2 Replies Latest reply on Aug 14, 2012 1:12 PM by joshmurphy

    Using secondary Internet Connection for Guest vlan

    joshmurphy New Member

      I have a guest access vlan setup that I want to push out all internet traffic to the DSL line on eth 0/2. I am doing this by using the route-map statements but it is not working.


      Secondary DSL gateway is


      I am not able to ping from: (vlan3) to (DSL)


      I am able to ping:

      from (eth 0/2) to (DSL)

      from (vlan 3) to


      And here's the crazy one,  I can ping from (vlan 1) to (DSL)


      Any help would be greatly appreciated.



        • Re: Using secondary Internet Connection for Guest vlan

          joshmurphy - Thanks for posting on the forum!


          First, I want to let you know that the ping from (VLAN3) and (DSL) will not work because source pings will not work through NATs.


          On another note you mentioned, that you were able to ping from (VLAN 1) to However, you referred to the as the DSL gateway. I was under the impression this was VLAN 3. Could you clarify whether you were pinging VLAN 3 or the DSL gateway from VLAN 1?


          Everything on your configuration looked correct to me. To troubleshoot this further, I would recommend the following steps using a PC plugged into VLAN 3:


          1. From the PC start a running ping to . This is a DNS server out on the internet and is often pinged to confirm internet connectivity. The command to start a running ping from Windows is "ping /t".


          2. While the running ping is going, issue the show ip policy-session "Private 3 - Guest" command from the CLI of the AOS device. You will want to find the session that corresponds to the running ping you have going and verify that it is a.) being NATted correctly and b.) being directed out the correct route. If traffic is being NATted and routed correctly, the session should look something like this:


          Src Vrf (if not default), Src policy class:

          Protocol (TTL) [in crypto map] -> [out crypto map] Dest VRF, Dest policy-class

            Src IP Address  Src Port    Dest IP Address    Dst Port    NAT IP Address    NAT Port

            ---------------            --------          ---------------         --------     -----------------           --------

          Policy class "Private 3 - Guest":


          icmp (60) -> "Public 3 - Guest"

            192.168.10.x          1                       1      s    1


          If the session does not look like the above, then please post what you are seeing for us to review.


          If the session does look like the above, then you will want to attempt to plug the PC directly into the DSL modem (taking the NetVanta device out of the picture) and see if you are able to get out to the internet that way. Be sure to note the IP settings your PC retrieves when plugged into the DSL modem.


          Please do not hesitate to let us know if you have any questions and what your results are from the troubleshooting steps above.