Re: Ping problem to External on WinXP

markxgzhang · ‎11-12-2008

Hi All

The following is the setup

C3750 Switch

interface GigabitEthernet1/0/1

description Connect to D-Link DI-808HV

no switchport

ip address 192.168.8.2 255.255.255.252

VLAN 2

172.20.0.1/24

...

Couple of ports are assigned to VLAN 2

D-Link DI-808HV

Lan: 192.168.8.1/24

WAN: x.x.x.74/29

Gateway: x.x.x.73

Now, from CLI of the switch, I can ping everywhere, including 192.168.8.2, 192.168.8.1, and x.x.x.74, 72.14.207.104

But from winXP client, which is connected to a VLAN 2 port, can only ping 192.168.8.2, 192.168.8.1, and x.x.x.74. and cannot go beyond that. The winXP firewall is switched off.

why cannot I ping beyond x.x.x.74? Please help,

TIA

Mark

Istvan_Rabai · ‎11-12-2008

Hi Mark,

Please check:

- if you can follow up the route to the other subnets and back to the source address in the routing tables.

- that you don't have any access-lists or firewalls along the path that would block ping echo or reply packets in either direction.

Cheers:

Istvan

markxgzhang · ‎11-13-2008

Thanks Istvan. One thing I do not understand is that actually the tow pings are from the same computer, but one is from a HyperTerminal session and another is from WinXP platform on which the firewall is turned off. Why is that?

Yes, the D-Link device is a 8-Port Broadband VPN Router, and it has firewall function. but if it is on, how can the hyperterminal session go across?

Mark

markxgzhang · ‎11-13-2008

The attached is the network diagram.

Mark

vaisharm · ‎11-13-2008

Mark,

If I understand correctly, x.x.x.74/29 is the IP on the WAN interface on the D-link router and x.x.x.73 is your ISP. This looks like a NAT issue to me. Your D-link router must be natting the 192.168.8.0/24 network and it looks like its not natting the 172.20.0.0/24 network. Which is why you are able to ping the WAN interface on the D-link box but not beyond it. However, when you ping from the hyper terminal session, then you use the routed-port on the switch as the source (unlike the 172.20.0.0/24 network which is the source when you ping from the WinXP client). To confirm if this is the problem, try an extended ping beyond x.x.x.74 from the switch with interface VLAN2 as the source.

Switch#ping x.x.x.x source VLAN 2

This would most likely fail.

HTH,

Vaibhav

markxgzhang · ‎11-13-2008

Hi Vaibhav,

Yes, you are right, tried

Switch#ping x.x.x.x source VLAN 2

and it failed.

Looks like it is not a Cisco issue, but I will try here anyway. Is there a way to change the NAT behaviour on the D-Link box, so that 172.20.0.0/24 will be natted as well?

What I am trying to do is transfer all the flat network which is at the moment on 192.168.8.0/24 with no VLAN config, to a VLAN environmet with switches that configured with VLANs and Routed-port. Before transferring, I'd like to make sure that internet connection is working on those switches that has vlan configurations. As you can see, only hyper terminal session can get out to internet from the VLAN configured switch, but not on the WinXP platform. What is the way to fix it please?

Thanks

glen.grant · ‎11-13-2008

Are you running a default static route on the 3750 pointing to the 192.168.8.1 ??

markxgzhang · ‎11-13-2008

Yes. through the routed-port that has the IP of 192.168.8.2.

vaisharm · ‎11-13-2008

Mark,

I am not sure how the routing, NAT is being implemented on the D-Link router. However, I found something which might help you fix this issue. Try the following settings on your D-link router.

Under Advanced -> Firewall (from the left pane)

Firewall Rules

* Enabled

Name: Allow Internal_VLANs

Action: Allow

Source:

Intrerface: LAN

IP Start: 172.20.0.1

IP End: 172.20.0.255

Destination: I am not sure if you just leave it to * if it would allow access to all sources. But you can try this. If it does not work, try the following:

Destination:

Interface:WAN

IP Start: 0.0.0.0

IP End: 0.0.0.0

Protocol: *

Schedule: Always

Apply

Let us know how it goes.

HTH,

~Vaibhav

markxgzhang · ‎11-13-2008

did that. and it still the same, winXP can ping Router WAN port, x.x.x.74, but not beyond.

vaisharm · ‎11-13-2008

Mark,

You probably need to contact D-Link support.

HTH,

~Vaibhav

markxgzhang · ‎11-13-2008

the last rule should allow anything from Lan to WAN. Isn't it?

Allow Internal_VLANs LAN,172.20.0.1-172.20.0.255 WAN,* *,*

Allow Ping WAN port WAN,* WAN,* ICMP,*

Deny Default *,* LAN,* *,*

Allow Default LAN,* *,* *,*

vaisharm · ‎11-14-2008

That is correct. Just to check, modify or a add a new rule and enable ICMP to a specific public IP from source range 172.20.0.1-172.20.0.255 and see if ping works from the XP client to this public IP.

markxgzhang · ‎11-16-2008

Hi Guys,

It is actually an routing issue. After I put the Static Route entry in to route back to the vlans, the ping problem disapeared. I remember Jon said something about it on another thread, and tried it, and it is working now.

Thank you very much guys.