Ping problem to External on WinXP

Unanswered Question
Nov 12th, 2008
User Badges:

Hi All

The following is the setup

C3750 Switch

interface GigabitEthernet1/0/1

description Connect to D-Link DI-808HV

no switchport

ip address



Couple of ports are assigned to VLAN 2

D-Link DI-808HV


WAN: x.x.x.74/29

Gateway: x.x.x.73

Now, from CLI of the switch, I can ping everywhere, including,, and x.x.x.74,

But from winXP client, which is connected to a VLAN 2 port, can only ping,, and x.x.x.74. and cannot go beyond that. The winXP firewall is switched off.

why cannot I ping beyond x.x.x.74? Please help,



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Istvan_Rabai Wed, 11/12/2008 - 22:33
User Badges:
  • Gold, 750 points or more

Hi Mark,

Please check:

- if you can follow up the route to the other subnets and back to the source address in the routing tables.

- that you don't have any access-lists or firewalls along the path that would block ping echo or reply packets in either direction.



markxgzhang Thu, 11/13/2008 - 01:20
User Badges:

Thanks Istvan. One thing I do not understand is that actually the tow pings are from the same computer, but one is from a HyperTerminal session and another is from WinXP platform on which the firewall is turned off. Why is that?

Yes, the D-Link device is a 8-Port Broadband VPN Router, and it has firewall function. but if it is on, how can the hyperterminal session go across?


vaisharm Thu, 11/13/2008 - 03:44
User Badges:
  • Cisco Employee,


If I understand correctly, x.x.x.74/29 is the IP on the WAN interface on the D-link router and x.x.x.73 is your ISP. This looks like a NAT issue to me. Your D-link router must be natting the network and it looks like its not natting the network. Which is why you are able to ping the WAN interface on the D-link box but not beyond it. However, when you ping from the hyper terminal session, then you use the routed-port on the switch as the source (unlike the network which is the source when you ping from the WinXP client). To confirm if this is the problem, try an extended ping beyond x.x.x.74 from the switch with interface VLAN2 as the source.

Switch#ping x.x.x.x source VLAN 2

This would most likely fail.



markxgzhang Thu, 11/13/2008 - 15:07
User Badges:

Hi Vaibhav,

Yes, you are right, tried

Switch#ping x.x.x.x source VLAN 2

and it failed.

Looks like it is not a Cisco issue, but I will try here anyway. Is there a way to change the NAT behaviour on the D-Link box, so that will be natted as well?

What I am trying to do is transfer all the flat network which is at the moment on with no VLAN config, to a VLAN environmet with switches that configured with VLANs and Routed-port. Before transferring, I'd like to make sure that internet connection is working on those switches that has vlan configurations. As you can see, only hyper terminal session can get out to internet from the VLAN configured switch, but not on the WinXP platform. What is the way to fix it please?


glen.grant Thu, 11/13/2008 - 18:00
User Badges:
  • Purple, 4500 points or more

Are you running a default static route on the 3750 pointing to the ??

markxgzhang Thu, 11/13/2008 - 18:19
User Badges:

Yes. through the routed-port that has the IP of

vaisharm Thu, 11/13/2008 - 20:16
User Badges:
  • Cisco Employee,


I am not sure how the routing, NAT is being implemented on the D-Link router. However, I found something which might help you fix this issue. Try the following settings on your D-link router.

Under Advanced -> Firewall (from the left pane)

Firewall Rules

* Enabled

Name: Allow Internal_VLANs

Action: Allow


Intrerface: LAN

IP Start:

IP End:

Destination: I am not sure if you just leave it to * if it would allow access to all sources. But you can try this. If it does not work, try the following:



IP Start:

IP End:

Protocol: *

Schedule: Always


Let us know how it goes.



markxgzhang Thu, 11/13/2008 - 21:20
User Badges:

did that. and it still the same, winXP can ping Router WAN port, x.x.x.74, but not beyond.

vaisharm Thu, 11/13/2008 - 21:30
User Badges:
  • Cisco Employee,


You probably need to contact D-Link support.



markxgzhang Thu, 11/13/2008 - 22:22
User Badges:

the last rule should allow anything from Lan to WAN. Isn't it?

Allow Internal_VLANs LAN, WAN,* *,*

Allow Ping WAN port WAN,* WAN,* ICMP,*

Deny Default *,* LAN,* *,*

Allow Default LAN,* *,* *,*

vaisharm Fri, 11/14/2008 - 00:56
User Badges:
  • Cisco Employee,

That is correct. Just to check, modify or a add a new rule and enable ICMP to a specific public IP from source range and see if ping works from the XP client to this public IP.

markxgzhang Sun, 11/16/2008 - 19:31
User Badges:

Hi Guys,

It is actually an routing issue. After I put the Static Route entry in to route back to the vlans, the ping problem disapeared. I remember Jon said something about it on another thread, and tried it, and it is working now.

Thank you very much guys.


This Discussion