08-16-2014 11:20 AM - edited 03-07-2019 08:24 PM
I just purchased a Cisco 1941 ISR for my home lab and I'm running into a problem with getting all my devices behind it to get to the internet. Below is a layout of my network.
I have 7 VLANs on an SG300-20 layer 3 switch. The switch is connected to my 1941 ISR. I have cable, my ISP is Comcast, and they provide a cable modem/router as well. Unfortunately I cannot get rid of this device and I cannot turn off the routing functionality; however, I don't actually think that this device itself is causing any problems with the way I have it set up. I have a block of 5 static IPs from my ISP. I've used one of them as the IP address of my WAN link (G0/1), while the other interface is connected to my LAN (G0/0).
I have interVLAN networking working just fine. I'm able to ping any VLAN gateway and/or host from any other device (this includes my switch and ISR). From my switch or any device behind it, I can ping the switch (10.1.8.1), I can ping my router (10.1.8.2), and I can even ping my router's WAN link (75.148.101.25). However, I cannot ping Comcast's router (75.148.101.30). What is weird is that I can SSH into my ISR (which I can do from any device) and the Cisco router can ping the Comcast router and the outside world.
If I try to ping 75.138.101.30 (Comcast external IP) from my switch or any device behind it, I get no response. If I try to ping 75.138.101.30 (Comcast external IP) from the Cisco 1941 I get a response.
To me this looks like a problem with the Cisco router. It knows where to forward traffic but is refusing to do so for anything that does not originate from the router itself.
Very lost at this point and looking for help.
Thanks,
Joshua
08-17-2014 12:26 AM
You need nat inside and nat outside and more.
08-17-2014 04:35 AM
I've already done that:
interface GigabitEthernet0/0
description WAN link
ip address 75.148.101.25 255.255.255.248
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
description LAN link
ip address 10.1.8.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
08-17-2014 04:42 AM
Hi Joshua,
Can you send me your NAT access list?
I believe you have not added the VLAN subnets to the NAT access list.
If you provide your full config, it will be helpful to solve the problem easily.
Are you using an SG300 switch or some other model?
Thanks,
Cyril
08-17-2014 05:18 AM
Sure, no problem, happy to provide the full config. I'm very new to networking and just getting started. What command do I need to run to show the NAT access list?
raynor#show running-config
Building configuration...
Current configuration : 1827 bytes
!
! Last configuration change at 23:18:53 UTC Sat Aug 16 2014 by jschaeffer
! NVRAM config last updated at 23:20:33 UTC Sat Aug 16 2014 by jschaeffer
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname raynor
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $6$t7$FHadfus1vHhykVc2QolPwTz/
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name harmonywave.com
ip name-server 75.75.75.75
ip name-server 75.75.75.76
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1941/K9 sn FGL172610ZP
!
!
username jschaeffer secret 5 $1$IQxQ$DtfZuO78mBeiEbsVD95Afq1
username ckrupa one-time secret 5 $1$HAnq$$faaybor7t7wqewOqFLm9u0
!
!
ip ssh version 2
!
!
!
!
interface GigabitEthernet0/0
description WAN link
ip address 75.148.101.25 255.255.255.248
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
description LAN link
ip address 10.1.8.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 75.148.101.30
ip route 10.1.10.0 255.255.255.224 10.1.8.1
ip route 10.1.10.32 255.255.255.224 10.1.8.1
ip route 10.1.10.64 255.255.255.192 10.1.8.1
ip route 10.1.11.0 255.255.255.0 10.1.8.1
ip route 10.1.12.0 255.255.255.0 10.1.8.1
ip route 10.1.15.0 255.255.255.0 10.1.8.1
!
!
no cdp run
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
scheduler allocate 20000 1000
end
08-17-2014 05:33 AM
I don't see a NAT access-list here, which must include all your VLAN networks.
08-17-2014 06:49 AM
Thanks, this really helped. I followed this article to set up NAT in my network: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html
Specifically, I followed the section titled "Configuring NAT to Allow Internal Users to Access the Internet Using Overloading".
I set up an access list for one of my VLANs and I was able to access the internet. I'll set up the other VLAN networks as well, but it looks like this was my problem.
Thanks again,
Joshua
08-17-2014 05:57 AM
Hi Joshua,
Here is the config you need to add:
access-list 101 permit ip 10.1.10.0 0.0.0.31 any
access-list 101 permit ip 10.1.10.32 0.0.0.31 any
access-list 101 permit ip 10.1.10.64 0.0.0.63 any
access-list 101 permit ip 10.1.11.0 0.0.0.255 any
access-list 101 permit ip 10.1.12.0 0.0.0.255 any
access-list 101 permit ip 10.1.15.0 0.0.0.255 any
then
ip nat inside source list 101 interface GigabitEthernet0/0 overload
thanks
cyril
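The check behind this fix, as an added example that is not part of the original thread: a Python script that reads an IOS config and lists the statically routed inside subnets that the NAT overload ACL does not cover. The sample config is constructed from the routes and ACL posted above with the 10.1.12.0 entry deliberately omitted, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: static routes from the posted config plus the ACL from
# the reply above, with the 10.1.12.0/24 permit left out on purpose.
SAMPLE_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 75.148.101.30
ip route 10.1.10.0 255.255.255.224 10.1.8.1
ip route 10.1.10.32 255.255.255.224 10.1.8.1
ip route 10.1.10.64 255.255.255.192 10.1.8.1
ip route 10.1.11.0 255.255.255.0 10.1.8.1
ip route 10.1.12.0 255.255.255.0 10.1.8.1
ip route 10.1.15.0 255.255.255.0 10.1.8.1
access-list 101 permit ip 10.1.10.0 0.0.0.31 any
access-list 101 permit ip 10.1.10.32 0.0.0.31 any
access-list 101 permit ip 10.1.10.64 0.0.0.63 any
access-list 101 permit ip 10.1.11.0 0.0.0.255 any
access-list 101 permit ip 10.1.15.0 0.0.0.255 any
ip nat inside source list 101 interface GigabitEthernet0/0 overload
"""

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)$", re.M)
NAT_RE = re.compile(r"^ip nat inside source list (\d+) interface \S+ overload$", re.M)

def inside_routes(config):
    """Static routes other than the default route, as IPv4Network objects."""
    nets = [ipaddress.ip_network(f"{p}/{m}") for p, m, _ in ROUTE_RE.findall(config)]
    return [n for n in nets if n.prefixlen > 0]

def nat_permits(config):
    """Source networks permitted by the ACL the NAT overload rule references."""
    m = NAT_RE.search(config)
    if not m:
        return []  # no overload rule, so nothing is translated
    acl_re = re.compile(rf"^access-list {m.group(1)} permit ip (\S+) (\S+) any$", re.M)
    # ip_network() accepts a contiguous wildcard mask as a host mask
    return [ipaddress.ip_network(f"{a}/{w}") for a, w in acl_re.findall(config)]

def untranslated(config):
    """Routed inside subnets that no permit entry of the NAT ACL covers."""
    permits = nat_permits(config)
    return [str(r) for r in inside_routes(config)
            if not any(r.subnet_of(p) for p in permits)]

if __name__ == "__main__":
    print(untranslated(SAMPLE_CONFIG))
```

Only static routes are checked, so a directly connected inside network such as the router's LAN link has to be reviewed separately.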
08-17-2014 06:55 AM
Thanks, I just did that and it worked.