Unable to ping gateway of last resort from clients (3850 IP Base)

stonent01 (Level 1)

At home I'm trying to configure a physical 3850-48U running IP Base to have a few VLANs that route out to the internet connection and also to each other. I can get clients in VLAN 20 to ping clients in VLAN 30, and VLAN 30 can also ping VLAN 20.

All clients can ping their own gateway, as well as the SVI gateway IP (192.168.2.2) on the switch to the upstream connection. But they cannot ping the internet gateway (192.168.1.1), which is the gateway of last resort that goes to the internet (an upstream home wireless router).

I've also tried a version of this where I set gi1/0/1 as no switchport with a static IP, connected directly to it, but with the same results.

Switch 192.168.1.2 can ping upstream router 192.168.1.1
VLAN 20 PC (192.168.20.3 via DHCP) Can ping VLAN 30 PC (192.168.30.2 via DHCP), and 192.168.1.2, but not 192.168.1.1

VLAN 30 PC (192.168.30.2 via DHCP) Can ping VLAN 20 PC (192.168.20.3 via DHCP), and 192.168.1.2, but not 192.168.1.1

I recreated the scenario in Packet Tracer with this config, and attached the file.
Here is the text config. I know I haven't set up the DNS yet because I can't even get the outside routing to work.


no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
no logging console
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.30.1
!
ip dhcp pool VLAN20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
ip dhcp pool VLAN30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
!
no ip cef
ip routing
!
no ipv6 cef
!
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 30
switchport mode access
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
mac-address 00e0.f9a3.2301
ip address 192.168.1.2 255.255.255.0
!
interface Vlan20
mac-address 00e0.f9a3.2302
ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
mac-address 00e0.f9a3.2303
ip address 192.168.30.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip flow-export version 9
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end

Switch#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C    192.168.1.0/24 is directly connected, Vlan10
C    192.168.20.0/24 is directly connected, Vlan20
C    192.168.30.0/24 is directly connected, Vlan30
S*   0.0.0.0/0 [1/0] via 192.168.1.1

7 Replies

Richard Burts (Hall of Fame)

Will you post the output of these commands:

show interface status

show arp

show ip interface brief

HTH

Rick

Switch#show int status

Port       Name   Status       Vlan   Duplex  Speed  Type
Gig1/0/1          connected    10     auto    auto   10/100BaseTX
Gig1/0/2          connected    20     auto    auto   10/100BaseTX
Gig1/0/3          connected    30     auto    auto   10/100BaseTX
Gig1/0/4          notconnect   1      auto    auto   10/100BaseTX
Gig1/0/5          notconnect   1      auto    auto   10/100BaseTX
Gig1/0/6          notconnect   1      auto    auto   10/100BaseTX
Gig1/0/7          notconnect   1      auto    auto   10/100BaseTX
Gig1/0/8          notconnect   1      auto    auto   10/100BaseTX
Gig1/0/9          notconnect   1      auto    auto   10/100BaseTX
Gig1/0/10         notconnect   1      auto    auto   10/100BaseTX
Gig1/0/11         notconnect   1      auto    auto   10/100BaseTX
Gig1/0/12         notconnect   1      auto    auto   10/100BaseTX
Gig1/0/13         notconnect   1      auto    auto   10/100BaseTX
Gig1/0/14         notconnect   1      auto    auto   10/100BaseTX
Gig1/0/15         notconnect   1      auto    auto   10/100BaseTX
Gig1/0/16         notconnect   1      auto    auto   10/100BaseTX
Gig1/0/17         notconnect   1      auto    auto   10/100BaseTX
Gig1/0/18         notconnect   1      auto    auto   10/100BaseTX
Gig1/0/19         notconnect   1      auto    auto   10/100BaseTX
Gig1/0/20         notconnect   1      auto    auto   10/100BaseTX
Gig1/0/21         notconnect   1      auto    auto   10/100BaseTX
Gig1/0/22         notconnect   1      auto    auto   10/100BaseTX
Gig1/0/23         notconnect   1      auto    auto   10/100BaseTX
Gig1/0/24         notconnect   1      auto    auto   10/100BaseTX
Gig1/1/1          notconnect   1      auto    auto   10/100BaseTX
Gig1/1/2          notconnect   1      auto    auto   10/100BaseTX
Gig1/1/3          notconnect   1      auto    auto   10/100BaseTX
Gig1/1/4          notconnect   1      auto    auto   10/100BaseTX

Switch# show ip int br

Interface              IP-Address     OK? Method Status                Protocol
GigabitEthernet1/0/1   unassigned     YES unset  up                    up
GigabitEthernet1/0/2   unassigned     YES unset  up                    up
GigabitEthernet1/0/3   unassigned     YES unset  up                    up
GigabitEthernet1/0/4   unassigned     YES unset  down                  down
GigabitEthernet1/0/5   unassigned     YES unset  down                  down
GigabitEthernet1/0/6   unassigned     YES unset  down                  down
GigabitEthernet1/0/7   unassigned     YES unset  down                  down
GigabitEthernet1/0/8   unassigned     YES unset  down                  down
GigabitEthernet1/0/9   unassigned     YES unset  down                  down
GigabitEthernet1/0/10  unassigned     YES unset  down                  down
GigabitEthernet1/0/11  unassigned     YES unset  down                  down
GigabitEthernet1/0/12  unassigned     YES unset  down                  down
GigabitEthernet1/0/13  unassigned     YES unset  down                  down
GigabitEthernet1/0/14  unassigned     YES unset  down                  down
GigabitEthernet1/0/15  unassigned     YES unset  down                  down
GigabitEthernet1/0/16  unassigned     YES unset  down                  down
GigabitEthernet1/0/17  unassigned     YES unset  down                  down
GigabitEthernet1/0/18  unassigned     YES unset  down                  down
GigabitEthernet1/0/19  unassigned     YES unset  down                  down
GigabitEthernet1/0/20  unassigned     YES unset  down                  down
GigabitEthernet1/0/21  unassigned     YES unset  down                  down
GigabitEthernet1/0/22  unassigned     YES unset  down                  down
GigabitEthernet1/0/23  unassigned     YES unset  down                  down
GigabitEthernet1/0/24  unassigned     YES unset  down                  down
GigabitEthernet1/1/1   unassigned     YES unset  down                  down
GigabitEthernet1/1/2   unassigned     YES unset  down                  down
GigabitEthernet1/1/3   unassigned     YES unset  down                  down
GigabitEthernet1/1/4   unassigned     YES unset  down                  down
Vlan1                  unassigned     YES unset  administratively down down
Vlan10                 192.168.1.2    YES manual up                    up
Vlan20                 192.168.20.1   YES manual up                    up
Vlan30                 192.168.30.1   YES manual up                    up

Switch# show arp

Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  192.168.1.1   82         0060.5C02.9C32  ARPA  Vlan10
Internet  192.168.1.2   -          00E0.F9A3.2301  ARPA  Vlan10
Internet  192.168.20.1  -          00E0.F9A3.2302  ARPA  Vlan20
Internet  192.168.20.3  72         0002.1690.724A  ARPA  Vlan20
Internet  192.168.30.1  -          00E0.F9A3.2303  ARPA  Vlan30
Internet  192.168.30.2  73         0060.2FC4.877B  ARPA  Vlan30

Thank you for the outputs that I requested. They would certainly seem to indicate that traffic from your devices would be forwarded toward the outside destinations. This suggests that the issue is not in your configuration, but is with the ISP device. Based on this output and the other posts that have added to the discussion, it seems that there are 2 (related) issues.

The first issue is that for traffic from your subnets to get to the Internet they would have to be translated from your private addresses to public addresses (NAT). 

The second issue is that if your traffic did get translated and got to the Internet, then the response coming back would get to the ISP and they would need to know how to forward it to your inside subnets.

One solution to this would be to request additional services from the ISP. They could translate your private addresses and could forward to your private subnets, but there would be costs for that. The other (and I believe better) solution would be for you to obtain a layer 3 device (router or firewall/ASA) and have it do those things.

HTH

Rick

chrihussey (VIP Alumni)

Hello,

The problem may be that the 192.168.1.1 router does not have routes to the 192.168.20.x and 192.168.30.x subnets pointing to 192.168.1.2. You would need to configure that too.

Hope this helps.

balaji.bandi (Hall of Fame)

Which port is connected to the uplink (have you configured an access port in VLAN 10)? I am guessing interface GigabitEthernet1/0/1. If you only need VLAN 10 there, that is fine; if you need more VLANs, use a trunk and allow the required VLANs on that trunk.

Do you route back from the uplink router or firewall to 192.168.1.2? For example, for 192.168.20.0/24 and 192.168.30.0/24.

On the router, test it (and make sure these subnets are also added to NAT for internet access):

ip route 192.168.20.0 255.255.255.0 192.168.1.2

ip route 192.168.30.0 255.255.255.0 192.168.1.2

BB

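To see why the echo request gets out but the reply never comes back, here is an added Python model (not from this thread or from any Cisco device) of longest-prefix-match forwarding over the addresses in the thread, with and without the two static routes suggested above. The ISP router's table is an assumption, since the OP cannot see it; the 3850 table is taken from the posted show ip route.

```python
import ipaddress

# Constructed tables modelled on this thread's topology; none is copied from a real device.
# Entry = (prefix, next_hop); next_hop None means the prefix is directly connected.
SWITCH_3850 = [
    ("192.168.1.0/24", None), ("192.168.20.0/24", None),
    ("192.168.30.0/24", None), ("0.0.0.0/0", "192.168.1.1"),
]
# Assumed table of the consumer ISP router: its LAN plus a default route to the WAN.
ISP_ROUTER_DEFAULT = [("192.168.1.0/24", None), ("0.0.0.0/0", "ISP_WAN")]
# The same router after the two static routes suggested in the thread are added.
ISP_ROUTER_WITH_ROUTES = ISP_ROUTER_DEFAULT + [
    ("192.168.20.0/24", "192.168.1.2"), ("192.168.30.0/24", "192.168.1.2"),
]


def lookup(table, dst):
    """Longest-prefix match: return (network, next_hop) or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def reply_next_hop(router_table, client_ip):
    """Where the ISP router sends an echo reply addressed to client_ip."""
    match = lookup(router_table, client_ip)
    if match is None:
        return "unroutable"
    return "connected" if match[1] is None else match[1]


def trace_ping(client_ip, router_table):
    """Request from a client (VLAN host or the switch itself) to 192.168.1.1, then the reply."""
    fwd = lookup(SWITCH_3850, "192.168.1.1")
    request_ok = fwd is not None and fwd[1] is None  # 192.168.1.1 sits on the Vlan10 SVI subnet
    back = reply_next_hop(router_table, client_ip)
    return {
        "request_reaches_router": request_ok,
        "reply_next_hop": back,
        # The reply only reaches the client if it lands on the LAN or is handed to the 3850.
        "reply_reaches_client": back in ("connected", "192.168.1.2"),
    }


if __name__ == "__main__":
    for ip in ("192.168.1.2", "192.168.20.3"):
        print(ip, trace_ping(ip, ISP_ROUTER_DEFAULT), trace_ping(ip, ISP_ROUTER_WITH_ROUTES))
```

With the default table the reply to 192.168.20.3 follows the router's default route toward the WAN and is lost, while a reply to the switch's own 192.168.1.2 is delivered on the connected LAN, matching what the OP observes. Even with the static routes in place, traffic to real internet destinations still needs NAT somewhere, which is the first of the two issues Rick describes.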

The VLAN 10 uplink is gi1/0/1.
The router is unfortunately an ISP-provided consumer one, but I can see what you're getting at. Would that prevent the pings from replying back? I was thinking that the ISP router would see the ping came through 192.168.1.2 and respond back to 1.2, and then the 3850 would forward back to VLAN 20 and 30. Perhaps that's not the case.

In this setup I would be OK with devices on VLAN 10 not being able to reach VLAN 20 and 30, as long as VLAN 20 and 30 could get out to the internet via 192.168.1.1, if that's even possible.

I do have some other equipment that I could try to integrate into this if needed. I have an ASA 5525-X and a Cisco 891FW router.
I could also set up a pfSense VM, but was hoping I could accomplish the entirety of this on just the 3850 for now.

The switch cannot do NAT, so it is forwarding the packets, but the router does not know where to route them back.

As far as I know, the Cat 3850 does not support NAT.

So you can use an ASA firewall between the ISP router and the switch, so the firewall can do the NAT for you (you can use both a router and a firewall).

I prefer a firewall; it also has protection, and some routers have WAN throughput issues (again, it depends on your comfort).

ISP Router---ASA--Cat 3850

The guide below helps you set up the ASA:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html

BB
