• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1948

Can't ping outside when sourcing from sub-interface

I'm having trouble bringing up a VLAN on a Cisco 2811 router.  I've created a new VLAN on the router and Catalyst switch.  I can plug into the switch and grab an IP address on the correct VLAN (VLAN 45).  From the laptop I can ping the VLAN 45 gateway of 192.168.20.1, the outside interface of the router, and the ISP router.  However, I cannot ping beyond that or get Internet access for this VLAN.  Everything else works fine.

From the router CLI I can ping an outside DNS server.  I can source the ping from the native VLAN sub-interface of 172.20.0.1 and ping an outside DNS server.  When I source the ping from the VLAN 45 sub-interface of 192.168.20.1 I get no reply.

I've tried removing all access-lists from the interfaces and nothing.  Not sure what is going on here.
Router.txt
Asked by: jplagens
2 Solutions
 
theras2000 commented:
Are you sure you can ping the ISP's router from your wlan laptop?  I see you setting 'ip nat inside' on your data and wlan subinterfaces, but the nat rule 100 only allows the data vlan.  I'm still going through this slowly, but that's the 1st thing that I spotted.
 
unfragmented commented:
Agree with the previous poster.  Your NAT configuration has a route-map on it, which only permits traffic matching ACL 100 to use the NAT.  You need to let your new vlan also use the NAT.

The following line should do it:

access-list 100 permit ip 192.168.20.0 0.0.0.255 any
 
jplagens (Author) commented:
I appreciate the help.  Adding the line above worked.

I guess I need to hit the books.  I do have a question because I'm confused on why access-list 100 was blocking the new subnet.  I was under the impression that an access-list only filtered when it was applied to an interface.  For example access-list 105 is applied to Fast Eth 0/0.  Since I didn't see access-lists 101, 102, 103, and 104 applied on any interfaces I didn't think they were applicable.  Does the "ip nat inside/outside" statement on an interface somehow assume access-list 100?  Even in the route map.  The route map is named "SDM_RMAP_1" and it's not applied anywhere that I can see.
 
theras2000 commented:
It's your nat inside source command that links it to ACL 100:
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
That's normal.  You always need an ACL for NAT.
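As an added example (not code from this thread, and not a Cisco tool), the check below turns the two answers above into an audit script: it parses an IOS-style config, follows `ip nat inside source` through its route-map to the `match ip address` ACL, and lists every subnet on an `ip nat inside` interface that no permit entry of that ACL covers. Such a subnet is exactly the VLAN 45 symptom here: the packets leave the WAN interface with a private source address and the reply never comes back. The config text, interface names and addresses are constructed for the example; only the route-map name SDM_RMAP_1, ACL 100, the two inside subnets and the fix line come from the thread.

```python
"""Audit an IOS-style config: every 'ip nat inside' subnet must be permitted by the
ACL that 'ip nat inside source' uses, directly (source list N) or via a route-map."""
import ipaddress
import re

# Constructed sample config (not the poster's Router.txt). It reproduces the thread:
# VLAN 45 is 'ip nat inside', but ACL 100, reached through route-map SDM_RMAP_1,
# only permits the 172.20.0.0/16 data VLAN. The WAN address is a documentation prefix.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 172.20.0.1 255.255.0.0
 ip nat inside
!
interface FastEthernet0/1.45
 encapsulation dot1Q 45
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
access-list 100 permit ip 172.20.0.0 0.0.255.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
"""

# The fix suggested in the thread, appended to the sample.
FIXED_CONFIG = SAMPLE_CONFIG + "access-list 100 permit ip 192.168.20.0 0.0.0.255 any\n"


def _blocks(config):
    """Yield (header line, [stripped indented body lines]) for each top-level block."""
    header, body = None, []
    for line in config.splitlines() + ["!"]:   # trailing '!' flushes the last block
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                yield header, body
            header, body = line.strip(), []


def inside_subnets(config):
    """Map each 'ip nat inside' interface name to its connected IPv4 subnet."""
    found = {}
    for header, body in _blocks(config):
        if not header.startswith("interface "):
            continue
        addr = next((b for b in body if b.startswith("ip address ")), None)
        if addr and "ip nat inside" in body:
            ip, mask = addr.split()[2:4]
            found[header.split(None, 1)[1]] = ipaddress.ip_interface(f"{ip}/{mask}").network
    return found


def nat_source_acls(config):
    """ACL ids the NAT statement uses: named directly with 'source list', or taken from
    the 'match ip address' clauses of the route-map named with 'source route-map'."""
    acls, route_maps = [], []
    for m in re.finditer(r"^ip nat inside source (list|route-map) (\S+)", config, re.M):
        (acls if m.group(1) == "list" else route_maps).append(m.group(2))
    for header, body in _blocks(config):
        parts = header.split()
        if len(parts) >= 3 and parts[0] == "route-map" and parts[1] in route_maps and parts[2] == "permit":
            for b in body:
                if b.startswith("match ip address "):
                    acls.extend(b.split()[3:])
    return acls


def acl_permitted_sources(config, acl_id):
    """Source networks of the 'permit ip' entries in numbered ACL acl_id. Deny entries
    and non-ip protocols are skipped; a deny placed above a permit still needs a look."""
    nets = []
    for m in re.finditer(rf"^access-list {re.escape(acl_id)} permit ip (.+)$", config, re.M):
        tokens = m.group(1).split()
        if tokens[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif tokens[0] == "host":
            nets.append(ipaddress.ip_network(f"{tokens[1]}/32"))
        else:
            # IOS wildcard masks are inverted netmasks; invert explicitly so that a
            # 0.0.0.0 wildcard (one host) and 255.255.255.255 (any) are read correctly.
            netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
            nets.append(ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False))
    return nets


def uncovered_inside_subnets(config):
    """(interface, subnet) pairs whose subnet no NAT ACL permit entry covers."""
    permits = [n for acl in nat_source_acls(config) for n in acl_permitted_sources(config, acl)]
    return sorted((name, str(net)) for name, net in inside_subnets(config).items()
                  if not any(net.subnet_of(p) for p in permits))


if __name__ == "__main__":
    for label, cfg in (("before fix", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(f"{label}: uncovered inside subnets = {uncovered_inside_subnets(cfg)}")
```

Run as-is it reports FastEthernet0/1.45 with 192.168.20.0/24 as uncovered for the sample and nothing once the extra permit line is present. The same check answers the author's question about why an ACL that is on no interface still matters: the script never looks at interface ACLs at all, only at the chain `ip nat inside source` → route-map → `match ip address` → ACL, because that is the path through which ACL 100 decides which inside sources get translated.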
