Can't access the Internet when subinterface is configured?

Hi,

I have a home lab which comprises of a few routers & 2 x 2950 switches; I use a 2611XM router with an ADSL wic to connect to the Internet. I have been refreshing my CCNA ICND skills in preparation for studying for the CCNA Security exam; I have set up inter-VLAN routing on my router (and switches) which works fine, I have 2 subinterfaces FastEthernet0/0.1 for local subnet 192.168.1.0/24 & FastEthernet0/0.10 for local subnet

192.168.10.0/24 - clients on one subnet can ping clients on the other as expected.

My problem is that once I have this config in place no clients on either subnets can access the internet, however I can ping extenal addresses from the router. If I remove subinterface FastEthernet0/0.1 and configure address 192.168.1.0/24 directly on FastEthernet0 then clients on that subnet can access the Internet but clients on the FastEthernet0/0.10 subinterface still can't. It seems as though subnets connected via a subinterface can't route through the Internet, I'm guessing this is because the correct VLAN tag can't be added to the L2 header once the packet is received back from the Internet? I have included: 'show ver'; 'show run'; 'show ip interface brief' & 'show ip route' outputs below.

Can anylone give a solution / explanation to this behaviour?

Regards, Jason

2611XM#show ver Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4 (17), RELEASE SOFTWARE (fc1)

2611XM#show running-config Building configuration...

Current configuration : 3891 bytes ! version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname 2611XM ! boot-start-marker boot-end-marker ! security authentication failure rate 10 log security passwords min-length 6 logging buffered 4096 debugging logging console critical enable secret 5 xxxxxxxxxxxxxxx enable password 7 xxxxxxxxxxxxxxx ! aaa new-model ! ! aaa authentication login local_auth local ! aaa session-id common no network-clock-participate slot 1 no network-clock-participate wic 0 no ip source-route no ip gratuitous-arps ip cef ! ! no ip bootp server no ip domain lookup ip domain name xxxxxxxxxxxxxxx ip name-server 4.2.2.2 ip inspect audit-trail ip inspect udp idle-time 1800 ip inspect dns-timeout 7 ip inspect tcp idle-time 14400 ip inspect name autosec_inspect cuseeme timeout 3600 ip inspect name autosec_inspect ftp timeout 3600 ip inspect name autosec_inspect http timeout 3600 ip inspect name autosec_inspect rcmd timeout 3600 ip inspect name autosec_inspect realaudio timeout 3600 ip inspect name autosec_inspect smtp timeout 3600 ip inspect name autosec_inspect tftp timeout 30 ip inspect name autosec_inspect udp timeout 15 ip inspect name autosec_inspect tcp timeout 3600 login block-for 5 attempts 5 within 5 ! username jason password 7 xxxxxxxxxxxxxxx archive log config logging enable ! ! ip ssh time-out 60 ip ssh authentication-retries 2 ip ssh source-interface FastEthernet0/0 ip scp server enable ! ! interface Loopback1 ip address 10.0.0.1 255.0.0.0 ! interface FastEthernet0/0 no ip address no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly duplex auto speed auto no mop enabled ! interface FastEthernet0/0.1 encapsulation dot1Q 1 native ip address 192.168.1.1 255.255.255.0 no cdp enable ! interface FastEthernet0/0.10 encapsulation dot1Q 10 ip address 192.168.10.1 255.255.255.0 no cdp enable ! interface Serial0/0 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown ! interface ATM0/1 no ip address no ip redirects no ip unreachables no ip proxy-arp no atm ilmi-keepalive dsl operating-mode auto pvc 0/38 encapsulation aal5mux ppp dialer dialer pool-member 1 ! ! interface FastEthernet0/1 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown duplex auto speed auto no mop enabled ! interface Dialer1 ip address negotiated ip access-group autosec_firewall_acl in ip verify unicast source reachable-via rx allow-default 100 no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip inspect autosec_inspect out ip virtual-reassembly encapsulation ppp dialer pool 1 ppp authentication chap callin ppp chap hostname xxxxxxxxxxxxxxx ppp chap password 7 xxxxxxxxxxxxxxx ppp pap sent-username xxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxx ! ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 Dialer1 ! ! ip http server no ip http secure-server ip nat inside source list 1 interface Dialer1 overload ! ip access-list extended autosec_firewall_acl permit udp any any eq bootpc permit ip any any ! logging trap debugging logging facility local2 access-list 1 permit 192.168.1.0 0.0.0.255 access-list 1 permit 192.168.10.0 0.0.0.255 access-list 100 permit udp any any eq bootpc no cdp run ! ! ! control-plane banner motd ^CNo Unauthorised Access^C

! end

2611XM#show ip interface brief

Interface IP-Address OK? Method Status Protocol FastEthernet0/0 unassigned YES NVRAM up up FastEthernet0/0.1 192.168.1.1 YES NVRAM up up FastEthernet0/0.10 192.168.10.1 YES NVRAM up up Serial0/0 unassigned YES NVRAM administratively down down ATM0/1 unassigned YES NVRAM up up FastEthernet0/1 unassigned YES NVRAM administratively down down NVI0 unassigned NO unset up up Virtual-Access1 unassigned YES unset up up Virtual-Access2 unassigned YES unset up up Dialer1 86.147.x.x YES IPCP up up Loopback1 10.0.0.1 YES NVRAM up up

2611XM#show ip route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

217.47.x.x/32 is subnetted, 1 subnets C 217.47.x.x is directly connected, Dialer1 86.0.x.x/32 is subnetted, 1 subnets C 86.147.x.x is directly connected, Dialer1 C 192.168.10.0/24 is directly connected, FastEthernet0/0.10 C 10.0.0.0/8 is directly connected, Loopback1 C 192.168.1.0/24 is directly connected, FastEthernet0/0.1 S* 0.0.0.0/0 is directly connected, Dialer1
Reply to
Jason
Loading thread data ...

Hi Jason

Simply move the ip nat inside command from the main interface to both subinterfaces (as well as all other commands beginning from ip ... as they have no result on the main F0/0 interface when it has no ip address) and you'll be fine.

Reply to
Mariusz 'BB' Trojanowski
["Followup-To:" nach comp.dcom.sys.cisco gesetzt.]
  • Jason hackte in den Rechenknecht:

You added the "nat inside" stanza to an interface that has no ip. Add it to the subinterfaces (both 0/0.1 and 0/0.10) instead and it should work.

luke

Reply to
Lukas Schratz

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.