04-03-2013 04:52 PM - edited 03-07-2019 12:37 PM
Still new to this and having a hard time figuring this out. I've got a 2851 router running CME w/ latest IOS.
Gig 0/0 trunks to 3560 Switch for both Data and Voice Vlans (working fine)
Gig 0/0.10 Data
Gig 0/0.200 Voice
Gig 0/1 is to be the WAN connection to another router (and the outside world)
I've set up Gig 0/1 as 192.168.0.2 and the default route router to 192.168.0.1
Also have configured the default route:
Gateway of last resort is 192.168.0.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.0.1
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C 10.1.10.0/24 is directly connected, GigabitEthernet0/0.10
L 10.1.10.1/32 is directly connected, GigabitEthernet0/0.10
C 10.1.200.0/24 is directly connected, GigabitEthernet0/0.200
L 10.1.200.1/32 is directly connected, GigabitEthernet0/0.200
S 10.1.200.2/32 is directly connected, Service-Engine1/0
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, GigabitEthernet0/1
L 192.168.0.2/32 is directly connected, GigabitEthernet0/1
From the router, I can ping 192.168.0.1 & 2 fine. Can't ping 192.168.0.1 (default route router) from a workstation connected through a phone, but can ping 192.168.0.2 (2851 gig 0/1 int). Workstation can ping everything else fine.
How do I allow data access (not voice) to the WAN? I've read this can be done with Policy-based routing, but this is completely new to me...
04-03-2013 07:52 PM
Hi Doug,
Everything matters mate :-)
What device is 192.168.0.1? Do you know if it has a route back to your workstation subnet (i.e. 10.1.10.x network)? If not, you will have to enable NAT on your router. Please try the configuration below.
interface GigabitEthernet0/0.10
 ip nat inside
!
interface GigabitEthernet0/1
 ip nat outside
!
access-list 1 permit 10.1.10.0 0.0.0.255
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
Hope that helps.
Regards
Najaf
Please rate when applicable or helpful !!!
04-03-2013 05:54 PM
Hi Doug,
Could you please share the router configuration and also let us know what IP address you are using on the workstation?
Regards
Najaf
04-03-2013 07:21 PM
04-04-2013 09:31 AM
Thanks for the response!
192.168.0.1 is a Comcast gateway (router/flat switch), so it will not have any route back to a VLAN. So that makes sense now (thanks to your explanation) why the router can ping it from vlan 1, but the workstation can't from 10.
I'll give your suggestion a shot when I get a chance (only get to work on this setup at the location one to two times per week).
So, let me see if I understand this right: ip nat inside on gig 0/0.10 and ip nat outside on gig 0/1 enable these two interfaces to communicate via network address translation, while access-list 1 permit 10.1.10.0 0.0.0.255 limits NAT to the 10.1.10.x subnet. And ip nat inside source list 1 interface GigabitEthernet0/1 overload applies source list 1 to gig 0/1. But I'm still trying to get my head around the overload keyword. I just read: "The keyword overload... ...allows NAT to translate multiple inside devices to the single address in the pool(/interface)". Obviously I'm going to need to spend some more time reading up on this.
04-04-2013 09:37 AM
Hi Doug,
Overload is PAT (Port Address Translation). With the overload command we can have multiple LAN IP addresses (10.1.10.x) NATed to a single public/outside IP address (which is on gi0/1) using various random ports. Otherwise we would have to have multiple public/outside addresses, one for each LAN IP address which wants to speak to the external world.
Hope that helps.
Najaf
Please rate when applicable or helpful !!!
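An added sketch, not part of any post in this thread and not Cisco code, that models what the overload keyword does with the thread's access-list 1 and Gi0/1 address: inside sources matched by the wildcard mask share 192.168.0.2 and are told apart by port. The names acl_permits and Pat, the port-allocation order and the sample hosts are assumptions made for illustration.

```python
import ipaddress

OUTSIDE_IP = "192.168.0.2"             # Gi0/1 address from the thread
ACL1 = [("10.1.10.0", "0.0.0.255")]    # access-list 1 permit 10.1.10.0 0.0.0.255


def acl_permits(src, acl=ACL1):
    """IOS wildcard match: bits set to 1 in the wildcard are ignored."""
    s = int(ipaddress.IPv4Address(src))
    for net, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if s & care == int(ipaddress.IPv4Address(net)) & care:
            return True
    return False  # implicit deny at the end of every ACL


class Pat:
    """Toy model of 'ip nat inside source list 1 interface ... overload'."""

    def __init__(self, outside_ip=OUTSIDE_IP, first_port=1024):
        self.outside_ip = outside_ip
        self.next_port = first_port   # assumed allocation order, for illustration
        self.out_by_inside = {}       # (inside ip, inside port) -> outside port
        self.inside_by_out = {}       # outside port -> (inside ip, inside port)

    def outbound(self, src_ip, src_port):
        """Return the (ip, port) the packet leaves Gi0/1 with."""
        if not acl_permits(src_ip):
            return (src_ip, src_port)  # not matched by list 1: left untranslated
        key = (src_ip, src_port)
        if key not in self.out_by_inside:
            # Keep the original source port if it is free, else pick another.
            port = src_port
            while port in self.inside_by_out:
                port, self.next_port = self.next_port, self.next_port + 1
            self.out_by_inside[key] = port
            self.inside_by_out[port] = key
        return (self.outside_ip, self.out_by_inside[key])

    def inbound(self, dst_port):
        """Map a reply arriving at the outside address back to the inside host."""
        return self.inside_by_out.get(dst_port)  # None: no entry, packet dropped
```

Because the upstream gateway only ever sees 192.168.0.2 as the source, it needs no route back to 10.1.10.0/24; unsolicited inbound packets with no table entry map to nothing.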
04-04-2013 10:38 AM
Oh! Well, THAT'S good to know... PAT I can understand.
Sure would've been nice if that Cisco article I glanced at would've mentioned "PAT" in the same context with overload.
04-03-2013 10:24 PM
Hi Douglas,
The device (192.168.0.1) will not have a route to your 10.x.x.x network, due to which the packet will be dropped at the 192.168.0.1 device. If you don't have access to the 192.168.0.1 device, you will have to use NAT as Najaf has suggested.