4331 routing issue inside to outside

ACorbettSS
Level 1

I'm moving my 4331 from storage with a previously known-good config to a new facility.  After making the needed changes for the ISP side of things at the new facility, I'm not able to reach the WAN from anything on the inside.

The router itself is able to ping the outside world, but nothing on GigabitEthernet 0/0/1 seems to be able to talk to the stuff on the far side of GigabitEthernet 0/0/0.

 

Here's my config from show tech


version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 300000
!
hostname ssrouter
!
boot-start-marker
boot system flash bootflash:isr4300-universalk9.03.15.03.S.155-2.S3-std.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 <removed>
enable password <removed>
!
no aaa new-model
no process cpu autoprofile hog
!
!
!
!
!
!
!
!
!


no ip bootp server
ip domain name SecureSourceUSA.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4

ip dhcp excluded-address 192.168.10.1 192.168.10.49
ip dhcp excluded-address 192.168.10.201 192.168.10.254
!
ip dhcp pool Primary
 network 192.168.10.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 192.168.10.1
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-699521414
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-699521414
 revocation-check none
 rsakeypair TP-self-signed-699521414
!
!
crypto pki certificate chain TP-self-signed-699521414
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 36393935 32313431 34301E17 0D313731 32313532 31303135
  305A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3639 39353231
  34313430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  959BC7DB 7110B53B BA72C521 75FC9137 DD538457 DA3C1856 7651E47C 079E881C
  BD8F13EC 0CBB4D30 206A73C9 7A4F76E0 56E0FA4D 496B8A5F AEEF44B7 06ADC05C
  75D228C3 35A65C6F 20BD4330 98B5548F 4506722F 10D3E34B BEA04EE1 18ABDF5B
  D5281E0E 7D469642 74A51D71 67A3ACF5 B60174C4 71F4775A 597DDED5 005E2E37
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  23041830 168014AB 1114E46E B5BFD945 AE80BB00 F2BA7AB4 5FEBC130 1D060355
  1D0E0416 0414AB11 14E46EB5 BFD945AE 80BB00F2 BA7AB45F EBC1300D 06092A86
  4886F70D 01010505 00038181 0066B9A6 D577DE87 3356F9E3 C8513A2A 9BBE389A
  D144B0FF 38236745 CD644E10 63B6AC50 47FF9EBA FA7A71D9 522B4236 4D526B49
  F361991E FFEE3FFE F96B7AB1 45C19009 397DC2C9 55FD7393 CD7844E2 B39BD555
  AEF0B380 8EAA3E4B 25996A76 050699FF 826AC793 062514B0 77C4BC35 44E5AC00
  6478CB74 0F45FAF7 7C4C0BA6 1E
      quit
license udi pid ISR4331/K9 sn FDO203918SM
license accept end user agreement
spanning-tree extend system-id
!
username acorbett privilege 15 secret 5 <removed>
!
redundancy
 mode none
!
!
!
!
!
vlan internal allocation policy ascending
no cdp run
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 description $ETH-WAN$
 ip address 76.8.220.50 255.255.255.248
 ip nat outside
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description $ETH-LAN$
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip access-group 23 out
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 description $MGMT$
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
 no cdp enable
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 23 interface GigabitEthernet0/0/1 overload
ip nat inside source static tcp 192.168.10.20 25 76.8.220.51 25 extendable
ip nat inside source static tcp 192.168.10.20 80 76.8.220.51 80 extendable
ip nat inside source static tcp 192.168.10.215 888 76.8.220.51 888 extendable
ip nat inside source static tcp 192.168.10.205 1024 76.8.220.51 1024 extendable
ip nat inside source static udp 192.168.10.205 1024 76.8.220.51 1024 extendable
ip nat inside source static tcp 192.168.10.205 1025 76.8.220.51 1025 extendable
ip nat inside source static udp 192.168.10.205 1025 76.8.220.51 1025 extendable
ip nat inside source static tcp 192.168.10.205 1026 76.8.220.51 1026 extendable
ip nat inside source static udp 192.168.10.205 1026 76.8.220.51 1026 extendable
ip nat inside source static tcp 192.168.10.205 1027 76.8.220.51 1027 extendable
ip nat inside source static udp 192.168.10.205 1027 76.8.220.51 1027 extendable
ip nat inside source static tcp 192.168.10.20 1935 76.8.220.51 1935 extendable
ip nat inside source static tcp 192.168.10.205 3061 76.8.220.51 3061 extendable
ip nat inside source static udp 192.168.10.205 3061 76.8.220.51 3061 extendable
ip nat inside source static tcp 192.168.10.205 3064 76.8.220.51 3064 extendable
ip nat inside source static udp 192.168.10.205 3064 76.8.220.51 3064 extendable
ip nat inside source static tcp 192.168.10.20 4351 76.8.220.51 4351 extendable
ip nat inside source static tcp 192.168.10.20 8000 76.8.220.51 8000 extendable
ip nat inside source static tcp 192.168.10.20 8001 76.8.220.51 8001 extendable
ip nat inside source static tcp 192.168.10.5 80 76.8.220.52 80 extendable
ip nat inside source static tcp 192.168.10.5 443 76.8.220.52 443 extendable
ip nat inside source static tcp 192.168.10.250 88 76.8.220.53 88 extendable
ip nat inside source static tcp 192.168.10.250 37777 76.8.220.53 37777 extendable
ip forward-protocol nd
ip http server
ip http access-class 23
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip tftp source-interface GigabitEthernet0/0/1
ip route 0.0.0.0 0.0.0.0 76.8.220.49
!
!
access-list 23 remark CCP_ACL Category=19
access-list 23 permit 192.168.10.0 0.0.0.255
!
snmp-server community <removed> RW
snmp-server community <removed> RO
snmp-server contact acorbett@securesourceusa.com
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
!
!
control-plane
!
banner login ^C Property of Secure Source.  Unauthorized Access Prohibited ^C
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 password <removed>
 login local
 transport input telnet ssh
 transport output telnet ssh
!
ntp server 192.189.54.33
ntp server 150.101.221.106
ntp server 27.50.91.108
!

6 Replies

Your dynamic NAT is wrong:

no ip nat inside source list 23 interface GigabitEthernet0/0/1 overload
ip nat inside source list 23 interface GigabitEthernet0/0/0 overload

Thank you for the recommendation. I've made this change and am still having the same problem. show ip nat translations seems to imply that there is something happening, but no machine on the inside can reach IPs outside. Is there something else you can recommend?

You are using ACL 23 out of your LAN interface. That doesn't seem to make any sense to me.

Is there some more proper way to have the ACL set up?

interface GigabitEthernet0/0/1
 ip access-group 23 in

Certainly it was a major problem when access list 23 was applied outbound

access-list 23 permit 192.168.10.0 0.0.0.255

remembering that inbound and outbound, when applying an ACL, are in reference to the router itself. So applying it outbound would deny all traffic. Applying it inbound resolves that issue. But I question using the same ACL for address translation and for access-group. Do you really want the access list applied to the interface?

 

HTH

Rick
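The two defects identified in this thread (the overload rule pointing at the `ip nat inside` interface instead of the WAN side, and a standard ACL applied `out` on the LAN interface so that every reply is dropped by the implicit deny) can both be caught mechanically before the router is racked. The following is an added example, not code from the original thread or from Cisco: a small Python lint that parses a running-config excerpt and reports both problems. The sample config is constructed from the lines quoted above (first with both defects, then with the fixes from the replies), and the names `parse_ios`, `lint`, `Interface` and `Config` are this example's own; it understands only the handful of IOS statements it needs.

```python
# Added example (not from the thread): static lint for the two IOS NAT/ACL
# mistakes discussed above. Names (parse_ios, lint, ...) are this example's own.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the relevant lines of the posted config, still carrying
# the wrong overload interface and the outbound ACL on the LAN side.
BROKEN_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 76.8.220.50 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip access-group 23 out
!
ip nat inside source list 23 interface GigabitEthernet0/0/1 overload
access-list 23 remark CCP_ACL Category=19
access-list 23 permit 192.168.10.0 0.0.0.255
"""
# The same excerpt with both fixes from the replies applied.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "interface GigabitEthernet0/0/1 overload", "interface GigabitEthernet0/0/0 overload"
).replace("ip access-group 23 out", "ip access-group 23 in")


@dataclass
class Interface:
    name: str
    network: Optional[ipaddress.IPv4Network] = None
    nat_role: Optional[str] = None                      # "inside" / "outside"
    access_groups: list = field(default_factory=list)   # [(acl, "in"|"out")]


@dataclass
class Config:
    interfaces: dict = field(default_factory=dict)      # name -> Interface
    nat_overload: list = field(default_factory=list)    # [(acl, interface)]
    acls: dict = field(default_factory=dict)            # acl -> [(action, network)]


def wildcard_to_network(addr: str, wild: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair to a network (contiguous masks only)."""
    mask_int = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    net = ipaddress.IPv4Network(f"{addr}/{bin(mask_int).count('1')}", strict=False)
    if int(net.netmask) != mask_int:
        raise ValueError(f"non-contiguous wildcard {wild} not supported")
    return net


def acl_target(rest: str) -> ipaddress.IPv4Network:
    """Parse the source spec of a standard ACL entry: any | host A | A | A WILDCARD."""
    parts = rest.split()
    if parts[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(f"{parts[1]}/32")
    if len(parts) == 1:
        return ipaddress.IPv4Network(f"{parts[0]}/32")
    return wildcard_to_network(parts[0], parts[1])


def parse_ios(text: str) -> Config:
    """Pick out interfaces, NAT roles, access-groups, overload rules and standard ACLs."""
    cfg, current = Config(), None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):                    # global-mode statement
            current = None
            if m := re.match(r"interface (\S+)$", line):
                current = cfg.interfaces.setdefault(m[1], Interface(m[1]))
            elif m := re.match(r"ip nat inside source list (\S+) interface (\S+) overload$", line):
                cfg.nat_overload.append((m[1], m[2]))
            elif m := re.match(r"access-list (\S+) (permit|deny) (.+)$", line):
                cfg.acls.setdefault(m[1], []).append((m[2], acl_target(m[3])))
            continue
        if current is None:                             # sub-mode we don't model
            continue
        stmt = line.strip()
        if m := re.match(r"ip address (\S+) (\S+)$", stmt):
            current.network = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}").network
        elif stmt in ("ip nat inside", "ip nat outside"):
            current.nat_role = stmt.split()[-1]
        elif m := re.match(r"ip access-group (\S+) (in|out)$", stmt):
            current.access_groups.append((m[1], m[2]))
    return cfg


def lint(cfg: Config) -> list:
    """Return one message per misconfiguration found; empty list means clean."""
    findings = []
    outside = {n for n, i in cfg.interfaces.items() if i.nat_role == "outside"}
    for acl, iface in cfg.nat_overload:
        if iface not in outside:                        # reply 1: overload must use the WAN side
            findings.append(f"NAT: 'ip nat inside source list {acl} interface {iface} overload' "
                            f"does not reference an 'ip nat outside' interface {sorted(outside)}")
    for name, iface in cfg.interfaces.items():
        if iface.nat_role != "inside" or iface.network is None:
            continue
        for acl, direction in iface.access_groups:
            if direction != "out":
                continue
            # Rick's point: 'out' on the LAN interface filters router->host packets,
            # whose source is the remote address. If every permit is inside the LAN
            # subnet nothing matches and the implicit deny drops all return traffic.
            permits = [net for action, net in cfg.acls.get(acl, []) if action == "permit"]
            if all(net.subnet_of(iface.network) for net in permits):
                findings.append(f"ACL: 'ip access-group {acl} out' on {name} permits nothing "
                                f"outside {iface.network}, so all return traffic is dropped")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(parse_ios(text)) or "clean")
```

Run against the broken excerpt it reports two findings; against the fixed excerpt it reports none. It deliberately does not decide Rick's remaining question, whether ACL 23 should be applied to the interface at all when it already selects the NAT-eligible sources: that is a design choice, and a checker should flag the direction error without second-guessing it.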