07-27-2023 11:25 PM - edited 07-31-2023 05:53 PM
Egress equipment—core—Access Equipment—Client; now the egress equipment needs to do a cold standby, the equipment is CISCO2921/K9, after the configuration can not access the external network. The situation is as follows:
1: The client can ping the WAN port of the outlet device; Conversely, the outlet device can ping any client below;
2:The export equipment opens debug ip nat, discovered the client's data has been nat translation;
3: The export equipment directly ping the telecommunication gateway, discovered not to work (the question should be here, does not know why not work, in the simulation software test result is normal;)
4: Is there a need to configure the Dialer1 and Virtual-Template1 interfaces?
Thank you!!!
The export equipment is configured as follows:
NG_route#show run
Building configuration.
Current configuration : 4661 bytes
! Last configuration change at 07:56:17 UTC Fri Jul 28 2023
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NG_route
!
boot-start-marker
boot-end-marker
!
!
interface GigabitEthernet0/1
description WAN
ip address 36.7.84.10 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description LAN
ip address 192.192.192.2 255.255.255.252
ip nat inside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
!
ip nat pool isp 36.7.84.10 36.7.84.10 netmask 255.255.255.0
ip nat inside source list NG_ACL pool isp overload
ip nat inside source static tcp 192.100.200.5 7500 36.7.84.11 7500 extendable
ip nat inside source static udp 192.100.200.5 7500 36.7.84.11 7500 extendable
ip nat inside source static tcp 192.121.200.171 8000 36.7.84.16 8000 extendable
ip nat inside source static tcp 192.121.200.90 8089 36.7.84.16 8089 extendable
ip nat inside source static tcp 192.121.200.28 9100 36.7.84.16 9100 extendable
ip nat inside source static tcp 192.121.200.247 1433 36.7.84.16 9500 extendable
ip nat inside source static tcp 192.107.200.20 3389 36.7.84.20 3389 extendable
ip nat inside source static tcp 1.1.1.3 4444 36.7.84.20 4444 extendable
ip route 0.0.0.0 0.0.0.0 36.7.84.1
ip route 192.100.200.0 255.255.255.0 192.192.192.1
ip route 192.101.200.0 255.255.255.0 192.192.192.1
ip route 192.102.200.0 255.255.255.0 192.192.192.1
ip route 192.103.200.0 255.255.255.0 192.192.192.1
ip route 192.104.200.0 255.255.255.0 192.192.192.1
ip route 192.105.200.0 255.255.255.0 192.192.192.1
ip route 192.106.200.0 255.255.255.0 192.192.192.1
ip route 192.107.200.0 255.255.255.0 192.192.192.1
ip route 192.108.200.0 255.255.255.0 192.192.192.1
ip route 192.109.200.0 255.255.255.0 192.192.192.1
ip route 192.110.200.0 255.255.255.0 192.192.192.1
ip route 192.111.200.0 255.255.255.0 192.192.192.1
ip route 192.112.200.0 255.255.255.0 192.192.192.1
ip route 192.113.200.0 255.255.255.0 192.192.192.1
ip route 192.114.200.0 255.255.255.0 192.192.192.1
ip route 192.115.200.0 255.255.255.0 192.192.192.1
ip route 192.116.200.0 255.255.255.0 192.192.192.1
ip route 192.117.200.0 255.255.255.0 192.192.192.1
ip route 192.118.200.0 255.255.255.0 192.192.192.1
ip route 192.119.200.0 255.255.255.0 192.192.192.1
ip route 192.120.200.0 255.255.255.0 192.192.192.1
ip route 192.121.200.0 255.255.255.0 192.192.192.1
ip route 192.122.200.0 255.255.255.0 192.192.192.1
!
