Solved: Re: No inter-subnet connectivity.

b1llysand1er · ‎04-23-2013

This seems like a simple configuration but it's not working and I'm at a loss. I'm unable to ping 1.x devices on the Layer 2 Switch from the 2.x network. I can ping 192.168.1.1 though. (Gi0/0's IP).

I plugged my laptop directly into Gi0/1 (192.168.2.0/24) and it still didn't work so it's not the fault of the Apple Wireless Switch.

R1#show run
Building configuration...


Current configuration : 2813 bytes
!
! No configuration change since last restart
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable *********************************
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.1 192.168.2.50
ip dhcp excluded-address 192.168.2.200 192.168.2.254
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
multilink bundle-name authenticated
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
voice-card 0
!
!
!
!
!
!
!
license udi pid CISCO2921/K9 sn FTX1703AHBN
hw-module pvdm 0/0
!
!
!
username **************
!
redundancy
!
!
ip ftp ****************
ip ftp ****************
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0         //Subnet 1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 103 in
 ip access-group 125 out
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1    //Subnet 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 104 in
 ip access-group 125 out
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/2
 ip address "Wan IP"
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip nat inside source list 2 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 108.162.28.169
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0
ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/1
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 5 permit any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any

access-list 103 permit ip 192.168.1.0 0.0.0.255 any   //Two inbound ACL's I'm using
access-list 104 permit ip 192.168.2.0 0.0.0.255 any

access-list 105 permit ip any any
access-list 113 permit ip any any
access-list 125 permit ip any any               //Outbound ACL
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
 shutdown
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password *****************************
 login
 transport input all
!
scheduler allocate 20000 1000
end



S*    0.0.0.0/0 [1/0] via 108.162.28.169
      108.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        108.162.28.168/29 is directly connected, GigabitEthernet0/2
L        108.162.28.171/32 is directly connected, GigabitEthernet0/2
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
L        192.168.1.1/32 is directly connected, GigabitEthernet0/0
      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.2.0/24 is directly connected, GigabitEthernet0/1
L        192.168.2.1/32 is directly connected, GigabitEthernet0/1

Any clue why? I really don't understand why it's not working.

Muhammad Thanveer · ‎04-23-2013

Hello William,

How come your Layer 2 switch can initiate a packet for 192.168.2.0 network?

Can you please trace 192.168.2.1 or 2.2 from layer 2 switch?

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

View solution in original post

Muhammad Thanveer · ‎04-23-2013

Hello William,

How come your Layer 2 switch can initiate a packet for 192.168.2.0 network?

Can you please trace 192.168.2.1 or 2.2 from layer 2 switch?

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

b1llysand1er · ‎04-23-2013

IPv4 Address. . . . . . . . . . . : 192.168.1.43

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

C:\Users\William>tracert 192.168.2.1

Tracing route to 192.168.2.1 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.2.1

C:\Users\William>tracert 192.168.2.115

Tracing route to billy-pc.atm.local [192.168.2.115]

over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.1.1

2 * * * Request timed out.

3 * * * Request timed out.

4 * * * Request timed out.

5 * *

Yes, I did "ip routing" in config mode.

mbroberson1 · ‎04-23-2013

Have you enabled "ip routing" ?

Sent from Cisco Technical Support iPhone App

ALIAOF_ · ‎04-23-2013

Remove the ACLs and see if it works and then start from there.

b1llysand1er · ‎04-23-2013

Why would removing the ACL work? Do Cisco routers automatically allow communication between subnets?

Muhammad Thanveer · ‎04-23-2013

Hello William,

I think there should be no issue with the ACLs you have properly put the command for both inbound and outbound traffic. I doubt with Natting let us check it.

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

Muhammad Thanveer · ‎04-23-2013

Hello Wiliam,

I have referd it to the expert in the field, lets hope it will get resolved ASAP.

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

Bilal Nawaz · ‎04-23-2013

Hello William, there are quite a few bits of config that are not required, hence I would take them all out before any troubleshooting. As Mohammad suggested too, just remove the ACL's to mitigate chances of being an ACL that is the problem. There were a couple of static routes that were not required too.

Also you have specified ip dhcp exclude addresses but I cant actually see any DHCP pool that has been created, so is this really required also?

I would do this:

ip dhcp excluded-address 192.168.2.1 192.168.2.99 ??

ip dhcp excluded-address 192.168.2.200 192.168.2.254 ??

!

ip name-server 8.8.8.8

ip name-server 8.8.4.4

!

interface GigabitEthernet0/0

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/1

ip address 192.168.2.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/2

ip address "Wan IP"

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

ip nat inside source list 1 interface GigabitEthernet0/2 overload

ip route 0.0.0.0 0.0.0.0 108.162.28.169

!

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 1 permit 192.168.2.0 0.0.0.255

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Muhammad Thanveer · ‎04-23-2013

Hello William,

Now after what Bilal said, I have to completly agree with him and Mohammad,

I was also a bit confused by these commands especially, (bolded one).

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 1 permit 192.168.2.0 0.0.0.255

access-list 2 permit 192.168.2.0 0.0.0.255

access-list 3 permit 192.168.2.0 0.0.0.255

access-list 3 permit 192.168.1.0 0.0.0.255

access-list 4 permit 192.168.1.0 0.0.0.255

access-list 5 permit any

ip nat inside source list 1 interface GigabitEthernet0/2 overload

ip nat inside source list 2 interface GigabitEthernet0/2 overload

What actually they were trying to say is "just remove the ACL's to mitigate chances of being an ACL that is the problem."

Hello Bilal, Here the five stars.

Thanks

Thanveer

b1llysand1er · ‎04-23-2013

Thanks guys. Those access-lists aren't even applied to any interface so they don't really matter.

Anyway, it turns out that the router is fine, it was the devices (Thecus NAS Drives) on the 1.x subnet that were the problem.

Thanks again, I gave everybody 5 stars.

blau grana · ‎04-23-2013

Hello Wiliam,

Just to add, you have ACL on inside interfaces to check source IP addresses. Look at this feature which is prefered way to do it:

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions