
Router can reach the Internet, but LAN subinterfaces can't.

Wil liam
Level 1

CME-RT(config)#do ping 172.17.1.1 source g0/0.201
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.201.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

CME-RT(config)#do ping google.com source g0/0.201
Translating "google.com"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.58.216.206, timeout is 2 seconds:
Packet sent with a source address of 10.0.201.1
.....
Success rate is 0 percent (0/5)
CME-RT(config)#do ping google.com
Translating "google.com"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.225.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/16/20 ms
 

Here's the running config:

 

CME-RT(config)#do sho run
Building configuration...


Current configuration : 5672 bytes
!
! Last configuration change at 14:24:16 UTC Mon Feb 16 2015
! NVRAM config last updated at 14:23:44 UTC Mon Feb 16 2015
! NVRAM config last updated at 14:23:44 UTC Mon Feb 16 2015
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CME-RT
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip dhcp pool DATA
 network 10.0.201.0 255.255.255.0
 option 150 ip 10.0.201.1
 default-router 10.0.201.1
 dns-server 8.8.8.8
!
ip dhcp pool VOICE
 network 10.0.101.0 255.255.255.0
 default-router 10.0.101.1
 option 150 ip 10.0.101.1
 dns-server 8.8.8.8
!
!
ip domain name ccna-vvl.local
ip name-server 8.8.8.8
ip name-server 172.17.1.1
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
voice service voip
 ip address trusted list
  ipv4 208.110.65.16 255.255.255.240
  ipv4 173.203.199.137 255.255.255.255
  ipv4 50.22.55.32 255.255.255.255
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 sip
  bind control source-interface GigabitEthernet0/0.101
  bind media source-interface GigabitEthernet0/0.101
  registrar server
!
voice class h323 1
  h225 timeout tcp establish 2
  h225 timeout setup 2
!
!
voice register global
 mode cme
 source-address 10.0.101.1 port 5060
 max-dn 50
 max-pool 10
 tftp-path flash:
 create profile sync 0000018941564005
!
voice register dn  1
 number 1001
 name Will
 label Line 1
!
voice register dn  2
 number 1002
 name Will
 label Line 2
!
voice register dn  3
 number 1003
 name Millie
 label Line 1
!
voice register dn  4
 number 1004
 name Millie
 label Line 2
!
voice register pool  1
 id mac 001E.13AF.7E1B
 type 7960
 number 1 dn 1
 number 2 dn 2
 username Will password 123456
!
voice register pool  2
 id mac 001B.D4C6.C090
 type 7960
 number 1 dn 3
 number 2 dn 4
 username Millie password 123456
!
!
!
voice translation-rule 1
 rule 1 /4175209020/ /1001/
!
!
voice translation-profile INCOMING
 translate called 1
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2851 sn FTX1008C38V
username admin privilege 15 secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 description NATIVE
 encapsulation dot1Q 1 native
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/0.101
 description VOICE
 encapsulation dot1Q 101
 ip address 10.0.101.1 255.255.255.0
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 10.0.101.1
!
interface GigabitEthernet0/0.201
 encapsulation dot1Q 201
 ip address 10.0.201.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 172.17.1.130 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/1/0
 no ip address
 shutdown
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.17.1.1
!
!
!
!
!
!
tftp-server flash:/SIP/OS79XX.TXT alias OS79XX.TXT
tftp-server flash:/SIP/P003-8-12-00.bin alias P003-8-12-00.bin
tftp-server flash:/SIP/P003-8-12-00.sbn alias P003-8-12-00.sbn
tftp-server flash:/SIP/P0S3-8-12-00.loads alias P0S3-8-12-00.loads
tftp-server flash:/SIP/P0S3-8-12-00.sb2 alias P0S3-8-12-00.sb2
tftp-server flash:/SIP/xmlDefault.CNF.XML alias xmlDefault.cnf.xml
!
control-plane
!
!
!
!
mgcp profile default
!
!
dial-peer voice 1 voip
 description *** 10 Digit Calls ***
 destination-pattern [2-9]..[2-9]......
 session protocol sipv2
 session target sip-server
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
!
dial-peer voice 2 voip
 description *** 11 Digit Calls ***
 destination-pattern 1[2-9]..[2-9]......
 session protocol sipv2
 session target sip-server
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
!
dial-peer voice 3 voip
 description *** Lab Extensions ***
 destination-pattern 7......
 session protocol sipv2
 session target sip-server
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
!
dial-peer voice 100 voip
 description *** Incoming Dial-Peer ***
 session protocol sipv2
 session target sip-server
 incoming called-number .
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
!
dial-peer voice 4 voip
 destination-pattern .T
 session protocol sipv2
 session target sip-server
 incoming called-number .
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
!
dial-peer voice 200 voip
 description *** Incoming Dial-Peer ***
 translation-profile incoming INCOMING
 session protocol sipv2
 session target sip-server
 incoming called-number 4175209020
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
!
!
gateway
 timer receive-rtp 1200
!
sip-ua
 credentials username [XXXXXX] password 7 [XXXXXXXXXX] realm sip-ua.com
 authentication username [XXXXXX] password 7 [XXXXXXXXXX]
 registrar dns:proxy.sip-ua.com expires 60
 sip-server dns:proxy.sip-ua.com
!
!
!
telephony-service
 no auto-reg-ephone
 max-dn 50
 ip source-address 10.0.101.1 port 2000
 system message CCNA-VVL
 cnf-file location flash:
 load 7960-7940 P003-8-12-00
 max-conferences 4 gain -6
 web admin system name Will secret 5 $1$ikmm$mjKwOOhWVuq6Mon9neQi/0
 transfer-system full-consult
 create cnf-files version-stamp 7960 Feb 16 2015 00:33:15
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login
line aux 0
line vty 0 4
 exec-timeout 0 0
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp master
ntp server 1.pool.ntp.org
end


AllertGen
Level 3

Hello.

The source of your problem is that you don't have NAT, so Google sees that your packet comes from the 10.0.201.1 IP address. But this IP address is not reachable on the Internet.

Best Regards.

Hi AllertGen,

Thanks for looking at my config.  My home router is doing NAT and has a static route to my lab router. When I connect my lab router directly to my modem and configure NAT on it, I have the same issue.  I've also put NAT on my lab router and translated 10.0.0.0 to 172.17.1.130 for my home router and still have the same issue.

Will

Hi, Wil liam.

Can you show a traceroute with the source of your problem interface?

Best Regards.

 CME-RT#traceroute google.com source g0/0.201
Type escape sequence to abort.
Tracing the route to google.com (216.58.216.110)
VRF info: (vrf in name/id, vrf out name/id)
  1 172.17.1.1 0 msec 0 msec 0 msec
  2  *  *  *
  3  *  *  *
  ...
 28  *  *  *
 29  *  *  *
 30  *  *  *

 

Is 172.17.1.1 your home router? It looks like the problem is at the outside interface of this router or at the next hop after it. Does your home router really work as NAT for your internal network 10.0.201.0/24? Is there a firewall at the outside interfaces of the NAT router?

Best Regards.

You got it dudes!

I assumed that my home router was natting everything!

 

I added the following to my home Linux-based router:

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

 

and this happened:

CME-RT#traceroute google.com sour g0/0.201
Type escape sequence to abort.
Tracing the route to google.com (216.58.216.110)
VRF info: (vrf in name/id, vrf out name/id)
  1 172.17.1.1 4 msec 4 msec 0 msec
  2 10.167.48.1 8 msec 8 msec 4 msec
  3 dtr01ovldmo-tge-0-3-0-6.ovld.mo.charter.com (96.34.52.100) 24 msec 8 msec 12 msec
  4 bbr01olvemo-bue-4.olve.mo.charter.com (96.34.2.18) 12 msec 16 msec 8 msec
  5 bbr02chcgil-bue-2.chcg.il.charter.com (96.34.0.12) 16 msec 16 msec 12 msec
  6 prr01chcgil-bue-4.chcg.il.charter.com (96.34.3.11) 16 msec 16 msec 16 msec
  7 96-34-152-30.static.unas.mo.charter.com (96.34.152.30) 16 msec 16 msec 16 msec
  8 209.85.143.188 16 msec 24 msec 16 msec
  9 72.14.238.17 16 msec 16 msec 20 msec
 10 google.com (216.58.216.110) 12 msec 16 msec 24 msec

 

Thank you!

 

That also means I had to be misconfiguring NAT on my lab router. I'll have to look at that some more.

Is your modem set up to do NAT for the 10.0.201.x subnet?

It will also need to do NAT for your internal subnets as well as needing routes back to those internal subnets.

So you have added a route to the modem for 10.0.201.x which is why you can ping it using a source IP in the 10.0.201.x range.

But when you try pinging an internet IP it looks like your modem isn't doing NAT for that subnet.

Some modems will only do NAT for the directly connected subnet, i.e. 172.17.1.x.

If this is the case you can work around this on the router.

So have a look at the modem first and if it can't do it let us know.

Jon
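
The router-side workaround Jon mentions, as an added example that is not part of the original thread: PAT (NAT overload) on CME-RT, so the upstream device only ever sees the directly connected address 172.17.1.130. Interface names and subnets are taken from the running config in the question; the ACL name LAB-NAT is a hypothetical name chosen for this example.

```cisco
! Added example, not from the thread. LAB-NAT is a hypothetical ACL name.
! Match only the three lab subnets configured on the G0/0 subinterfaces,
! rather than translating every source address that leaves the router.
ip access-list standard LAB-NAT
 permit 10.0.1.0 0.0.0.255
 permit 10.0.101.0 0.0.0.255
 permit 10.0.201.0 0.0.0.255
!
! LAN-facing subinterfaces are the NAT inside.
interface GigabitEthernet0/0.1
 ip nat inside
!
interface GigabitEthernet0/0.101
 ip nat inside
!
interface GigabitEthernet0/0.201
 ip nat inside
!
! The link toward 172.17.1.1 is the NAT outside.
interface GigabitEthernet0/1
 ip nat outside
!
! Overload (PAT) all matched sources onto the G0/1 address, 172.17.1.130.
ip nat inside source list LAB-NAT interface GigabitEthernet0/1 overload
```

To check it, send traffic from a host in one of the lab subnets and look for the corresponding entries in `show ip nat translations`. With this in place the upstream device no longer needs NAT rules or return routes for the 10.0.x.x subnets.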