02-21-2012 05:22 PM - edited 03-04-2019 03:22 PM
All,
First off, I have been using Cisco IOS routers for many years. I have a 1941W that is giving me fits. I have a simple configuration with Gig0/0 being the WAN link and Gig0/1 being the LAN link. (Don't get me started on the AP.....I may buy a Linksys to do my WiFi...)
I used an existing configuration I had for NAT from a 3825 running IOS 12.4. I ported it very carefully to the 1941W running 15.2(2)T. It did not work, but here is my config for the 1941W. I added --------------------------------------- around what I 'think' are the relevant parts:
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 9999999
no logging console
enable secret 5 XXXXXXXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXX
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
no ipv6 cef
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.20.40.1 172.20.40.100
!
ip dhcp pool pool1
network 172.20.40.0 255.255.255.0
default-router 172.20.40.1
option 150 ip 76.204.73.242
dns-server 68.94.157.1
!
!
ip cef
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1941W-A/K9 sn FTX15240336
hw-module ism 0
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
-----------------------------------------------------------------------My WAN connection and IP
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 173.8.181.225 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
-----------------------------------------------------------Don't care about wireless yet!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
shutdown
arp timeout 0
no mop enabled
no mop sysid
-------------------------------------------------------------My inside LAN connection
interface GigabitEthernet0/1
ip address 172.20.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface Vlan1
no ip address
!
ip default-gateway 173.8.181.230
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 173.8.181.230
!
access-list 101 permit ip 172.20.40.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
line con 0
password XXXXXXXXXXX
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
password XXXXXXXXXXXXXXXX
login
transport input all
transport output all
line vty 5 15
privilege level 15
login local
transport input all
!
scheduler allocate 20000 1000
!
end
When I put the bolded lines in a 3825, it works fine. In the 1941W, it won't route. The DHCP works fine on that interface, I have a netbook attached to it. From the netbook [IP 172.20.40.101] I can ping 172.20.40.1, but can not ping 173.8.181.225, nor get anywhere outside my local network.
Doing an extended ping from the router console, source IP 172.20.40.1, it will not ping 173.8.181.225.
I tried the simple config from https://supportforums.cisco.com/thread/2129368, which seems to change the access list from 101 to 1, and it works fine.
My question is what is the difference between
ip nat inside source list 101 interface GigabitEthernet0/0 overload
access-list 101 permit ip 172.20.40.0 0.0.0.255 any
and
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 172.20.40.0 0.0.0.255
and why does one work in IOS 12.4 and not in 15.2?
Now on to the AP, sub interfaces, etc. I'm working with https://supportforums.cisco.com/thread/2028286 thread on that one.
Thanks for any help.
02-21-2012 07:06 PM
hi david,
could you post your show ip interface brief output?
remove this line from your config:
no ip default-gateway 173.8.181.230
try to swap UTP patch cable, hardcode 100/full on your WAN interface and see if it works.
with your question regarding the ACL, it's just a matter of preference whether to use a standard or extended ACL but the object to NAT internal address is the same.
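Added example, not part of any poster's reply: a small Python check of the point above, that access-list 1 and access-list 101 from this thread select the same inside source addresses for NAT. It models only IOS wildcard-mask matching and the implicit deny, so it does not explain the 15.2 behaviour; the function names and the sample addresses other than 172.20.40.101 are constructed for illustration.

```python
import ipaddress

# The two ACL lines quoted in the thread.
ACL_1 = "access-list 1 permit 172.20.40.0 0.0.0.255"
ACL_101 = "access-list 101 permit ip 172.20.40.0 0.0.0.255 any"

# Constructed sample inside hosts; 172.20.40.101 is the netbook from the post.
SAMPLES = ["172.20.40.101", "172.20.40.1", "172.20.41.5", "10.0.0.1"]


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_acl(line):
    """Parse the two numbered ACL shapes used in the thread (hypothetical helper)."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    num = int(tok[1])
    if 1 <= num <= 99 and len(tok) == 5:
        # Standard ACL: matches on source address only.
        kind, src, wild = "standard", tok[3], tok[4]
    elif 100 <= num <= 199 and len(tok) == 7 and tok[3] == "ip" and tok[6] == "any":
        # Extended ACL: protocol ip, source + wildcard, destination "any".
        kind, src, wild = "extended", tok[4], tok[5]
    else:
        raise ValueError(f"unsupported ACL line: {line!r}")
    return {"kind": kind, "permit": tok[2] == "permit",
            "src": _ip(src), "wild": _ip(wild)}


def selects_for_nat(acl, inside_src):
    """True if the ACL permits this source; no match falls to the implicit deny."""
    care = ~acl["wild"] & 0xFFFFFFFF      # wildcard 0-bits must match, 1-bits are ignored
    hit = ((_ip(inside_src) ^ acl["src"]) & care) == 0
    return hit and acl["permit"]


def compare(samples=SAMPLES):
    """Return (address, standard result, extended result) for each sample."""
    std, ext = parse_acl(ACL_1), parse_acl(ACL_101)
    return [(ip, selects_for_nat(std, ip), selects_for_nat(ext, ip)) for ip in samples]


if __name__ == "__main__":
    for ip, std, ext in compare():
        print(f"{ip:15} list 1: {std!s:5} list 101: {ext}")
```

Because the extended entry's destination is `any`, both lists reduce to the same source test, which is why the difference seen on the 1941W cannot be attributed to what the ACLs match.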
02-21-2012 11:26 PM
Router#sh ip int brief
Any interface listed with OK? value "NO" does not have a valid configuration
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES unset administratively down down
GigabitEthernet0/0 173.8.181.225 YES manual up up
wlan-ap0 unassigned YES unset administratively down down
GigabitEthernet0/1 172.20.40.1 YES manual up up
Wlan-GigabitEthernet0/0 unassigned YES unset up up
GigabitEthernet0/0/0 unassigned YES unset down down
GigabitEthernet0/0/1 unassigned YES unset down down
GigabitEthernet0/0/2 unassigned YES unset down down
GigabitEthernet0/0/3 unassigned YES unset down down
NVI0 unassigned NO unset up up
Vlan1 unassigned YES unset up up
Router#
Using the extended ACL as follows, there is no connectivity between the LAN and WAN:
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 173.8.181.230
access-list 101 permit ip 172.20.40.0 0.0.0.255 any
BUT this works fine.
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 173.8.181.230
access-list 1 permit 172.20.40.0 0.0.0.255
What I am curious about is why exactly the top command [101] works on every router I have ever tested or used up to the latest IOS 12.4, but does not on the 1941W with IOS 15.x.
Swapping cables and hard coding to 100Mb ethernet did not have any effect.
With your help using a non-extended ACL it works fine though, so I am moving on to the AP.
Thanks
02-21-2012 11:35 PM
hi david,
thanks for confirming back! it's very strange indeed and it could be an IOS bug.
maybe folks from cisco can confirm on this.