04-03-2017 06:18 AM - last edited on 03-25-2019 04:43 PM by ciscomoderator
Hi all,
I have set up my switch using the following link:
Everything local is working fine, but when I want to access the internet it doesn't work.
My default router is 192.168.1.248, and when used as gateway on vlan1 there is no problem, but I also have a PC on vlan10 (192.168.50.25) with gateway 192.168.50.253 and this one has no internet access.
On the switch I have:
vlan1 192.168.1.253
vlan10 192.168.50.253
vlan20 192.168.51.253
ip route 0.0.0.0 192.168.1.248
On the router I have:
ip route 192.168.50.0 255.255.255.0 192.168.1.253
ip route 192.168.51.0 255.255.255.0 192.168.1.253
Can somebody help me out here ??????
04-03-2017 06:42 AM
Hi,
The router needs a default route towards the provider?
Can you post "sh run" from the router?
HTH
04-03-2017 06:57 AM
Ok, here it comes:
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname GRDATA
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200
logging console critical
enable secret
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone gmt 1 0
clock summer-time GMT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
no ip domain lookup
ip domain name
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
license udi pid C881-K9 sn FCZ2005C160
!
!
username admin privilege 15 secret
username xxx password
username xxx password
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
crypto isakmp key xxxx address xxxxx
!
crypto isakmp client configuration group xxxx
key xxxx
dns 194.151.228.34
domain xxxx
pool xxxx
acl 105
!
!
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set MySet
reverse-route
!
!
crypto map MyMap client authentication list userauthen
crypto map MyMap isakmp authorization list groupauthor
crypto map MyMap client configuration address respond
crypto map MyMap 1 ipsec-isakmp
set peer xxxxx
set security-association lifetime seconds 86400
set transform-set MySet
match address 101
crypto map MyMap 20 ipsec-isakmp dynamic dynmap
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
ip virtual-reassembly in
load-interval 30
duplex full
speed 100
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
ip address 192.168.1.248 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
ip tcp adjust-mss 1452
load-interval 30
no autostate
!
interface Dialer1
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxx password xxx
crypto map MyMap
!
ip local pool ipvpnpool xxx xxx
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 102 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.50.0 255.255.255.0 192.168.1.253
ip route 192.168.51.0 255.255.255.0 192.168.1.253
!
dialer-list 1 protocol ip permit
no cdp run
!
route-map nonat permit 10
match ip address 103
!
access-list 23 remark Remote_Management
access-list 23 permit 10.x.x.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit x.x.x.x 0.0.0.248
access-list 101 remark Cryptomap-IPSEC-VPN-BM
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark nat rules
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
line con 0
logging synchronous
no modem enable
escape-character 3
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
logging synchronous
transport input ssh
escape-character 3
!
scheduler allocate 20000 1000
!
end
04-03-2017 07:03 AM
Hi,
Access-list 102 needs to have the other 2 subnets.
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
add:
access-list 102 permit ip 192.168.50.0 0.0.0.255 any
access-list 102 permit ip 192.168.51.0 0.0.0.255 any
HTH
04-03-2017 07:36 AM
Hello,
I had those two subnets added to access-list 102, but it didn't work. So maybe I hoped there was another solution.
Originally my 102 looked like this:
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.50.0 0.0.0.255 any
access-list 102 permit ip 192.168.51.0 0.0.0.255 any
04-03-2017 07:54 AM
Hi,
From the router are you able to ping the interfaces for vlan 50 and 51 on the switch?
Does the switch have "ip routing" turned on?
Also, from the router, what is the output of "show ip nat translations"?
04-04-2017 02:48 AM
Hi Reza,
On the switch, ip routing is on; otherwise PCs in 192.168.1.0 can't see the PCs in 192.168.50.0 and 192.168.51.0 and vice versa.
When I do sh ip nat translations, it only shows the 192.168.1.0 subnet in the inside local.
04-04-2017 03:59 AM
Hi,
Can you add 192.168.50.0 and 51 to both access-list 102 and 103 and test again?
HTH
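An added example, not part of any post in this thread: a small Python check that finds the ACL referenced by the `ip nat inside source list` statement and evaluates it first-match, with IOS wildcard masks, for a given inside source address. The config strings are constructed from the lines posted above, the function names are hypothetical, only numbered extended `ip` entries are handled, and the destination 198.51.100.10 is a documentation address standing in for an internet host.

```python
import ipaddress, re

# Constructed sample: the NAT-relevant lines from the router config posted in the thread.
CONFIG = """\
ip nat inside source list 102 interface Dialer1 overload
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
"""
# The two entries suggested in the replies.
FIX = """\
access-list 102 permit ip 192.168.50.0 0.0.0.255 any
access-list 102 permit ip 192.168.51.0 0.0.0.255 any
"""

def _spec(tokens):
    """Consume one address spec (any | host A | A WILDCARD) -> (addr, wildcard) ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _hit(ip, spec):
    care = ~spec[1] & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return int(ipaddress.IPv4Address(ip)) & care == spec[0] & care

def nat_acl(config):
    """ACL number used by the 'ip nat inside source list' statement, or None."""
    m = re.search(r"^ip nat inside source list (\d+) ", config, re.M)
    return m.group(1) if m else None

def parse_acl(config, number):
    """[(action, src_spec, dst_spec)] for extended 'ip' entries; remarks are skipped."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["access-list", number] and t[2:4] in (["permit", "ip"], ["deny", "ip"]):
            rest = t[4:]
            entries.append((t[2], _spec(rest), _spec(rest)))
    return entries

def nat_decision(config, src, dst="198.51.100.10"):
    """First match wins; no match is the implicit deny, so the flow is not translated."""
    for action, s, d in parse_acl(config, nat_acl(config)):
        if _hit(src, s) and _hit(dst, d):
            return action
    return "implicit deny"

if __name__ == "__main__":
    for cfg, label in ((CONFIG, "posted"), (CONFIG + FIX, "with added entries")):
        print(label, {ip: nat_decision(cfg, ip) for ip in ("192.168.1.10", "192.168.50.25")})
```

A source that ends in `deny` or `implicit deny` leaves the router untranslated, which is consistent with `show ip nat translations` listing only 192.168.1.0 inside local addresses.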