The following is the setup
description Connect to D-Link DI-808HV
ip address 192.168.8.2 255.255.255.252
Couple of ports are assigned to VLAN 2
Now, from CLI of the switch, I can ping everywhere, including 192.168.8.2, 192.168.8.1, and x.x.x.74, 184.108.40.206
But from winXP client, which is connected to a VLAN 2 port, can only ping 192.168.8.2, 192.168.8.1, and x.x.x.74. and cannot go beyond that. The winXP firewall is switched off.
why cannot I ping beyond x.x.x.74? Please help,
- if you can follow up the route to the other subnets and back to the source address in the routing tables.
- that you don't have any access-lists or firewalls along the path that would block ping echo or reply packets in either direction.
Thanks Istvan. One thing I do not understand is that actually the tow pings are from the same computer, but one is from a HyperTerminal session and another is from WinXP platform on which the firewall is turned off. Why is that?
Yes, the D-Link device is a 8-Port Broadband VPN Router, and it has firewall function. but if it is on, how can the hyperterminal session go across?
If I understand correctly, x.x.x.74/29 is the IP on the WAN interface on the D-link router and x.x.x.73 is your ISP. This looks like a NAT issue to me. Your D-link router must be natting the 192.168.8.0/24 network and it looks like its not natting the 172.20.0.0/24 network. Which is why you are able to ping the WAN interface on the D-link box but not beyond it. However, when you ping from the hyper terminal session, then you use the routed-port on the switch as the source (unlike the 172.20.0.0/24 network which is the source when you ping from the WinXP client). To confirm if this is the problem, try an extended ping beyond x.x.x.74 from the switch with interface VLAN2 as the source.
Switch#ping x.x.x.x source VLAN 2
This would most likely fail.
Yes, you are right, tried
Switch#ping x.x.x.x source VLAN 2
and it failed.
Looks like it is not a Cisco issue, but I will try here anyway. Is there a way to change the NAT behaviour on the D-Link box, so that 172.20.0.0/24 will be natted as well?
What I am trying to do is transfer all the flat network which is at the moment on 192.168.8.0/24 with no VLAN config, to a VLAN environmet with switches that configured with VLANs and Routed-port. Before transferring, I'd like to make sure that internet connection is working on those switches that has vlan configurations. As you can see, only hyper terminal session can get out to internet from the VLAN configured switch, but not on the WinXP platform. What is the way to fix it please?
I am not sure how the routing, NAT is being implemented on the D-Link router. However, I found something which might help you fix this issue. Try the following settings on your D-link router.
Under Advanced -> Firewall (from the left pane)
Name: Allow Internal_VLANs
IP Start: 172.20.0.1
IP End: 172.20.0.255
Destination: I am not sure if you just leave it to * if it would allow access to all sources. But you can try this. If it does not work, try the following:
IP Start: 0.0.0.0
IP End: 0.0.0.0
Let us know how it goes.
the last rule should allow anything from Lan to WAN. Isn't it?
Allow Internal_VLANs LAN,172.20.0.1-172.20.0.255 WAN,* *,*
Allow Ping WAN port WAN,* WAN,* ICMP,*
Deny Default *,* LAN,* *,*
Allow Default LAN,* *,* *,*
That is correct. Just to check, modify or a add a new rule and enable ICMP to a specific public IP from source range 172.20.0.1-172.20.0.255 and see if ping works from the XP client to this public IP.
It is actually an routing issue. After I put the Static Route entry in to route back to the vlans, the ping problem disapeared. I remember Jon said something about it on another thread, and tried it, and it is working now.
Thank you very much guys.