Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

shawntaylor17 · ‎11-20-2018

Hi All

I'm using an ISR1100 Router on a Leased Line. I'm having an issue where devices "Lan" side can communicate out to the internet via a default static route. The issue i'm experiencing is that inbound traffic to a VPN server is not getting any further than the Cisco router.

I have the following

WAN

Sub-interface 0/0/1.4094

Encapsulation dot1q 4094 (ISP use this VLAN)

IP xxx.xxx.xxx.133

IP route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.132

Internet access works

LAN

vlan1

IP Address: xxx.xxx.xxx.129

I have a device connected to Physical Interface 0/1/0 with the following Public Static IP: xxx.xxx.xxx.130

I'm unable to communicate with this device from the internet.

From the cisco console i can ping xxx.xxx.xxx.130

From the device itself i can ping xxx.xxx.xxx.129 and xxx.xxx.xxx.133 and internet address.

Any help with what is going on here would be greatly appreciated.

I've reset the router and have gone back to basics, the config is as follows:

!
!
multilink bundle-name authenticated
!
!
!

!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.4094
encapsulation dot1Q 4094
ip address xx.xxx.xxx.133 xxx.xxx.xxx.xxx
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Vlan1
ip address xxx.xxx.xxx.129 xxx.xxx.xxx.xxx
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.132
!
!
!
!
!
!

All port are a member of vlan1.

Thank You in advanced

Georg Pauwen · ‎11-20-2018

Hello,

I dn't see any NAT on your router, not sure if you have omitted that on purpose. Either way, make sure the lines marked in bold are added to your config:

multilink bundle-name authenticated
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.4094
encapsulation dot1Q 4094
ip address xx.xxx.xxx.133 xxx.xxx.xxx.xxx
ip nat outside
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Vlan1
ip address xxx.xxx.xxx.129 xxx.xxx.xxx.xxx
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.132
!
ip nat inside source list 1 interface GigabitEthernet0/0/1.4094 overload
!
access-list 1 permit xxx.xxx.xxx.xxx yyyy.yyyy.yyy.yyy --> the access list needs to specify the IP address space of Vlan1

shawntaylor17 · ‎11-20-2018

Thanks for the reply i will try this. I was under the impression that this was a no nat setup as the server behind the router will be assigned 1 of our public IP address directly, therefore i thought that no actual translation was needed.

Georg Pauwen · ‎11-20-2018

Hello,

you don't need any NAT if all of your addresses are public IP addresses. Can you indicate if that is the case, that is, all VLAN 1 IP addresses are public ?

shawntaylor17 · ‎11-20-2018

Yes all vlan1 IP addresses are public, that's correct.

Georg Pauwen · ‎11-20-2018

Hello,

so the VPN server has a public IP address from the same subnet as Vlan 1 ? Can you ping e.g. 8.8.8.8 from the VPN server ?

shawntaylor17 · ‎11-20-2018

IP on vlan1 is aaa.bbb.ccc.129

IP on VPN Server is aaa.bbb.ccc.130 with GW: aaa.bbb.ccc.129

The vpn server can ping 8.8.8.8 okay. It just seems to be inbound doesn't get passed from the WAN to aaa.bbb.ccc.130.

I can even ping aaa.bbb.ccc.129 from any internet device but not able to ping aaa.bbb.ccc.130. If im on the cisco console i can ping aaa.bbb.ccc.130 so the device does respond to ping.

Georg Pauwen · ‎11-20-2018

Hello,

post the output of 'show ip route'...

shawntaylor17 · ‎11-20-2018

Hi

S* 0.0.0.0/0 [1/0] via 87.xxx.xxx.132
83.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 83.xxx.xxx128/29 is directly connected, Vlan1
L 83.xxx.xxx.129/32 is directly connected, Vlan1
87.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 87.xxx.xxx.132/31 is directly connected, GigabitEthernet0/0/1.4094
L 87.xxx.xxx.133/32 is directly connected, GigabitEthernet0/0/1.4094

Thanks

shawntaylor17 · ‎11-20-2018

When running a traceroute i can see that the traffic hits the WAN Subinterface aaa.bbb.ccc.133 but then times out at this point. Not sure if this information is helpful.

Thanks

Georg Pauwen · ‎11-20-2018

Hello,

what is the output of 'show vlan' ?

Try and add the 'native' keyword to your ISP interface config:

encapsulation dot1Q 4094 native

shawntaylor17 · ‎11-20-2018

Hi When adding Native to the encapsulation I can no longer communicate out to the internet. Heres the show vlan VLAN Name Status Ports

1 default active Gi0/1/0, Gi0/1/1, Gi0/1/2 Gi0/1/3

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

1 enet 100001 1500 - - - - - 0 0

1002 fddi 101002 1500 - - - - - 0 0

1003 tr 101003 1500 - - - - - 0 0

1004 fdnet 101004 1500 - - - ieee - 0 0

1005 trnet 101005 1500 - - - ibm - 0 0

Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------

Thanks

Georg Pauwen · ‎11-20-2018

Hello,

try and manually create Vlan 4094:

ISR1100(config)#vlan 4094

shawntaylor17 · ‎11-20-2018

I've manually created, no difference unfortunately.

Thanks

Georg Pauwen · ‎11-20-2018

Hello,

can you ping any of the other devices on Vlan 1 ?