01-31-2021 09:04 AM - edited 02-03-2021 02:48 AM
A few days ago I made a stray post that did not receive answers (it ended up in the wrong place, if any admins are reading this, please delete it at https://community.cisco.com/t5/switching/nat-on-isr-1921-not-working/m-p/4280492#M499556). I have checked related posts and in particular tried to follow the configuration described in https://community.cisco.com/t5/switching/how-do-you-connect-a-cisco-router-to-the-internet-through-a/td-p/2242370/page/6. This gave slightly more promising results, but still does not work as intended.
My purpose is connecting "GUEST" LAN 192.168.1.0/24 via NAT to "HOME" LAN 192.168.8.0/24 for both networks to share the mobile Internet gateway at 192.168.8.1. The gateway receives only a single global IP address from the ISP.
The 1921 configuration:
C1921#sh config
Using 2539 out of 262136 bytes
!
! Last configuration change at 16:13:02 UTC Sun Jan 31 2021
! NVRAM config last updated at 16:13:14 UTC Sun Jan 31 2021
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C1921
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 ###################.
!
no aaa new-model
!
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool GUEST
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.4.4 8.8.8.8
!
ip domain name SAVAZZI.LOCAL
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO1921/K9 sn FCZ161821DA
!
vtp domain VELUX
vtp mode transparent
username Enrico password 0 ########
!
redundancy
!
vlan 2
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description ##HOME##
 ip address dhcp
 ip access-group HOME in
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 duplex full
 speed 1000
!
interface GigabitEthernet0/1
 description ##GUEST##
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 duplex full
 speed 1000
!
interface GigabitEthernet0/0/0
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet0/0/1
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet0/0/2
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet0/0/3
 switchport access vlan 2
 no ip address
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool GuestNatPool 192.168.8.200 192.168.8.220 netmask 255.255.255.192
ip nat inside source list 10 pool GuestNatPool overload
ip nat inside source list GUEST interface Embedded-Service-Engine0/0 overload
ip ssh version 2
!
ip access-list standard GUEST
 permit 192.168.1.0 0.0.0.255
!
ip access-list extended HOME
 permit tcp any any established
 deny tcp any any
 permit ip any any
!
control-plane
!
line con 0
 exec-timeout 30 0
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 34.202.215.187
ntp server pool.ntp.org
!
end
G0/0 successfully receives IP configuration by DHCP from the gateway and the 1921 (directly wired to a 1G switch port on the gateway) pings the gateway successfully. If the 1921 is connected to the gateway via a smart switch (which has multiple VLANs but no tagged ports), the 1921 can no longer ping the gateway, in spite of multiple PCs connected to the same switch VLAN happily using the gateway. Edit 2021-02-03: After adding ip tcp adjust-mss 1452 to each interface that has an IP address, C1921 can ping the gateway even after I assign static IP address 192.168.8.2 to C1921, and can be pinged by other devices on the same network.
A PC connected to G0/1 successfully receives its IP configuration from the 1921 and pings its gateway 192.168.1.1 successfully. It cannot ping the assigned DNS servers, nor anything else. Naturally it cannot access the Internet, either. For reasons unknown to me, the PC does not even accept a static IP address (e.g. 192.168.1.10, which is outside the DHCP address pool). Not even if I release the DHCP address manually on the PC (ipconfig /release). EDIT 21-02-02: This problem disappeared after rebooting the PC. It now accepts a manually configured IP address and still pings 192.168.1.1.
My primary interest is making PCs attached to G0/1 use the Internet gateway attached to G0/0. The other problems are odd, but I could live with them and I am mentioning them just because they might say something about my main problem.
02-22-2021 05:16 AM - edited 02-22-2021 05:19 AM
Well, no replies at all to this thread, so I can just as well answer it myself.
First of all, the following solution works on a 2921 router. I did not try it yet on the 1921 that I described in my original post. However, I don't see a reason why it should not work also on a 1900 series router.
Additionally, it is not a complete solution because I did not succeed in making it work with dynamic mapping of the NAT-outside address. However, it works flawlessly by using static mapping between inside and outside address. It is possible that dynamic mapping did not work for me because these routers are not really designed for a home environment where NAT uses modern, relatively complex and relatively unsafe technologies like PnP. Static mapping avoids all such complexities, but is not suitable with a router facing toward an ISP that assigns just a single IP address (which is how virtually all home routers work). Since implementing the static mapping shown below, I have been surfing the web and doing other things on the Internet without any major compatibility problem (I did receive a few warnings about logins from a new device - perhaps some secure web services can detect that the MAC address of origin has changed, either because of the Cisco router's MAC, or because I am using a different NIC to connect through the Cisco NAT). I am writing this post while connected through the daisy-chained Cisco router NAT and Huawei home router NAT, so the proof is in the pudding.
In the following configuration, the LAN network connected to the home router is 192.168.8.0/24. My PC is currently connected to network 192.168.1.0/24 and gets its DHCP configuration there, and additionally there is a 192.168.2.0/24 network also connected to the home network via its own NAT (so the router is actually serving simultaneously two NAT inside networks and two DHCP address pools, which works just fine). The NAT address pools and the corresponding DHCP address pools contain just three IP addresses each, but scaling up is practical if you can use a wider netmask on the home network (my ISP locks it to /24 without any way to change it, so no luck here).
The configuration sequence, with comments:
!
! DHCP server address pools
!
ip dhcp excluded-address 192.168.1.1 192.168.1.6
ip dhcp excluded-address 192.168.1.10 192.168.1.254
ip dhcp pool GUEST1
 network 192.168.1.0 /24
 domain-name GUEST1.local
 default-router 192.168.1.1
 dns-server 192.168.8.1 8.8.8.8 8.8.4.4
 exit
!
ip dhcp excluded-address 192.168.2.1 192.168.2.2
ip dhcp excluded-address 192.168.2.6 192.168.2.254
ip dhcp pool GUEST2
 network 192.168.2.0 /24
 domain-name GUEST2.local
 default-router 192.168.2.1
 dns-server 192.168.8.1 8.8.8.8 8.8.4.4
 exit
!
! NAT static address mappings
!
ip nat inside source static 192.168.2.3 192.168.8.3
ip nat inside source static 192.168.2.4 192.168.8.4
ip nat inside source static 192.168.2.5 192.168.8.5
!
ip nat inside source static 192.168.1.7 192.168.8.7
ip nat inside source static 192.168.1.8 192.168.8.8
ip nat inside source static 192.168.1.9 192.168.8.9
!
! IP interfaces
!
interface GigabitEthernet0/0
 description ##HOME##
 ip address 192.168.8.2 255.255.255.0
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex full
 speed 1000
 no shutdown
!
interface GigabitEthernet0/1
 description ##GUEST1##
 media-type rj45 auto-failover
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 no shutdown
!
interface GigabitEthernet0/2
 description ##GUEST2##
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex full
 speed 1000
 no shutdown
 exit
ip route 0.0.0.0 0.0.0.0 192.168.8.1
A few commands are router-specific, for example the 2921 GigabitEthernet 0/1 interface has a combined RJ45/SFP connector that requires a slightly different configuration.
02-22-2021 09:19 AM
Hello,
odd that you did not get a reply at all. Either way, by making the changes marked with --> below, NAT should work for both dynamic and static entries:
ip dhcp excluded-address 192.168.1.1 192.168.1.6
ip dhcp excluded-address 192.168.1.10 192.168.1.254
ip dhcp pool GUEST1
 network 192.168.1.0 /24
 domain-name GUEST1.local
 default-router 192.168.1.1
 dns-server 192.168.8.1 8.8.8.8 8.8.4.4
 exit
!
ip dhcp excluded-address 192.168.2.1 192.168.2.2
ip dhcp excluded-address 192.168.2.6 192.168.2.254
ip dhcp pool GUEST2
 network 192.168.2.0 /24
 domain-name GUEST2.local
 default-router 192.168.2.1
 dns-server 192.168.8.1 8.8.8.8 8.8.4.4
!
interface GigabitEthernet0/0
 description ##HOME##
 ip address 192.168.8.2 255.255.255.0
 ip nat outside
 --> no ip nat enable
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex full
 speed 1000
 no shutdown
!
interface GigabitEthernet0/1
 description ##GUEST1##
 media-type rj45 auto-failover
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 --> no ip nat enable
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 no shutdown
!
interface GigabitEthernet0/2
 description ##GUEST2##
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 --> no ip nat enable
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex full
 speed 1000
 no shutdown
!
ip nat inside source static 192.168.2.3 192.168.8.3
ip nat inside source static 192.168.2.4 192.168.8.4
ip nat inside source static 192.168.2.5 192.168.8.5
ip nat inside source static 192.168.1.7 192.168.8.7
ip nat inside source static 192.168.1.8 192.168.8.8
ip nat inside source static 192.168.1.9 192.168.8.9
!
--> ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 192.168.8.1
!
--> access-list 1 permit 192.168.1.0 0.0.0.255
--> access-list 1 permit 192.168.2.0 0.0.0.255
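The reply above boils down to two changes: drop ip nat enable (NVI-style NAT) from interfaces that already carry classic ip nat inside/outside, and point the overload rule at the interface that is actually ip nat outside. The following Python lint is an added example, not code from this thread or from Cisco; it parses a running-config and flags those two conditions, plus an overload interface that is shut down. The sample config is constructed to mirror the 1921 config in the first post, not a real device dump.

```python
import re

# Constructed sample modelled on the 1921 config in the first post (not a device dump).
SAMPLE_CONFIG = """\
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
 ip nat enable
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip nat enable
!
ip nat inside source list GUEST interface Embedded-Service-Engine0/0 overload
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]}; a bare '!' ends each block."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def lint_nat(config):
    """Return one human-readable finding per NAT misconfiguration found."""
    findings = []
    ifaces = parse_interfaces(config)
    for name, cmds in ifaces.items():
        # Classic (domain) NAT and NVI NAT ('ip nat enable') must not be mixed.
        classic = any(c in ("ip nat inside", "ip nat outside") for c in cmds)
        if classic and "ip nat enable" in cmds:
            findings.append(f"{name}: 'ip nat enable' mixed with 'ip nat inside/outside'")
    pattern = r"^ip nat inside source list \S+ interface (\S+) overload"
    for m in re.finditer(pattern, config, re.M):
        # PAT to an interface address only works on the 'ip nat outside' interface.
        out, cmds = m.group(1), ifaces.get(m.group(1), [])
        if "ip nat outside" not in cmds:
            findings.append(f"overload rule uses {out}, which is not 'ip nat outside'")
        if "shutdown" in cmds:
            findings.append(f"overload rule uses {out}, which is shut down")
    return findings
```

Running lint_nat(SAMPLE_CONFIG) reports both GigabitEthernet interfaces for the mixed NAT modes and the overload rule twice (wrong interface, interface shut down); applying the reply's changes to the sample yields no findings.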
02-22-2021 12:25 PM
Thanks for the suggestions. For what concerns static NAT mapping, the configuration you suggested appears to work exactly the same way as before the changes. Dynamic mapping also appears to work with the changes, but I did a little investigation to understand more of what is going on.
To test dynamic mapping, I connected a NIC with static IP address (outside the DHCP address pool of course) to ##GUEST1##, and another with static IP address to ##GUEST2##.
After using the Internet for a while, sh ip nat translations shows that some of the traffic to/from ##GUEST2## passed through 192.168.8.2 (i.e. the address of router interface GigabitEthernet 0/0) and some through 192.168.8.3 (which is part of the static NAT address pool for ##GUEST2##).
Similarly, some Internet traffic to/from ##GUEST1## passed through 192.168.8.7 (which is part of the static NAT address pool for ##GUEST1##), part through 192.168.8.2 (router interface GigabitEthernet 0/0).
As far as I can see, there is no port remapping between Inside global (##HOME##) and Inside local (##GUEST1## or ##GUEST2##) with my test setup of only one NIC per network. Would TCP/UDP port remapping take place when multiple computers are using the same NAT outside addresses and their originating ports may overlap?