Cannot route between WAN Subinterface with dot1q and Public IPs on Vlan1

shawntaylor17
Level 1

Hi All

 

I'm using an ISR1100 Router on a Leased Line. I'm having an issue where devices on the "LAN" side can communicate out to the internet via a default static route. The issue I'm experiencing is that inbound traffic to a VPN server is not getting any further than the Cisco router.

 

I have the following

WAN

Sub-interface 0/0/1.4094

Encapsulation dot1q 4094 (ISP use this VLAN)

IP xxx.xxx.xxx.133

IP route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.132

Internet access works 

 

LAN

vlan1

IP Address: xxx.xxx.xxx.129

 

I have a device connected to Physical Interface 0/1/0 with the following Public Static IP: xxx.xxx.xxx.130

I'm unable to communicate with this device from the internet.

 

From the Cisco console I can ping xxx.xxx.xxx.130

From the device itself I can ping xxx.xxx.xxx.129 and xxx.xxx.xxx.133 and Internet addresses.

 

Any help with what is going on here would be greatly appreciated. 

 

I've reset the router and have gone back to basics, the config is as follows:

 


!
!
multilink bundle-name authenticated
!
!
!

!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.4094
encapsulation dot1Q 4094
ip address xx.xxx.xxx.133 xxx.xxx.xxx.xxx
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Vlan1
ip address xxx.xxx.xxx.129 xxx.xxx.xxx.xxx
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.132
!
!
!
!
!
!

 

All ports are members of vlan1.

 

Thank you in advance

17 Replies

Unfortunately I only have the one device connected currently. I'm wanting to get this working before migrating the other devices.

This is a very interesting problem. If I am understanding correctly your device can ping addresses in the Internet successfully. This would seem to eliminate routing issues as the source of the problem. You have told us that 

I can even ping aaa.bbb.ccc.129 from any internet device but not able to ping aaa.bbb.ccc.130.

So the Internet routing is correct to reach your subnet from outside.

 

If traffic initiated from inside to outside is successful but traffic initiated from outside to inside fails then I can think of a couple possible causes: 1) something is doing stateful inspection allowing inside traffic out and accepting response traffic but denying traffic outside to inside. 2) some type of entry is created as traffic goes out and allows response traffic, but it times out and does not allow traffic outside to inside.

 

1) if traffic from Internet is able to access the router interface address then it seems that it is not a stateful inspection issue. So we are looking at table entries that time out. Probably the more obvious choice might be the arp table on the router. Can you post the output of show arp (or perhaps show ip arp)?

 

I also wonder if you turn on debug for arp and let it run a bit what output might tell us.

 

It also occurs to me that it would be interesting to do a test where you coordinate between a device in the Internet and the router/server. Have the server ping the device in the Internet (we assume this would be successful) and immediately have the Internet device attempt to access the server.

 

HTH

 

Rick
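To act on the suggestion above (check whether the router's ARP entries for the hosts involved exist, are complete and sit on the expected interface), here is an added helper that is not part of the thread or any Cisco tool: it parses `show ip arp` output and reports missing, Incomplete or misplaced entries. The sample output is constructed, using the 203.0.113.0/24 documentation range in place of the masked xxx.xxx.xxx.x addresses, with the .130 host shown as Incomplete to illustrate the failure case.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of `show ip arp` output (not from the thread). Addresses
# use the 203.0.113.0/24 documentation range; .130 is deliberately Incomplete.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.129           -   0011.2233.4455  ARPA   Vlan1
Internet  203.0.113.130           0   Incomplete      ARPA
Internet  203.0.113.132           3   0011.2233.8899  ARPA   GigabitEthernet0/0/1.4094
Internet  203.0.113.133           -   0011.2233.4455  ARPA   GigabitEthernet0/0/1.4094
"""


class ArpEntry(NamedTuple):
    address: str
    age_min: Optional[int]      # None for '-' (the router's own interface address)
    mac: Optional[str]          # None when IOS shows the entry as Incomplete
    interface: Optional[str]    # None for Incomplete entries (IOS leaves it blank)


# Address, age ('-' or minutes), hardware addr or 'Incomplete', type, optional interface.
_LINE = re.compile(r"^Internet\s+(\S+)\s+(-|\d+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_show_ip_arp(text: str) -> Dict[str, ArpEntry]:
    """Return a mapping of IP address -> ArpEntry, skipping header/blank lines."""
    entries: Dict[str, ArpEntry] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        addr, age, hw, _type, iface = m.groups()
        entries[addr] = ArpEntry(
            address=addr,
            age_min=None if age == "-" else int(age),
            mac=None if hw.lower() == "incomplete" else hw,
            interface=iface,
        )
    return entries


def check_arp(entries: Dict[str, ArpEntry], expected: Dict[str, str]) -> List[str]:
    """expected maps IP -> interface it should be learned on; returns findings (empty = OK)."""
    findings = []
    for ip, iface in expected.items():
        e = entries.get(ip)
        if e is None:
            findings.append(f"{ip}: no ARP entry (router has never resolved this host)")
        elif e.mac is None:
            findings.append(f"{ip}: ARP entry Incomplete (host is not answering ARP)")
        elif e.interface != iface:
            findings.append(f"{ip}: learned on {e.interface}, expected {iface}")
    return findings
```

Paste the real `show ip arp` output in place of the sample and run `check_arp` with the .130 host on Vlan1 and the ISP gateway (.132) on the dot1q sub-interface; an Incomplete or missing .130 entry points at the ARP timing-out hypothesis rather than at routing.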


What do you have as a VPN server? A Windows machine?