.68.70.54 0 msec 0 msec 4 msec
3 * * *
4 72.14.235.215 0 msec 0 msec
108.170.233.183 4 msec
5 8.8.8.8 0 msec 4 msec 0 msec
USNYHUB-ISR01#traceroute ip 8.8.8.8 source 10.47.3.250
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 4.68.70.54 0 msec 0 msec 4 msec
3 * * *
4 108.170.235.25 0 msec
72.14.235.215 4 msec
108.170.233.243 0 msec
5 8.8.8.8 4 msec 0 msec 4 msec
USNYHUB-ISR01#

I think my previous reply disappeared.

Thanks again for your help.

The x.x.x.250 IPs are the IP addresses on the router's sub-interfaces that are connected to the switch. No firewall, as the switchport the router is connected to goes directly out to the internet, is what I was told by the network admin.

I can ping 10.47.3.250 from the router and the switch.

Traceroute from router
USNYHUB-ISR01#traceroute ip 8.8.8.8 source 10.47.68.1
% Invalid source address- IP address not on any of our up interfaces
USNYHUB-ISR01#traceroute ip 8.8.8.8 source 10.47.68.250
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 [ISP next-hop] 0 msec 0 msec 4 msec
3 * * *
4 72.14.235.215 0 msec 0 msec
108.170.233.183 4 msec
5 8.8.8.8 0 msec 4 msec 0 msec
USNYHUB-ISR01#traceroute ip 8.8.8.8 source 10.47.3.250
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 [ISP next hop] 0 msec 0 msec 4 msec
3 * * *
4 108.170.235.25 0 msec
72.14.235.215 4 msec
108.170.233.243 0 msec
5 8.8.8.8 4 msec 0 msec 4 msec

Hello,

in addition to the other posts, I am not sure if the NAT on the port channel works. Try to add the 'ip nat inside' to all the subinterfaces:

 

interface Port-channel1.1
encapsulation dot1Q 1 native
ip address 10.47.1.250 255.255.255.0

ip nat inside
!
interface Port-channel1.3
description ** Server INT VLAN **
encapsulation dot1Q 3
ip address 10.47.3.250 255.255.255.0

ip nat inside
!
interface Port-channel1.65
description ** Met VLAN **
encapsulation dot1Q 65
ip address 10.47.65.250 255.255.255.0

ip nat inside
!
interface Port-channel1.68
description ** Information Technology VLAN **
encapsulation dot1Q 68
ip address 10.47.68.250 255.255.255.0

ip nat inside
!
interface Port-channel1.1000
description ** Management VLAN **
encapsulation dot1Q 1000
ip address 10.47.0.250 255.255.255.0

ip nat inside

 

Also, can you post the output of 'show ip nat translations' ?
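One way to catch the mistake Georg points at before it reaches the router: a small lint over an IOS running-config that flags IP-bearing interfaces with no NAT role and checks that the overload interface is marked 'ip nat outside'. This is an added example, not code from the thread or from Cisco; the config it checks is constructed to mirror the thread's router (the 203.0.113.10 address is a placeholder for the public IP), and the interface names and ACL number are assumptions taken from the posts.

```python
import re

# Constructed sample mirroring the thread's router: Gi0/0 faces the
# internet, the Port-channel1.x subinterfaces face the VLANs, and only
# one subinterface carries 'ip nat inside' (the misconfiguration).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
!
interface Port-channel1.3
 encapsulation dot1Q 3
 ip address 10.47.3.250 255.255.255.0
 ip nat inside
!
interface Port-channel1.68
 encapsulation dot1Q 68
 ip address 10.47.68.250 255.255.255.0
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
access-list 100 permit ip 10.47.0.0 0.0.255.255 any
"""

def parse_interfaces(config):
    """Return {interface name: set of its indented config lines}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = set()
        elif line.startswith(" ") and current:
            ifaces[current].add(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return ifaces

def nat_lint(config):
    """List NAT problems: an IP-bearing interface with no inside/outside
    role, and an overload interface not marked 'ip nat outside'."""
    ifaces = parse_interfaces(config)
    problems = []
    m = re.search(r"^ip nat inside source list \S+ interface (\S+) overload",
                  config, re.M)
    outside = m.group(1) if m else None
    for name, lines in ifaces.items():
        has_ip = any(l.startswith("ip address ") for l in lines)
        role = {l for l in lines if l in ("ip nat inside", "ip nat outside")}
        if has_ip and not role:
            problems.append(f"{name}: has an IP address but no 'ip nat inside/outside'")
        if name == outside and "ip nat outside" not in role:
            problems.append(f"{name}: used for overload but lacks 'ip nat outside'")
    return problems
```

Traffic entering an interface with no NAT role is routed untranslated, which is exactly why the router could reach the internet while the VLAN behind Port-channel1.68 could not.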

Hi,

Thanks for your insight and time. I made the changes that you suggested and put 'ip nat inside' on all of the sub-ifs.

 

edit: Wow, Georg! I think that worked!!! 

 

Switch: 

USNYHUB-SW01#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms


Router:

USNYHUB-ISR01(config)#do sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp [router public IP]:59 10.47.68.1:59 8.8.8.8:59 8.8.8.8:59

Hello,

 

This thread is marked as Solved, isn't it?
