01-22-2015 12:11 PM - edited 03-05-2019 12:38 AM
Hi there folks - it's been a while since I've been on here so I'm hoping the level of technical expertise is still up to the previous high levels.
I have a problem with a C887VA-K9 that I've been scratching my head over for some time now. The router is connected to an ADSL2+ line in the UK and syncs with the upstream DSLAM with no problems at all. The broadband session is active and users who connect wirelessly through the router via 2 autonomous APs can NAT and get out to the internet no problem.
The problem exists when normal wired users on the 172.16.0.0/12 subnets we're using behind this device attempt to route through to the internet. Now, I've been through the config many times already and can't see any issues with the NAT statement, the ACLs, interface config, DHCP config etc.
I was hoping you bright sages might be able to review the config below and offer some advice on why users in the following VLANs can't get out to the internet (they can route to other, locally connected devices however):
VLAN 2 : VL2_PC (172.17.2.0/24)
VLAN 64 : VL64_VC (172.17.64.0/24)
VLAN 130 : VL130_Wireless (192.168.130.0/24)
Config as follows (company specific info removed.)
Current configuration : 12690 bytes
!
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXXXXXXXXX
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 32768 informational
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
errdisable recovery cause udld
errdisable recovery cause link-flap
errdisable recovery interval 30
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.129.1 192.168.129.2
ip dhcp excluded-address 192.168.129.5 192.168.129.6
ip dhcp excluded-address 192.168.129.254
ip dhcp excluded-address 192.168.130.1 192.168.130.99
ip dhcp excluded-address 192.168.130.201 192.168.130.254
ip dhcp excluded-address 172.17.64.201 172.17.64.254
ip dhcp excluded-address 172.17.64.1 172.17.64.20
!
ip dhcp pool LON_APS
import all
network 192.168.129.0 255.255.255.248
default-router 192.168.129.2
domain-name xx.xxx
dns-server 158.152.1.43
lease 3
!
ip dhcp pool AP3
host 192.168.129.3 255.255.255.248
client-identifier 01bc.16f5.0bfa.94
client-name wireless_ap3
!
ip dhcp pool AP4
host 192.168.129.4 255.255.255.248
client-identifier 01bc.16f5.0bf9.f8
client-name wireless_ap4
!
ip dhcp pool CLIENT_WIFI
import all
network 192.168.130.0 255.255.255.0
default-router 192.168.130.254
dns-server 158.152.1.43
domain-name xx.xxx
!
ip dhcp pool VL64_VC
import all
network 172.17.64.0 255.255.255.0
default-router 172.17.64.254
domain-name xx.xxx
dns-server 158.152.1.43
lease 3
!
!
!
no ip dhcp snooping information option
ip dhcp snooping
ip domain name mag.local
ip name-server 158.152.1.58
ip name-server 158.152.1.43
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ1843C3ZG
!
!
no spanning-tree optimize bpdu transmission
vtp domain LON
vtp mode transparent
!
!
!
!
!
controller VDSL 0
!
vlan 2
name VL2_PC
!
vlan 64
name VL64_VC
!
vlan 130
name VL130_WIRELESS
!
vlan 248
name VL248_MANAGEMENT
!
vlan 901
name VL901_DMZ
!
ip tcp mss 1300
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address xx.xx.xx.xx 255.255.255.255
ip nat enable
ip virtual-reassembly in
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
description VL2_PC
switchport access vlan 2
switchport trunk native vlan 2
switchport trunk allowed vlan 1,2,1002-1005
no ip address
!
interface FastEthernet1
switchport access vlan 901
switchport trunk native vlan 901
switchport trunk allowed vlan 1,130,901,1002-1005
switchport mode trunk
no ip address
!
interface FastEthernet2
switchport access vlan 901
switchport trunk native vlan 901
switchport trunk allowed vlan 1,130,901,1002-1005
switchport mode trunk
no ip address
!
interface FastEthernet3
description VL64_LON_VC
switchport access vlan 64
switchport trunk native vlan 64
switchport trunk allowed vlan 1,2,64,1002-1005
no ip address
!
interface Vlan1
no ip address
!
interface Vlan2
description VL2_PC
ip address 172.17.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan64
description VL64_VC
ip address 172.17.64.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ntp broadcast client
!
interface Vlan130
description VL130_WIRELESS
ip address 192.168.130.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan248
description VL248_MANAGEMENT
ip address 172.17.248.202 255.255.255.0
no ip proxy-arp
ntp broadcast client
!
interface Vlan901
description VL901_DMZ
ip address 192.168.129.2 255.255.255.248
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
description ADSL Service :XXXXXXXX
ip unnumbered Loopback0
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly in max-reassemblies 512
ip virtual-reassembly out max-reassemblies 512
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXXXXXXX@XXXX.XXX
ppp chap password 7 XXXXXXXXXXXXXXXXXXXXX
ppp pap sent-username XXXXXXXXXX@XXX password 7 XXXXXXXXXXXXX
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface Loopback0 overload
ip tacacs source-interface Vlan248
!
ip access-list standard secure_vty
XXX
!
logging history size 500
logging history informational
logging trap warnings
logging facility syslog
logging source-interface Vlan248
dialer-list 1 protocol ip permit
!
tacacs server XXX
address ipv4 172.16.X.X
access-list 1 permit 192.168.129.0 0.0.0.7
access-list 1 permit 192.168.130.0 0.0.0.255
access-list 1 permit 172.17.64.0 0.0.0.255 log
access-list 1 permit 172.17.2.0 0.0.0.255 log
access-list 1 permit 192.168.2.0 0.0.0.255 log
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
banner login ^C
^C
!
line con 0
exec-timeout 0 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class secure_vty in
privilege level 15
logging synchronous
transport input ssh
transport output all
line vty 5 15
access-class secure_vty in
privilege level 15
password 7 121A0C041104
logging synchronous
transport input ssh
transport output all
line vty 16 189
access-class secure_vty in
transport input all
!
scheduler allocate 20000 1000
ntp server 212.85.158.10
!
end
***************************************************************
End of Config
***************************************************************
Any ideas gratefully received!!
01-22-2015 12:58 PM
I was considering using the NVI NAT method rather than traditional NAT but I'm not using any VRFs here so can't really see the benefit of doing so.
Also, the router is running the following code : c800-universalk9-mz.SPA.153-3.M3
01-22-2015 01:25 PM
Dave
Try removing the "log" keyword from your acl.
Jon
01-22-2015 02:49 PM
Jon,
Honestly, I read your response and thought to myself "Pah, this guy's mad!" It's almost too simple... too obvious a difference between the subnets... Then I read this:
A. When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to identify packets that can be translated. The current NAT architecture does not support ACLs with a "log" keyword.
Whilst I'm not strictly using dynamic NAT, I'll wager removing the log entries will work. Never in a million years would I have expected that. It's a bit late now for getting some useful traffic through this box (the office is empty), but I'll give it a shot tomorrow.
Thanks for the quick response too, Jon.
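The mismatch Jon spotted is easy to miss by eye: the two subnets that work (192.168.129.0/29 and 192.168.130.0/24) are the two ACL 1 entries without "log", and the three that fail are exactly the three with it. The script below is an added example, not part of the original thread and not Cisco code: it parses an IOS config, works out which ACLs are referenced by "ip nat ... source list" statements, and flags every entry of those ACLs that ends in "log" or "log-input", producing the corrected line for each. It handles both numbered ACLs (as in Dave's config) and named "ip access-list" blocks, which goes slightly beyond the thread. The sample config is constructed from the NAT and ACL lines posted above plus one extra non-NAT ACL (access-list 10) to show that ACLs not used for NAT are left alone; the function and class names are the example's own.

```python
"""Lint a Cisco IOS config for NAT ACLs whose entries carry the 'log' keyword.

Added example (not from the thread above, not Cisco code). IOS NAT ignores
ACL entries that carry 'log', so traffic matched only by such entries is not
translated. This script finds those entries and emits the fixed line.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the NAT statement and ACL 1 as posted in the thread,
# plus a made-up ACL 10 that is NOT used for NAT (should not be flagged).
SAMPLE_CONFIG = """\
interface Vlan2
 ip address 172.17.2.254 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip unnumbered Loopback0
 ip nat outside
!
ip nat inside source list 1 interface Loopback0 overload
!
access-list 1 permit 192.168.129.0 0.0.0.7
access-list 1 permit 192.168.130.0 0.0.0.255
access-list 1 permit 172.17.64.0 0.0.0.255 log
access-list 1 permit 172.17.2.0 0.0.0.255 log
access-list 1 permit 192.168.2.0 0.0.0.255 log
access-list 10 permit 172.17.248.0 0.0.0.255 log
"""

NAT_SOURCE_RE = re.compile(r"^ip nat (?:inside|outside) source list (\S+)")
NUMBERED_ACE_RE = re.compile(r"^access-list (\S+) (?:permit|deny)\b")
NAMED_ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
NAMED_ACE_RE = re.compile(r"^(?:\d+ )?(?:permit|deny)\b")  # optional sequence number
LOG_KEYWORDS = ("log", "log-input")


@dataclass
class Finding:
    lineno: int   # 1-based line in the config
    acl: str      # ACL number or name referenced by a NAT statement
    line: str     # offending entry, whitespace stripped
    fixed: str    # same entry with the trailing log keyword removed


def nat_acls(config: str) -> set[str]:
    """ACL numbers/names referenced by 'ip nat inside|outside source list'."""
    names: set[str] = set()
    for raw in config.splitlines():
        m = NAT_SOURCE_RE.match(raw.strip())
        if m:
            names.add(m.group(1))
    return names


def lint_nat_acls(config: str) -> list[Finding]:
    """Return every entry of a NAT ACL that ends in 'log'/'log-input'."""
    acls = nat_acls(config)
    findings: list[Finding] = []
    current: str | None = None  # name of the named-ACL block we are inside
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = NAMED_ACL_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not raw.startswith(" "):
            current = None  # an unindented line ends the named-ACL block
        acl: str | None = None
        m = NUMBERED_ACE_RE.match(line)
        if m:
            acl = m.group(1)
        elif current and NAMED_ACE_RE.match(line):
            acl = current
        if acl is None or acl not in acls:
            continue
        tokens = line.split()
        if tokens[-1] in LOG_KEYWORDS:
            findings.append(Finding(lineno, acl, line, " ".join(tokens[:-1])))
    return findings


def fix_config(config: str) -> str:
    """Rewrite the config with the log keyword stripped from NAT ACL entries."""
    fixes = {f.lineno: f.fixed for f in lint_nat_acls(config)}
    out = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        if lineno in fixes:
            indent = raw[: len(raw) - len(raw.lstrip())]  # keep IOS indentation
            out.append(indent + fixes[lineno])
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in lint_nat_acls(SAMPLE_CONFIG):
        print(f"line {f.lineno}: ACL {f.acl} is used for NAT but carries 'log': {f.line}")
        print(f"    fix: {f.fixed}")
```

On the router itself the fix is to re-enter the three ACL 1 lines without the trailing "log" (and, if the ACL still has to be logged for audit reasons, use a separate ACL applied to the interface rather than the one the NAT statement references). After the change, "clear ip nat translation *" followed by "show ip nat translations" from a host on VLAN 2 or 64 is the quickest confirmation; "show ip nat statistics" shows the hit counter on the NAT ACL climbing once translation starts.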
01-23-2015 05:02 AM
Dave
Honestly, I read your response and thought to myself "Pah, this guy's mad!".
It's almost as if you know me :-)
This issue has come up a few times before on the forum so I'm pretty sure it will fix the problem for you.
Jon