1941W Routing and NAT question , any ideas?

dbrockma
Cisco Employee

All,

First off, I have been using Cisco IOS routers for many years.  I have a 1941W that is giving me fits.  I have a simple configuration with Gig0/0 being the WAN link and Gig0/1 being the LAN link.  (Don't get me started on the AP.....I may buy a Linksys to do my WiFi...)

I used an existing configuration I had for NAT from a 3825 running IOS 12.4.  I ported it very carefully to the 1941W running 15.2(2)T.  It did not work, but here is my config for the 1941W.  I added --------------------------------------- around what I 'think' are the relevant parts:

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 9999999
no logging console
enable secret 5 XXXXXXXXXXXXXXXXX

enable password XXXXXXXXXXXXXXXX
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
no ipv6 cef
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.20.40.1 172.20.40.100
!
ip dhcp pool pool1
network 172.20.40.0 255.255.255.0
default-router 172.20.40.1
option 150 ip 76.204.73.242
dns-server 68.94.157.1
!
!
ip cef
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1941W-A/K9 sn FTX15240336
hw-module ism 0
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!

-----------------------------------------------------------------------My WAN connection and IP
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 173.8.181.225 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!

-----------------------------------------------------------Don't care about wireless yet!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
shutdown
arp timeout 0
no mop enabled
no mop sysid

-------------------------------------------------------------My inside LAN connection
interface GigabitEthernet0/1
ip address 172.20.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface Vlan1
no ip address
!
ip default-gateway 173.8.181.230
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 173.8.181.230
!
access-list 101 permit ip 172.20.40.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
line con 0
password XXXXXXXXXXX
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
password XXXXXXXXXXXXXXXX
login
transport input all
transport output all
line vty 5 15
privilege level 15
login local
transport input all
!
scheduler allocate 20000 1000
!
end

When I put the bolded lines in a 3825, it works fine.  In the 1941W, it won't route. The DHCP works fine on that interface, I have a netbook attached to it.  From the netbook [IP 172.20.40.101] I can ping 172.20.40.1, but can not ping 173.8.181.225, nor get anywhere outside my local network.

Doing an extended ping from the router console, source IP 172.20.40.1, it will not ping 173.8.181.225.

I tried the simple config from https://supportforums.cisco.com/thread/2129368, which seems to change the access list from 101 to 1, and it works fine.

My question is what is the difference between

ip nat inside source list 101 interface GigabitEthernet0/0 overload

access-list 101 permit ip 172.20.40.0 0.0.0.255 any

and

ip nat inside source list 1 interface GigabitEthernet0/0 overload

access-list 1 permit 172.20.40.0 0.0.0.255

and why does one work in IOS 12.4 and not in 15.2?

Now on to the AP, sub interfaces, etc.  I'm working with https://supportforums.cisco.com/thread/2028286 thread on that one.

Thanks for any help.

3 Replies

johnlloyd_13
Level 9

hi david,

could you post your show ip interface brief output?

remove this line from your config:

no ip default-gateway 173.8.181.230

try to swap UTP patch cable, hardcode 100/full on your WAN interface and see if it works.

with your question regarding the ACL, it's just a matter of preference whether to use a standard or extended ACL but the object to NAT internal address is the same.
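
Added example, not written by any participant in this thread: a Python check of the statement above that ACL 101 and ACL 1 select the same inside sources for NAT, using IOS wildcard-mask matching. It parses only the two numbered-ACL forms quoted in the thread, and the test addresses 172.20.41.5 and 10.0.0.7 are constructed.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    # IOS wildcard mask: a 1 bit means "ignore this bit", the inverse of a netmask.
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def parse_ace(line):
    """Parse only the two numbered-ACL forms quoted in the thread."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("unsupported ACL line: " + line)
    num = int(tok[1])
    if 1 <= num <= 99:                      # standard ACL: source only
        return {"action": tok[2], "src": (tok[3], tok[4]), "dst": None}
    if 100 <= num <= 199 and len(tok) == 7 and tok[3] == "ip" and tok[6] == "any":
        return {"action": tok[2], "src": (tok[4], tok[5]), "dst": "any"}
    raise ValueError("unsupported ACL line: " + line)

def selected_for_nat(ace, src, dst):
    """True if a packet src->dst is permitted by the ACE, so NAT would translate it.
    A non-matching packet falls through to the implicit deny ending every ACL."""
    if not wildcard_match(src, *ace["src"]):
        return False
    # dst is None (standard ACL) or "any": the destination never restricts the match.
    return ace["action"] == "permit"

ACL_101 = parse_ace("access-list 101 permit ip 172.20.40.0 0.0.0.255 any")
ACL_1 = parse_ace("access-list 1 permit 172.20.40.0 0.0.0.255")

def compare(sources, dst="173.8.181.230"):
    """Return {src: (ACL 101 result, ACL 1 result)} for each source address."""
    return {s: (selected_for_nat(ACL_101, s, dst), selected_for_nat(ACL_1, s, dst))
            for s in sources}

if __name__ == "__main__":
    # 172.20.40.101 is the netbook from the thread; the last two are constructed.
    for src, res in compare(["172.20.40.101", "172.20.40.1",
                             "172.20.41.5", "10.0.0.7"]).items():
        print(src, res)
```

Both entries give identical results for every source, so the check covers only the matching logic of the two ACLs and says nothing about why the 15.2(2)T image behaved differently.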

Router#sh ip int brief
Any interface listed with OK? value "NO" does not have a valid configuration

Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES unset  administratively down down
GigabitEthernet0/0         173.8.181.225   YES manual up                    up
wlan-ap0                   unassigned      YES unset  administratively down down
GigabitEthernet0/1         172.20.40.1     YES manual up                    up
Wlan-GigabitEthernet0/0    unassigned      YES unset  up                    up
GigabitEthernet0/0/0       unassigned      YES unset  down                  down
GigabitEthernet0/0/1       unassigned      YES unset  down                  down
GigabitEthernet0/0/2       unassigned      YES unset  down                  down
GigabitEthernet0/0/3       unassigned      YES unset  down                  down
NVI0                       unassigned      NO  unset  up                    up
Vlan1                      unassigned      YES unset  up                    up
Router#

Using the extended ACL as follows, there is no connectivity between the LAN and WAN:

ip nat inside source list 101 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 173.8.181.230

access-list 101 permit ip 172.20.40.0 0.0.0.255 any

BUT this works fine.

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 173.8.181.230

access-list 1 permit 172.20.40.0 0.0.0.255

What I am curious about is why exactly the top command [101] works on every router I have ever tested or used up to the latest IOS 12.4, but does not on the 1941W with IOS 15.x.

Swapping cables and hard coding to 100Mb ethernet did not have any effect.

With your help using a non-extended ACL it works fine though, so I am moving on to the AP.

Thanks

hi david,

thanks for confirming back! it's very strange indeed and it could be an IOS bug.

maybe folks from cisco can confirm on this.
