Beginner

classical router-on-a-stick setup with VLANs cannot route outside

I cannot route from the inside VLANs to the outside interface; it gives route unreachable.

Any help would be much appreciated.

All interfaces are up; the outside interface can ping the outside.

 

Config as shown below


!
!
interface GigabitEthernet0/0/0
ip address 172.16.10.254 255.255.255.0
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.20
encapsulation dot1Q 20
ip address 10.130.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0/1.30
encapsulation dot1Q 30
ip address 10.30.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0/1.111
encapsulation dot1Q 111
ip address 10.1.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0/1.115
encapsulation dot1Q 115
ip address 10.1.5.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0/1.117
encapsulation dot1Q 117
ip address 10.1.7.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip nat inside source list 111 interface GigabitEthernet0/0/0 overload
ip default-gateway 172.16.10.1
ip nat inside source static 10.1.1.10 172.16.10.210
ip nat inside source static 10.1.1.11 172.16.10.211
ip nat inside source static 10.1.1.13 172.16.10.213
ip nat inside source static 10.1.1.15 172.16.10.215
ip nat inside source static 10.1.1.20 172.16.10.220
ip nat inside source static 10.1.5.10 172.16.10.221
ip nat inside source static 10.1.5.11 172.16.10.222
ip nat inside source static 10.1.5.12 172.16.10.223

ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.10.1
!
!
access-list 111 permit ip 10.1.1.0 0.0.0.255 any
access-list 111 permit ip 10.1.5.0 0.0.0.255 any
access-list 111 permit ip 10.1.7.0 0.0.0.255 any

 

Hall of Fame Master

Re: classical router-on-a-stick setup with VLANs cannot route outside

Hello @Salehzwy60270 ,

 

I would add in global config

 

ip routing

 

then from router# you can check NAT operations with

show ip nat translations

 

Your NAT configuration looks correct, but you also have static NAT statements; for the tests, use a host that is not in a static NAT statement.

 

Hope to help

Giuseppe

 

Beginner

Re: classical router-on-a-stick setup with VLANs cannot route outside

Can you elaborate more regarding the NAT statement?

VIP Mentor

Re: classical router-on-a-stick setup with VLANs cannot route outside

Hello,

 

Is this the full access list 111?

 

You need to add:

 

access-list 111 permit ip 10.30.1.0 0.0.0.255 any

access-list 111 permit ip 10.130.1.0 0.0.0.255 any

Beginner

Re: classical router-on-a-stick setup with VLANs cannot route outside

Even adding this won't fix the main issue.

VIP Mentor

Re: classical router-on-a-stick setup with VLANs cannot route outside

Hello
At present you have just the one physical interface servicing both WAN/LAN so how are your hosts and wan devices connecting to this rtr?

Where are you trying to initiate a host connection, from which VLAN?
Suggest you relocate your wan device onto a separate physical interface and append the following:


no ip nat inside source list 111 interface GigabitEthernet0/0/0 overload
no ip default-gateway 172.16.10.1
no ip route 0.0.0.0 0.0.0.0 172.16.10.1

interface GigabitEthernet0/0/0
no ip address 172.16.10.254 255.255.255.0


interface GigabitEthernet0/0/1
ip address 172.16.10.254 255.255.255.0
ip nat outside
no shutdown

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 172.16.10.1
access-list 111 permit ip 10.30.1.0 0.0.0.255 any
access-list 111 permit ip 10.130.1.0 0.0.0.255 any
ip nat inside source list 111 interface GigabitEthernet0/0/1 overload



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Beginner

Re: classical router-on-a-stick setup with VLANs cannot route outside

I will try your solution tomorrow, but keep in mind that this config is an exact copy and paste from the previous failed 2900 router, which was working just fine; when I copied this config into the new 4221 router, everything stopped working.

Although the VLANs can ping their respective default gateways, they won't reach the outside network.

VIP Mentor

Re: classical router-on-a-stick setup with VLANs cannot route outside

Hello,

 

Are the IP addresses used in the config you posted the real IP addresses? If so, I assume the router is connected to something else (e.g. ISP modem) before it goes out to the Internet?

 

interface GigabitEthernet0/0/0
--> ip address 172.16.10.254 255.255.255.0
ip nat outside
negotiation auto

VIP Advocate

Re: classical router-on-a-stick setup with VLANs cannot route outside

Hi,

Access-list 111 is not covering all LAN subnets as:

 

access-list 111 permit ip 10.1.1.0 0.0.0.255 any
access-list 111 permit ip 10.1.5.0 0.0.0.255 any
access-list 111 permit ip 10.1.7.0 0.0.0.255 any

access-list 111 permit ip 10.30.1.0 0.0.0.255 any

access-list 111 permit ip 10.130.1.0 0.0.0.255 any

 

Add those two missing subnets. 

 

Run the commands below as well:

 

no ip default-gateway 172.16.10.1

ip route 0.0.0.0 0.0.0.0 172.16.10.1

 

And check the reachability of your gateway "172.16.10.1". Is it responding to the router?

 

Also share the output of a few commands:

 

show ip route

show ip inter br | ex un

show ip nat translations

 

 

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!
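
The ACL coverage gap raised in the replies above can be checked mechanically before a config is moved to a new router. The following is an added example, not part of any poster's reply or of Cisco tooling: the function names and `SAMPLE_CONFIG` (trimmed from the configuration posted in this thread) are constructed for illustration, and it assumes simple `permit ip <network> <wildcard> any` entries with contiguous wildcard masks.

```python
import ipaddress
import re

# Constructed sample, trimmed from the configuration posted in this thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1.20
 ip address 10.130.1.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1.30
 ip address 10.30.1.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1.111
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
!
ip nat inside source list 111 interface GigabitEthernet0/0/0 overload
access-list 111 permit ip 10.1.1.0 0.0.0.255 any
access-list 111 permit ip 10.1.5.0 0.0.0.255 any
access-list 111 permit ip 10.1.7.0 0.0.0.255 any
"""

def nat_inside_networks(config):
    """Map each 'ip nat inside' interface to its connected subnet."""
    found = {}
    for block in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^interface (\S+)", block, re.M)
        addr = re.search(r"^\s*ip address (\S+) (\S+)", block, re.M)
        if name and addr and re.search(r"^\s*ip nat inside\s*$", block, re.M):
            iface = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
            found[name.group(1)] = iface.network
    return found

def acl_sources(config, acl):
    """Source networks of 'access-list <acl> permit ip <net> <wildcard> any'."""
    pat = rf"^access-list {re.escape(acl)} permit ip (\d\S*) (\d\S*) any"
    # ipaddress accepts the IOS wildcard as a host mask (contiguous masks only).
    return [ipaddress.ip_network(f"{n}/{w}") for n, w in re.findall(pat, config, re.M)]

def uncovered_inside_networks(config):
    """Inside subnets that the PAT (overload) rule's ACL does not match."""
    rule = re.search(r"^ip nat inside source list (\S+) interface \S+ overload", config, re.M)
    permitted = acl_sources(config, rule.group(1)) if rule else []
    return {name: str(net) for name, net in nat_inside_networks(config).items()
            if not any(net.subnet_of(p) for p in permitted)}

if __name__ == "__main__":
    for name, net in uncovered_inside_networks(SAMPLE_CONFIG).items():
        print(f"{name}: {net} is 'ip nat inside' but not permitted by the NAT ACL")
```

Hosts with their own `ip nat inside source static` entry are still translated regardless of the ACL, so the check only concerns traffic that relies on the overload rule.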
Beginner

Re: classical router-on-a-stick setup with VLANs cannot route outside

Thanks for your reply

I took the same router to my home lab with the same network topology and it worked just fine!!!!

Does this mean cabling issues?