Cisco Support Community
New Member

Added a 1711 to the mix - trouble allowing traffic

I recently added a 1711 router to one of our remote offices that was previously running only with a Linksys/Cisco WRV54G router (in gateway mode, firewall enabled, block anonymous WAN request enabled). Given the attached picture and configuration of the 1711.

Can someone help explain why a client connected to the wireless router ( can only pass DNS and ICMP to the internet and back with success. (This seems to me to rule out any NAT or Route issues) while all other attempts show that connections are attempted from the client, but never actually established.

I have enabled an inspection map that should allow all ICMP, HTTP(s), TCP, UDP, and fragment (though I'm not sure I need the fragment) return traffic (established internally) from the internet.

One last thought - which I didn't get around to trying is to see if a client connected directly to VLAN1 (instead of the Linksys) will have the expected internet access. Must the Linksys operate in router mode given my current configuration or does it even matter. If so what implications on routing does that have (if any)?

Thanks Everyone!


Re: Added a 1711 to the mix - trouble allowing traffic

I am no expert on connections like this so I will attempt to help to maybe bounce some ideas off of.

In your config you have VLAN 2 with ip range of, but nothing in your drawing has that IP subnet applied. You also have VLAN 2 assigned to FastEthernet 2

You have VLAN 1 built but not assigned.

Try assigning VLAN 1 to FastEthernet 1.

From the router can you ping the Linksys?

From the Linksys can you ping the router?

I assume from the config the Linksys is assigning DHCP in the range, then in the Linksys you are allowing traffic from one network to talk to the router on VLAN 1?

Just ideas. I hope it helps.

New Member

Re: Added a 1711 to the mix - trouble allowing traffic

Hi Engagerocks

Thanks for the reply.

VLAN2 is for the DMZ port (fastethernet 2) which currently has no devices or hosts. It's not currently relevant to the issue - unless that is I put a host on the DMZ and experience the same issue. I'll try that tonight.

As for VLAN1, interesting - I hadn't noticed that it was not applied to an interface - which makes things even more odd because, as I have the Linksys router attached to that interface and its WAN port is DHCP configured and it gets an IP address from VLAN1's pool (it gets that thought hadn't occurred to me and I wonder why VLAN1 is talking on Fastethernet 1.

As for the ping tests I can:

successfully ping - inside of Linksys, the outside of Linksys, VLAN1, Fastethernet 0 my public IP address, and I can ping and other internet addresses.

From the router I can ping internally and externally.

I'll try a few more things tonight and post my results.


Re: Added a 1711 to the mix - trouble allowing traffic

As I understand it.

You pull an IP from the router to the Linksys, and the hosts connected to the Linksys pull a DHCP address?

Is that correct?

From the host try a tracert and see where it dies, I would be interested in knowing that.

New Member

Re: Added a 1711 to the mix - trouble allowing traffic

Will do. (Tonight, as the router is not currently accessible.)

Also to note that I can currently connect to the configured VPN profile, but I cannot access any of the .200.0 clients despite that being my route I get a 'destination unreachable' from the outside IP address of my router (1711) also not exactly what I expected. The tunnel was built based on a split tunneling example in Cisco's documentation.

New Member

Re: Added a 1711 to the mix - trouble allowing traffic


Tracert shows a full path to both with my client directly connected to interface1 as well as wirelessly through the linksys.

DNS works as well via both connections.

I tried to apply vlan 1 to fastethernet 1 and despite entering 'switchport access vlan 1' and the router accepting the command it does not show - I think this may be intended considering the physical interface is located on the 4-port ethernet switch module.

I tried applying rules that read

allow ip any any

on both fastethernet0 in and vlan1 in, but I get the same exact results (even after a 'clear ip nat trans *')

Last but not least, here's a snippet of the 'sh ip nat trans'. Looks like it's doing what it's supposed to:

Pro Inside global Inside local Outside local Outside global



New Member

Re: Added a 1711 to the mix - trouble allowing traffic

Turned out the issue was the IP CEF command. This is twice this command has bit me in the a$$. I take it that the command is not widely supported, despite the fact that the lock-down assessment of my router advises me to enable it.
