classical router-on-a-stick setup with VLANs cannot route outside

Salehzwy60270
Level 1

I cannot route from an inside VLAN to the outside interface; it gives route unreachable.

Any help would be much appreciated.

All interfaces are up; the outside interface can ping to the outside.


Config as shown below


!
!
interface GigabitEthernet0/0/0
ip address 172.16.10.254 255.255.255.0
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.20
encapsulation dot1Q 20
ip address 10.130.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0/1.30
encapsulation dot1Q 30
ip address 10.30.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0/1.111
encapsulation dot1Q 111
ip address 10.1.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0/1.115
encapsulation dot1Q 115
ip address 10.1.5.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0/1.117
encapsulation dot1Q 117
ip address 10.1.7.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip nat inside source list 111 interface GigabitEthernet0/0/0 overload
ip default-gateway 172.16.10.1
ip nat inside source static 10.1.1.10 172.16.10.210
ip nat inside source static 10.1.1.11 172.16.10.211
ip nat inside source static 10.1.1.13 172.16.10.213
ip nat inside source static 10.1.1.15 172.16.10.215
ip nat inside source static 10.1.1.20 172.16.10.220
ip nat inside source static 10.1.5.10 172.16.10.221
ip nat inside source static 10.1.5.11 172.16.10.222
ip nat inside source static 10.1.5.12 172.16.10.223

ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.10.1
!
!
access-list 111 permit ip 10.1.1.0 0.0.0.255 any
access-list 111 permit ip 10.1.5.0 0.0.0.255 any
access-list 111 permit ip 10.1.7.0 0.0.0.255 any


9 Replies

Giuseppe Larosa
Hall of Fame

Hello @Salehzwy60270 ,

I would add in global config

ip routing

then from router# you can check NAT operations with

show ip nat translations

Your NAT configuration looks correct, but you also have static NAT statements; for doing the tests, use a host that is not in a static NAT statement.

Hope to help

Giuseppe

Can you elaborate more regarding the NAT statement?

Hello,

Is this the full access list 111?

You need to add:

access-list 111 permit ip 10.30.1.0 0.0.0.255 any
access-list 111 permit ip 10.130.1.0 0.0.0.255 any

Even adding this won't fix the main issue.

Hello
At present you have just the one physical interface servicing both WAN/LAN, so how are your hosts and WAN devices connecting to this rtr?

Where are you trying to initiate a host connection, from which VLAN?
Suggest you relocate your WAN device onto a separate physical interface and append the following:


no ip nat inside source list 111 interface GigabitEthernet0/0/0 overload
no ip default-gateway 172.16.10.1
no ip route 0.0.0.0 0.0.0.0 172.16.10.1

interface GigabitEthernet0/0/0
no ip address 172.16.10.254 255.255.255.0


interface GigabitEthernet0/0/1
ip address 172.16.10.254 255.255.255.0
ip nat outside
no shutdown

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 172.16.10.1
access-list 111 permit ip 10.30.1.0 0.0.0.255 any
access-list 111 permit ip 10.130.1.0 0.0.0.255 any
ip nat inside source list 111 interface GigabitEthernet0/0/1 overload


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Will do your solution tomorrow, but keep in mind that this config is an exact copy and paste from the previous failed 2900 router, which was working just fine, but when I copied this config into the new 4221 router everything stopped working.

Although VLANs can ping their respective default gateway, they won't reach the outside network.

Hello,

Are the IP addresses used in the config you posted the real IP addresses? If so, I assume the router is connected to something else (e.g. ISP modem) before it goes out to the Internet?

interface GigabitEthernet0/0/0
--> ip address 172.16.10.254 255.255.255.0
ip nat outside
negotiation auto

Deepak Kumar
VIP Alumni

Hi,

Access-list 111 is not covering all LAN subnets, as it only has:

access-list 111 permit ip 10.1.1.0 0.0.0.255 any
access-list 111 permit ip 10.1.5.0 0.0.0.255 any
access-list 111 permit ip 10.1.7.0 0.0.0.255 any

access-list 111 permit ip 10.30.1.0 0.0.0.255 any
access-list 111 permit ip 10.130.1.0 0.0.0.255 any

Add those two missing subnets.

Run the commands below as well:

no ip default-gateway 172.16.10.1
ip route 0.0.0.0 0.0.0.0 172.16.10.1

And check the reachability of your gateway "172.16.10.1". Is it responding to the router?

Also share the output of these few commands:

show ip route
show ip inter br | ex un
show ip nat translations


Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
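The reply asking whether that is the full access list, Deepak's reply above (same missing subnets, plus dropping `ip default-gateway`) and Giuseppe's advice to test from a host without a static translation all amount to checks that can be run against the running-config before the router goes back in the rack. The script below is an added example for this thread and is not code from the poster, the repliers or Cisco. It parses the poster's own configuration (embedded as a constructed sample, condensed to the lines NAT depends on), lists every `ip nat inside` subnet that the overload ACL does not permit, and reports the static-NAT hosts and the `ip default-gateway` line. It understands only the `permit ip <source> any` form of access-list entries, the only form on this page; the function and field names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the poster's running-config condensed to the lines NAT depends on.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0/1.20
 ip address 10.130.1.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1.30
 ip address 10.30.1.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1.111
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1.115
 ip address 10.1.5.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1.117
 ip address 10.1.7.254 255.255.255.0
 ip nat inside
!
ip nat inside source list 111 interface GigabitEthernet0/0/0 overload
ip default-gateway 172.16.10.1
ip nat inside source static 10.1.1.10 172.16.10.210
ip nat inside source static 10.1.5.10 172.16.10.221
access-list 111 permit ip 10.1.1.0 0.0.0.255 any
access-list 111 permit ip 10.1.5.0 0.0.0.255 any
access-list 111 permit ip 10.1.7.0 0.0.0.255 any
"""

ACL_RE = re.compile(r"^access-list (\d+) permit ip (.+?) any$")  # source-to-any entries only
STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)$")
LIST_RE = re.compile(r"^ip nat inside source list (\d+) interface (\S+)")


def acl_source_network(src):
    """Map an ACL source clause ('A.B.C.D wildcard', 'host X' or 'any') to a network."""
    tokens = src.split()
    if tokens == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32")
    wildcard = int(ipaddress.IPv4Address(tokens[1]))  # an IOS wildcard is the inverted mask
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False)


def parse_config(text):
    """Collect interfaces, ACL permits, static NATs and the overload rule from an IOS config."""
    facts = {"interfaces": {}, "acls": {}, "statics": [], "nat_list": None, "default_gateway": False}
    current = None  # name of the interface whose sub-mode we are in, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":  # '!' ends an interface block
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            facts["interfaces"][current] = {"ip": None, "nat": None}
        elif current is not None:
            parts = line.split()
            if parts[:2] == ["ip", "address"] and len(parts) == 4:
                facts["interfaces"][current]["ip"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
            elif line in ("ip nat inside", "ip nat outside"):
                facts["interfaces"][current]["nat"] = parts[-1]
        elif ACL_RE.match(line):
            m = ACL_RE.match(line)
            facts["acls"].setdefault(m.group(1), []).append(acl_source_network(m.group(2)))
        elif STATIC_RE.match(line):
            facts["statics"].append(STATIC_RE.match(line).group(1))
        elif LIST_RE.match(line):
            facts["nat_list"] = LIST_RE.match(line).groups()
        elif line.startswith("ip default-gateway "):
            facts["default_gateway"] = True
    return facts


def lint_nat(text):
    """Report inside subnets the overload ACL misses, static-NAT hosts and the default-gateway line."""
    facts = parse_config(text)
    result = {"uncovered": [], "static_hosts": sorted(facts["statics"]), "warnings": []}
    if facts["nat_list"] is None:
        result["warnings"].append("no 'ip nat inside source list ... overload' rule found")
        return result
    acl_no = facts["nat_list"][0]
    permitted = facts["acls"].get(acl_no, [])
    uncovered = []
    for data in facts["interfaces"].values():
        if data["nat"] == "inside" and data["ip"] is not None:
            net = data["ip"].network
            if not any(net.subnet_of(p) for p in permitted):  # no permit entry matches this VLAN
                uncovered.append(net)
    result["uncovered"] = [str(n) for n in sorted(uncovered)]
    if facts["default_gateway"]:
        result["warnings"].append("'ip default-gateway' only applies with IP routing off; "
                                  "a routing router uses the 0.0.0.0/0 static route")
    return result
```

Feed it the text of `show running-config` and look at `uncovered` first: for the config in this thread it returns the two VLAN 30 and VLAN 20 subnets, which is exactly what the replies above say is missing from access-list 111. `static_hosts` lists the addresses Giuseppe says not to test from, since a static translation takes precedence over the overload rule for those hosts.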

Thanks for your reply

I took the same router to my home lab with the same network topology and it worked just fine!

Does this mean cabling issues?
