3845 and trouble with nat


I recently bought a 3845 off eBay to replace my 3745.

On my 3745 I used 3x NME-16ES-1G-p for inter-VLAN routing and had the full AC + inline power setup, so I was able to power my AP via PoE without an injector (and one NM-1GE for the connection to a D3 cable modem).

Anyway, using the same version of IOS I can't seem to get NAT to work, even though the config is nearly the same.

On the 3845 I don't need the NM-1GE, which was Gi2/0, so on the 3845 Gi0/0 is the WAN interface.

Here's the ver and config:

---------------------------------------
Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 12.4(25d),
RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 18-Aug-10 09:04 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)

RLH-Router uptime is 35 minutes
System returned to ROM by reload at 09:40:57 central Sun Dec 8 2013
System restarted at 09:49:09 central Sun Dec 8 2013
System image file is "flash:c3845-adventerprisek9-mz.124-25d.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 3845 (revision 1.0) with 991232K/57344K bytes of memory.
Processor board ID FTX1444A0XP
5 Gigabit Ethernet interfaces
3 terminal lines
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
125440K bytes of ATA System CompactFlash (Read/Write)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
!
! No configuration change since last restart
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RLH_router
!
boot-start-marker
boot system flash:c3745-adventerprisek9-mz.124-25d.bin
boot-end-marker
!
no logging buffered
!
no aaa new-model
clock timezone central -6
clock summer-time -0500 recurring
ip cef
!
!
!
!
ip domain name RLH-domain.net
ip name-server 10.0.3.5
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ipv6 unicast-routing
ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username rlh privilege 15 password 5 blabla
archive
log config
  hidekeys
!
!
ip ftp username (leaving this out for now)
ip ftp password (leaving this out for now)
!
class-map match-all game (leaving this out for now)
match access-group 101 (leaving this out for now)
class-map match-any Xbox360 (leaving this out for now)
match ip dscp ef (leaving this out for now)
!
!
policy-map game (leaving this out for now)
class game (leaving this out for now)
  set ip dscp ef (leaving this out for now)
policy-map Xbox360 (leaving this out for now)
class Xbox360 (leaving this out for now)
  bandwidth 1024 (leaving this out for now)
!
!
!
!
!
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
bandwidth 30000
no ip address
ipv6 address 2001:ZZZZ:1F0E:2::2/64
ipv6 enable
ipv6 traffic-filter Internet in
ipv6 ospf 1 area 0
keepalive 10 3
tunnel source 75.x.y.33
tunnel destination 216.218.224.42
tunnel mode ipv6ip
tunnel checksum
!
interface FastEthernet0/0 (won't exist on 3845)
no ip address
shutdown
speed auto
full-duplex
!
interface FastEthernet0/1 (won't exist on 3845)
no ip address
shutdown
duplex auto
speed 100
!
interface GigabitEthernet1/0
description Link to NME-16ES-1G-p
ip address 10.255.255.1 255.255.255.252
ip nat inside
ip virtual-reassembly
ipv6 address 2001:470:B801:FFFF::/127
ipv6 ospf 1 area 0
!
interface GigabitEthernet2/0 (moving this config to Gi0/0; the NM-1GE won't be needed and I plan to put an EtherSwitch here)
description Link to Comcast
bandwidth 76000
ip address 75.x.y.35 255.255.255.248 secondary
ip address 75.x.y.36 255.255.255.248 secondary
ip address 75.x.y.37 255.255.255.248 secondary
ip address 75.x.y.33 255.255.255.248
ip access-group 110 in (holding off till all's working)
ip nat outside
ip virtual-reassembly
negotiation auto
!
interface GigabitEthernet3/0
description Link to NME-16ES-1G-p (number 3)
ip address 10.255.255.9 255.255.255.252
ip nat inside
ip virtual-reassembly
ipv6 address 2001:470:B801:FFFF::4/127
ipv6 ospf 1 area 0
!
interface GigabitEthernet4/0
description Link to NME-16ES-1G-p (number 4)
ip address 10.255.255.13 255.255.255.252
ip nat inside
ip virtual-reassembly
ipv6 address 2001:470:B801:FFFF::6/127
ipv6 ospf 1 area 0
!
router eigrp 1
redistribute static
network 10.255.255.0 0.0.0.3
network 10.255.255.4 0.0.0.3
network 10.255.255.8 0.0.0.3
network 10.255.255.12 0.0.0.3
auto-summary
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.x.y.38
!
!
no ip http server
ip http port 1025
ip http authentication local
no ip http secure-server
ip nat translation timeout 2
ip nat pool RLH1 75.x.y.35 75.x.y.35 netmask 255.255.255.248
ip nat pool RLH2 75.x.y.36 75.x.y.36 netmask 255.255.255.248
ip nat pool RLH3 75.x.y.37 75.x.y.37 netmask 255.255.255.248
ip nat inside source list 1 pool RLH1 overload
ip nat inside source list 2 pool RLH2 overload
ip nat inside source list 3 pool RLH3 overload

(Leaving out the static NAT translations till things are working; I deleted this part so I don't have to filter it, but I'm leaving one here as an example of how I have them.)

ip nat inside source static udp 10.0.3.10 27178 75.x.y.36 27178 extendable
!
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 deny   any
access-list 2 permit 10.0.3.0 0.0.0.255
access-list 2 deny   any
access-list 3 permit 10.0.4.0 0.0.0.255
access-list 3 deny   any
access-list 4 permit 10.255.255.0 0.0.0.3
access-list 4 deny   any
access-list 50 permit 10.0.0.0 0.0.0.255
access-list 50 deny   any
access-list 101 permit ip host 10.0.3.11 any
access-list 101 deny   ip any any
(Holding ACL 110 till things work, so deleting it from this post)
snmp-server community (edited) RW
ipv6 route ::/0 Tunnel0
ipv6 router ospf 1
(IPv6 is working so I'm editing this part out)
!
!
!
!
ipv6 access-list Internet
!
ipv6 access-list VTY (IPv6 is working so I'm editing this part out)
sequence 40 permit tcp 2001:470:B801::/48 any
permit udp 2001:470:B801::/48 any
deny ipv6 any any
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd  Keep Out
!
line con 0
speed 19200 (not putting this line in yet)
line 33
exec-timeout 0 0
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 97
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 129
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line aux 0
line vty 0 4
exec-timeout 0 0
ipv6 access-class VTY in
login local
telnet refuse-negotiations
line vty 5 15
exec-timeout 0 0
ipv6 access-class VTY in
login local
telnet refuse-negotiations
!
ntp clock-period 17179186
ntp master 2
ntp server 128.138.140.44
ntp server 207.200.81.113
ntp server 132.163.4.101
ntp server 132.163.4.102
ntp server 132.163.4.103
ntp server 201.155.229.129
ntp server 131.107.1.10
ntp server 69.25.96.13
ntp server 207.126.98.204
ntp server 129.6.15.29
ntp server 129.6.15.28
ntp server 216.200.93.8
ntp server 64.236.96.53
ntp server 208.184.49.9
ntp server 68.216.79.113
!
end
----------------------------------------------------------------------------------

Please help.


Hi Ricky,

Thanks for letting us know. I suspect that stuck ARP entries are behind the entire issue: after you replaced the 3745 with 3845, the SMC kept the old ARP entries for the IP addresses in the NAT pools, breaking the connectivity. Just a guess but that would be my first shot.

Best regards,

Peter

Ya, I think that's about right.

Comcast didn't exactly go with the best solution for the way they do statics.

The SMC does a form of secure RIP to communicate with the CMTS, and while they did use a Cisco 1805 at some places (not mine though) back in DOCSIS 2, that would open them up to someone getting the key via the console port.

So they use the crappy SMC that seems to use WORM memory for the ARP table.

My 3845 likely could ping out because the SMC might not have ever seen any data from .33 since its last boot.
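As an added example (not code from the thread or from Cisco), the script below performs the checks a reviewer would run over a posted config like the one in the question before suspecting the upstream device: each `ip nat inside source list ... pool ...` rule points at an existing access-list and pool, each pool address sits on the NAT-outside subnet and is actually configured on the outside interface (so the router itself answers ARP for it rather than relying on proxy ARP), and the `boot system` image matches the platform (the posted config still names the c3745 image while `show version` shows the c3845 image booted). It also lists the outside addresses that the next hop, the SMC in this thread, resolves by ARP, which are exactly the entries Peter's stale-ARP diagnosis concerns. The sample config is constructed: the redacted 75.x.y.0/29 block is replaced by the documentation range 203.0.113.0/29, and a rule for list 9 / pool RLH9 is added so one check visibly fails. The function and field names are this example's own.

```python
import ipaddress
import re
# Constructed sample modelled on the config in the question: the redacted 75.x.y.0/29
# block is replaced by 203.0.113.0/29, and list 9 / pool RLH9 is added so a check fails.
SAMPLE_CONFIG = """\
boot system flash:c3745-adventerprisek9-mz.124-25d.bin
!
interface GigabitEthernet1/0
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/0
 ip address 203.0.113.35 255.255.255.248 secondary
 ip address 203.0.113.36 255.255.255.248 secondary
 ip address 203.0.113.37 255.255.255.248 secondary
 ip address 203.0.113.33 255.255.255.248
 ip nat outside
!
ip nat pool RLH1 203.0.113.35 203.0.113.35 netmask 255.255.255.248
ip nat pool RLH2 203.0.113.36 203.0.113.36 netmask 255.255.255.248
ip nat pool RLH3 203.0.113.37 203.0.113.37 netmask 255.255.255.248
ip nat inside source list 1 pool RLH1 overload
ip nat inside source list 2 pool RLH2 overload
ip nat inside source list 3 pool RLH3 overload
ip nat inside source list 9 pool RLH9 overload
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 2 permit 10.0.3.0 0.0.0.255
access-list 3 permit 10.0.4.0 0.0.0.255
"""


def parse_config(text):
    """Pull out interfaces, NAT pools, NAT rules, numbered ACLs and the boot image."""
    cfg = {"interfaces": {}, "pools": {}, "rules": [], "acls": {}, "boot_image": None}
    iface = None  # interface block being read; a '!' line closes it
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            iface = None
        elif m := re.match(r"interface (\S+)$", line):
            iface = cfg["interfaces"].setdefault(m.group(1), {"addresses": [], "nat": None})
        elif m := re.match(r"boot system flash:(\S+)", line):
            cfg["boot_image"] = m.group(1)
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask", line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"ip nat inside source list (\S+) pool (\S+)", line):
            cfg["rules"].append({"acl": m.group(1), "pool": m.group(2)})
        elif m := re.match(r"access-list (\d+) (permit|deny)\s+(.+)", line):
            cfg["acls"].setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
        elif iface is not None:  # interface sub-commands; ip_interface accepts a dotted netmask
            if m := re.match(r"ip address (\S+) (\S+)", line):
                iface["addresses"].append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
            elif line in ("ip nat inside", "ip nat outside"):
                iface["nat"] = line.split()[-1]
    return cfg


def pool_addresses(pool):
    start, end = pool
    return [ipaddress.ip_address(n) for n in range(int(start), int(end) + 1)]


def check_nat(cfg, platform):
    """Return findings as strings; an empty list means the NAT config is self-consistent."""
    findings = []
    outside = [n for n, i in cfg["interfaces"].items() if i["nat"] == "outside"]
    if len(outside) != 1:
        findings.append(f"expected one 'ip nat outside' interface, found {outside or 'none'}")
    outside_nets = [a.network for n in outside for a in cfg["interfaces"][n]["addresses"]]
    owned = {a.ip for i in cfg["interfaces"].values() for a in i["addresses"]}
    for rule in cfg["rules"]:
        if rule["acl"] not in cfg["acls"]:
            findings.append(f"rule for pool {rule['pool']} references undefined access-list {rule['acl']}")
        pool = cfg["pools"].get(rule["pool"])
        if pool is None:
            findings.append(f"rule for access-list {rule['acl']} references undefined pool {rule['pool']}")
            continue
        for addr in pool_addresses(pool):
            if not any(addr in net for net in outside_nets):
                findings.append(f"pool {rule['pool']} address {addr} is not on the NAT-outside subnet")
            elif addr not in owned:  # reachable from the next hop only through proxy ARP
                findings.append(f"pool {rule['pool']} address {addr} is not configured on an interface")
    if cfg["boot_image"] and not cfg["boot_image"].startswith(platform):
        findings.append(f"boot system image '{cfg['boot_image']}' does not match platform {platform}")
    return findings


def upstream_must_relearn(cfg):
    """Addresses the next hop resolves by ARP; after a chassis swap its cache maps them to the old MAC."""
    addrs = {a.ip for i in cfg["interfaces"].values() if i["nat"] == "outside" for a in i["addresses"]}
    for pool in cfg["pools"].values():
        addrs.update(pool_addresses(pool))
    return sorted(addrs)


if __name__ == "__main__":
    for finding in check_nat(parse_config(SAMPLE_CONFIG), platform="c3845"):
        print("FINDING:", finding)
```

Run against the sample it reports three findings: the dangling access-list 9, the dangling pool RLH9, and the boot image built for a different platform; the three real pools pass because .35 to .37 are secondaries on the outside interface. `upstream_must_relearn` returns .33 and .35 to .37, the four entries whose ARP mapping on the modem must change when the chassis (and therefore the MAC) is replaced.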
