Cisco 1841 ip routing problem

mmunoz2000
Level 1

Hello everyone!

I'm completely lost here, since I'm a newbie on this networking area.

I recently had a problem with a Cisco 1841 router that lost all its configuration after a power outage. Long story short, I've been able to restore most of it, but I'm still having issues with the IP routing. This is the scenario:

I have 2 internal VLANs (1010 and 3040) configured in a ZyXEL switch.
1010 has an ip 192.168.170.1
3040 has an ip 192.168.160.1

I have a Sonicwall on the other end that acts as a gateway with ip 192.168.168.1

On the router I have interface 0/0 as outside with ip 192.168.168.54
I also have 2 subinterfaces for the vlans with the ips mentioned before.

Everything works fine on the internal network, which is 192.168.168.x

I want traffic from the VLANs to go outside to the internet
I want traffic to go inside to those VLANs from the internet

So far, from the router, I can ping all the gateways and the internet.

PC inside the 192.168.170.x network can reach the internet, but no one can reach that computer from the outside.

Please help me, I've been trying to figure this out for a week now, but I have no clue what I'm missing!!!

See my current configuration:


!
interface FastEthernet0/0
ip address 192.168.168.54 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
ip nat inside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1010
ip address 192.168.170.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 3040
ip address 192.168.160.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.168.1
!
!
no ip http server
no ip http secure-server
ip nat source list 1 interface FastEthernet0/0 overload
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.170.0 0.0.0.255
access-list 1 permit 192.168.160.0 0.0.0.255
!
!
!


I would really appreciate any insight on this matter, since I need to have these up and running in a couple of days.

I hope you guys can help!

62 Replies

Hello

@mmunoz2000 wrote:

I want traffic to go inside to those VLANS from the internet

By default, on any firewall, all connections from the outside are denied from initiating communication. May I ask what your intention is for outside users to be able to reach your internal users?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you for your response.

Maybe I didn't explain myself the right way...what I mean is that I want the users from the 192.168.168.x network to be able to reach the computers on the 192.168.170.x network.

I have a PC on the 168.x network and it cannot ping another PC on the 170.x network.

I hope this clarifies my requirement.

Your current ACL matches all internal traffic, so all of it is NATted.

As a result, the path back is blocked.

You must add a rule to "deny" traffic between the local subnets from being NATted.

These denies must come before the permit.

You mean add something like this:

AP-CISCO-01#sh access-list
Standard IP access list 1
10 deny 192.168.168.0, wildcard bits 0.0.0.255
20 permit 192.168.170.0, wildcard bits 0.0.0.255 (157611 matches)
30 permit 192.168.160.0, wildcard bits 0.0.0.255 (28 matches)

Please confirm.

Thanks!

Hello

Maybe I have missed something in your topology, but you mention a switch with VLANs and then show this 1841 rtr config.

As it's inter-VLAN communication being troubleshot, I can see you have ip routing enabled on the rtr, and any traffic between these two VLANs should be routed by this rtr.

So do you have a trunk between this rtr and the switch, and the L2 VLANs created in the switch, or something else?

Your topology as I understand it is

Fw - rtr - switch - users


Kind Regards
Paul

Paul,

Thank you for the suggestion!

Honestly I don't know, but nothing has changed on the switch or any other device, and this was working before. So my assumption would be that it is enabled as it was before.

I believe there might be some issue with the NAT somewhere, but I don't have the knowledge to identify it.

Thanks for the advice.

Yes, you are absolutely right, that's the topology I have!

How do I know if there is a trunk between the rtr and the switch and the VLANs?

Hello

Can you gain access to the switch and check the port details?

Also, from a client in each VLAN, try to ping the rtr's L3 interface for the other VLAN. Does it work or fail?

Do the clients have the correct subnet mask and default gateway defined?

FYI, the clients shouldn't even reach the Fw for inter-VLAN communication unless they are configured to do so.

Lastly, can you remove "ip nat enable" from the interfaces?


Kind Regards
Paul

What port details do you need from the ports on the switch? I do have them, I just don't know what to post.

Clients on the 192.168.170.x have access to the internet

Clients on the 192.168.160.x have access to the internet

Clients on the 192.168.168.x have access to the internet

Ping from each VLAN to its own gateway works.

All the clients have the subnet mask 255.255.255.0 and 192.168.168.1 gateway.

How do I go about removing the "ip nat enable" from the interfaces?

Thanks again!

Hello

1) The port details of the port on the switch that is connecting to your rtr.

2) Note: also, your clients' default gateway should be the L3 IP address of its corresponding VLAN specified on the rtr, not the Fw IP address.

3) On the rtr, in each interface:

conf t
int x/x
no ip nat enable
end


Kind Regards
Paul

Hi Paul,

1) I don't know where to get these. This is a ZyXEL GS1920 and there is not a whole lot of documentation on how to get the port details. I do know these were connected to ports 21 and 45 respectively. But there is also another ZyXEL switch in place, which trunks with the Sonicwall.

2) I do have a client on the 192.168.170.x network with a gateway 192.168.170.1

3) I did the no ip nat enable on each interface and now there is no access to the internet from the 170.x network and from the 160.x network.

Any clues?

Thanks for the assistance.

I forgot to mention... I can ping computers inside any of the subnets from the rtr.

So... if I ping 192.168.170.x from the rtr, I get a response

If I ping 8.8.8.8 from the rtr, no response (this was working earlier)

Best!

Hello

Make sure you have “ip nat outside” still applied to your fa0/0

and “ip nat inside” applied to your sub-interfaces

Then also remove this NAT statement:

conf t
no ip nat source list 1 interface FastEthernet0/0 overload
end

clear arp
clear ip nat translations *

Test again.


Kind Regards
Paul

I'm getting this message when trying to remove the nat source list:

AP-CISCO-01(config)#no ip nat source list 1 interface fas0/0 overload
Dynamic mapping in use, do you want to delete all entries? [no]: y
%Error: Dynamic mapping still in use, cannot remove

Any ideas?
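The NAT changes discussed across this thread, collected as an added example (not the original poster's running config or Paul's exact commands) and taken one step further by using an extended ACL for the NAT exemption. It assumes the Sonicwall at 192.168.168.1 has routes for 192.168.170.0/24 and 192.168.160.0/24 via 192.168.168.54, which the thread does not cover, and the ACL name NAT-INSIDE is my choice.

```cisco
! Added example, not the original poster's running config or Paul's exact
! commands: the NAT portion of the 1841 config reworked along the lines
! of the advice in this thread.
!
! Keep one NAT style. "ip nat enable" and "ip nat source list ..." belong
! to the NAT Virtual Interface (NVI) form; "ip nat inside/outside" and
! "ip nat inside source list ..." to the classic form. Only the classic
! form is kept here.
interface FastEthernet0/0
 ip nat outside
!
interface FastEthernet0/1
 no ip nat enable
!
interface FastEthernet0/1.1
 ip nat inside
 no ip nat enable
!
interface FastEthernet0/1.2
 ip nat inside
 no ip nat enable
!
! Exempt traffic between the local subnets from translation. A standard
! ACL such as access-list 1 matches only the source address, so a
! "deny 192.168.168.0 0.0.0.255" line in it does not stop a 170.x host's
! packets to 168.x from being translated to 192.168.168.54. An extended
! ACL matching source and destination does. The deny lines come first:
! the list is evaluated top down and the first match wins.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.170.0 0.0.0.255 192.168.168.0 0.0.0.255
 deny   ip 192.168.160.0 0.0.0.255 192.168.168.0 0.0.0.255
 permit ip 192.168.170.0 0.0.0.255 any
 permit ip 192.168.160.0 0.0.0.255 any
!
! Replace the two overload statements with one classic statement keyed on
! the extended ACL. Active translations must be cleared before IOS lets
! the old mapping go ("Dynamic mapping still in use" otherwise); that is
! done from exec mode with "clear ip nat translation *".
no ip nat source list 1 interface FastEthernet0/0 overload
no ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
```

With the exemption in place, a reply from a 170.x host to a 168.x host keeps its real source address, which is what lets the 168.x side match it to the ping it sent.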
