Cisco 1921 Router – LAN Network Can’t Access WAN Routes

Tags: cisco, routing

Cisco clueless here.
I have a 1921 router that connects to multiple external networks using subinterfaces on G0/0 and has a LAN network on G0/1:

Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/0         unassigned      YES NVRAM  up                    up      
GigabitEthernet0/0.1       10.10.0.1       YES NVRAM  up                    up      
GigabitEthernet0/0.2       10.20.0.2       YES NVRAM  up                    up      
GigabitEthernet0/0.3       172.60.74.102   YES NVRAM  up                    up      
GigabitEthernet0/1         192.168.2.252   YES NVRAM  up                    up      
NVI0                       10.10.0.1       YES unset  up                    up  

I am trying to allow the 192.168.2.0/24 LAN network to reach any routes that are on each sub-interface.

I've tried running ip default-network and ip route 0.0.0.0 0.0.0.0 192.168.2.0, but they don't help.

Each LAN IP address can reach all the external subnetwork IP addresses, but cannot reach any of the networks that those subinterfaces can reach.

Please, what am I doing wrong?

My router configuration:

ip dhcp excluded-address 10.10.10.1
!         
!         
!         
ip domain name usiswe.com
ip cef    
no ipv6 cef
!         
multilink bundle-name authenticated
!         
cts logging verbose
!         
crypto pki trustpoint TP-self-signed-1652834681
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1652834681
 revocation-check none
 rsakeypair TP-self-signed-1652834681
ip ssh rsa keypair-name mem.usiswe.com
ip ssh version 2
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
interface Embedded-Service-Engine0/0
 no ip address
 shutdown 
!         
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!         
interface GigabitEthernet0/0.1
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
!         
interface GigabitEthernet0/0.2
 encapsulation dot1Q 20
 ip address 10.20.0.2 255.255.255.0
!         
interface GigabitEthernet0/0.3
 encapsulation dot1Q 802
 ip address 172.60.74.102 255.255.255.252
!         
interface GigabitEthernet0/1
 description QriosLAN
 ip address 192.168.2.252 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!         
ip forward-protocol nd
!         
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!         
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip route 172.18.254.90 255.255.255.255 172.60.74.101
ip route 172.26.4.21 255.255.255.255 172.60.74.101
ip route 172.26.90.5 255.255.255.255 172.60.74.101
ip route 172.26.90.6 255.255.255.255 172.60.74.101
ip route 172.26.96.62 255.255.255.255 172.60.74.101
ip route 172.26.96.64 255.255.255.255 172.60.74.101
ip route 172.26.96.74 255.255.255.255 172.60.74.101
ip route 172.26.98.155 255.255.255.255 172.60.74.101
ip route 172.26.98.157 255.255.255.255 172.60.74.101
ip route 172.26.98.167 255.255.255.255 172.60.74.101
ip route 172.26.176.229 255.255.255.255 172.60.74.101
!         
!         
!         
access-list 10 permit 192.168.2.0 0.0.0.255
!         
control-plane
!         

Best Answer

You don't have NAT correctly configured. You have the outside NAT applied to an interface (GigabitEthernet0/0) which has no assigned network, and on which no traffic will be routed.

I think you are trying to set all the subinterfaces as outside NAT interfaces, but I don't see much of a reason to NAT on all the subinterfaces, which you must do individually. The GigabitEthernet0/0.3 interface is the only one with a public IPv4 address, so it makes sense to have it as an outside NAT interface, but I don't see a reason to have the other subinterfaces using NAT unless they are inside interfaces.

The router will route between all the interfaces, as long as you have ip routing configured.

If you do want all the subinterfaces to be outside NAT interfaces, then you need to do something like this:

interface GigabitEthernet0/0
 no ip nat outside
!         
interface GigabitEthernet0/0.1
 ip nat outside
!         
interface GigabitEthernet0/0.2
 ip nat outside
!         
interface GigabitEthernet0/0.3
 ip nat outside
!         
interface GigabitEthernet0/1
 ip address 192.168.2.252 255.255.255.0
 ip nat inside
!         
ip nat inside source list 10 interface GigabitEthernet0/0.1 overload
ip nat inside source list 10 interface GigabitEthernet0/0.2 overload
ip nat inside source list 10 interface GigabitEthernet0/0.3 overload
!
access-list 10 permit 192.168.2.0 0.0.0.255
!         

One problem with NAT is that all the conversations must be initiated from the inside. For example, you will not be able to ping from an outside network to your inside network.

Also, for the network to be able to get to all the networks on the other side of those interfaces, the router must be told about how to reach those networks. Routers learn about routes in three ways:

  • Directly connected networks
  • Statically configured routes
  • Dynamic routing protocols

You can really only use a single default route (0.0.0.0/0) because it is the route used when there are no other routes to the destination. Normally, you use a default route toward the public Internet because the Internet routing table is so large that many routers simply cannot handle all the routes.

Static routes don't scale.

The ideal way is to run a routing protocol between your router and the neighboring routers.
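The three mistakes the answer walks through (a NAT role on an interface that carries no address, an overload rule pointing at an interface that is not the NAT outside side, and a static route whose next hop is not a real host on a connected subnet) can be checked mechanically against a running-config. The script below is an added example, not part of the question or the answer; the two config strings are constructed from the question's own lines, with the answer's fix applied in the second, and the parser only understands the handful of IOS commands the page uses.

```python
"""Lint a Cisco IOS running-config for the NAT and static-route mistakes the
answer points out. Added example, not from the original post; the two configs
below are constructed from the question's lines, not live output."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed: the lines of the question's config that matter (broken).
QUESTION_CONFIG = """\
interface GigabitEthernet0/0
 no ip address
 ip nat outside
!
interface GigabitEthernet0/0.3
 ip address 172.60.74.102 255.255.255.252
!
interface GigabitEthernet0/1
 ip address 192.168.2.252 255.255.255.0
 ip nat inside
!
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip route 172.26.4.21 255.255.255.255 172.60.74.101
ip route 0.0.0.0 0.0.0.0 192.168.2.0
"""

# Constructed: the same lines with the answer's fix applied: NAT outside moves
# to the addressed subinterface and the overload rule points at it.
FIXED_CONFIG = """\
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.3
 ip address 172.60.74.102 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.2.252 255.255.255.0
 ip nat inside
!
ip nat inside source list 10 interface GigabitEthernet0/0.3 overload
ip route 172.26.4.21 255.255.255.255 172.60.74.101
"""


@dataclass
class Interface:
    name: str
    addr: ipaddress.IPv4Interface | None = None
    nat: str | None = None  # "inside", "outside" or None


def parse_config(text: str):
    """Return (interfaces, nat_rules, routes) from IOS config text."""
    interfaces: dict[str, Interface] = {}
    nat_rules: list[tuple[str, str]] = []  # (acl, overload interface)
    routes: list[tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]] = []
    cur = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):  # a top-level command ends any interface block
            cur = None
        if m := re.match(r"interface (\S+)$", line):
            cur = interfaces.setdefault(m[1], Interface(m[1]))
        elif cur is not None:
            body = line.strip()
            if m := re.match(r"ip address (\S+) (\S+)$", body):
                cur.addr = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
            elif m := re.match(r"ip nat (inside|outside)$", body):
                cur.nat = m[1]
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+) overload$", line):
            nat_rules.append((m[1], m[2]))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)$", line):
            routes.append((ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False),
                           ipaddress.IPv4Address(m[3])))
    return interfaces, nat_rules, routes


def lint_config(text: str) -> list[str]:
    """List the misconfigurations the answer describes; empty means clean."""
    interfaces, nat_rules, routes = parse_config(text)
    findings = []
    # 1. A NAT role on an interface that carries no address is never exercised.
    for name, i in interfaces.items():
        if i.nat and i.addr is None:
            findings.append(f"{name}: 'ip nat {i.nat}' on an interface with no IP address")
    # 2. The overload interface must exist and be the NAT outside side.
    for acl, ifname in nat_rules:
        target = interfaces.get(ifname)
        if target is None:
            findings.append(f"list {acl}: overload interface {ifname} does not exist")
        elif target.nat != "outside":
            findings.append(f"list {acl}: overload interface {ifname} is not 'ip nat outside'")
    # 3. A static route's next hop must be a host address on a connected subnet.
    connected = [(n, i.addr.network) for n, i in interfaces.items() if i.addr]
    for net, nh in routes:
        on = [(n, s) for n, s in connected if nh in s]
        if not on:
            findings.append(f"route {net}: next hop {nh} is not on any connected subnet")
        elif nh in (on[0][1].network_address, on[0][1].broadcast_address):
            findings.append(f"route {net}: next hop {nh} is the network/broadcast "
                            f"address of {on[0][1]} on {on[0][0]}, not a host")
    return findings
```

Running lint_config(QUESTION_CONFIG) reports the NAT outside role on the unaddressed GigabitEthernet0/0, the overload rule that points at the inside interface GigabitEthernet0/1, and the attempted default route whose next hop 192.168.2.0 is the LAN's network address rather than a router; lint_config(FIXED_CONFIG) returns an empty list. The check is deliberately limited to what the page discusses: it does not validate the access-list, and it says nothing about routes to the networks behind the other subinterfaces, which, as the answer says, must still be supplied statically or learned dynamically.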