Can't ping outside when sourcing from sub-interface

I'm having trouble bringing up a VLAN on a Cisco 2811 router.  I've created a new VLAN on the router and Catalyst switch.  I can plug into the switch and grab an IP address on the correct VLAN (VLAN 45).  From the laptop I can ping the VLAN 45 gateway of, the outside interface of the router, and the ISP router.  However, I cannot ping beyond that or get Internet access for this VLAN.  Everything else works fine.

From the router CLI I can ping an outside DNS server.  I can source the ping from the native VLAN sub-interface of and ping an outside DNS server.  When I source the ping from the VLAN 45 sub-interface of I get no reply.

I've tried removing all access-lists from the interfaces and nothing.  Not sure what is going on here.
Agree with the previous poster.  Your NAT configuration has a route-map on it, which only permits traffic matching ACL 100 to use the NAT.  You need to let your new VLAN also use the NAT.

The following line should do it:-

access-list 100 permit ip any
Are you sure you can ping the ISP's router from your wlan laptop?  I see you setting 'ip nat inside' on your data and wlan subinterfaces, but the nat rule 100 only allows the data vlan.  I'm still going through this slowly, but that's the 1st thing that I spotted.
jplagens (Author) commented:
I appreciate the help.  Adding the line above worked.  

I guess I need to hit the books.  I do have a question because I'm confused on why access-list 100 was blocking the new subnet.  I was under the impression that an access-list only filtered when it was applied to an interface.  For example access-list 105 is applied to Fast Eth 0/0.  Since I didn't see access-lists 101, 102, 103, and 104 applied on any interfaces I didn't think they were applicable.  Does the "ip nat inside/outside" statement on an interface somehow assume access-list 100?  Even in the route map.  The route map is named "SDM_RMAP_1" and it's not applied anywhere that I can see.
It's your nat inside source command that links it to ACL 100:
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
That's normal.  You always need an ACL for NAT.
Question has a verified solution.
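The chain the answers describe (`ip nat inside source` → route-map → ACL 100) can be checked mechanically. The script below is an added example, not code from the thread: it flags `ip nat inside` interfaces whose subnet no NAT ACL entry permits. The sample config and all addresses in it are constructed placeholders, and the check assumes numbered extended ACLs, reading only `permit ip` entries (deny lines and entry order are ignored).

```python
import ipaddress
import re

# Constructed sample config; all addresses are placeholders, not values from the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1.45
 encapsulation dot1Q 45
 ip address 192.168.45.1 255.255.255.0
 ip nat inside
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 100
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
"""

def _source_net(src):
    # ACL source forms handled: 'any', 'host A', 'NET WILDCARD' (wildcard parsed as host mask)
    src = "0.0.0.0/0" if src == "any" else src.removeprefix("host ").replace(" ", "/")
    return ipaddress.ip_network(src)

def nat_permitted_sources(config):
    """Source networks permitted by the ACLs matched in each NAT route-map."""
    nets = []
    for rmap in re.findall(r"^ip nat inside source route-map (\S+)", config, re.M):
        block = re.search(rf"^route-map {re.escape(rmap)} permit.*\n((?: .*\n)*)", config, re.M)
        for acl in re.findall(r"match ip address (\d+)", block.group(1) if block else ""):
            pattern = rf"^access-list {acl} permit ip (any|\S+ \S+) "
            nets += [_source_net(s) for s in re.findall(pattern, config, re.M)]
    return nets

def uncovered_inside_interfaces(config):
    """(interface, subnet) pairs marked 'ip nat inside' that no NAT ACL entry permits."""
    permitted = nat_permitted_sources(config)
    missing = []
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        addr = re.search(r"^ ip address (\S+) (\S+)", body, re.M)
        if addr and re.search(r"^ ip nat inside$", body, re.M):
            subnet = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}").network
            if not any(subnet.subnet_of(p) for p in permitted):
                missing.append((name, str(subnet)))
    return missing
```

On the sample, only the VLAN 45 sub-interface is reported; adding a matching `permit ip` entry for its subnet to ACL 100 clears the finding.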
