VLAN cannot access internet but can ping 8.8.8.8

chriswong62141
Level 1

Dear all,

I have a problem. I have a Cisco router connected to another site by IPsec. From the Cisco, VLAN 100 works properly, but VLAN 101 does not. Through VLAN 101, I can ping 8.8.8.8, but cannot resolve google.com, so I cannot access the website.

The conf:

ip dhcp pool VLAN100
network 192.168.200.0 255.255.255.128
default-router 192.168.200.1
dns-server 172.25.36.2 172.25.36.9
lease 7
!
ip dhcp pool VLAN101
network 192.168.201.0 255.255.255.0
default-router 192.168.201.1
dns-server 172.25.36.2 172.25.36.9
lease 7
!
interface Tunnel1
ip unnumbered Vlan100
ip access-group IPsec-in in
ip access-group IPsec-out out
tunnel source 201.155.211.114
tunnel mode ipsec ipv4
tunnel destination 221.241.162.33
tunnel protection ipsec profile IPsecProfile
!

interface GigabitEthernet0/0/0
ip address 201.155.211.114 255.255.255.248
ip nat outside
speed 1000
no negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
switchport access vlan 101
switchport mode access
!
interface Vlan1
no ip address
!
interface Vlan100
ip address 192.168.200.1 255.255.255.128
ip nat inside
!
interface Vlan101
ip address 192.168.201.1 255.255.255.0
ip nat inside
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
! default next hop must be on the GigabitEthernet0/0/0 subnet (201.155.211.112/29)
ip route 0.0.0.0 0.0.0.0 201.155.211.113
ip route 172.25.36.0 255.255.255.128 Tunnel1
!
!
ip access-list extended IPsec-in
10 permit ip any 192.168.200.0 0.0.0.127
20 permit ip any 192.168.201.0 0.0.0.255
30 permit tcp host 172.25.36.68 host 192.168.200.254 eq telnet
40 permit tcp host 172.25.36.90 host 192.168.200.254 eq telnet
ip access-list extended IPsec-out
10 permit ip any any
!
ip access-list standard 1
10 permit 192.168.200.0 0.0.0.127
20 permit 192.168.201.0 0.0.0.255

 

Where did I config wrongly? Thank you very much!
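Before blaming the far end, it is worth checking the three local-side things each VLAN needs for DNS across the tunnel: an entry in the NAT source list, a route to the DNS servers that points into Tunnel1, and a permit in the tunnel's inbound ACL for the replies coming back to that subnet. The script below is an added example, not from this thread and not Cisco tooling: it parses the posted config fragments with Python's standard ipaddress module and reports those facts for every `ip nat inside` subnet, plus a caveat flag for `permit ip any <subnet>` entries, which admit anything the peer forwards into the tunnel. Assumptions: the ACL name IPsec-in and the DNS addresses are taken from the post; the ACL grammar handled is only `any`, `host X` and `X wildcard` with no port qualifiers; a route counts as "via the tunnel" when its next hop is an interface whose name begins with Tunnel.

```python
import ipaddress

# Constructed input: the relevant lines of the config posted above (DHCP pools, switchport
# and tunnel sub-commands omitted; nothing added).
SAMPLE_CONFIG = """\
interface Vlan100
ip address 192.168.200.1 255.255.255.128
ip nat inside
!
interface Vlan101
ip address 192.168.201.1 255.255.255.0
ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 201.155.211.113
ip route 172.25.36.0 255.255.255.128 Tunnel1
ip access-list extended IPsec-in
10 permit ip any 192.168.200.0 0.0.0.127
20 permit ip any 192.168.201.0 0.0.0.255
30 permit tcp host 172.25.36.68 host 192.168.200.254 eq telnet
ip access-list standard 1
10 permit 192.168.200.0 0.0.0.127
20 permit 192.168.201.0 0.0.0.255
"""
ANY = ipaddress.ip_network("0.0.0.0/0")
# commands that open a new context; anything else is a sub-command of the current one
TOP_LEVEL = (["interface"], ["ip", "access-list"], ["ip", "route"], ["ip", "nat", "inside", "source"])

def wildcard_net(addr, wildcard):
    """IOS 'address wildcard' -> IPv4Network (wildcard bits are the inverted mask)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def take_addr(tokens):
    """Consume one ACL address spec: 'any' | 'host X' | 'X WILDCARD' (port qualifiers not parsed)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_net(tokens[0], tokens[1]), tokens[2:]

def parse_config(text):
    cfg = {"ifaces": [], "acls": {}, "routes": [], "nat_acl": None}
    ctx = None  # interface dict being filled, or the name of the ACL being filled
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if any(t[:len(k)] == k for k in TOP_LEVEL):
            ctx = None
            if t[0] == "interface":
                ctx = {"name": t[1], "net": None, "nat_inside": False}
                cfg["ifaces"].append(ctx)
            elif t[1] == "access-list":
                ctx = t[3]
                cfg["acls"][ctx] = []
            elif t[1] == "route":
                cfg["routes"].append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
            elif t[4] == "list":
                cfg["nat_acl"] = t[5]
        elif isinstance(ctx, dict):  # interface sub-commands
            if t[:2] == ["ip", "address"]:
                ctx["net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            elif t[:3] == ["ip", "nat", "inside"]:
                ctx["nat_inside"] = True
        elif isinstance(ctx, str):  # ACL entry: [seq] permit|deny [proto] src [dst] [ports]
            seq = t.pop(0) if t[0].isdigit() else None
            if t[0] not in ("permit", "deny"):
                continue
            extended = t[1] in ("ip", "tcp", "udp", "icmp")
            proto, rest = (t[1], t[2:]) if extended else ("ip", t[1:])
            src, rest = take_addr(rest)
            dst = take_addr(rest)[0] if extended else ANY  # standard ACLs match source only
            cfg["acls"][ctx].append({"seq": seq, "action": t[0], "proto": proto, "src": src, "dst": dst})
    return cfg

def route_for(cfg, addr):
    """Longest-prefix match over the static routes: next hop / exit interface, or None."""
    hits = [r for r in cfg["routes"] if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def check_subnet(cfg, subnet, tunnel_acl, dns_servers):
    nat = cfg["acls"].get(cfg["nat_acl"], [])
    tun = cfg["acls"].get(tunnel_acl, [])
    dns = [ipaddress.ip_address(d) for d in dns_servers]
    return {
        # internet path: the subnet must match a permit in the NAT source list
        "natted": any(e["action"] == "permit" and subnet.subnet_of(e["src"]) for e in nat),
        # each DNS server must be routed into the tunnel rather than out the default route
        "dns_via_tunnel": all((route_for(cfg, d) or "").lower().startswith("tunnel") for d in dns),
        # replies from each DNS server must pass the tunnel's inbound ACL towards this subnet
        "dns_reply_permitted": all(any(e["action"] == "permit" and e["proto"] in ("ip", "udp")
                                       and d in e["src"] and subnet.subnet_of(e["dst"])
                                       for e in tun) for d in dns),
        # caveat: 'permit ip any <subnet>' admits anything the peer forwards into the tunnel
        "broad_tunnel_entries": [e["seq"] for e in tun if e["action"] == "permit"
                                 and e["src"] == ANY and subnet.subnet_of(e["dst"])],
    }

def audit(text=SAMPLE_CONFIG, tunnel_acl="IPsec-in", dns_servers=("172.25.36.2", "172.25.36.9")):
    cfg = parse_config(text)
    inside = [i["net"] for i in cfg["ifaces"] if i["nat_inside"] and i["net"]]
    return {str(n): check_subnet(cfg, n, tunnel_acl, dns_servers) for n in inside}
```

Calling audit() on the config as posted returns all three checks true for both 192.168.200.0/25 and 192.168.201.0/24 (and flags entries 10 and 20 of IPsec-in as broad), which is exactly why the local side does not explain the difference between the VLANs: the other router needs the mirror of this check, a route back to 192.168.201.0/24 and a permit for that subnet in whatever filters its end of the tunnel, and the accepted answer below confirms the fault was the remote-side access-list.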

Accepted Solution

chriswong62141
Level 1

Hi all,

I found the problem. I hadn't set the access-list on the other side properly. Thank you all for your kind help :)


You can ping 8.8.8.8 but have no internet. This means you have a DNS issue.

please do not forget to rate.

In fact the two VLAN configs are the same; however, one has a problem. May I know why?

Thank you!

interface Tunnel1
ip unnumbered Vlan101
ip access-group IPsec-in in
ip access-group IPsec-out out
tunnel source 201.155.211.114
tunnel mode ipsec ipv4
tunnel destination 221.241.162.33
tunnel protection ipsec profile IPsecProfile

Can you try and test with Vlan101 instead of Vlan100? As you are using Vlan100 as the ip unnumbered source, this could be playing up here.

please do not forget to rate.

Hi,

Interestingly, the situation is the same: VLAN 100 works properly while VLAN 101 can ping 8.8.8.8 but cannot access the internet.

Does the remote side have a route for VLAN 101? There is a tunnel between this router and the remote router.

To get into this in more depth, you can set up a "monitor session" with an access-list for VLAN 101 and look at the packet capture in Wireshark/tcpdump.

Embedded Packet Capture for Cisco IOS and IOS-XE Configuration Example - Cisco

Can the DNS server ping VLAN 101?

please do not forget to rate.

JimWicks
Level 1

Does the other end of your IPsec tunnel have a route back to VLAN 101 for the return DNS traffic to the clients?

Hi,

The static route was set properly on the other side.

So DNS lookups from a device on VLAN 101 are working? From the Windows command line you issue the command "ping www.cisco.com" and you see DNS servers 172.25.36.2 / 172.25.36.9 returning an IP address for the ping destination?

Hello,

Since you are using identical settings in the DHCP pools, and since the rest of the configuration looks absolutely by the book as well, in theory this should work. Can you post the output of 'ipconfig /all' from one of the clients? What clients are those anyway in Vlan 101 (e.g. Windows 10/11)?

Hi,

The ipconfig /all output:

Ethernet adapter Ethernet0:

Connection-specific DNS Suffix . : xxx
Description . . . . . . . . . . . : xxx
Physical Address. . . . . . . . . : xxx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.201.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, June 15, 2022 11:51:21 PM
Lease Expires . . . . . . . . . . : Thursday, June 16, 2022 6:51:21 PM
Default Gateway . . . . . . . . . : 192.168.201.1
DHCP Server . . . . . . . . . . . : 192.168.201.1
DNS Servers . . . . . . . . . . . : 172.25.36.2
                                    172.25.36.9
NetBIOS over Tcpip. . . . . . . . : Enabled

I tried Ubuntu, Windows 10 & 11, still the same problem.

Hi

"interface Tunnel1
ip unnumbered Vlan100
ip access-group IPsec-in in
ip access-group IPsec-out out
tunnel source 201.155.211.114
tunnel mode ipsec ipv4
tunnel destination 221.241.162.33
tunnel protection ipsec profile IPsecProfile
!"

It seems to me that what differentiates the scenarios is this config. You have a tunnel for VLAN 100 but you don't have a tunnel for VLAN 101.

The DNS servers you are using, 172.25.36.2 and 172.25.36.9, probably do not exist on the local network but exist on the other side of this tunnel. That way you can ping from both VLANs but only have internet on VLAN 100.

What you can do as a test is deliver 8.8.8.8 as the DNS server to the machines by changing your DHCP scope to:

ip dhcp pool VLAN101
network 192.168.201.0 255.255.255.0
default-router 192.168.201.1
dns-server 8.8.8.8
lease 7
Hi,

Thank you for the reply first.

In fact I know that setting the dns-server to 8.8.8.8 can solve the problem, but I'm looking for a way to use our own DNS server.

If, as you said, there is no tunnel for VLAN 101, could I clone the same config of Tunnel1 to Tunnel2 for VLAN 101 so that I could connect to the 172.25.x.x DNS server?

Thank you!

That won't fix the issue either.

What you can do is create a Loopback on the router and reference the Loopback with ip unnumbered instead of the VLAN interface.

please do not forget to rate.

Yeah, I think you can try that. This tunnel exists for a reason. I was wondering if you can add the same VLAN 101 to the same tunnel, but you need to change the other side of this tunnel as well.