Allow traffic between two LAN interfaces

MikeCaditz
Level 1

I have a 2911 router. One interface is configured external (WAN) and two interfaces are configured on separate internal private subnets. What is the configuration to allow all traffic in both directions between the two internal subnets?

Accepted Solution

Hi,

    Please let me know how you test. I mean what ip addresses are.

Toshi


22 Replies

Hi,

   As long as you haven't configured an ACL to block the traffic, you should be fine. Did you test it?

HTH,

Toshi

Yes, and it does not work.

I have NAT configured. I can reach the outside from both inside networks, but cannot ping devices from one inside net to the other.

Hi,

If the inside machines are connected to switchports on an integrated switching module and they are in two different VLANs, then you must configure an interface VLAN for each VLAN and assign it an IP address, and on your machines configure that interface IP address as the default gateway; then it should work.

Can you post the "sh ip int br" and "sh vlan-sw br" output?

Regards.

Alain

Don't forget to rate helpful posts.

Corp#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down

GigabitEthernet0/0         65.19.57.18     YES TFTP   up                    up

GigabitEthernet0/1         172.16.4.1      YES TFTP   up                    up

GigabitEthernet0/2         10.10.10.149    YES NVRAM  up                    up

Serial0/0/0                65.19.52.101    YES TFTP   administratively down down

NVI0                       10.10.10.149    YES unset  up                    up

I have not set up any VLANs. I want to pass all traffic between the physical networks 172.16.4.0/22 and 10.10.10.128/27.

Hello,

     It should not be a problem. Please post configuration.

Toshi


Building configuration...

Current configuration : 5666 bytes
!
! Last configuration change at 12:07:23 PCTime Thu Nov 17 2011 by admin
! NVRAM config last updated at 16:31:29 PCTime Wed Nov 16 2011 by admin
! NVRAM config last updated at 16:31:29 PCTime Wed Nov 16 2011 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Corp
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
no aaa new-model
clock timezone PCTime -7 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 172.16.4.1 172.16.7.199
!
ip dhcp pool Corp172
import all
network 172.16.4.0 255.255.252.0
domain-name gpgallery.com
dns-server 10.10.10.130 10.10.10.10
default-router 172.16.4.1
!
!
ip domain name gpgallery.com
ip name-server 10.10.10.130
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 10.10.10.134
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FTX1543AK3F
!
!
object-group network Corp10
10.10.10.128 255.255.255.224
!
object-group network Corp17
description overflow subnet
176.16.4.0 255.255.252.0
!
username xxxx privilege 15 secret xxxxxxxx/
!
!
no ip ftp passive
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$
ip address 65.19.57.18 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ETH-LAN$
ip address 172.16.4.1 255.255.252.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description $ETH-LAN$
ip address 10.10.10.149 255.255.255.224
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/0/0
description Cybermesa T1
ip address 65.19.52.101 255.255.255.252
ip virtual-reassembly in
encapsulation ppp
shutdown
service-module t1 timeslots 1-24
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 3 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.10.134 25 65.19.57.20 25 extendable
ip nat inside source static udp 10.10.10.134 25 65.19.57.20 25 extendable
ip route 0.0.0.0 0.0.0.0 65.19.57.17 permanent
ip route 10.10.10.0 255.255.255.128 10.10.10.129 permanent
ip route 10.10.10.128 255.255.255.224 GigabitEthernet0/2 2 permanent
!
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 permit 10.10.10.128 0.0.0.31
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.128 0.0.0.31
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.10.10.128 0.0.0.31
access-list 3 permit 172.16.0.0 0.0.255.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 172.16.4.1 eq telnet
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 172.16.4.1 eq 22
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 172.16.4.1 eq www
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 172.16.4.1 eq 443
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 172.16.4.1 eq cmd
access-list 100 deny   tcp any host 172.16.4.1 eq telnet
access-list 100 deny   tcp any host 172.16.4.1 eq 22
access-list 100 deny   tcp any host 172.16.4.1 eq www
access-list 100 deny   tcp any host 172.16.4.1 eq 443
access-list 100 deny   tcp any host 172.16.4.1 eq cmd
access-list 100 deny   udp any host 172.16.4.1 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 172.16.4.0 0.0.3.255 any
access-list 101 permit ip 10.10.10.128 0.0.0.31 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 172.16.4.0 0.0.3.255 any
access-list 102 permit ip 10.10.10.128 0.0.0.31 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit udp host 10.10.10.134 eq domain any
access-list 103 permit udp host 10.10.10.130 eq domain any
access-list 103 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.149 eq telnet
access-list 103 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.149 eq 22
access-list 103 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.149 eq www
access-list 103 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.149 eq 443
access-list 103 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.149 eq cmd
access-list 103 deny   tcp any host 10.10.10.149 eq telnet
access-list 103 deny   tcp any host 10.10.10.149 eq 22
access-list 103 deny   tcp any host 10.10.10.149 eq www
access-list 103 deny   tcp any host 10.10.10.149 eq 443
access-list 103 deny   tcp any host 10.10.10.149 eq cmd
access-list 103 deny   udp any host 10.10.10.149 eq snmp
access-list 103 permit ip any any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 102 in
login local
transport input telnet
line vty 5 15
access-class 101 in
login local
transport input telnet
!
scheduler allocate 20000 1000
end

Hi

To make sure that the router does not block the traffic you want to test between those 2 networks, you can remove the ACLs for testing.

Sent from Cisco Technical Support iPhone App

I removed the ACL from interface 0/1 and from interface 0/2. Still, traffic is not passed from one internal network to the other.

Mike,

Why would they pass? I am not seeing any routing or inter-VLAN routing in your router's config. And are you sure you removed the ACLs? They are still present in the config you posted... please post the most recent version of the running config; "sh ip route" might help too.


Building configuration...

Current configuration : 5823 bytes
!
! Last configuration change at 17:33:44 PCTime Thu Nov 17 2011 by admin
! NVRAM config last updated at 17:24:23 PCTime Thu Nov 17 2011 by admin
! NVRAM config last updated at 17:24:23 PCTime Thu Nov 17 2011 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Corp
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
no aaa new-model
!
clock timezone PCTime -7 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 172.16.4.1 172.16.7.199
!
ip dhcp pool Corp172
import all
network 172.16.4.0 255.255.252.0
domain-name gpgallery.com
dns-server 10.10.10.130 10.10.10.10
default-router 172.16.4.1
!
!
ip domain name gpgallery.com
ip name-server 10.10.10.130
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 10.10.10.134
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FTX1543AK3F
license boot module c2900 technology-package securityk9
!
!
object-group network Corp10
10.10.10.128 255.255.255.224
!
object-group network Corp17
description overflow subnet
176.16.4.0 255.255.252.0
!
username xxxx privilege 15 secret xxxxxxx!
redundancy
!
!
!
!
no ip ftp passive
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$
ip address 65.19.57.18 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ETH-LAN$
ip address 172.16.4.1 255.255.252.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
bridge-group 1
!
interface GigabitEthernet0/2
description $ETH-LAN$
ip address 10.10.10.149 255.255.255.224
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
bridge-group 1
!
interface Serial0/0/0
description Cybermesa T1
ip address 65.19.52.101 255.255.255.252
ip virtual-reassembly in
encapsulation ppp
shutdown
service-module t1 timeslots 1-24
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 3 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.10.134 25 65.19.57.20 25 extendable
ip nat inside source static udp 10.10.10.134 25 65.19.57.20 25 extendable
ip route 0.0.0.0 0.0.0.0 65.19.57.17 permanent
ip route 10.10.10.0 255.255.255.128 10.10.10.129 permanent
ip route 10.10.10.128 255.255.255.224 GigabitEthernet0/2 permanent
ip route 172.16.4.0 255.255.252.0 GigabitEthernet0/1 permanent
!
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.128 0.0.0.31
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.10.10.128 0.0.0.31
access-list 3 permit 172.16.0.0 0.0.255.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 172.16.4.1 eq telnet
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 172.16.4.1 eq 22
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 172.16.4.1 eq www
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 172.16.4.1 eq 443
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 172.16.4.1 eq cmd
access-list 100 deny   tcp any host 172.16.4.1 eq telnet
access-list 100 deny   tcp any host 172.16.4.1 eq 22
access-list 100 deny   tcp any host 172.16.4.1 eq www
access-list 100 deny   tcp any host 172.16.4.1 eq 443
access-list 100 deny   tcp any host 172.16.4.1 eq cmd
access-list 100 deny   udp any host 172.16.4.1 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 172.16.4.0 0.0.3.255 any
access-list 101 permit ip 10.10.10.128 0.0.0.31 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 172.16.4.0 0.0.3.255 any
access-list 102 permit ip 10.10.10.128 0.0.0.31 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit udp host 10.10.10.134 eq domain any
access-list 103 permit udp host 10.10.10.130 eq domain any
access-list 103 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.149 eq telnet
access-list 103 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.149 eq 22
access-list 103 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.149 eq www
access-list 103 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.149 eq 443
access-list 103 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.149 eq cmd
access-list 103 deny   tcp any host 10.10.10.149 eq telnet
access-list 103 deny   tcp any host 10.10.10.149 eq 22
access-list 103 deny   tcp any host 10.10.10.149 eq www
access-list 103 deny   tcp any host 10.10.10.149 eq 443
access-list 103 deny   tcp any host 10.10.10.149 eq cmd
access-list 103 deny   udp any host 10.10.10.149 eq snmp
access-list 103 permit ip any any
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 102 in
login local
transport input telnet
line vty 5 15
access-class 101 in
login local
transport input telnet
!
scheduler allocate 20000 1000
end

Hi,

   They should not be in any bridge-group, so remove it. Please let me see how you test and post the output of "debug ip routing".

Toshi

internodetech
Level 1

In the first paste of the config you don't have bridge groups but do have the ACLs applied. In the 2nd config it looks like you got rid of the ACLs but added the bridge groups. Why did you add them? Were they always there but just didn't show up in your first config post?

I added the bridge group as an experiment. It is now removed.

Here is my current running config. With this config, I can access the internet from both interface 0/1 and 0/2. However, devices on the 0/1 internal net cannot access devices on the 0/2 net, and vice versa. I want to essentially combine the two physical internal nets so that devices on one can talk to devices on the other.

The reason I am doing this is because I ran out of IP addresses on the 10.10.10.128/27 net and I do not want to renumber. So I am adding a second physical network.


Building configuration...

Current configuration : 5627 bytes
!
! Last configuration change at 10:14:53 PCTime Fri Nov 18 2011 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Corp
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
no aaa new-model
!
clock timezone PCTime -7 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 172.16.4.1 172.16.7.199
!
ip dhcp pool Corp172
import all
network 172.16.4.0 255.255.252.0
domain-name gpgallery.com
dns-server 10.10.10.130 10.10.10.10
default-router 172.16.4.1
!
!
ip domain name gpgallery.com
ip name-server 10.10.10.130
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 10.10.10.134
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FTX1543AK3F
license boot module c2900 technology-package securityk9
!
!
object-group network Corp10
10.10.10.128 255.255.255.224
!
object-group network Corp17
description overflow subnet
176.16.4.0 255.255.252.0
!
username xxxxx privilege 15 secret xxxxxxx!
redundancy
!
!
!
!
no ip ftp passive
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$
ip address 65.19.57.18 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ETH-LAN$
ip address 172.16.4.1 255.255.252.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description $ETH-LAN$
ip address 10.10.10.149 255.255.255.224
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/0/0
description Cybermesa T1
ip address 65.19.52.101 255.255.255.252
ip virtual-reassembly in
encapsulation ppp
shutdown
service-module t1 timeslots 1-24
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 3 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.10.134 25 65.19.57.20 25 extendable
ip nat inside source static udp 10.10.10.134 25 65.19.57.20 25 extendable
ip route 0.0.0.0 0.0.0.0 65.19.57.17 10 permanent
ip route 10.10.10.0 255.255.255.128 10.10.10.129 permanent
ip route 10.10.10.128 255.255.255.224 GigabitEthernet0/2 permanent
ip route 172.16.4.0 255.255.252.0 GigabitEthernet0/1 permanent
!
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.128 0.0.0.31
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.10.10.128 0.0.0.31
access-list 3 permit 172.16.0.0 0.0.255.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 172.16.4.1 eq telnet
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 172.16.4.1 eq 22
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 172.16.4.1 eq www
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 172.16.4.1 eq 443
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 172.16.4.1 eq cmd
access-list 100 deny   tcp any host 172.16.4.1 eq telnet
access-list 100 deny   tcp any host 172.16.4.1 eq 22
access-list 100 deny   tcp any host 172.16.4.1 eq www
access-list 100 deny   tcp any host 172.16.4.1 eq 443
access-list 100 deny   tcp any host 172.16.4.1 eq cmd
access-list 100 deny   udp any host 172.16.4.1 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 172.16.4.0 0.0.3.255 any
access-list 101 permit ip 10.10.10.128 0.0.0.31 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 172.16.4.0 0.0.3.255 any
access-list 102 permit ip 10.10.10.128 0.0.0.31 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit udp host 10.10.10.134 eq domain any
access-list 103 permit udp host 10.10.10.130 eq domain any
access-list 103 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.149 eq telnet
access-list 103 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.149 eq 22
access-list 103 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.149 eq www
access-list 103 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.149 eq 443
access-list 103 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.149 eq cmd
access-list 103 deny   tcp any host 10.10.10.149 eq telnet
access-list 103 deny   tcp any host 10.10.10.149 eq 22
access-list 103 deny   tcp any host 10.10.10.149 eq www
access-list 103 deny   tcp any host 10.10.10.149 eq 443
access-list 103 deny   tcp any host 10.10.10.149 eq cmd
access-list 103 deny   udp any host 10.10.10.149 eq snmp
access-list 103 permit ip any any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 102 in
login local
transport input telnet
line vty 5 15
access-class 101 in
login local
transport input telnet
!
scheduler allocate 20000 1000
end

Hello,

    Please test connections from hosts on G0/1 to G0/2 and vice versa, and also post the "debug ip routing" output.

Toshi
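The thread ends without a posted fix, so here is what the routing between the two LAN interfaces should look like, plus the checks a practitioner would run before blaming the router. This is an added example written for this page, not configuration from the original poster or from any of the replies. It reuses the addresses from the posted configs; the host address 172.16.4.50, and the guess that hosts on 10.10.10.128/27 may use the other router at 10.10.10.129 as their default gateway, are assumptions the thread does not confirm.

```cisco
! Added example: minimal configuration for forwarding between the two
! directly connected LAN subnets on this 2911. IOS installs a connected
! ('C') route for each interface automatically, so no static route,
! bridge-group or inter-VLAN configuration is needed for the router itself.
interface GigabitEthernet0/1
 ip address 172.16.4.1 255.255.252.0
 ip nat inside
!
interface GigabitEthernet0/2
 ip address 10.10.10.149 255.255.255.224
 ip nat inside
!
! The posted static routes pointing at GigabitEthernet0/1 and 0/2 duplicate
! the connected routes and can be removed; only the default route and the
! route to 10.10.10.0/25 via 10.10.10.129 carry information.
no ip route 10.10.10.128 255.255.255.224 GigabitEthernet0/2 permanent
no ip route 172.16.4.0 255.255.252.0 GigabitEthernet0/1 permanent
!
! NAT caveat: 'ip nat inside source list 3 ... overload' only translates
! packets that enter an 'ip nat inside' interface and leave through the
! 'ip nat outside' interface. Inside-to-inside traffic is forwarded
! untranslated, so NAT is not what blocks it.
!
! ACL caveat: the posted ACLs 100 and 103 both end in 'permit ip any any';
! their deny lines only protect the router's own telnet/ssh/http/snmp
! ports, so transit traffic between the subnets passes either way.
!
! Verification from the router, sourcing each LAN address in turn.
! A reply to the first ping but not the second means the host gets the
! packet but its reply does not come back through this router.
! Corp# show ip route connected
! Corp# ping 10.10.10.134 source 10.10.10.149
! Corp# ping 10.10.10.134 source 172.16.4.1
! Corp# ping 172.16.4.50 source 10.10.10.149    (172.16.4.50 is a placeholder host)
!
! Return-path check (assumption, not stated in the thread): the posted
! route 'ip route 10.10.10.0 255.255.255.128 10.10.10.129' shows a second
! router on the 10.10.10.x side. If hosts there use 10.10.10.129 as their
! default gateway, that router needs a route back to the new subnet:
!   ip route 172.16.4.0 255.255.252.0 10.10.10.149
! Otherwise, host firewalls that drop ICMP from non-local subnets are the
! other common cause; test with a TCP port the host actually serves.
```

Once forwarding works, note that nothing in this configuration restricts host-to-host traffic between the two subnets, which is what the question asked for; if the 172.16.4.0/22 "overflow" subnet is meant to be less trusted than 10.10.10.128/27, that is the point to add an extended ACL on GigabitEthernet0/1 inbound, keeping the existing management-port denies ahead of it.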
