Ping problem to External on WinXP

Nov 12th, 2008

Hi All

The following is the setup

C3750 Switch


interface GigabitEthernet1/0/1

description Connect to D-Link DI-808HV

no switchport

ip address 192.168.8.2 255.255.255.252


VLAN 2

172.20.0.1/24

...


Couple of ports are assigned to VLAN 2


D-Link DI-808HV

Lan: 192.168.8.1/24


WAN: x.x.x.74/29

Gateway: x.x.x.73


Now, from the CLI of the switch, I can ping everywhere, including 192.168.8.2, 192.168.8.1, x.x.x.74, and 72.14.207.104.

But from the WinXP client, which is connected to a VLAN 2 port, I can only ping 192.168.8.2, 192.168.8.1, and x.x.x.74, and cannot go beyond that. The WinXP firewall is switched off.


Why can't I ping beyond x.x.x.74? Please help.


TIA


Mark


Istvan_Rabai Wed, 11/12/2008 - 22:33

Hi Mark,


Please check:

- if you can follow up the route to the other subnets and back to the source address in the routing tables.

- that you don't have any access-lists or firewalls along the path that would block ping echo or reply packets in either direction.


Cheers:

Istvan

markxgzhang Thu, 11/13/2008 - 01:20

Thanks Istvan. One thing I do not understand is that actually the two pings are from the same computer, but one is from a HyperTerminal session and another is from the WinXP platform on which the firewall is turned off. Why is that?

Yes, the D-Link device is an 8-Port Broadband VPN Router, and it has a firewall function. But if it is on, how can the HyperTerminal session go across?


Mark


vaisharm Thu, 11/13/2008 - 03:44
User Badges:
  • Cisco Employee,

Mark,


If I understand correctly, x.x.x.74/29 is the IP on the WAN interface on the D-Link router and x.x.x.73 is your ISP. This looks like a NAT issue to me. Your D-Link router must be natting the 192.168.8.0/24 network and it looks like it's not natting the 172.20.0.0/24 network, which is why you are able to ping the WAN interface on the D-Link box but not beyond it. However, when you ping from the HyperTerminal session, you use the routed port on the switch as the source (unlike the 172.20.0.0/24 network, which is the source when you ping from the WinXP client). To confirm if this is the problem, try an extended ping beyond x.x.x.74 from the switch with interface VLAN 2 as the source.


Switch#ping x.x.x.x source VLAN 2


This would most likely fail.


HTH,

Vaibhav

markxgzhang Thu, 11/13/2008 - 15:07

Hi Vaibhav,

Yes, you are right, tried

Switch#ping x.x.x.x source VLAN 2

and it failed.

Looks like it is not a Cisco issue, but I will try here anyway. Is there a way to change the NAT behaviour on the D-Link box, so that 172.20.0.0/24 will be natted as well?

What I am trying to do is transfer the whole flat network, which is at the moment on 192.168.8.0/24 with no VLAN config, to a VLAN environment with switches that are configured with VLANs and a routed port. Before transferring, I'd like to make sure that the internet connection is working on those switches that have VLAN configurations. As you can see, only the HyperTerminal session can get out to the internet from the VLAN-configured switch, but not the WinXP platform. What is the way to fix it, please?


Thanks


glen.grant Thu, 11/13/2008 - 18:00

Are you running a default static route on the 3750 pointing to the 192.168.8.1 ??

markxgzhang Thu, 11/13/2008 - 18:19

Yes, through the routed port that has the IP of 192.168.8.2.

vaisharm Thu, 11/13/2008 - 20:16
User Badges:
  • Cisco Employee,

Mark,


I am not sure how the routing and NAT are being implemented on the D-Link router. However, I found something which might help you fix this issue. Try the following settings on your D-Link router.


Under Advanced -> Firewall (from the left pane)


Firewall Rules


* Enabled

Name: Allow Internal_VLANs

Action: Allow

Source:

Interface: LAN

IP Start: 172.20.0.1

IP End: 172.20.0.255


Destination: I am not sure if you just leave it to * if it would allow access to all sources. But you can try this. If it does not work, try the following:

Destination:

Interface: WAN

IP Start: 0.0.0.0

IP End: 0.0.0.0

Protocol: *


Schedule: Always


Apply



Let us know how it goes.


HTH,

~Vaibhav




markxgzhang Thu, 11/13/2008 - 21:20

Did that, and it is still the same: WinXP can ping the router WAN port, x.x.x.74, but not beyond.


vaisharm Thu, 11/13/2008 - 21:30
User Badges:
  • Cisco Employee,

Mark,


You probably need to contact D-Link support.


HTH,

~Vaibhav

markxgzhang Thu, 11/13/2008 - 22:22

The last rule should allow anything from LAN to WAN. Isn't it?


Allow Internal_VLANs LAN,172.20.0.1-172.20.0.255 WAN,* *,*

Allow Ping WAN port WAN,* WAN,* ICMP,*

Deny Default *,* LAN,* *,*

Allow Default LAN,* *,* *,*


vaisharm Fri, 11/14/2008 - 00:56
User Badges:
  • Cisco Employee,

That is correct. Just to check, modify or add a new rule and enable ICMP to a specific public IP from source range 172.20.0.1-172.20.0.255 and see if ping works from the XP client to this public IP.

markxgzhang Sun, 11/16/2008 - 19:31

Hi Guys,

It is actually a routing issue. After I put the Static Route entry in to route back to the VLANs, the ping problem disappeared. I remember Jon said something about it on another thread, and tried it, and it is working now.

Thank you very much guys.
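
The return-path check behind the fix reported above, as an added example that is not from any poster in this thread. It models only the route lookup on each hop (no NAT or firewall rules); the client address 172.20.0.10 and the 203.0.113.72/29 WAN range are constructed stand-ins, since the thread masks the real WAN subnet as x.x.x.

```python
import ipaddress

# Constructed stand-in: the thread masks the WAN subnet as x.x.x.72/29, so the
# documentation range 203.0.113.72/29 is used here in its place.
WAN_NET, ISP_GW = "203.0.113.72/29", "203.0.113.73"

# 3750 as described in the thread: VLAN 2, routed port, default static route.
SWITCH = [
    ("172.20.0.0/24", "connected", "Vlan2"),
    ("192.168.8.0/30", "connected", "Gi1/0/1"),
    ("0.0.0.0/0", "192.168.8.1", "Gi1/0/1"),
]

def dlink_routes(with_return_route):
    """D-Link table; the static route back to the VLAN is the reported fix."""
    routes = [
        ("192.168.8.0/24", "connected", "LAN"),
        (WAN_NET, "connected", "WAN"),
        ("0.0.0.0/0", ISP_GW, "WAN"),
    ]
    if with_return_route:
        routes.append(("172.20.0.0/24", "192.168.8.2", "LAN"))
    return routes

def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, interface) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop, ifc) for p, hop, ifc in table
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    _, hop, ifc = max(matches, key=lambda m: m[0].prefixlen)
    return hop, ifc

def ping_ok(src, dst, with_return_route):
    """True if the request leaves via the routed port and the reply is routed back to the LAN."""
    out = lookup(SWITCH, dst)
    back = lookup(dlink_routes(with_return_route), src)
    return bool(out and back) and out[1] == "Gi1/0/1" and back[1] == "LAN"

if __name__ == "__main__":
    for src in ("192.168.8.2", "172.20.0.10"):  # switch CLI vs. constructed XP client
        for fixed in (False, True):
            print(src, "return route" if fixed else "no return route",
                  ping_ok(src, "72.14.207.104", fixed))
```
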
