Can't access the Internet when subinterface is configured?



Hi,

I have a home lab which comprises a few routers & 2 x 2950 switches; I
use a 2611XM router with an ADSL wic to connect to the Internet. I have
been refreshing my CCNA ICND skills in preparation for studying for the
CCNA Security exam; I have set up inter-VLAN routing on my router (and
switches) which works fine, I have 2 subinterfaces FastEthernet0/0.1 for
local subnet 192.168.1.0/24 & FastEthernet0/0.10 for local subnet
192.168.10.0/24 - clients on one subnet can ping clients on the other as
expected.

My problem is that once I have this config in place no clients on either
subnet can access the internet, however I can ping external addresses from
the router. If I remove subinterface FastEthernet0/0.1 and configure
address 192.168.1.0/24 directly on FastEthernet0 then clients on that
subnet can access the Internet but clients on the FastEthernet0/0.10
subinterface still can't. It seems as though subnets connected via a
subinterface can't route through the Internet, I'm guessing this is because
the correct VLAN tag can't be added to the L2 header once the packet is
received back from the Internet? I have included: 'show ver'; 'show run';
'show ip interface brief' & 'show ip route' outputs below.

Can anyone give a solution / explanation to this behaviour?

Regards, Jason

2611XM#show ver
Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(17), RELEASE SOFTWARE (fc1)

2611XM#show running-config
Building configuration...

Current configuration : 3891 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 2611XM
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
no ip gratuitous-arps
ip cef
!
!
no ip bootp server
no ip domain lookup
ip domain name xxxxxxxxxxxxxxx
ip name-server 4.2.2.2
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
login block-for 5 attempts 5 within 5
!
username jason password 7 xxxxxxxxxxxxxxx
archive
 log config
  logging enable
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface FastEthernet0/0
ip scp server enable
!
!
interface Loopback1
 ip address 10.0.0.1 255.0.0.0
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 no cdp enable
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 no cdp enable
!
interface Serial0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
!
interface ATM0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Dialer1
 ip address negotiated
 ip access-group autosec_firewall_acl in
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect autosec_inspect out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxx
 ppp pap sent-username xxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 permit ip any any
!
logging trap debugging
logging facility local2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 permit udp any any eq bootpc
no cdp run
!
!
!
control-plane
banner motd ^CNo Unauthorised Access^C

!
end

2611XM#show ip interface brief

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up
FastEthernet0/0.1          192.168.1.1     YES NVRAM  up                    up
FastEthernet0/0.10         192.168.10.1    YES NVRAM  up                    up
Serial0/0                  unassigned      YES NVRAM  administratively down down
ATM0/1                     unassigned      YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
NVI0                       unassigned      NO  unset  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
Dialer1                    86.147.x.x      YES IPCP   up                    up
Loopback1                  10.0.0.1        YES NVRAM  up                    up


2611XM#show ip route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     217.47.x.x/32 is subnetted, 1 subnets
C       217.47.x.x is directly connected, Dialer1
     86.0.x.x/32 is subnetted, 1 subnets
C       86.147.x.x is directly connected, Dialer1
C    192.168.10.0/24 is directly connected, FastEthernet0/0.10
C    10.0.0.0/8 is directly connected, Loopback1
C    192.168.1.0/24 is directly connected, FastEthernet0/0.1
S*   0.0.0.0/0 is directly connected, Dialer1


Re: Can't access the Internet when subinterface is configured?


Hi Jason

Simply move the ip nat inside command from the main interface to both
subinterfaces (as well as all other commands beginning from ip ... as
they have no result on the main F0/0 interface when it has no ip
address) and you'll be fine.

--
Regards @ Mariusz Trojanowski @@@ slotyzmok @ narod!ru  (s <-> z)
"- Please show your tongue. Please say thirty-three. Breathe.
Don't breathe. I think, Captain, that it is not so dangerous."
[The Stormy Life of Lasik Roitschwantz]


On 12/12/2009 5:38 PM, Jason wrote:
[cut]

Re: Can't access the Internet when subinterface is configured?


["Followup-To:" set to comp.dcom.sys.cisco.]
* Jason hacked into the computer:
[...]
You added the "nat inside" stanza to an interface that has no ip. Add it
to the subinterfaces (both 0/0.1 and 0/0.10) instead and it should work.

luke
--
System administrator: the one who makes the Internet work, but whom you
mustn't ask anything about Word, because otherwise he gets angry and then
the Internet stops working again.
        --unknown, found at Peter J. Holzer's
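
As an added example (not part of either reply and not Cisco tooling), this Python check parses an IOS running-config and reports what both replies identified: `ip` commands left on a parent interface that has no address, and addressed subinterfaces with no NAT role. The function names and the abbreviated sample config are constructed for illustration.

```python
import re

# Constructed, abbreviated excerpt of the running-config posted above.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip proxy-arp
 ip nat inside
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface Dialer1
 ip address negotiated
 ip nat outside
"""

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from IOS running-config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas

def audit_nat(config):
    """Flag ip commands stranded on an unaddressed parent and subinterfaces lacking a NAT role."""
    stanzas, findings = parse_interfaces(config), []
    for name, lines in stanzas.items():
        has_ip = any(l.startswith("ip address ") for l in lines)
        has_nat = any(l in ("ip nat inside", "ip nat outside") for l in lines)
        if "." not in name and not has_ip:
            subs = [s for s in stanzas if s.startswith(name + ".")]
            stranded = [l for l in lines if re.match(r"(no )?ip (?!address)", l)]
            if subs and stranded:
                findings.append((name, "move to subinterfaces", stranded))
        elif has_ip and not has_nat:
            findings.append((name, "no ip nat inside/outside", []))
    return findings
```

Run against the posted config, it flags FastEthernet0/0 and both subinterfaces; once `ip nat inside` and the other `ip` lines sit under FastEthernet0/0.1 and FastEthernet0/0.10, it returns no findings.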
