Cisco clueless here.
I have a 1921 router that connects to multiple external networks using subinterfaces on G0/0 and has a LAN network on G0/1:
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 unassigned YES NVRAM up up
GigabitEthernet0/0.1 10.10.0.1 YES NVRAM up up
GigabitEthernet0/0.2 10.20.0.2 YES NVRAM up up
GigabitEthernet0/0.3 172.60.74.102 YES NVRAM up up
GigabitEthernet0/1 192.168.2.252 YES NVRAM up up
NVI0 10.10.0.1 YES unset up up
I am trying to allow the LAN network 192.168.2.0/24 to reach any routes that are on each sub-interface. I've tried running ip default-network and ip route 0.0.0.0 0.0.0.0 192.168.2.0, but they don't help.
Each LAN IP address can reach all the external subnetwork IP addresses, but cannot reach any of the networks that those subinterfaces can reach.
Please, what am I doing wrong?
My router configuration:
ip dhcp excluded-address 10.10.10.1
!
ip domain name usiswe.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-1652834681
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1652834681
 revocation-check none
 rsakeypair TP-self-signed-1652834681
ip ssh rsa keypair-name mem.usiswe.com
ip ssh version 2
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 20
 ip address 10.20.0.2 255.255.255.0
!
interface GigabitEthernet0/0.3
 encapsulation dot1Q 802
 ip address 172.60.74.102 255.255.255.252
!
interface GigabitEthernet0/1
 description QriosLAN
 ip address 192.168.2.252 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip route 172.18.254.90 255.255.255.255 172.60.74.101
ip route 172.26.4.21 255.255.255.255 172.60.74.101
ip route 172.26.90.5 255.255.255.255 172.60.74.101
ip route 172.26.90.6 255.255.255.255 172.60.74.101
ip route 172.26.96.62 255.255.255.255 172.60.74.101
ip route 172.26.96.64 255.255.255.255 172.60.74.101
ip route 172.26.96.74 255.255.255.255 172.60.74.101
ip route 172.26.98.155 255.255.255.255 172.60.74.101
ip route 172.26.98.157 255.255.255.255 172.60.74.101
ip route 172.26.98.167 255.255.255.255 172.60.74.101
ip route 172.26.176.229 255.255.255.255 172.60.74.101
!
access-list 10 permit 192.168.2.0 0.0.0.255
!
control-plane
!
Best Answer
You don't have NAT correctly configured. You have the outside NAT applied to an interface (GigabitEthernet0/0) which has no assigned network, and on which no traffic will be routed.

I think you are trying to set all the subinterfaces as outside NAT interfaces, but I don't see much of a reason to NAT on all the subinterfaces, which you must do individually. The GigabitEthernet0/0.3 interface is the only one with a public IPv4 address, so it makes sense to have it as an outside NAT interface, but I don't see a reason to have the other subinterfaces using NAT unless they are inside interfaces.

The router will route between all the interfaces, as long as you have ip routing configured.

If you do want all the subinterfaces to be outside NAT interfaces, then you need to do something like this:
One problem with NAT is that all the conversations must be initiated from the inside. For example, you will not be able to ping from an outside network to your inside network.
Also, for the network to be able to get to all the networks on the other side of those interfaces, the router must be told about how to reach those networks. Routers learn about routes in three ways:
You can really only use a single default route (0.0.0.0/0) because it is the route used when there are no other routes to the destination. Normally, you use a default route toward the public Internet because the Internet routing table is so large that many routers simply cannot handle all the routes. Static routes don't scale.
The ideal way is to run a routing protocol between your router and the neighboring routers.
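As an added illustration of the answer's point that the router must be told how to reach the networks behind each subinterface (this is not code from the question or the answer), the following Python models IOS route selection in simplified form: longest-prefix match over a routing table built from the interface addresses and a few of the /32 statics posted above, with recursive resolution of a static route's next hop. The destinations 10.30.0.5 and 10.99.0.1 are constructed sample values.

```python
import ipaddress

# Constructed from the interface addresses and the /32 statics in the question
# (only three of the statics are kept; the others behave identically).
CONNECTED = {
    "GigabitEthernet0/0.1": "10.10.0.1/24",
    "GigabitEthernet0/0.2": "10.20.0.2/24",
    "GigabitEthernet0/0.3": "172.60.74.102/30",
    "GigabitEthernet0/1": "192.168.2.252/24",
}
STATIC = [("172.18.254.90/32", "172.60.74.101"),
          ("172.26.4.21/32", "172.60.74.101"),
          ("172.26.96.62/32", "172.60.74.101")]


def build_rib(connected, static):
    """Routing table entries as (network, next_hop_or_None, exit_interface_or_None)."""
    rib = [(ipaddress.ip_interface(a).network, None, ifn) for ifn, a in connected.items()]
    rib += [(ipaddress.ip_network(p), ipaddress.ip_address(nh), None) for p, nh in static]
    return rib


def with_default(rib, next_hop):
    """The table plus the equivalent of 'ip route 0.0.0.0 0.0.0.0 <next_hop>'."""
    return rib + [(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(next_hop), None)]


def longest_match(rib, dst):
    """Longest-prefix match: the most specific route wins over a default route."""
    candidates = [entry for entry in rib if dst in entry[0]]
    return max(candidates, key=lambda entry: entry[0].prefixlen, default=None)


def resolve(rib, dst, _depth=0):
    """Return (next_hop, exit_interface) for dst, or None when no usable route exists.
    A static whose next hop is not on a connected network is resolved recursively;
    a next hop that can only be reached through itself never resolves (depth guard)."""
    if _depth > 8:
        return None
    entry = longest_match(rib, ipaddress.ip_address(dst))
    if entry is None:
        return None
    net, nh, iface = entry
    if nh is None:                          # directly connected: deliver on that interface
        return (None, iface)
    hop = resolve(rib, nh, _depth + 1)      # which interface reaches the next hop?
    return None if hop is None else (str(nh), hop[1])
```

With the posted table, 172.26.4.21 resolves out GigabitEthernet0/0.3, while a host such as 10.30.0.5 behind one of the other subinterfaces has no route at all; the question's 'ip route 0.0.0.0 0.0.0.0 192.168.2.0' sends such traffic back out the LAN interface instead of toward any external router.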