Can't ping ISP gateway from one VLAN

I set up a new VLAN on my switch and I cannot access the internet from it. As far as I can tell all the routing information is correct. Machines on the VLAN can access the VLAN's gateway, my switch's IP address, and my router's IP address. They just can't access anything beyond that. Here is my setup.

I'm using a Cisco SG300-20 switch to create the VLAN. VLAN 50 uses the network 10.1.10.128/26. I have a machine with a static IP of 10.1.10.130. The management VLAN is 100 and has a network of 10.1.8.0/24. I have a Cisco 1941. The LAN link has an IP address of 10.1.8.2 and the WAN link has an IP address of 75.148.101.25. The next hop is 75.148.101.30.

Machines on VLAN 50 can successfully ping:

  • 10.1.10.129 (VLAN gateway)
  • 10.1.8.1 (management VLAN gateway)
  • 10.1.8.2 (Router LAN interface)
  • 75.148.101.25 (Router WAN interface)

But when I try to ping 75.148.101.30 I get no response. I would normally assume that this is a problem with the device using 75.148.101.30; however, I have several other VLANs with basically the same configuration and all of them can get out to the internet. In addition to this, the router can get out to the internet.

raynor#show running-config
Building configuration...

Current configuration : 5091 bytes
!
! Last configuration change at 18:18:16 UTC Sun Feb 28 2016 by jschaeffer
! NVRAM config last updated at 17:34:02 UTC Sun Feb 28 2016
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname raynor
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$..zL$NuZoD.s7a0dYTyL5NsgSI1
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name harmonywave.com
ip name-server 10.1.10.2
ip name-server 75.75.75.75
ip name-server 75.75.75.76
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
license udi pid CISCO1941/K9 sn FGL172610ZP
!
!
username jschaeffer secret 5 $1$lZ7l$nLZNCsYRUSJzxd.Bkb5i//
!
!
ip ssh version 2
!
!
!
!
interface GigabitEthernet0/0
description WAN link
ip address 75.148.101.25 255.255.255.248
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
description LAN link
ip address 10.1.8.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool ovrld 75.148.101.25 75.148.101.25 prefix-length 24
ip nat pool web 75.148.101.26 75.148.101.26 prefix-length 24
ip nat pool ftp 75.148.101.27 75.148.101.27 prefix-length 24
ip nat inside source list 7 pool ovrld overload
ip nat inside source list 8 pool web
ip nat inside source list 9 pool ftp
ip nat inside source static tcp 10.1.10.66 51413 interface GigabitEthernet0/0 51413
ip nat inside source static 10.1.12.2 75.148.101.26
ip nat inside source static 10.1.12.34 75.148.101.27
ip route 0.0.0.0 0.0.0.0 75.148.101.30
ip route 10.1.9.0 255.255.255.128 10.1.8.1
ip route 10.1.10.0 255.255.255.224 10.1.8.1
ip route 10.1.10.32 255.255.255.224 10.1.8.1
ip route 10.1.10.64 255.255.255.192 10.1.8.1
ip route 10.1.10.128 255.255.255.192 10.1.8.1
ip route 10.1.11.0 255.255.255.0 10.1.8.1
ip route 10.1.12.0 255.255.255.0 10.1.8.1
ip route 10.1.15.0 255.255.255.0 10.1.8.1
ip route 200.0.0.0 255.255.255.128 10.1.8.1
!
access-list 7 permit 10.1.10.32 0.0.0.31
access-list 7 permit 10.1.10.0 0.0.0.31
access-list 7 permit 10.1.11.0 0.0.0.255
access-list 7 permit 10.1.12.0 0.0.0.255
access-list 7 permit 10.1.15.0 0.0.0.255
access-list 7 permit 10.1.10.64 0.0.0.63
access-list 8 permit 10.1.12.2
access-list 9 permit 10.1.12.34
access-list 100 permit tcp any any established
access-list 100 permit icmp any 75.148.101.24 0.0.0.7
access-list 100 permit udp any eq domain 75.148.101.24 0.0.0.7
access-list 100 permit udp host 208.79.253.15 eq 1194 75.148.101.24 0.0.0.7
access-list 100 permit tcp any host 75.148.101.27 eq ftp
access-list 100 permit tcp any host 75.148.101.27 eq 22
access-list 100 permit tcp any host 75.148.101.27 range 54650 54680
access-list 100 permit tcp any host 75.148.101.26 eq www
access-list 100 permit tcp any host 75.148.101.26 eq 443
access-list 100 permit tcp any any eq 51413
access-list 101 deny tcp 10.1.10.64 0.0.0.63 any eq www
access-list 101 deny tcp 10.1.10.64 0.0.0.63 any eq 443
access-list 101 deny tcp 10.1.10.64 0.0.0.63 any eq ftp
!
no cdp run

!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
scheduler allocate 20000 1000
end

I have a static route set up for VLAN 50 that is essentially identical to all my other static routes for all my other VLANs, and I can ping 75.148.101.30 and beyond for all those VLANs. Also I have ACLs set up, but I removed them from all interfaces while troubleshooting this problem. It didn't make any difference.

I've attached a diagram of my network as well. I'm stumped as to what could be the problem.

Thanks,

Joshua

Accepted Solution

Philip D'Ath
VIP Alumni

You have to tell the router to NAT the outbound traffic.

Try adding:

access-list 7 permit 10.1.10.128 0.0.0.63
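As an added example (not code from the thread), the following Python check reads the static routes and the NAT source ACL out of a running-config excerpt and reports inside prefixes that are routed via the LAN next hop but matched by no NAT ACL entry, which is exactly the gap behind VLAN 50's symptoms; it also rejects an entry whose second field is a subnet mask rather than a wildcard mask. The excerpt is constructed from the lines posted above, and the function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the posted running-config: the LAN static routes and NAT ACL 7.
SAMPLE_CONFIG = """
ip route 0.0.0.0 0.0.0.0 75.148.101.30
ip route 10.1.10.0 255.255.255.224 10.1.8.1
ip route 10.1.10.32 255.255.255.224 10.1.8.1
ip route 10.1.10.64 255.255.255.192 10.1.8.1
ip route 10.1.10.128 255.255.255.192 10.1.8.1
ip route 10.1.11.0 255.255.255.0 10.1.8.1
access-list 7 permit 10.1.10.32 0.0.0.31
access-list 7 permit 10.1.10.0 0.0.0.31
access-list 7 permit 10.1.11.0 0.0.0.255
access-list 7 permit 10.1.10.64 0.0.0.63
"""

def wildcard_to_network(addr, wildcard="0.0.0.0"):
    """Convert an IOS 'address wildcard' pair to a network. A valid wildcard is a
    contiguous run of low bits (2^k - 1); a subnet mask such as 255.255.255.192
    fails that test and is rejected instead of silently matching the wrong hosts."""
    wild = int(ipaddress.IPv4Address(wildcard))
    if wild & (wild + 1):
        raise ValueError(f"{wildcard} is not a wildcard mask (subnet mask typed by mistake?)")
    prefixlen = 32 - wild.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)

def parse_nat_acl(config, acl):
    """Return (networks permitted by the standard ACL, error messages for bad entries)."""
    nets, bad = [], []
    for m in re.finditer(rf"^access-list {acl} permit (\S+)(?: (\S+))?$", config, re.M):
        try:
            nets.append(wildcard_to_network(m.group(1), m.group(2) or "0.0.0.0"))
        except ValueError as err:
            bad.append(str(err))
    return nets, bad

def parse_lan_routes(config, lan_next_hop):
    """Static routes pointing at the inside next hop (the default route is excluded)."""
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            for m in re.finditer(rf"^ip route (\S+) (\S+) {re.escape(lan_next_hop)}$",
                                 config, re.M)]

def routes_not_natted(config, acl, lan_next_hop):
    """Inside prefixes the router routes to but would forward to the WAN un-NATed."""
    nets, _ = parse_nat_acl(config, acl)
    return [str(r) for r in parse_lan_routes(config, lan_next_hop)
            if not any(r.subnet_of(n) for n in nets)]

if __name__ == "__main__":
    print(routes_not_natted(SAMPLE_CONFIG, 7, "10.1.8.1"))   # VLAN 50's prefix is missing
```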


Thanks, that was it. Knew I was missing something obvious. I removed the access-group from my WAN link and so I wasn't thinking about ACLs used for NATing.
