Can't ping outside when sourcing from sub-interface

Posted on 2012-09-07
Last Modified: 2012-09-12
I'm having trouble bringing up a VLAN on a Cisco 2811 router.  I've created a new VLAN on the router and Catalyst switch.  I can plug into the switch and grab an IP address on the correct VLAN (VLAN 45).  From the laptop I can ping the VLAN 45 gateway of, the outside interface of the router, and the ISP router.  However, I cannot ping beyond that or get Internet access for this VLAN.  Everything else works fine.

From the router CLI I can ping an outside DNS server.  I can source the ping from the native VLAN sub-interface of and ping an outside DNS server.  When I source the ping from the VLAN 45 sub-interface of I get no reply.

I've tried removing all access-lists from the interfaces and nothing.  Not sure what is going on here.
Question by: jplagens

    Assisted Solution

    Are you sure you can ping the ISP's router from your wlan laptop?  I see you setting 'ip nat inside' on your data and wlan subinterfaces, but the nat rule 100 only allows the data vlan.  I'm still going through this slowly, but that's the 1st thing that I spotted.

    Accepted Solution

    Agree with the previous poster.  Your NAT configuration has a route-map on it, which only permits traffic matching ACL 100 to use the NAT.  You need to let your new vlan also use the NAT.

    The following line should do it:-

    access-list 100 permit ip any

    Author Comment

    I appreciate the help.  Adding the line above worked.  

    I guess I need to hit the books.  I do have a question because I'm confused on why access-list 100 was blocking the new subnet.  I was under the impression that an access-list only filtered when it was applied to an interface.  For example access-list 105 is applied to Fast Eth 0/0.  Since I didn't see access-lists 101, 102, 103, and 104 applied on any interfaces I didn't think they were applicable.  Does the "ip nat inside/outside" statement on an interface somehow assume access-list 100?  Even in the route map.  The route map is named "SDM_RMAP_1" and it's not applied anywhere that I can see.

    Expert Comment

    It's your nat inside source command that links it to ACL 100:
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
    That's normal.  You always need an ACL for NAT.
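
The dependency described in the comments above, as an added example that is not part of the original thread: a Python check that follows `ip nat inside source route-map` to the route-map's `match ip address` ACL and reports `ip nat inside` interfaces whose subnet that ACL does not permit. The sample config is constructed (addresses and sub-interface names are assumptions); only the `SRC WILDCARD` form of ACL entries is parsed, and route-map deny clauses are not modelled.

```python
import ipaddress

# Constructed config: ACL 100 and SDM_RMAP_1 are from the thread; addresses are invented.
SAMPLE = """\
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface FastEthernet0/1.1
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1.45
 ip address 10.0.45.1 255.255.255.0
 ip nat inside
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 100
"""

def wildcard_net(src, wild):
    """Convert an ACL 'SRC WILDCARD' pair to a network (contiguous wildcards only)."""
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{src}/{mask}", strict=False)

def uncovered_nat_inside(cfg):
    """'ip nat inside' interfaces whose subnet no NAT-selecting ACL permits."""
    nat_rmaps, rmap_acls, acl_nets = set(), {}, {}
    if_net, inside, block = {}, [], None
    for line in cfg.splitlines():
        w = line.split()
        if not w:
            continue
        if not line.startswith(" "):      # top-level command: new block
            block = (w[0], w[1]) if w[0] in ("interface", "route-map") else None
            if w[:5] == ["ip", "nat", "inside", "source", "route-map"]:
                nat_rmaps.add(w[5])       # the NAT rule names its classifier
            elif len(w) >= 6 and w[0] == "access-list" and w[2:4] == ["permit", "ip"] and w[4][0].isdigit():
                acl_nets.setdefault(w[1], []).append(wildcard_net(w[4], w[5]))
        elif block and block[0] == "interface":
            if w[:2] == ["ip", "address"] and len(w) == 4:
                if_net[block[1]] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
            elif w == ["ip", "nat", "inside"]:
                inside.append(block[1])
        elif block and w[:3] == ["match", "ip", "address"]:
            rmap_acls.setdefault(block[1], set()).update(w[3:])
    permitted = [n for r in nat_rmaps for a in rmap_acls.get(r, ())
                 for n in acl_nets.get(a, ())]
    return {i: str(if_net[i]) for i in inside if i in if_net
            and not any(if_net[i].subnet_of(n) for n in permitted)}
```

On the constructed sample this flags only the VLAN 45 sub-interface; appending a permit entry for its subnet to ACL 100 clears the finding.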
