Can't access the internet from my vlan router 1921

Jaskaran B · ‎07-29-2023

Hello, I'm having connectivity issue's with my router and switch.

I'm unable, from the 1921 router ping my computer which is in a vlan, without taking the firewall offline.

I'm also unable to ping the internet from the computer on the vlan, but I can ping the internet from the router.

I'm able to ping both sides of my vlan's on the sub interfaces though.

Router#sh ip int br
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 192.15.10.1 YES NVRAM up up
GigabitEthernet0/0.1 192.10.5.1 YES NVRAM up up
GigabitEthernet0/0.2 172.8.10.1 YES NVRAM up up
GigabitEthernet0/1 10.0.0.2 YES NVRAM up up
Serial0/1/0 unassigned YES NVRAM administratively down down
NVI0 192.15.10.1 YES unset up up

Router#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.0.0.1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.0.0.0/24 is directly connected, GigabitEthernet0/1
L 10.0.0.2/32 is directly connected, GigabitEthernet0/1
L 10.0.0.20/32 is directly connected, GigabitEthernet0/1
L 10.0.0.30/32 is directly connected, GigabitEthernet0/1
172.8.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.8.0.0/16 is directly connected, GigabitEthernet0/0.2
L 172.8.10.1/32 is directly connected, GigabitEthernet0/0.2
192.10.5.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.10.5.0/24 is directly connected, GigabitEthernet0/0.1
L 192.10.5.1/32 is directly connected, GigabitEthernet0/0.1
192.15.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.15.10.0/30 is directly connected, GigabitEthernet0/0
L 192.15.10.1/32 is directly connected, GigabitEthernet0/0

M02@rt37 · ‎07-29-2023

Hello @Jaskaran B,

It seems that Router on A Stick is configured on your 1921.

Do the VLAN ping their own Gateway?

Please share the 1921 config.

Thanks.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Jaskaran B · ‎07-29-2023

Pinging 192.10.5.1 with 32 bytes of data:
Reply from 192.10.5.1: bytes=32 time<1ms TTL=255
Reply from 192.10.5.1: bytes=32 time<1ms TTL=255
Reply from 192.10.5.1: bytes=32 time<1ms TTL=255
Reply from 192.10.5.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.10.5.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Jaskaran B · ‎07-29-2023

interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.15.10.1 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 10
ip address 192.10.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 20
ip address 172.8.10.1 255.255.0.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
ip address 10.0.0.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/1/0
no ip address
shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source static 192.10.5.10 10.0.0.20
ip nat inside source static 172.8.10.5 10.0.0.30
ip route 0.0.0.0 0.0.0.0 10.0.0.1

M02@rt37 · ‎07-29-2023

Thanks for the config @Jaskaran B

Check you ACL. Two IP only NATed?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Jaskaran B · ‎07-29-2023

Router#sh running-config
Building configuration...

Current configuration : 1708 bytes
!
! Last configuration change at 13:06:06 UTC Sat Jul 29 2023
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!

!
no aaa new-model
!
ip cef
!
!
!
!

!
!
!
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FGL1831239H
license accept end user agreement
!
!

!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.15.10.1 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 10
ip address 192.10.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 20
ip address 172.8.10.1 255.255.0.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
ip address 10.0.0.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/1/0
no ip address
shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source static 192.10.5.10 10.0.0.20
ip nat inside source static 172.8.10.5 10.0.0.30
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
!
!
!
control-plane
!
!
!
line con 0

login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4

login
transport input all
!
scheduler allocate 20000 1000
!
end

Jaskaran B · ‎07-29-2023

Pro Inside global Inside local Outside local Outside global
--- 10.0.0.30 172.8.10.5 --- ---
--- 10.0.0.20 192.10.5.10 --- ---

Flavio Miranda · ‎07-29-2023

Hi @Jaskaran B

Disable the firewall on the machine to reply ping is expected. Unless you config the firewall do allow icmp.

Now, the way your router is configured, only 2 IPs is able to access the internet. You should have a config like this

Ip nat inside source list 100 interface GigabitEthernet0/1 overload

Ip access-list extend 100

Permit 192.10.0.0 0.0.255.255 any

Permit 172.8.0.0 0.0..255.255 any

And remove IP from interface GigabitEthernet0/0

Interface GigabitEthernet0/0

no ip add