NAT problems from VLANs on Cisco router

I have a Cisco 1710 router and a Netgear FS526T switch.

After a while I've been able to sort most of the configuration out, but there's something that does not quite work properly.

I use the switch to create port-based VLANs. All the ports but one are untagged. The last port in the switch uses 802.1Q VLAN tagging and belongs to all the VLANs.

That port is connected to the FastEthernet interface on the Cisco.

Up to here, everything is fine. I can connect machines to different ports and they can all access the router, but when I try to access the internet there is strange behaviour: VLAN 1 works normally and at full speed. The other VLANs experience problems accessing some web sites.

I can trace a route, query a DNS server, even download web pages from some sites (e.g. Microsoft or Coca-Cola), but not others (like Google or AltaVista).

I'll paste a bit of configuration to see if anyone can find my mistake.
(I found a web page with the same problem but no solution:
http://www.groupstudy.com/archives/associate/200104/msg00325.html)

interface Ethernet0
 ip address XX.XX.XX.XX 255.255.255.248
 ip nat outside
 half-duplex
!
interface FastEthernet0
 no ip address
 ip nat inside
 speed 100
 full-duplex
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 192.168.37.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 172.16.22.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 ip address 172.16.24.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 110 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
no ip http server
no ip http secure-server
!

access-list 110 permit ip 192.168.37.0 0.0.0.255 any
access-list 110 permit ip 192.168.47.0 0.0.0.255 any
access-list 110 permit ip 172.16.0.0 0.0.255.255 any
access-list 110 permit ip 172.17.0.0 0.0.255.255 any

Thanks
Asked by ralonso

lrmoore commented:
Correct. You'd have to add an access-list for every sub-interface.

access-list 111 remark VLAN 37: allow the gateway itself, block other private nets, permit the rest
access-list 111 permit ip 192.168.37.0 0.0.0.255 host 192.168.37.1
access-list 111 deny ip 192.168.37.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 111 deny ip 192.168.37.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 111 permit ip 192.168.37.0 0.0.0.255 any

access-list 112 remark VLAN 38: same pattern
access-list 112 permit ip 192.168.38.0 0.0.0.255 host 192.168.38.1
access-list 112 deny ip 192.168.38.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 112 deny ip 192.168.38.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 112 permit ip 192.168.38.0 0.0.0.255 any

Interface FastEthernet 0/0.37
 encapsulation dot1Q 37
 ip address 192.168.37.1 255.255.255.0
 ip nat inside
 ip access-group 111 in
!
Interface FastEthernet 0/0.38
 encapsulation dot1Q 38
 ip address 192.168.38.1 255.255.255.0
 ip nat inside
 ip access-group 112 in
!
<etc>
lrmoore commented:
Are you connecting to a DSL modem?

Try adjusting the MTU on the Ethernet interface

Interface ethernet 0
 mtu 1492

ralonso (author) commented:
Yes, Ethernet0 is connected via crossover cable to a DSL modem.

I'll probably try it on Monday, but it is extremely weird that machines in VLAN 1 can access everything normally while people in the other VLANs experience problems.

By the way, a quick one on ACLs.
I want all VLANs to be routed to the internet, but to no other VLAN.
What kind of ACLs should I set? I have 26 different subnets:
192.168.37.0/24
192.168.47.0/24
and a bunch of subnetted 172.16.x.0/24 and 172.17.y.0/24 networks.

I have the vague feeling I should deny access to each one of those networks on the inside (FastEthernet) interface, but I'm not sure how to do it.

Thanks.

Pascal666 commented:
Some IOS versions have problems when you create a subinterface for the native VLAN. Do this instead:

interface FastEthernet0
 ip address 192.168.37.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface FastEthernet0.2
 encapsulation dot1Q 2
etc...

-Pascal
Pascal666 commented:
For your access lists, it would be easier to just have one access-list and use it on all interfaces, such as:

access-list 120 remark one list shared by all VLAN subinterfaces (110 is already the NAT source list)
access-list 120 deny ip any 192.168.0.0 0.0.255.255
access-list 120 deny ip any 172.16.0.0 0.15.255.255
access-list 120 permit ip any any

Also note that not all 172.x.x.x networks are non-routable.

-Pascal
ralonso (author) commented:
Pascal666, initially I had tried what you propose:

interface FastEthernet0
 ip address 192.168.37.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 172.16.22.1 255.255.255.0
 ip nat inside
!
etc...

But it didn't work.

Then I tried again with:
interface FastEthernet0
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 192.168.37.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 172.16.22.1 255.255.255.0
 ip nat inside
!
etc...
But still the same.

While using the first option, the router was receiving untagged packets for VLAN 1 and tagged packets for all other VLANs.
I changed to an all-tagged scenario because I believed that handling both tagged and untagged packets might confuse it, but it made no difference.

I'll try it all tomorrow (the setup is at a remote site).
Regarding the MTU, I'll also try it, but I don't know if it will have any effect. I've seen a lot of references to it when using PPPoE, but I am using PPPoA. The DSL router does all the authentication and bridging, so there should be no need for it.

Cheers
ralonso (author) commented:
Well, some updates.

The MTU did not work:
waterfront(config)#int ethernet 0
waterfront(config-if)#mtu 1492
% Interface Ethernet0 does not support user settable mtu.

Same thing for FastEthernet0 or FastEthernet0.2.

Regarding the other suggestion, I deleted the interface FastEthernet0.1 (native)
and tried with no IP address on FastEthernet0 and only the subinterfaces other than 0.1 having IP addresses: no luck.
Finally I reverted to:

interface FastEthernet0
 ip address 192.168.37.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface FastEthernet0.2
 encapsulation dot1Q 2
etc...

It definitely seems to have something to do with the native VLAN ID.
My switch has this feature, and when I tried to put all ports in VLAN 1 untagged, except for the one that links to the router, which was tagged,
and then set the router's port on the switch to use 2 as the default port VLAN ID for untagged packets, machines stopped connecting properly to the internet.
I believe the router must be sending untagged packets to the switch.

any further ideas?
Pascal666 commented:
The correct command is "ip mtu 1492"

-Pascal
ralonso (author) commented:
Well, anyway, I found what it was.

In the end it had nothing to do with the default VLAN ID or MTUs.

I had to disable route-cache on the external interface. As soon as I did it, everything started working properly.

Thanks for the help. By the way, the help with the ACLs came in handy (saved me a lot of time).
I had to create a different access-list per subinterface; otherwise the devices in the subnet were not able to communicate with the router.

Cheers
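The inter-VLAN isolation ACLs discussed in this thread, as an added example that is not code from the thread or from Cisco: a small Python script that generates an inbound ACL per VLAN subinterface and evaluates Cisco-style wildcard-mask ACLs against sample flows. It assumes contiguous wildcard masks, the three RFC 1918 ranges as the "private" set, a gateway address of 172.16.22.1 for VLAN 2, and constructed sample flows (203.0.113.5 stands in for an Internet host). It shows why one shared list applied inbound on every subinterface also denies hosts their own gateway (an inbound ACL filters packets addressed to the router itself), which matches what the author ran into, and it renumbers the shared list to 120 because 110 is already the NAT source list.

```python
"""Generate and evaluate IOS-style extended ACLs for "VLANs reach the Internet,
not each other". Added example, not code from the thread or from Cisco.
Assumes contiguous wildcard masks and the RFC 1918 ranges; the gateway
address and the sample flows in demo() are constructed."""
import ipaddress

PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]   # RFC 1918


def wildcard(cidr):
    """Cisco wildcard mask is the inverted netmask: /24 -> 0.0.0.255."""
    return str(ipaddress.ip_network(cidr).hostmask)


def acl_isolating(number, subnet, gateway):
    """Inbound ACL for one VLAN subinterface: hosts may talk to their own
    gateway (the inbound ACL also filters packets addressed to the router),
    not to any other private range, and to anything else (the Internet)."""
    net = ipaddress.ip_network(subnet)
    src = f"{net.network_address} {net.hostmask}"
    lines = [f"access-list {number} remark {subnet} Internet only",
             f"access-list {number} permit ip {src} host {gateway}"]
    for p in PRIVATE:
        pn = ipaddress.ip_network(p)
        lines.append(f"access-list {number} deny ip {src} "
                     f"{pn.network_address} {pn.hostmask}")
    lines.append(f"access-list {number} permit ip {src} any")
    return lines


def _wild_to_net(addr, wild):
    """'192.168.0.0 0.0.255.255' -> 192.168.0.0/16 (contiguous masks only)."""
    w = int(ipaddress.IPv4Address(wild))
    net = ipaddress.ip_network(f"{addr}/{32 - bin(w).count('1')}", strict=False)
    if int(net.hostmask) != w:
        raise ValueError(f"non-contiguous wildcard {wild}")
    return net


def _addr(tokens):
    """Consume one source/destination spec: any | host A | A WILDCARD."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return _wild_to_net(tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries handled: {line}")
        src, rest = _addr(t[4:])
        dst, _ = _addr(rest)
        rules.append((action, src, dst))
    return rules


def evaluate(rules, src_ip, dst_ip):
    """First match wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in rules:
        if s in src and d in dst:
            return action
    return "deny"


# The thread's single shared ACL, with the protocol keyword it needs and
# renumbered to 120 so it does not collide with the NAT source list 110.
SHARED_ACL = [
    "access-list 120 deny ip any 192.168.0.0 0.0.255.255",
    "access-list 120 deny ip any 172.16.0.0 0.15.255.255",
    "access-list 120 permit ip any any",
]


def demo():
    """Compare the shared ACL with a per-VLAN ACL for VLAN 2 (172.16.22.0/24).
    Returns {flow: (shared_verdict, per_vlan_verdict)} for constructed flows."""
    shared = parse_acl(SHARED_ACL)
    per_vlan = parse_acl(acl_isolating(112, "172.16.22.0/24", "172.16.22.1"))
    cases = {                                   # constructed sample flows
        "to_gateway":    ("172.16.22.10", "172.16.22.1"),
        "to_other_vlan": ("172.16.22.10", "192.168.37.20"),
        "to_internet":   ("172.16.22.10", "203.0.113.5"),
    }
    return {k: (evaluate(shared, *v), evaluate(per_vlan, *v)) for k, v in cases.items()}


if __name__ == "__main__":
    print("\n".join(acl_isolating(112, "172.16.22.0/24", "172.16.22.1")))
    for flow, (shared, per_vlan) in demo().items():
        print(f"{flow:14s} shared={shared:6s} per-vlan={per_vlan}")
```

Running it prints the generated list for VLAN 2 and then the verdicts: the shared list denies the host-to-gateway flow (172.16.22.1 falls inside 172.16.0.0/12) while the per-VLAN list permits it, both deny the cross-VLAN flow, and both permit the Internet-bound flow. For the 26 subnets in the question, call acl_isolating once per VLAN with its own list number and gateway, then apply each with "ip access-group N in" on that subinterface.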