04-23-2013 08:00 AM - edited 03-07-2019 12:59 PM
This seems like a simple configuration but it's not working and I'm at a loss. I'm unable to ping 1.x devices on the Layer 2 Switch from the 2.x network. I can ping 192.168.1.1 though. (Gi0/0's IP).
I plugged my laptop directly into Gi0/1 (192.168.2.0/24) and it still didn't work so it's not the fault of the Apple Wireless Switch.
R1#show run
Building configuration...
Current configuration : 2813 bytes
!
! No configuration change since last restart
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable *********************************
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.1 192.168.2.50
ip dhcp excluded-address 192.168.2.200 192.168.2.254
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
multilink bundle-name authenticated
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
voice-card 0
!
!
!
!
!
!
!
license udi pid CISCO2921/K9 sn FTX1703AHBN
hw-module pvdm 0/0
!
!
!
username **************
!
redundancy
!
!
ip ftp ****************
ip ftp ****************
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0 //Subnet 1
ip address 192.168.1.1 255.255.255.0
ip access-group 103 in
ip access-group 125 out
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1 //Subnet 2
ip address 192.168.2.1 255.255.255.0
ip access-group 104 in
ip access-group 125 out
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
ip address "Wan IP"
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip nat inside source list 2 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 108.162.28.169
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0
ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/1
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 5 permit any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip 192.168.1.0 0.0.0.255 any //Two inbound ACL's I'm using
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
access-list 105 permit ip any any
access-list 113 permit ip any any
access-list 125 permit ip any any //Outbound ACL
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
shutdown
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password *****************************
login
transport input all
!
scheduler allocate 20000 1000
end
S* 0.0.0.0/0 [1/0] via 108.162.28.169
108.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 108.162.28.168/29 is directly connected, GigabitEthernet0/2
L 108.162.28.171/32 is directly connected, GigabitEthernet0/2
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/0
L 192.168.1.1/32 is directly connected, GigabitEthernet0/0
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, GigabitEthernet0/1
L 192.168.2.1/32 is directly connected, GigabitEthernet0/1
Any clue why? I really don't understand why it's not working.
Solved! Go to Solution.
04-23-2013 08:54 AM
Hello William,
How come your Layer 2 switch can initiate a packet for 192.168.2.0 network?
Can you please trace 192.168.2.1 or 2.2 from layer 2 switch?
Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
04-23-2013 08:54 AM
Hello William,
How come your Layer 2 switch can initiate a packet for 192.168.2.0 network?
Can you please trace 192.168.2.1 or 2.2 from layer 2 switch?
Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
04-23-2013 09:32 AM
IPv4 Address. . . . . . . . . . . : 192.168.1.43
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\William>tracert 192.168.2.1
Tracing route to 192.168.2.1 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.2.1
C:\Users\William>tracert 192.168.2.115
Tracing route to billy-pc.atm.local [192.168.2.115]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.1.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * *
Yes, I did "ip routing" in config mode.
04-23-2013 09:08 AM
Have you enabled "ip routing" ?
Sent from Cisco Technical Support iPhone App
04-23-2013 10:14 AM
Remove the ACLs and see if it works and then start from there.
04-23-2013 11:28 AM
Why would removing the ACL work? Do Cisco routers automatically allow communication between subnets?
04-23-2013 11:52 AM
Hello William,
I think there should be no issue with the ACLs you have properly put the command for both inbound and outbound traffic. I doubt with Natting let us check it.
Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
04-23-2013 11:57 AM
Hello Wiliam,
I have referd it to the expert in the field, lets hope it will get resolved ASAP.
Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
04-23-2013 12:49 PM
Hello William, there are quite a few bits of config that are not required, hence I would take them all out before any troubleshooting. As Mohammad suggested too, just remove the ACL's to mitigate chances of being an ACL that is the problem. There were a couple of static routes that were not required too.
Also you have specified ip dhcp exclude addresses but I cant actually see any DHCP pool that has been created, so is this really required also?
I would do this:
ip dhcp excluded-address 192.168.2.1 192.168.2.99 ??
ip dhcp excluded-address 192.168.2.200 192.168.2.254 ??
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
ip address "Wan IP"
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
!
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 108.162.28.169
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
Hope this helps.
Please rate useful posts and remember to mark any solved questions as answered. Thank you.
04-23-2013 01:52 PM
Hello William,
Now after what Bilal said, I have to completly agree with him and Mohammad,
I was also a bit confused by these commands especially, (bolded one).
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 5 permit any
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip nat inside source list 2 interface GigabitEthernet0/2 overload
What actually they were trying to say is "just remove the ACL's to mitigate chances of being an ACL that is the problem."
Hello Bilal, Here the five stars.
Thanks
Thanveer
04-23-2013 02:48 PM
Thanks guys. Those access-lists aren't even applied to any interface so they don't really matter.
Anyway, it turns out that the router is fine, it was the devices (Thecus NAS Drives) on the 1.x subnet that were the problem.
Thanks again, I gave everybody 5 stars.
04-23-2013 03:05 PM
Hello Wiliam,
Just to add, you have ACL on inside interfaces to check source IP addresses. Look at this feature which is prefered way to do it:
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
Best Regards
Please rate all helpful posts and close solved questions
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide