cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
403
Views
5
Helpful
8
Replies

WAN Routing Problem

Muhammad Younus
Beginner
Beginner

Dear I am new here and beginner in routing and switching. We have two office locating in different cities. We have purchased VPN connection. The ISP gave us two VLAN address pool one for Internet and one for Data Link. I have successfully entered routes on both side routers and they can ping ping both LAN facing interface but unable to access devices inside LAN. Kindly help me plz...

Thank you...

2 ACCEPTED SOLUTIONS

Accepted Solutions

I think its asymmetric nat issue. Could you please create exented NAT access list and deny lan to lan subnet in NAT as below.

ip access-list ext NAT-POOL
deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any

View solution in original post

Your reply in not clear please let me know from what IP you are able to ping which IP and from what IP you are not able to ping which IP.

are you able to ping  from any host  in subnet 192.168.10.0/24 to any host in subnet  192.168.11.0/24

are you able to ping  from any host  in subnet 192.168.11.0/24 to any host in subnet  192.168.10.0/24

View solution in original post

8 REPLIES 8

Pawan Raut
Enthusiast
Enthusiast

It look like default route is missing on our office routers. Could you please share config of both router 

Thank you for your response. I can ping LAN interfaces of both routers from either side but could not ping devices attached on both LAN side.

Here is the configuration of both sides.

Site 1 Configuration:

Building configuration...

Current configuration : 1768 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname site1
!
boot-start-marker
boot-end-marker
!
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.100
!
ip dhcp pool SITE1_POOL
network 192.168.10.0 255.255.255.0
dns-server 192.168.10.17 208.67.220.220
default-router 192.168.10.1
!
ip audit po max-events 100
no ip bootp server
no ip domain lookup
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1457
description Datalink
encapsulation dot1Q 1457
ip address 10.5.109.242 255.255.255.248
ip nat inside
no cdp enable
!
interface FastEthernet0/0.1458
description to Internet
encapsulation dot1Q 1458
ip address 210.2.155.114 255.255.255.248
ip nat outside
ip tcp adjust-mss 1450
no cdp enable
!
interface BRI0/0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
description to LAN
no ip unreachables
ip mtu 1450
ip nat inside
ip tcp adjust-mss 1400
duplex auto
speed auto
!
interface Ethernet1/0
no ip address
shutdown
half-duplex
!
ip nat inside source list NAT-POOL interface FastEthernet0/0.1458 overload
no ip classless
ip route 0.0.0.0 0.0.0.0 210.2.154.113
ip route 10.5.109.16 255.255.255.248 10.5.109.241 (Provided by ISP)
ip route 192.168.11.0 255.255.255.0 10.5.109.241
ip http server
no ip http secure-server
!
ip access-list extended NAT-POOL
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.11.0 0.0.0.255 any
!
no cdp run
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

----------------------------------

Site 2:

Building configuration...

Current configuration : 2055 bytes
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Site2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
no network-clock-participate wic 0
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
!
no ip bootp server
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2821 sn FHK1025F2DJ
!
redundancy
!
!
controller T1 0/0/0
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.2319
description Datalink
encapsulation dot1Q 2319
ip address 10.5.109.18 255.255.255.248
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1450
!
interface GigabitEthernet0/0.2320
description to the Internet
encapsulation dot1Q 2320
ip address 210.2.154.106 255.255.255.248
no ip unreachables
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1450
!
interface GigabitEthernet0/1
description LocalLAN
ip address 192.168.11.1 255.255.255.0
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
no ip classless
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export version 9
ip flow-export destination 192.168.11.206 9991
ip flow-top-talkers
top 50
sort-by bytes
!
ip nat inside source list NAT-POOL interface GigabitEthernet0/0.2320 overload
ip route 0.0.0.0 0.0.0.0 210.2.155.105
ip route 10.5.109.240 255.255.255.248 10.5.109.17
ip route 192.168.10.0 255.255.255.0 10.5.109.17
!
ip access-list standard NAT-POOL
permit 192.168.11.0 0.0.0.255
permit 192.168.10.0 0.0.0.255
ip access-list standard wr
!
no cdp run

!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end

I think its asymmetric nat issue. Could you please create exented NAT access list and deny lan to lan subnet in NAT as below.

ip access-list ext NAT-POOL
deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any

Thank you for reply, I have created the list on both routers, I am amazed I can ping only device from 192.168.10.0 and router's IP. I cant ping any device on 192.168.11.0 from 192.168.11.0 except 192.168.10.1

Sorry to bothering help please.

Regards,

Your reply in not clear please let me know from what IP you are able to ping which IP and from what IP you are not able to ping which IP.

are you able to ping  from any host  in subnet 192.168.10.0/24 to any host in subnet  192.168.11.0/24

are you able to ping  from any host  in subnet 192.168.11.0/24 to any host in subnet  192.168.10.0/24

Ok Sorry for that. I am able to ping 192.168.11.1 from 192.168.10.0/24 and able to ping 192.168.10.1 from 192.168.11.0/24. Both ips are on LAN facing interface of the router. But I am unable access any machines on both LAN subnet i.e. 192.168.10.0/24 and 192.168.11.0/24. Internet is working on both sites.

I hope you got my point.

Let me create this in my test lab I will get back to you tomorrow

Thank you so much for your help bro it is working now. Your first diagnose was correct it was an Asymmetric NAT issue.

Best regards.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: