C887VA-K9 Not routing packets?!.. Any ideas/help??

Dave Row
Level 1

Hi there folks - it's been a while since I've been on here so I'm hoping the level of technical expertise is still up to the previous high levels.

I have a problem with a C887VA-K9 that I've been scratching my head over for some time now. The router is connected to an ADSL2+ line in the UK and syncs with the upstream DSLAM with no problems at all. The broadband session is active and users who connect wirelessly through the router via 2 autonomous APs can NAT and get out to the internet no problem.

The problem exists when normal wired users on the 172.16.0.0/12 subnets we're using behind this device attempt to route through to the internet. Now, I've been through the config many times already and can't see any issues with the NAT statement, the ACLs, interface config, DHCP config etc.

I was hoping you bright sages might be able to review the config below and offer some advice on why users in the following VLANs can't get out to the internet (they can route to other, locally connected devices however).

VLAN 2 : VL2_PC (172.17.2.0/24)

VLAN 64 : VL64_VC (172.17.64.0/24)

VLAN 130 : VL130_Wireless (192.168.130.0/24)

Config as follows (company-specific info removed):

Current configuration : 12690 bytes
!
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXXXXXXXXX
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 32768 informational
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
errdisable recovery cause udld
errdisable recovery cause link-flap
errdisable recovery interval 30
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.129.1 192.168.129.2
ip dhcp excluded-address 192.168.129.5 192.168.129.6
ip dhcp excluded-address 192.168.129.254
ip dhcp excluded-address 192.168.130.1 192.168.130.99
ip dhcp excluded-address 192.168.130.201 192.168.130.254
ip dhcp excluded-address 172.17.64.201 172.17.64.254
ip dhcp excluded-address 172.17.64.1 172.17.64.20
!
ip dhcp pool LON_APS
 import all
 network 192.168.129.0 255.255.255.248
 default-router 192.168.129.2
 domain-name xx.xxx
 dns-server 158.152.1.43
 lease 3
!
ip dhcp pool AP3
 host 192.168.129.3 255.255.255.248
 client-identifier 01bc.16f5.0bfa.94
 client-name wireless_ap3
!
ip dhcp pool AP4
 host 192.168.129.4 255.255.255.248
 client-identifier 01bc.16f5.0bf9.f8
 client-name wireless_ap4
!
ip dhcp pool CLIENT_WIFI
 import all
 network 192.168.130.0 255.255.255.0
 default-router 192.168.130.254
 dns-server 158.152.1.43
 domain-name xx.xxx
!
ip dhcp pool VL64_VC
 import all
 network 172.17.64.0 255.255.255.0
 default-router 172.17.64.254
 domain-name xx.xxx
 dns-server 158.152.1.43
 lease 3
!
!
!
no ip dhcp snooping information option
ip dhcp snooping
ip domain name mag.local
ip name-server 158.152.1.58
ip name-server 158.152.1.43
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ1843C3ZG
!
!
no spanning-tree optimize bpdu transmission
vtp domain LON
vtp mode transparent
!
!
!
!
!
controller VDSL 0
!
vlan 2
 name VL2_PC
!
vlan 64
 name VL64_VC
!
vlan 130
 name VL130_WIRELESS
!
vlan 248
 name VL248_MANAGEMENT
!
vlan 901
 name VL901_DMZ
!
ip tcp mss 1300
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address xx.xx.xx.xx 255.255.255.255
 ip nat enable
 ip virtual-reassembly in
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 description VL2_PC
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport trunk allowed vlan 1,2,1002-1005
 no ip address
!
interface FastEthernet1
 switchport access vlan 901
 switchport trunk native vlan 901
 switchport trunk allowed vlan 1,130,901,1002-1005
 switchport mode trunk
 no ip address
!
interface FastEthernet2
 switchport access vlan 901
 switchport trunk native vlan 901
 switchport trunk allowed vlan 1,130,901,1002-1005
 switchport mode trunk
 no ip address
!
interface FastEthernet3
 description VL64_LON_VC
 switchport access vlan 64
 switchport trunk native vlan 64
 switchport trunk allowed vlan 1,2,64,1002-1005
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan2
 description VL2_PC
 ip address 172.17.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan64
 description VL64_VC
 ip address 172.17.64.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ntp broadcast client
!
interface Vlan130
 description VL130_WIRELESS
 ip address 192.168.130.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan248
 description VL248_MANAGEMENT
 ip address 172.17.248.202 255.255.255.0
 no ip proxy-arp
 ntp broadcast client
!
interface Vlan901
 description VL901_DMZ
 ip address 192.168.129.2 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 description ADSL Service :XXXXXXXX
 ip unnumbered Loopback0
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in max-reassemblies 512
 ip virtual-reassembly out max-reassemblies 512
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXXXX@XXXX.XXX
 ppp chap password 7 XXXXXXXXXXXXXXXXXXXXX
 ppp pap sent-username XXXXXXXXXX@XXX password 7 XXXXXXXXXXXXX
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface Loopback0 overload
ip tacacs source-interface Vlan248
!
ip access-list standard secure_vty
XXX
!
logging history size 500
logging history informational
logging trap warnings
logging facility syslog
logging source-interface Vlan248
dialer-list 1 protocol ip permit
!
tacacs server XXX
 address ipv4 172.16.X.X
access-list 1 permit 192.168.129.0 0.0.0.7
access-list 1 permit 192.168.130.0 0.0.0.255
access-list 1 permit 172.17.64.0 0.0.0.255 log
access-list 1 permit 172.17.2.0 0.0.0.255 log
access-list 1 permit 192.168.2.0 0.0.0.255 log
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
banner login ^C
^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 access-class secure_vty in
 privilege level 15
 logging synchronous
 transport input ssh
 transport output all
line vty 5 15
 access-class secure_vty in
 privilege level 15
 password 7 121A0C041104
 logging synchronous
 transport input ssh
 transport output all
line vty 16 189
 access-class secure_vty in
 transport input all
!
scheduler allocate 20000 1000
ntp server 212.85.158.10
!
end

***************************************************************

End of Config

***************************************************************

Any ideas gratefully received!!

4 Replies

Dave Row
Level 1

I was considering using the NVI NAT method rather than traditional NAT but I'm not using any VRFs here so can't really see the benefit of doing so.

Also, the router is running the following code: c800-universalk9-mz.SPA.153-3.M3

Dave

Try removing the "log" keyword from your acl.

Jon

Jon,

Honestly, I read your response and thought to myself "Pah, this guy's mad!" It's almost too simple... too obvious a difference between the subnets... Then I read this:

Q. Does Cisco IOS NAT support ACLs with a "log" keyword?

A. When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to identify packets that can be translated. The current NAT architecture does not support ACLs with a "log" keyword.

Whilst I'm not strictly using dynamic NAT, I'll wager removing the log entries will work. Never in a million years would I have expected that. It's a bit late now for getting some useful traffic through this box (the office is empty) but I will give it a shot tomorrow.

Thanks for the quick response too, Jon. 

Dave

Honestly, I read your response and thought to myself "Pah, this guy's mad!".

It's almost as if you know me :-)

This issue has come up a few times before on the forum so I'm pretty sure it will fix the problem for you.

Jon
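Jon's diagnosis turned into a config audit, as an added example that is not code from the thread or from Cisco: it reads an IOS running-config, collects the ACLs referenced by `ip nat ... source list`, and reports every permit/deny entry in them that carries `log` or `log-input`, which IOS NAT does not support. It goes beyond the thread's numbered ACL by also walking named `ip access-list` blocks; the config excerpt is constructed from the thread's subnets and the ACL names NAT_VOICE and VTY_ONLY are made up.

```python
import re

# Constructed excerpt using the thread's subnets (not the poster's full config); NAT_VOICE and VTY_ONLY are made-up names.
SAMPLE_CONFIG = """\
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source list NAT_VOICE interface Loopback0 overload
!
ip access-list standard NAT_VOICE
 permit 172.17.64.0 0.0.0.255 log
ip access-list standard VTY_ONLY
 permit 172.17.248.0 0.0.0.255 log-input
!
access-list 1 permit 192.168.129.0 0.0.0.7
access-list 1 permit 172.17.64.0 0.0.0.255 log
access-list 1 permit 172.17.2.0 0.0.0.255 log
"""

NAT_SOURCE_LIST = re.compile(r"^ip nat (?:inside|outside) source list (\S+)\b")
NAMED_ACL = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
NUMBERED_ACE = re.compile(r"^access-list (\S+) (.*)$")
LOG_KEYWORD = re.compile(r"\s+log(?:-input)?\b")   # 'log' / 'log-input' ACE option

def nat_acls(config: str) -> set[str]:
    """ACL numbers/names that 'ip nat ... source list' uses to pick traffic to translate."""
    return {m.group(1) for line in config.splitlines()
            if (m := NAT_SOURCE_LIST.match(line))}

def aces_with_log(config: str) -> dict[str, list[str]]:
    """Map ACL -> permit/deny entries carrying 'log'/'log-input', numbered or named ACLs."""
    found: dict[str, list[str]] = {}
    current = None                        # name of the named-ACL block we are inside, if any
    for line in config.splitlines():
        if not line.startswith(" "):      # any top-level line ends a named-ACL block
            current = None
            if (m := NAMED_ACL.match(line)):
                current = m.group(1)
                continue
        m = NUMBERED_ACE.match(line)
        acl, ace = (m.group(1), m.group(2)) if m else (current, line.strip())
        if acl and ace.split()[:1] in (["permit"], ["deny"]) and LOG_KEYWORD.search(ace):
            found.setdefault(acl, []).append(line.strip())
    return found

def find_nat_log_conflicts(config: str) -> dict[str, list[str]]:
    """Only the logging entries that sit in ACLs NAT actually uses: these are the ones NAT rejects."""
    return {acl: aces for acl, aces in aces_with_log(config).items() if acl in nat_acls(config)}

def fixed_ace(ace: str) -> str:
    """The same entry with the unsupported 'log'/'log-input' keyword removed."""
    return LOG_KEYWORD.sub("", ace)
```

Run `find_nat_log_conflicts` over the output of `show running-config`; entries in VTY_ONLY are reported by `aces_with_log` but not flagged, because that ACL is not referenced by NAT.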
