Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Westi on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Strange VLAN issue (Sub-int)

Status
Not open for further replies.
chieftan

chieftan

MIS
Dec 18, 2002
292
GB
Here is the basic setup:-

Laptop -> SSG5 -> SSG140 -> 1721 -> Outside World

We know the routing between the laptop and the 1721 is okay as the laptop is set to DHCP and the 1721 is the DHCP server and it assigns the addresses correctly.

Here is the weird part...

I can ping from the laptop to the subinterface on the 1721 - so the inside facing interface.

I CANNOT ping, from the laptop to the external interface (Ethernet0) of the 1721 even though it is a physical, addressed interface on the 1721, the only difference being it is a different network (Shouldnt matter).

Now, here is the, even stranger, issue. If I ping from the 1721 Router to the Laptop address with extended ping and using the external interface (Ethernet0) as the initiator, it is successful.

So, all in, from the router to the laptop success, from the laptop to the router, failure......

All routes in the SSG's are fine..... scratch head
 
Sort by date Sort by votes
Hi Allworx

Wish it was that easy... :(

All is good firewall side....

Real head scratcher
 
Upvote 0 Downvote
give us the network address info including what devices are performing NAT

 
Upvote 0 Downvote
Well, from a head scratching perspective, it has become a bit more obvious now.

The address on the internal interface (FA0.96) was labelled as 192.168.196.253 / 24 but the vlan coming in was 192.168.96.0 network. My access list for the NATting only catered for the 96 addresses and, of course, if you are doing an extended ping it will be looking for the "ACTUAL" interface address which was a 196. So, from the Cisco router I can now ping externally and NATting is performed as should be after adding in the access-list for 196 address range.

However, from the laptop, I still can ping the FA0.96 address, but no further.

The reason I mention the WIC card is because the only obvious difference I can see is that the 192.168.96.0 network is VLAN'd and therefore dot1q.

I know from reading on the Cisco site that the WIC does not seem to support Subinterfaces and therefore dot1q, however, read what I think about this:-

The packet comes into the router with a dot1q header on top of the VLAN header. Now, the router has to make a routing decision based on the IP address destination, so, the real question now is, does the router strip the tags and then read the address and send out of the WIC or does it not and read the address behind the tag?

If it strips the tags off then I cannot see there being a problem, however, it the tag remains, then there could be an issue with the WIC.....
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

phonedudeSr
  • Locked
  • Question
Cisco Unity Connection Subscriber issue
Replies
2
Views
223
phonedudeSr
phonedudeSr
PThomp3344
  • Locked
  • Question
Trying to connect to Cisco Unified Controller web interface: UC520W-16U-4FXO-K9
Replies
1
Views
329
bdk76
bdk76
cheikhdtn
  • Locked
  • Question
VLAN
Replies
3
Views
147
iggsterman
iggsterman
mikey789
  • Locked
  • Question
Can 4000-M Routing VLANs ?
Replies
0
Views
138
mikey789
mikey789
HollTel
  • Locked
  • Question
Cisco UC520 Shared Line issue
Replies
0
Views
101
HollTel
HollTel

Part and Inventory Search

Sponsor

Back
Top