ip access-list extended NG_ACL
permit ip 192.100.200.0 0.0.0.255 any
permit ip 192.101.200.0 0.0.0.255 any
permit ip 192.102.200.0 0.0.0.255 any
permit ip 192.103.200.0 0.0.0.255 any
permit ip 192.104.200.0 0.0.0.255 any
permit ip 192.105.200.0 0.0.0.255 any
permit ip 192.106.200.0 0.0.0.255 any
permit ip 192.107.200.0 0.0.0.255 any
permit ip 192.108.200.0 0.0.0.255 any
permit ip 192.109.200.0 0.0.0.255 any
permit ip 192.110.200.0 0.0.0.255 any
permit ip 192.111.200.0 0.0.0.255 any
permit ip 192.112.200.0 0.0.0.255 any
permit ip 192.113.200.0 0.0.0.255 any
permit ip 192.114.200.0 0.0.0.255 any
permit ip 192.115.200.0 0.0.0.255 any
permit ip 192.116.200.0 0.0.0.255 any
permit ip 192.117.200.0 0.0.0.255 any
permit ip 192.118.200.0 0.0.0.255 any
permit ip 192.119.200.0 0.0.0.255 any
permit ip 192.120.200.0 0.0.0.255 any
permit ip 192.121.200.0 0.0.0.255 any
permit ip 192.122.200.0 0.0.0.255 any
permit ip 192.123.200.0 0.0.0.255 any
permit ip 192.192.192.1 0.0.0.2 any
!
control-plane
!
end
07-27-2023 11:34 PM
Hello,
Can you ping the default gateway 36.7.84.1? And add the network 192.192.192.2 255.255.255.252 to the ACL NG_ACL. Without it the network won't be able to NAT the traffic.
BR
07-27-2023 11:54 PM
Hello @DanielP211,
You have configured NG_ACL with IP add 192.100.200.0/24 and 192.101.200.0/24. It seems to be your LANs.
You have also Gi0/2 with this IP [192.192.192.0/30] , it seems to be th LAN side ?
Then, add ip route towards your two LANs
ip route 192.100.200.0 255.255.255.0 192.192.192.1
ip route 192.101.200.0 255.255.255.0 192.192.192.1
07-28-2023 12:56 AM
After the router is connected, ping does not pass the telecom gateway (' Exit Route—Core Switching—Access Layer' This part is normal, the route can ping to the host, the host also can ping the route), through the show ip nat tra view, has nat out, but does not know why the gateway:36.7.84.1 is not working. 192.192.192.2 This ip has already been added to NG_ACL (it was forgotten above).
07-28-2023 12:58 AM
Good afternoon. Egress Routing—Core Switching—Access It's all right. I just can't get out. What I want to know is whether the expiration of the license on the 2921 router will affect the network. Thank you
07-28-2023 01:13 AM
No the licence expiration wouldn't affect that...
07-28-2023 01:03 AM
Hello,
the NAT configuration also does not look right. Make sure your config contains only the lines below:
interface GigabitEthernet0/1
ip address 36.7.84.10 255.255.255.0
ip nat outside
!
interface GigabitEthernet0/2
ip address 192.192.192.2 255.255.255.252
ip nat inside
!
ip nat pool isp 36.7.84.10 36.7.84.10 netmak 255.255.255.0
ip nat inside source list NG_ACL pool isp overload
!
ip access-list extended NG_ACL
permit ip 192.100.200.0 0.0.0.255 any
permit ip 192.101.200.0 0.0.0.255 any
permit ip 192.123.200.0 0.0.0.255 any
!
ip route 0.0.0.0 0.0.0.0 36.7.84.1
ip route 192.0.0.0 255.0.0.0 192.192.192.1
07-28-2023 01:38 AM
The configuration is as follows: Please look into it. Thank you. I don't know why the 36.7.84.1 gateway doesn't work:
NG_route#show run
Building configuration...
Current configuration : 4661 bytes
!
! Last configuration change at 07:56:17 UTC Fri Jul 28 2023
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NG_route
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$F7Il$DqKM8AKRMzQISbOVoFZzo1
!
no aaa new-model
!
!
!
!
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
cts logging verbose
!
!
license udi pid CISCO2921/K9 sn FGL190210A9
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN
no ip address
ip mtu 1400
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN
ip address 36.7.84.10 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description LAN
ip address 192.192.192.2 255.255.255.252
ip nat inside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
!
