07-28-2020 12:27 PM
I cannot route from the inside VLANs out to the outside interface; it gives route unreachable.
Any help would be much appreciated.
All interfaces are up, and the outside interface can ping the outside.
Config as shown below
!
!
interface GigabitEthernet0/0/0
ip address 172.16.10.254 255.255.255.0
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.20
encapsulation dot1Q 20
ip address 10.130.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0/1.30
encapsulation dot1Q 30
ip address 10.30.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0/1.111
encapsulation dot1Q 111
ip address 10.1.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0/1.115
encapsulation dot1Q 115
ip address 10.1.5.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0/1.117
encapsulation dot1Q 117
ip address 10.1.7.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip nat inside source list 111 interface GigabitEthernet0/0/0 overload
ip default-gateway 172.16.10.1
ip nat inside source static 10.1.1.10 172.16.10.210
ip nat inside source static 10.1.1.11 172.16.10.211
ip nat inside source static 10.1.1.13 172.16.10.213
ip nat inside source static 10.1.1.15 172.16.10.215
ip nat inside source static 10.1.1.20 172.16.10.220
ip nat inside source static 10.1.5.10 172.16.10.221
ip nat inside source static 10.1.5.11 172.16.10.222
ip nat inside source static 10.1.5.12 172.16.10.223
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.10.1
!
!
access-list 111 permit ip 10.1.1.0 0.0.0.255 any
access-list 111 permit ip 10.1.5.0 0.0.0.255 any
access-list 111 permit ip 10.1.7.0 0.0.0.255 any
07-28-2020 01:26 PM
Hello @Salehzwy60270 ,
I would add in global config
ip routing
then from router# you can check NAT operations with
show ip nat translations
Your NAT configuration looks correct, but you also have static NAT statements. For the tests, use a host that is not in a static NAT statement.
Hope to help
Giuseppe
07-28-2020 06:23 PM
Can you elaborate more regarding the NAT statement?
07-28-2020 04:57 PM
Hello,
Is this the full access list 111?
You need to add:
access-list 111 permit ip 10.30.1.0 0.0.0.255 any
access-list 111 permit ip 10.130.1.0 0.0.0.255 any
07-28-2020 06:21 PM
Even adding this won't fix the main issue.
07-29-2020 12:33 AM - edited 07-29-2020 12:35 AM
Hello
At present you have just the one physical interface servicing both WAN/LAN so how are your hosts and wan devices connecting to this rtr?
Where are you trying to initiate a host connection, from which VLAN?
Suggest you relocate your wan device onto a separate physical interface and append the following:
no ip nat inside source list 111 interface GigabitEthernet0/0/0 overload
no ip default-gateway 172.16.10.1
no ip route 0.0.0.0 0.0.0.0 172.16.10.1
interface GigabitEthernet0/0/0
no ip address 172.16.10.254 255.255.255.0
interface GigabitEthernet0/0/1
ip address 172.16.10.254 255.255.255.0
ip nat outside
no shut
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 172.16.10.1
access-list 111 permit ip 10.30.1.0 0.0.0.255 any
access-list 111 permit ip 10.130.1.0 0.0.0.255 any
ip nat inside source list 111 interface GigabitEthernet0/0/1 overload
07-30-2020 04:23 PM
Will do your solution tomorrow, but keep in mind that this config is an exact copy and paste from the previous failed 2900 router, which was working just fine, but when I copied this config into the new 4221 router everything stopped working.
Although the VLANs can ping their respective default gateways, they won't reach the outside network.
07-30-2020 11:43 PM
Hello,
Are the IP addresses used in the config you posted the real IP addresses? If so, I assume the router is connected to something else (e.g. ISP modem) before it goes out to the Internet?
interface GigabitEthernet0/0/0
--> ip address 172.16.10.254 255.255.255.0
ip nat outside
negotiation auto
07-31-2020 01:15 AM
Hi,
Access-list 111 is not covering all LAN subnets as:
access-list 111 permit ip 10.1.1.0 0.0.0.255 any
access-list 111 permit ip 10.1.5.0 0.0.0.255 any
access-list 111 permit ip 10.1.7.0 0.0.0.255 any
access-list 111 permit ip 10.30.1.0 0.0.0.255 any
access-list 111 permit ip 10.130.1.0 0.0.0.255 any
Add those two missing subnets.
Run below commands as well:
no ip default-gateway 172.16.10.1
ip route 0.0.0.0 0.0.0.0 172.16.10.1
Also check the reachability of your gateway "172.16.10.1". Is it responding to the router?
Also share the output of a few commands:
show ip route
show ip inter br | ex un
show ip nat translations
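The access-list gap raised in the replies above can be checked mechanically. The following is an added example, not part of any post in this thread: it parses a trimmed, constructed copy of the posted configuration and reports which `ip nat inside` subnets the PAT access list never matches. The function names are hypothetical, and it assumes simple `permit ip <net> <wildcard> any` entries with contiguous wildcards.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the configuration posted in this thread.
CONFIG = """\
interface GigabitEthernet0/0/1.20
 ip address 10.130.1.254 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0/1.30
 ip address 10.30.1.254 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0/1.111
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
ip nat inside source list 111 interface GigabitEthernet0/0/0 overload
access-list 111 permit ip 10.1.1.0 0.0.0.255 any
access-list 111 permit ip 10.1.5.0 0.0.0.255 any
access-list 111 permit ip 10.1.7.0 0.0.0.255 any
"""

def nat_inside_subnets(config):
    """Map each 'ip nat inside' interface to its connected subnet."""
    subnets, name, net = {}, None, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            name, net = words[1], None
        elif words[:2] == ["ip", "address"] and len(words) >= 4:
            net = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif words == ["ip", "nat", "inside"] and name and net:
            subnets[name] = net
    return subnets

def acl_permitted_sources(config, acl):
    """Source networks of 'permit ip <net> <wildcard> any' entries in one ACL."""
    pat = re.compile(rf"^access-list {acl} permit ip (\S+) (\S+) any\s*$", re.M)
    # ip_network() accepts a host mask, so the IOS wildcard is passed as-is.
    return [ipaddress.ip_network(f"{n}/{w}") for n, w in pat.findall(config)]

def uncovered_inside_subnets(config):
    """Inside subnets that the PAT rule's access list never matches."""
    acl = re.search(r"^ip nat inside source list (\S+) interface", config, re.M).group(1)
    sources = acl_permitted_sources(config, acl)
    return {i: str(n) for i, n in nat_inside_subnets(config).items()
            if not any(n.subnet_of(s) for s in sources)}

if __name__ == "__main__":
    print(uncovered_inside_subnets(CONFIG))
```
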
07-31-2020 02:06 AM
Thanks for your reply
I took the same router to my home lab with same network topology and it worked just fine!!!!
Does this mean cabling issues?