1038 Views, 0 Helpful, 4 Replies

Cannot get any traffic to flow through NAT besides ICMP ping

jmcdonagh
Level 1

This is driving me crazy, it's been a solid decade since I administered a Cisco router so perhaps I am doing something really dumb.

 

The situation is this: I can ping and ssh between the local subnets (wired and wireless). From the router itself, I can ping and look up hostnames, thus implying TCP and UDP are operational per se.

 

However, I cannot get any traffic BESIDES ICMP ping to flow from local subnets to the Internet. The NAT translations are there. I can see the packets come back by setting up a packet-trace for ingress on the WAN interface; it says 'punted', which I think on these newer routers just means handing off to CEF? Also, in "sh ip nat stat" I can see thousands of "Out-To-In Drops". I have no idea why they are getting dropped. I thought that without an ACL on the WAN interface, things are permitted by default? What am I missing? Here is my config:

 

version 16.7
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable password password
!
no aaa new-model
!
ip name-server 1.1.1.1 8.8.8.8
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.20.1 192.168.20.49
ip dhcp excluded-address 192.168.30.1 192.168.30.49
!
ip dhcp pool wired
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 1.1.1.1 8.8.8.8
 domain-name mydomain.com
!
ip dhcp pool wireless
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 dns-server 1.1.1.1 8.8.8.8
 domain-name mydomain.com
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid C1113-8PLTEEAWB sn XXXXXXXXXXX
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
redundancy
 mode none
!
controller Cellular 0/2/0
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
!
controller VDSL 0/3/0
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 description isp
 ip address xx.xx.xx.xx 255.255.255.252
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 20
!
interface GigabitEthernet0/1/1
 switchport access vlan 20
!
interface GigabitEthernet0/1/2
 switchport access vlan 20
!
interface GigabitEthernet0/1/3
 switchport access vlan 20
!
interface GigabitEthernet0/1/4
 switchport access vlan 20
!
interface GigabitEthernet0/1/5
 switchport access vlan 20
!
interface GigabitEthernet0/1/6
 switchport access vlan 20
!
interface GigabitEthernet0/1/7
 switchport access vlan 20
!
interface Wlan-GigabitEthernet0/1/8
 switchport access vlan 30
!
interface Cellular0/2/0
 no ip address
!
interface Cellular0/2/1
 no ip address
!
interface ATM0/3/0
 no ip address
 no atm enable-ilmi-trap
!
interface Ethernet0/3/0
 no ip address
 no negotiation auto
!
interface Vlan1
 no ip address
!
interface Vlan20
 description wired
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface Vlan30
 description wireless
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
!
ip nat pool isp xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.252
ip nat inside source list 20 pool isp overload
ip nat inside source list 30 pool isp overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
access-list 20 permit 192.168.20.0 0.0.0.255
access-list 20 remark NAT Allow for Wired
access-list 30 permit 192.168.30.0 0.0.0.255
access-list 30 remark NAT Allow for Wireless
!
!
!
!
control-plane
!
!
line con 0
 transport preferred none
 transport input none
 stopbits 1
line vty 0 4
 login
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

 

1 Accepted Solution

Accepted Solutions

Hello,

 

try to use the config below (without the pool), important parts marked with -->:

 

version 16.7
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable password password
!
no aaa new-model
!
ip name-server 1.1.1.1 8.8.8.8
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.20.1 192.168.20.49
ip dhcp excluded-address 192.168.30.1 192.168.30.49
!
ip dhcp pool wired
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 1.1.1.1 8.8.8.8
domain-name mydomain.com
!
ip dhcp pool wireless
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 1.1.1.1 8.8.8.8
domain-name mydomain.com
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid C1113-8PLTEEAWB sn XXXXXXXXXXX
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
redundancy
mode none
!
controller Cellular 0/2/0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
controller VDSL 0/3/0
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
description isp
ip address xx.xx.xx.xx 255.255.255.252
ip nat outside
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 20
!
interface GigabitEthernet0/1/1
switchport access vlan 20
!
interface GigabitEthernet0/1/2
switchport access vlan 20
!
interface GigabitEthernet0/1/3
switchport access vlan 20
!
interface GigabitEthernet0/1/4
switchport access vlan 20
!
interface GigabitEthernet0/1/5
switchport access vlan 20
!
interface GigabitEthernet0/1/6
switchport access vlan 20
!
interface GigabitEthernet0/1/7
switchport access vlan 20
!
interface Wlan-GigabitEthernet0/1/8
switchport access vlan 30
!
interface Cellular0/2/0
no ip address
!
interface Cellular0/2/1
no ip address
!
interface ATM0/3/0
no ip address
no atm enable-ilmi-trap
!
interface Ethernet0/3/0
no ip address
no negotiation auto
!
interface Vlan1
no ip address
!
interface Vlan20
description wired
ip address 192.168.20.1 255.255.255.0
ip nat inside
!
interface Vlan30
description wireless
ip address 192.168.30.1 255.255.255.0
ip nat inside
!
--> ip nat inside source list 20 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
!
--> access-list 20 permit 192.168.20.0 0.0.0.255
--> access-list 20 permit 192.168.30.0 0.0.0.255
!
control-plane
!
line con 0
transport preferred none
transport input none
stopbits 1
line vty 0 4
login
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end

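
The "Out-To-In Drops" counter the original post asks about, and the reason the accepted config above needs no ACL on the WAN interface for inside hosts to be unreachable, come down to how NAT overload matches return traffic. The following is an added example (my own code, not from the thread, from Cisco, or from IOS): a small Python model of inside-source NAT overload on one outside address with extended (5-tuple) entries, the way "show ip nat translations" lists them. An outbound packet matched by the NAT ACL creates an entry; a reply is accepted only if it matches that entry on protocol, outside port, remote address and remote port; anything else arriving on the outside address has no translation and is dropped before any interface ACL would even matter. ICMP echo is tracked on its identifier, which is why ping follows the same path. The traffic, the RFC 5737 addresses and every name are constructed for the example; timeouts, port ranges and ALGs are left out.

```python
"""Toy model of Cisco-style NAT overload (PAT) with extended translation entries.
Added example, not code from the thread or from Cisco. Names are this example's own."""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # L4 source port; for ICMP echo, the identifier
    dst: str
    dport: int   # L4 destination port; for ICMP echo, the identifier again


class PatRouter:
    """'ip nat inside source list <acl> interface <outside> overload', simplified."""

    def __init__(self, nat_acl: List[str], outside_ip: str) -> None:
        self.acl = [ipaddress.ip_network(n) for n in nat_acl]
        self.outside_ip = outside_ip
        # (proto, inside src, inside sport, remote, rport) -> outside port
        self.out_table: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, outside port, remote, rport) -> (inside src, inside sport)
        self.in_table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.in_use: Set[Tuple[str, int]] = set()
        self.stats = {"hits": 0, "misses": 0, "untranslated_out": 0, "out_to_in_drops": 0}

    def _permitted(self, src: str) -> bool:
        a = ipaddress.ip_address(src)
        return any(a in n for n in self.acl)

    def _allocate(self, proto: str, wanted: int) -> int:
        # Keep the inside port when it is free on this protocol, else pick another.
        port = wanted
        if (proto, port) in self.in_use:
            port = 1024
            while (proto, port) in self.in_use:
                port += 1
        self.in_use.add((proto, port))
        return port

    def inside_to_outside(self, pkt: Packet) -> Packet:
        if not self._permitted(pkt.src):
            # Not matched by the NAT ACL: forwarded untouched with its private source.
            self.stats["untranslated_out"] += 1
            return pkt
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.out_table:
            self.stats["hits"] += 1
        else:
            self.stats["misses"] += 1          # a miss is what creates the entry
            port = self._allocate(pkt.proto, pkt.sport)
            self.out_table[key] = port
            self.in_table[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.outside_ip, self.out_table[key], pkt.dst, pkt.dport)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        entry = None
        if pkt.dst == self.outside_ip:
            entry = self.in_table.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            # No translation and no static mapping: nowhere to deliver it.
            # This is the 'Out-to-in drops' counter in 'show ip nat statistics'.
            self.stats["out_to_in_drops"] += 1
            return None
        self.stats["hits"] += 1
        inside_src, inside_sport = entry
        return Packet(pkt.proto, pkt.src, pkt.sport, inside_src, inside_sport)


def run_scenario() -> dict:
    """Constructed traffic on the thread's topology: two inside VLANs, one outside address."""
    r = PatRouter(["192.168.20.0/24", "192.168.30.0/24"], "203.0.113.2")
    log: dict = {}
    # wired host opens HTTPS; the reply matches the entry and is un-translated
    out = r.inside_to_outside(Packet("tcp", "192.168.20.10", 40000, "198.51.100.7", 443))
    log["https_out"] = out
    log["https_back"] = r.outside_to_inside(Packet("tcp", "198.51.100.7", 443, "203.0.113.2", out.sport))
    # wireless host's DNS query: same port number but UDP, so the port is preserved
    log["dns_out"] = r.inside_to_outside(Packet("udp", "192.168.30.10", 40000, "1.1.1.1", 53))
    # a "reply" from a resolver the host never queried: the extended entry does not match
    log["dns_spoof"] = r.outside_to_inside(Packet("udp", "8.8.8.8", 53, "203.0.113.2", 40000))
    # second wireless host collides on TCP/40000 and is given another outside port
    log["collide"] = r.inside_to_outside(Packet("tcp", "192.168.30.11", 40000, "198.51.100.7", 443))
    # ICMP echo (identifier 7) is tracked the same way: the path the poster saw working
    ping = r.inside_to_outside(Packet("icmp", "192.168.20.10", 7, "1.1.1.1", 7))
    log["ping_back"] = r.outside_to_inside(Packet("icmp", "1.1.1.1", 7, "203.0.113.2", ping.sport))
    # unsolicited inbound SSH to the public address: dropped without any ACL
    log["ssh_probe"] = r.outside_to_inside(Packet("tcp", "192.0.2.9", 51515, "203.0.113.2", 22))
    # a subnet the NAT ACL does not cover leaves with its private source intact
    log["unmatched"] = r.inside_to_outside(Packet("tcp", "192.168.40.5", 40001, "198.51.100.7", 443))
    log["stats"] = dict(r.stats)
    return log


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:10} {v}")
```

The "unmatched" case is the one the accepted answer's single ACL guards against: a subnet missing from the NAT ACL is still routed out of the WAN interface with an RFC 1918 source, so nothing ever comes back for it and the translation table shows no entry at all, which is a different symptom from the Out-to-In drops in the original post.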

4 Replies

Hello,

 

either the subnet mask on the interface or the subnet mask of the pool is misconfigured.

 

interface GigabitEthernet0/0/0
description isp
ip address xx.xx.xx.xx 255.255.252.0
ip nat outside
negotiation auto

 

!
ip nat pool isp xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.252

 

I would suspect the interface IP address, since I don't think your ISP will give you an IP address with a /22 mask. Change the subnet mask to:

 

interface GigabitEthernet0/0/0
description isp
--> ip address xx.xx.xx.xx 255.255.255.252
ip nat outside
negotiation auto
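
The mismatch spotted in the reply above (a /22 on the interface against a /30 on the pool) and the two stacked "ip nat inside source" statements in the original post are the kind of thing that is easy to check mechanically before clearing translations and staring at drop counters. The following is an added example (my own code, not from the thread, from Cisco, or from any tool the posters used): a small Python linter that parses the NAT-relevant lines of an IOS-style config and flags the outside mask versus pool netmask disagreement, a pool or interface targeted by more than one NAT statement, NAT statements that reference an ACL with no entries, a default route pointing at an Ethernet interface instead of a next hop, and, as the security caveat, an outside interface with no inbound access-group. Both configs in the block are constructed to resemble the thread's; the public addresses are RFC 5737 documentation space, not the poster's, and every name is this example's own.

```python
"""Static checks for the NAT parts of a Cisco IOS / IOS-XE config. Added example,
not code from the thread or from Cisco; it encodes the mistakes discussed in the
post and the reply above. Both configs are constructed; public addresses are
RFC 5737 documentation space, not the poster's. All names are this example's own."""
import ipaddress
import re
from typing import List, Optional

# Constructed: shape of the original post, with the /22 mask that the reply spotted.
BROKEN_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.252.0
 ip nat outside
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
!
ip nat pool isp 203.0.113.2 203.0.113.2 netmask 255.255.255.252
ip nat inside source list 20 pool isp overload
ip nat inside source list 30 pool isp overload
ip route 0.0.0.0 0.0.0.0 203.0.113.1
access-list 20 permit 192.168.20.0 0.0.0.255
access-list 30 permit 192.168.30.0 0.0.0.255
"""
# Constructed: shape of the accepted answer, with the next-hop IP the poster kept.
FIXED_CONFIG = BROKEN_CONFIG.split("ip nat pool")[0].replace("255.255.252.0", "255.255.255.252") + """\
ip nat inside source list 20 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 203.0.113.1
access-list 20 permit 192.168.20.0 0.0.0.255
access-list 20 permit 192.168.30.0 0.0.0.255
"""


def parse_nat_config(config: str) -> dict:
    """Collect interfaces, pools, NAT statements, ACL ids and default routes."""
    m: dict = {"interfaces": {}, "pools": {}, "rules": [], "acls": set(), "default_routes": []}
    cur: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" "):                      # sub-mode line
            if cur is None:
                continue                             # a sub-mode this example does not model
            ifc = m["interfaces"][cur]
            if mt := re.match(r"ip address (\S+) (\S+)$", line):
                ifc["ip"] = ipaddress.IPv4Interface(f"{mt[1]}/{mt[2]}")
            elif line in ("ip nat inside", "ip nat outside"):
                ifc["nat"] = line.split()[-1]
            elif mt := re.match(r"ip access-group (\S+) in$", line):
                ifc["acl_in"] = mt[1]
            continue
        cur = None
        if mt := re.match(r"interface (\S+)$", line):
            cur = mt[1]
            m["interfaces"][cur] = {"ip": None, "nat": None, "acl_in": None}
        elif mt := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask (\S+)", line):
            m["pools"][mt[1]] = {"start": ipaddress.IPv4Address(mt[2]),
                                 "end": ipaddress.IPv4Address(mt[3]),
                                 "netmask": ipaddress.IPv4Address(mt[4])}
        elif mt := re.match(r"ip nat inside source list (\S+) (pool|interface) (\S+)", line):
            m["rules"].append({"acl": mt[1], "kind": mt[2], "target": mt[3]})
        elif mt := (re.match(r"access-list (\S+) (?:permit|deny) ", line)
                    or re.match(r"ip access-list (?:standard|extended) (\S+)", line)):
            m["acls"].add(mt[1])
        elif mt := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            m["default_routes"].append(mt[1])
    return m


def lint_nat(model: dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    out: List[str] = []
    ifs = model["interfaces"]
    outside = [n for n, i in ifs.items() if i["nat"] == "outside"]
    # A pool has to sit on the outside subnet with the same mask, or the ISP side
    # cannot deliver return traffic for the pool addresses.
    for pname, pool in model["pools"].items():
        for oname in outside:
            ip = ifs[oname]["ip"]
            if ip and pool["netmask"] != ip.netmask:
                out.append(f"pool {pname} netmask {pool['netmask']} differs from {oname} mask {ip.netmask}")
            for addr in (pool["start"], pool["end"]):
                if ip and addr not in ip.network:
                    out.append(f"pool {pname} address {addr} is outside {oname} subnet {ip.network}")
    # One translation target, one statement: merge the subnets into a single ACL.
    users: dict = {}
    for r in model["rules"]:
        users.setdefault((r["kind"], r["target"]), []).append(r["acl"])
        if r["acl"] not in model["acls"]:
            out.append(f"NAT statement references ACL {r['acl']}, which has no permit/deny entries")
    for (kind, target), acls in users.items():
        if len(acls) > 1:
            out.append(f"{kind} {target} is the target of {len(acls)} 'ip nat inside source' "
                       f"statements (ACLs {', '.join(acls)}); merge them into one ACL")
    # No inbound ACL on the outside interface: inside hosts are shielded only by the
    # absence of a translation, and whatever the router itself listens on is exposed.
    for oname in outside:
        if ifs[oname]["acl_in"] is None:
            out.append(f"{oname} has no inbound access-group")
    # A static route to an Ethernet interface makes the router ARP for every
    # destination and depends on the ISP router answering proxy ARP.
    for target in model["default_routes"]:
        if target in ifs:
            out.append(f"default route points at interface {target} rather than a next-hop address")
    return out


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name} ==")
        for finding in lint_nat(parse_nat_config(cfg)):
            print(" -", finding)
```

Run against the broken shape it reports the mask mismatch, the shared pool and the missing inbound ACL; against the accepted answer's shape only the inbound-ACL advisory remains, which is the one item the thread never gets to.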

 

Wow, what a bonehead mistake; thanks for pointing that out!

 

So I fixed that, cleared the NAT translations, still the same issue.


So, your suggestion pretty much fixed it, minus the default route, which had to stay with the IP for whatever reason. You are my hero right now, Georg. I wonder why it wouldn't work with the pool? Or was it the multiple access lists? I don't get it.