My suggestion was to verify

ranasaadnoori · ‎07-31-2016

hi i have a cisco router 2900 with 1 subinterface, but hosts from the other interfaces ping fail to hosts in this subinterface

attached my configration

! Last configuration change at 09:11:50 UTC Tue Sep 15 2015

! NVRAM config last updated at 09:12:01 UTC Tue Sep 15 2015

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

no aaa new-model

!

no ipv6 cef

ip source-route

ip cef

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-377234204

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-377234204

revocation-check none

rsakeypair TP-self-signed-377234204

!

crypto pki certificate chain TP-self-signed-377234204

certificate self-signed 01

license udi pid CISCO2911/K9 sn FGL164812WN

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

ip address 10.10.10.3 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet0/1

ip address 10.30.30.1 255.255.255.0

ip access-group 30 out

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface GigabitEthernet0/2

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/2.1

encapsulation dot1Q 190

ip address 192.168.190.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

!

ip nat inside source list 10 interface GigabitEthernet0/0/0 overload

ip nat inside source list 20 interface GigabitEthernet0/0/0 overload

ip route 192.168.90.0 255.255.255.0 10.10.10.2

ip route 192.168.110.0 255.255.255.0 10.30.30.2

ip route 192.168.200.0 255.255.255.0 10.10.10.1

!

access-list 10 permit 192.168.190.0 0.0.0.255

access-list 20 permit 10.30.30.0 0.0.0.255

access-list 30 permit 10.10.10.0 0.0.0.255

access-list 30 permit any

!

control-plane

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

scheduler allocate 20000 1000

end

ahmedshoaib · ‎07-31-2016

Hi;

There is little bit confusion as I review to configuration. You enable the Nat with both interface as an inside interface (GigabitEthernet0/2.1 & GigabitEthernet0/1) There should be one interface as an nat outside interface.

Do 1 of the following thing & test:

Option 1: Remove ip nat inside from both interface (GigabitEthernet0/2.1 & GigabitEthernet0/1) & test.

Option 2: One of the interfaces configured as ip nat outside (either GigabitEthernet0/2.1 & GigabitEthernet0/1) & test.

Thanks & Best regards;

ranasaadnoori · ‎07-31-2016

they are both inside interfaces nat outside is done from gig0/0/0 i removed from the configuration as it is not the problem. the problem is when i ping a host like 192.168.190.6 from router or even from a host on the 10.30.30.0 network i get a request timed out or no reply while when i ping 192.168.190.1

i get a reply the ping succeed

ahmedshoaib · ‎07-31-2016

Hi;

As per the configuration you did, I test and verify on test setup and it's working means it's not the nating issue.

Can you also double check the routing part of your other devices?

Thanks & Best regards;

Richard Burts · ‎07-31-2016

I would suggest that a good place to start in troubleshooting this is to verify whether the subinterface is working. Would you post the output of show ip interface brief and of show arp (or perhaps show ip arp depending on platform).

HTH

Rick

HTH

Rick

ranasaadnoori · ‎08-02-2016

hi Richard,

below is my show ip interface and show arp output, i can't see any problem

also my 10.30.30.2 is firewall and i can ping 192.168.190.1 from outside but not the hosts i cant figure if theres somthing i understood wrong i am not expert on firewall

ip interface brief
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 10.10.10.3 YES NVRAM up up
GigabitEthernet0/1 10.30.30.1 YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM up up
GigabitEthernet0/2.1 192.168.190.1 YES NVRAM up up
GigabitEthernet0/0/0 X.x.x.x YES NVRAM up up
NVI0 10.10.10.3 YES unset up up

Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.1 4 acf2.c5f9.23d0 ARPA GigabitEthernet0/0
Internet 10.10.10.3 - acf2.c5ff.f700 ARPA GigabitEthernet0/0
Internet 10.30.30.1 - acf2.c5ff.f701 ARPA GigabitEthernet0/1
Internet 10.30.30.2 4 d48c.b5c2.68ca ARPA GigabitEthernet0/1
Internet x.x.x.x 0 0013.5f22.5644 ARPA GigabitEthernet0/0/0
Internet x.x.x.x - acf2.c5ff.f703 ARPA GigabitEthernet0/0/0
Internet 192.168.190.1 - acf2.c5ff.f702 ARPA GigabitEthernet0/2.1
Internet 192.168.190.6 3 24b6.fd47.0549 ARPA GigabitEthernet0/2.1
Internet 192.168.190.7 1 1803.7393.99e8 ARPA GigabitEthernet0/2.1

this is show ip route:

Gateway of last resort is X.X.X.X to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via X.X.X.X
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
L 10.10.10.3/32 is directly connected, GigabitEthernet0/0
C 10.30.30.0/24 is directly connected, GigabitEthernet0/1
L 10.30.30.1/32 is directly connected, GigabitEthernet0/1
X.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C X.X.X.X/28 is directly connected, GigabitEthernet0/0/0
L X.X.X.X/32 is directly connected, GigabitEthernet0/0/0
S 192.168.90.0/24 [1/0] via 10.10.10.2
S 192.168.110.0/24 [1/0] via 10.30.30.2
192.168.190.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.190.0/24 is directly connected, GigabitEthernet0/2.1
L 192.168.190.1/32 is directly connected, GigabitEthernet0/2.1
S 192.168.200.0/24 [1/0] via 10.10.10.1

milan.kulik · ‎08-03-2016

Hi,

generally, I'd check if the hosts are having a correct subnet mask and default gateway configured in a case like this.

And also the VLAN tagging on the trunk used to connnect the router to the switch physically.

But as you are saying "the problem is when i ping a host like 192.168.190.6 from router ... i get a request timed out or no reply" and I see there is an ARP entry

Internet 192.168.190.6 3 24b6.fd47.0549 ARPA GigabitEthernet0/2.1

on your router, I'd guess there is something like a personal FW on your PC denying it to reply to Pings?!

Are you able to Ping from your 192.168.190.7 PC to 192.168.190.6?

Best regards,

Milan

ranasaadnoori · ‎08-03-2016

hi yes i get a reply when i ping from 192.168.190.6 to .190.7 i a also can ssh login from 190.6 to 10.30.30.2 which is my firewall outside interface but still cant bing hosts in .190.x while i get a reply from their gateway 190.1, i can't figure whats wrong either i tried access lists on interfaces but did not work

this is my switch to router trunk interface:

Name: Fa0/x
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 190
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

ahmedshoaib · ‎08-03-2016

Hi;

What I understand from your post is that:

You can ping within same subnet (192.168.190.6 to 190.7)
You can SSH from 192.168.190.6 to Firewall (10.30.30.2)
From Firewall you can ping Router interface (192.168.190.6)
But either Firewall or Router you can’t ping (If it’s true then its clearly shows the issue lies on you PC firewall not related to Router).

If my understanding is wrong please add or modify.

Thanks & Best regards;

Richard Burts · ‎08-03-2016

My suggestion was to verify whether the subinterface is working. the show ip interface brief and especially the arp results do verify that the subinterface is working. Since we are successfully getting arp responses we know that the trunking is working, that the vlan tagging is working, and that we have at least layer 2 connectivity into that subnet.

If 190.6 is able to ping 190.7 that would seem to eliminate the possibility of firewall on the PC as an issue (at least for 190.7). I like the suggestion that it might be an issue with subnet mask or gateway and would ask the original poster to post the output of ipconfig from both 190.6 and 190.7.

HTH

Rick

HTH

Rick

ranasaadnoori · ‎08-04-2016

from firewall i can ping interface 192.168.190.1 but not 192.168.190.6 but Milan.Kulik was right on pc firewall.

ranasaadnoori · ‎08-04-2016

hello All,

Thank you for your help i solved it by adding access lists to my firewall and disabling firewall on host pc which i want to reach from my firewall inside interface.

Richard Burts · ‎08-04-2016

Thanks for posting to the forum to let us know that you have worked out a solution for this problem. +5 to you for that.

HTH

Rick

HTH

Rick

ping fail between subinterface and router interfaces