ip nat pool isp 36.7.84.10 36.7.84.10 netmask 255.255.255.0
ip nat inside source list NG_ACL pool isp overload
ip nat inside source static tcp 192.100.200.5 7500 36.7.84.11 7500 extendable
ip nat inside source static udp 192.100.200.5 7500 36.7.84.11 7500 extendable
ip nat inside source static tcp 192.121.200.171 8000 36.7.84.16 8000 extendable
ip nat inside source static tcp 192.121.200.90 8089 36.7.84.16 8089 extendable
ip nat inside source static tcp 192.121.200.28 9100 36.7.84.16 9100 extendable
ip nat inside source static tcp 192.121.200.247 1433 36.7.84.16 9500 extendable
ip nat inside source static tcp 192.107.200.20 3389 36.7.84.20 3389 extendable
ip nat inside source static tcp 1.1.1.3 4444 36.7.84.20 4444 extendable
ip route 0.0.0.0 0.0.0.0 36.7.84.1
ip route 192.100.200.0 255.255.255.0 192.192.192.1
ip route 192.101.200.0 255.255.255.0 192.192.192.1
ip route 192.102.200.0 255.255.255.0 192.192.192.1
ip route 192.103.200.0 255.255.255.0 192.192.192.1
ip route 192.104.200.0 255.255.255.0 192.192.192.1
ip route 192.105.200.0 255.255.255.0 192.192.192.1
ip route 192.106.200.0 255.255.255.0 192.192.192.1
ip route 192.107.200.0 255.255.255.0 192.192.192.1
ip route 192.108.200.0 255.255.255.0 192.192.192.1
ip route 192.109.200.0 255.255.255.0 192.192.192.1
ip route 192.110.200.0 255.255.255.0 192.192.192.1
ip route 192.111.200.0 255.255.255.0 192.192.192.1
ip route 192.112.200.0 255.255.255.0 192.192.192.1
ip route 192.113.200.0 255.255.255.0 192.192.192.1
ip route 192.114.200.0 255.255.255.0 192.192.192.1
ip route 192.115.200.0 255.255.255.0 192.192.192.1
ip route 192.116.200.0 255.255.255.0 192.192.192.1
ip route 192.117.200.0 255.255.255.0 192.192.192.1
ip route 192.118.200.0 255.255.255.0 192.192.192.1
ip route 192.119.200.0 255.255.255.0 192.192.192.1
ip route 192.120.200.0 255.255.255.0 192.192.192.1
ip route 192.121.200.0 255.255.255.0 192.192.192.1
ip route 192.122.200.0 255.255.255.0 192.192.192.1
!
ip access-list extended NG_ACL
permit ip 192.100.200.0 0.0.0.255 any
permit ip 192.101.200.0 0.0.0.255 any
permit ip 192.102.200.0 0.0.0.255 any
permit ip 192.103.200.0 0.0.0.255 any
permit ip 192.104.200.0 0.0.0.255 any
permit ip 192.105.200.0 0.0.0.255 any
permit ip 192.106.200.0 0.0.0.255 any
permit ip 192.107.200.0 0.0.0.255 any
permit ip 192.108.200.0 0.0.0.255 any
permit ip 192.109.200.0 0.0.0.255 any
permit ip 192.110.200.0 0.0.0.255 any
permit ip 192.111.200.0 0.0.0.255 any
permit ip 192.112.200.0 0.0.0.255 any
permit ip 192.113.200.0 0.0.0.255 any
permit ip 192.114.200.0 0.0.0.255 any
permit ip 192.115.200.0 0.0.0.255 any
permit ip 192.116.200.0 0.0.0.255 any
permit ip 192.117.200.0 0.0.0.255 any
permit ip 192.118.200.0 0.0.0.255 any
permit ip 192.119.200.0 0.0.0.255 any
permit ip 192.120.200.0 0.0.0.255 any
permit ip 192.121.200.0 0.0.0.255 any
permit ip 192.122.200.0 0.0.0.255 any
permit ip 192.123.200.0 0.0.0.255 any
permit ip 192.192.192.1 0.0.0.2 any
!
!
!
!
control-plane
!
!
end
NG_route#
07-28-2023 01:53 AM
Ping from that router to 36.7.84.1 is OK ?
Possible to dump Traffic on the equipement where the IP 36.7.84.1 is configured ?
The issue is not due to licence expiration.
07-28-2023 03:54 AM
The routing device ping does not access gateway 36.7.84.1 (the ip is the operator room ip), and the other routes are replaced, and the access network is normal. Does the router have gi0/0 (rj45), 0/1 (sfp and rj45), gi0/2 (rj45), and Aux interfaces, and does outside require an interface? Thank you
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide