11-11-2013 08:19 AM - edited 03-04-2019 09:32 PM
Hi all,
Due to some ongoing issues with DSL interface firmwares and the kit held in our ISP exchanges, we are having to resort to substituting out the Cisco 877 ADSL ATM interface and using a separate router supplied by the ISP to make the initial connection.
I am struggling to get the 877 to do what I want it to now though, and have subsequently found it can only handle two VLANs.
So, my ISP-provided router/modem connects to the net; anything connected to it browses fine.
This is on subnet 192.168.1.0/24 and IP 192.168.1.254 is the router.
I have a port on the 877 configured in this subnet, and in VLAN666 (so I can apply ip nat outside).
This is on 192.168.1.139.
Additionally I am using VLAN1 for corporate traffic on the 172.30.59.0/24 subnet, and if it could handle an additional VLAN I'd also be using 10.30.59.0/24 for voice, but that's a separate issue (unless you have any helpful suggestions!).
The 877 can ping everything, unless I tell it to use source VLAN1.
A laptop connected to VLAN1 can ping VLAN1 and VLAN666 but not 192.168.1.254 or any internet-based hosts.
ISP router can ping 192.168.1.139 on the 877 but no further.
This all stinks of NAT issues but I can't figure it out; config below:
ITTEST#show run
Building configuration...
Current configuration : 4282 bytes
!
! Last configuration change at 16:10:10 GMT Mon Nov 11 2013
! NVRAM config last updated at 16:10:14 GMT Mon Nov 11 2013
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ITTEST
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 10240
logging console critical
enable secret
enable password
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
dot11 syslog
no ip source-route
ip dhcp excluded-address 172.30.59.1 172.30.59.100
!
ip dhcp pool dhcppool
import all
network 172.30.59.0 255.255.255.0
default-router 172.30.59.1
dns-server 172.30.59.1 172.20.0.120 172.20.0.121
domain-name gratte.com
update arp
!
!
ip cef
ip domain name gratte.com
ip name-server 192.168.1.254
ip name-server 172.20.0.120
ip name-server 172.20.0.121
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key <presharedkey> address xxx.xxx.xxx.xxx no-xauth
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC-VPN
set transform-set 3DESSHA
!
!
archive
log config
hidekeys
!
!
!
!
!
interface Tunnel0
description --- IPSec Tunnel to KX ---
ip address 172.30.60.1 255.255.255.0
ip ospf mtu-ignore
load-interval 30
tunnel source Vlan1
tunnel destination xxx.xxx.xxx.xxx
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-VPN
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
description DATA
spanning-tree portfast
!
interface FastEthernet1
description VOICE
switchport access vlan 100
switchport voice vlan 100
spanning-tree portfast
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
switchport access vlan 666
no cdp enable
spanning-tree portfast
!
interface Vlan1
ip address 172.30.59.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan2
no ip address
!
interface Vlan100
ip address 10.30.59.1 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface Vlan666
ip address 192.168.1.139 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface Dialer0
no ip address
!
ip default-gateway 192.168.1.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 10.20.0.0 255.255.0.0 Tunnel0
ip route 10.21.0.0 255.255.0.0 Tunnel0
ip route 64.156.192.220 255.255.255.255 Tunnel0
ip route 64.156.192.245 255.255.255.255 Tunnel0
ip route 74.50.50.16 255.255.255.255 Tunnel0
ip route 74.50.63.14 255.255.255.255 Tunnel0
ip route 172.16.0.0 255.240.0.0 Tunnel0
ip route 172.30.59.0 255.255.255.0 Vlan1
no ip http server
no ip http secure-server
!
ip dns server
ip nat source list 100 interface Vlan1 overload
!
access-list 100 permit ip 172.30.59.0 0.0.0.255 any
!
!
!
snmp-server community RO
snmp-server community RW
!
control-plane
!
!
line con 0
password
login
no modem enable
line aux 0
line vty 0 4
password
login
!
scheduler max-task-time 5000
ntp server 72.8.140.222
end
Ultimately I'll be using this for a VPN, but I can't even get internet traffic currently.
Any ideas?
Thanks,
11-12-2013 04:19 AM
Hi,
"I try to ping 192.168.1.254 or anything on the net from the laptop, the router gives me no debugging information."
My bad, sorry. Transit traffic is not seen by debug output.
Ping sourcing from vlan1 and post the sh ip nat tr output. If it is empty, then ping again, this time with debug ip pack 199
and debug ip nat.
Regards
Alain
Don't forget to rate helpful posts.
11-12-2013 05:01 AM
ITTEST#ping 192.168.1.254 source vlan1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
Packet sent with a source address of 172.30.59.1
02:45:46: IP: s=172.30.59.1 (local), d=192.168.1.254, len 100, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
02:45:46: IP: s=172.30.59.1 (local), d=192.168.1.254 (Vlan666), len 100, sending
02:45:46: IP: s=172.30.59.1 (local), d=192.168.1.254 (Vlan666), len 100, output feature, Post-routing NAT Outside(17), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
02:45:46: IP: s=172.30.59.1 (local), d=192.168.1.254 (Vlan666), len 100, sending full packet.
02:45:48: IP: s=172.30.59.1 (local), d=192.168.1.254, len 100, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
02:45:48: IP: s=172.30.59.1 (local), d=192.168.1.254 (Vlan666), len 100, sending
02:45:48: IP: s=172.30.59.1 (local), d=192.168.1.254 (Vlan666), len 100, output feature, Post-routing NAT Outside(17), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
02:45:48: IP: s=172.30.59.1 (local), d=192.168.1.254 (Vlan666), len 100, sending full packet.
02:45:50: IP: s=172.30.59.1 (local), d=192.168.1.254, len 100, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
02:45:50: IP: s=172.30.59.1 (local), d=192.168.1.254 (Vlan666), len 100, sending
02:45:50: IP: s=172.30.59.1 (local), d=192.168.1.254 (Vlan666), len 100, output feature, Post-routing NAT Outside(17), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
02:45:50: IP: s=172.30.59.1 (local), d=192.168.1.254 (Vlan666), len 100, sending full packet.
02:45:52: IP: s=172.30.59.1 (local), d=192.168.1.254, len 100, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
02:45:52: IP: s=172.30.59.1 (local), d=192.168.1.254 (Vlan666), len 100, sending
02:45:52: IP: s=172.30.59.1 (local), d=192.168.1.254 (Vlan666), len 100, output feature, Post-routing NAT Outside(17), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
02:45:52: IP: s=172.30.59.1 (local), d=192.168.1.254 (Vlan666), len 100, sending full packet.
02:45:54: IP: s=172.30.59.1 (local), d=192.168.1.254, len 100, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
02:45:54: IP: s=172.30.59.1 (local), d=192.168.1.254 (Vlan666), len 100, sending
02:45:54: IP: s=172.30.59.1 (local), d=192.168.1.254 (Vlan666), len 100, output feature, Post-routing NAT Outside(17), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
02:45:54: IP: s=172.30.59.1 (local), d=192.168.1.254 (Vlan666), len 100, sending full packet.
Success rate is 0 percent (0/5)
ITTEST#
ITTEST#
ITTEST#sh ip nat tr output
^
% Invalid input detected at '^' marker.
ITTEST#sh ip nat tr
11-12-2013 05:37 AM
Hi,
The command is sh ip nat translation,
but it is doing post-NAT routing, so there should have been a NAT translation.
Can you confirm anyway and turn off debugging: do u all in config mode.
Regards
Alain
Don't forget to rate helpful posts.
11-12-2013 06:10 AM
Hi Alain,
Thanks for the help. I've turned the debugging off; not quite sure what you want me to try now, it still doesn't work...
11-12-2013 06:19 AM
Hi,
Ping again and post the output of sh ip nat translation to confirm whether there was NATting in action or not.
According to the result we'll investigate further.
Regards
Alain
Don't forget to rate helpful posts.
11-12-2013 06:21 AM
ITTEST#ping 192.168.1.254 source vlan1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
Packet sent with a source address of 172.30.59.1
.....
Success rate is 0 percent (0/5)
ITTEST#show ip nat translation
ITTEST#
11-12-2013 06:29 AM
Hi,
OK, so there is no translation, finally. Can you post the following:
- sh ip int Vlan1 | i Internet
- sh ip arp 192.168.1.254
- sh access-list 100
- sh ip cef 192.168.1.254
Can you also post a quick sketch of the network.
Regards
Alain
Don't forget to rate helpful posts.
11-12-2013 06:39 AM
ITTEST#sh ip int Vlan1 | i Internet
Internet address is 172.30.59.1/30
ITTEST#sh ip arp 192.168.1.254
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.254 0 7c03.d847.e488 ARPA Vlan666
ITTEST#sh access-list 100
Extended IP access list 100
10 permit ip 172.30.59.0 0.0.0.255 any
ITTEST#sh ip cef 192.168.1.254
192.168.1.254/32
attached to Vlan666
Network layout would be:
PSTN/ADSL line -------> ISP modem/router ----------> fe0/3 Cisco 877 fe0/0 -----------> laptop
                        192.168.1.254/24             192.168.1.139/24 172.30.59.1/24  172.30.59.123/24
Would that be enough detail?
11-12-2013 07:53 AM
Hi,
You configured Vlan1 as a /30 on the router but your attached host has a /24.
Can you change it to a /24 on the router and also change this:
ip nat source list 100 interface Vlan666 overload
like this:
ip nat inside source list 100 interface Vlan666 overload
You should then be able to ping from a host in vlan 1 to 192.168.1.254 and beyond.
Regards
Alain
Don't forget to rate helpful posts.
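The two faults Alain points at above (the NAT rule written without the inside keyword, and a /30 on Vlan1 facing a /24 host) are both things a config linter can catch before a box is shipped. The script below is an added example, not code from this thread or from Cisco: it parses a constructed excerpt of the running-config posted earlier (with the Vlan1 mask set to /30, as the later sh ip int Vlan1 output showed) and reports three findings, then confirms the corrected form is clean. The interpretation of ip nat source without inside/outside as the NAT Virtual Interface (NVI) form, which expects ip nat enable on interfaces rather than ip nat inside/outside, is the author's explanation for the empty translation table; the function names, the FIXED_CONFIG text and the hosts mapping are all assumptions made for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed excerpt of the thread's running-config (Vlan1 mask set to /30 to
# match the later "sh ip int Vlan1" output). Not the complete config.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 172.30.59.1 255.255.255.252
 ip nat inside
!
interface Vlan666
 ip address 192.168.1.139 255.255.255.0
 ip nat outside
!
ip nat source list 100 interface Vlan1 overload
access-list 100 permit ip 172.30.59.0 0.0.0.255 any
"""

# Corrected form as suggested in the thread: legacy inside/outside NAT rule
# overloading the outside interface, and Vlan1 widened to /24 (constructed).
FIXED_CONFIG = SAMPLE_CONFIG.replace("255.255.255.252", "255.255.255.0").replace(
    "ip nat source list 100 interface Vlan1 overload",
    "ip nat inside source list 100 interface Vlan666 overload")

# Matches both the legacy "ip nat inside source list ..." form and the NVI
# "ip nat source list ..." form (no inside/outside keyword).
NAT_RULE = re.compile(
    r"^ip nat (?P<dir>inside |outside )?source list (?P<acl>\S+) "
    r"interface (?P<intf>\S+)(?P<ovl> overload)?$")


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Return {name: {"addr": IPv4Interface|None, "nat": inside/outside/enable/None}}."""
    interfaces: Dict[str, dict] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"addr": None, "nat": None}
        elif not line.startswith(" "):
            current = None  # a non-indented line ends the interface stanza
        elif current is not None:
            line = line.strip()
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:
                # ipaddress accepts the dotted netmask form "addr/mask"
                interfaces[current]["addr"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            elif line in ("ip nat inside", "ip nat outside", "ip nat enable"):
                interfaces[current]["nat"] = line.split()[-1]
    return interfaces


def parse_nat_rules(config: str) -> List[dict]:
    """Collect dynamic NAT rules; direction None means the NVI form."""
    rules = []
    for line in config.splitlines():
        m = NAT_RULE.match(line.strip())
        if m:
            rules.append({
                "direction": (m.group("dir") or "").strip() or None,
                "acl": m.group("acl"),
                "interface": m.group("intf"),
                "overload": m.group("ovl") is not None,
            })
    return rules


def lint_nat(config: str, hosts: Dict[str, str]) -> List[str]:
    """hosts maps an interface name to one attached host's address/prefix."""
    findings: List[str] = []
    intfs = parse_interfaces(config)
    legacy = {n for n, i in intfs.items() if i["nat"] in ("inside", "outside")}
    outside = {n for n, i in intfs.items() if i["nat"] == "outside"}
    for r in parse_nat_rules(config):
        if r["direction"] is None and legacy:
            findings.append(
                f"'ip nat source list {r['acl']}' is the NVI form (expects 'ip nat enable') "
                f"but {sorted(legacy)} use ip nat inside/outside; "
                f"use 'ip nat inside source list {r['acl']} ...' instead")
        if r["overload"] and r["interface"] not in outside:
            findings.append(
                f"overload interface {r['interface']} is not 'ip nat outside' "
                f"(outside interfaces: {sorted(outside) or 'none'})")
    for name, host in hosts.items():
        addr = intfs.get(name, {}).get("addr")
        if addr is None:
            continue
        h = ipaddress.IPv4Interface(host)
        if h.network.prefixlen != addr.network.prefixlen or h.ip not in addr.network:
            findings.append(
                f"{name} is {addr.with_prefixlen} but attached host is {host}: "
                f"mask mismatch, host falls outside the router's connected subnet")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in lint_nat(cfg, {"Vlan1": "172.30.59.123/24"}) or ["no findings"]:
            print(" -", f)
```

Run against the original excerpt it reports the NVI/legacy mix-up, the overload pointing at an inside interface, and the /30-versus-/24 mismatch; against the corrected excerpt it reports nothing. The same checks generalise to any IOS config where ip nat inside/outside is used on interfaces, which is why the parser keys off the interface stanzas rather than a fixed interface name.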
11-12-2013 11:04 AM
Hi Alain,
Changing ip nat source list 100 interface vlan666 overload to ip nat inside source list 100 interface vlan666 overload did the trick.
I've left the odd subnet on the vlan 1 address, as I use an IP in the same subnet for the tunnel interface as well; if the subnets of these IPs overlap, it doesn't let you set it. Odd I know, but when I originally made this config (well, the predecessor to this one when we still used the ATM interface), that was the only way I could get it to work as required, and it only meant losing the first handful of IPs in a subnet where we'd only be using about 50 IPs anyway.
Thanks a million for your help, got this router working as required just in time.
I just need to push the config on to another test router now (this one we were playing with is getting shipped out first thing tomorrow morning) and get the tunnel up. I hadn't had the time to configure this on the receiving firewall though, so it may just work.
The one part I've changed initially with the hope that it'll work was the tunnel source:
interface Tunnel0
description --- IPSec Tunnel to KX ---
ip address 172.30.60.1 255.255.255.0
ip ospf mtu-ignore
load-interval 30
tunnel source Vlan1
tunnel destination xxx.xxx.xxx.xxx
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-VPN
This was previously Dialer0, do you know if this will work?
Thanks!
11-12-2013 11:23 AM
Hi,
As long as the other VPN peer knows how to reach Vlan1 then the tunnel should come up, but you'll have to change the tunnel destination on that peer to the vlan 1 IP address.
Regards
Alain
Don't forget to rate helpful posts.
11-14-2013 02:23 AM
Hi Alain,
The VPN peer does not receive any traffic from the Public IP of the 877, so it seems the tunnel is not trying to be established. Any ideas?
Thanks again,
11-14-2013 02:51 AM
Hi
I've opened a new discussion for this piece as my original issue (from this discussion) is now solved.
New discussion is https://supportforums.cisco.com/thread/2251447
Thanks!