Cisco 3750 Switch to Cisco 1841 Router to Cable Modem – Setup Guide


I was rushing to help a friend out today who was trying to get a 3750 attached to a 1841 behind a cable modem. He called me at the last minute and figured it would be simple considering his needs were so basic.

1841 is the router, connecting to the cable modem. Set up a couple of VLAN subinterfaces on the 1841 as well as DHCP pools. Attached the 3750 to the router with a trunk link and passed the VLANs. Associated the VLANs to ports and did some basic static routes. I was rushed, under a time crunch to get my daughter, and, well, ran into a problem reaching the internet from the PC. I was panicking about my time and not seeing clearly enough to troubleshoot or figure it out.

Basics are that the PC was getting an IP from the 1841 via DHCP. PC could ping the VLAN subinterface gateway, 192.168.1.1. PC could ping the Fa0/0 IP, which is an external IP.

Router could ping the internet (8.8.8.8) with a basic "ping 8.8.8.8".

Router could NOT ping the internet when I sourced from the VLAN 100 subinterface (192.168.1.1).

Not sure what I'm missing but I'm missing something. So much for 20 years of experience sometimes. Thought this would be the easiest network deployment I've done in 15 years.

The fact I couldn't ping the internet from the internal subinterface bugs me. The issue on the PC seems secondary to the fact I couldn't get the local subinterface to work either. So it's got to just be something on the 1841 at a minimum.

Here is the config of the 1841:

FT-ROUTER#sh run
Building configuration...

Current configuration : 2394 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname FT-ROUTER
!
boot-start-marker
boot system flash c1841-ipbasek9-mz.124-20.T.bin
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
!
ip dhcp excluded-address 192.168.3.1 192.168.3.5
ip dhcp excluded-address 192.168.2.1 192.168.2.5
ip dhcp excluded-address 192.168.1.1 192.168.1.5
!         
ip dhcp pool MAINDATA
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server 68.105.28.16 68.105.29.16 
!
ip dhcp pool PUBLICWIFI
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1 
   dns-server 68.105.28.16 68.105.29.16 
!
ip dhcp pool SECURITY
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1 
   dns-server 68.105.28.16 68.105.29.16 
!
!
ip cef
no ip domain lookup
!

interface FastEthernet0/0
 ip address 98.190.71.2 255.255.255.240
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.100
 description FT-MAIN-DATA
 encapsulation dot1Q 100
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.200
 description FT-PUBLIC-WIRELESS
 encapsulation dot1Q 200
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.300
 encapsulation dot1Q 300
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!

!
ip default-gateway 98.190.71.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 98.190.71.1
!
ip nat inside source list 10 interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.1.0 0.0.0.255

Here is a basic diagram:

[Image: Network Diagram]

Any glaring omissions or thoughts? I am going to go back out and try to help him tomorrow. Trying to get my thoughts right tonight.

Best Answer

In addition to the missing "ip nat outside" command suggested by Ron Trunk, you are only allowing NAT Overload on VLAN 100.

If you want to allow NAT Overload and Internet access on VLAN 200 and VLAN 300, you will need to adjust your ACL to include those additional subnets.

Original Code:

access-list 10 permit 192.168.1.0 0.0.0.255

Recommend changing to:

access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 permit 192.168.3.0 0.0.0.255

To answer your second question:

Below is a regular Static PAT statement.

ip nat inside source static tcp 192.168.3.50 8080 98.190.71.2 8080 extendable
ip nat inside source static tcp 192.168.3.51 8081 98.190.71.2 8081 extendable

These may also be needed for UDP traffic.

ip nat inside source static udp 192.168.3.50 8080 98.190.71.2 8080 extendable
ip nat inside source static udp 192.168.3.51 8081 98.190.71.2 8081 extendable
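
A small check for the two problems identified in this thread (no "ip nat outside" on the overload interface, and inside subnets missing from the NAT ACL), as an added example that is not part of the original question or answer. The function name audit_nat and the trimmed sample config are assumptions, constructed from the NAT-relevant lines of the config posted in the question.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the 1841 config in the question.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 98.190.71.2 255.255.255.240
interface FastEthernet0/1.100
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1.200
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1.300
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit 192.168.1.0 0.0.0.255
"""

def audit_nat(config):
    """Return findings for a PAT (overload) setup in an IOS running-config."""
    interfaces, acls, overload, current = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current = None  # interface sub-commands are indented; the rest is global
        if m := re.match(r"interface (\S+)$", line):
            current = interfaces.setdefault(m[1], {"net": None, "nat": None})
        elif current is not None and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            current["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif current is not None and (m := re.match(r"ip nat (inside|outside)$", line)):
            current["nat"] = m[1]
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+)$", line):
            # Standard ACL entry with a wildcard mask; "any"/"host" forms are not parsed.
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+) overload$", line):
            overload = (m[1], m[2])
    if overload is None:
        return ["no 'ip nat inside source list ... overload' statement"]
    acl_id, out_if = overload
    findings = []
    if interfaces.get(out_if, {}).get("nat") != "outside":
        findings.append(f"{out_if}: missing 'ip nat outside'")
    for name, intf in interfaces.items():
        if intf["nat"] == "inside" and intf["net"] is not None:
            if not any(intf["net"].subnet_of(a) for a in acls.get(acl_id, [])):
                findings.append(f"{name}: {intf['net']} not permitted by access-list {acl_id}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_nat(SAMPLE_CONFIG)))
```

Run against the full "sh run" output, the same function ignores lines it does not recognise, so it can be pointed at a saved config file after each change.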