09-24-2019 12:45 AM
Dear all,
I'm struggling with getting my Cisco ISR 1921 to do proper NAT.
Setup:
Laptop > Cisco ISR 1921 int Gi0/0 > Dialer1 > EHWIC-3G-HSPA+7 (Cellular0/0/0)
I’m using NVI to do NAT.
I can ping 8.8.8.8 both from router and from laptop.
I can traceroute both from laptop and router:
e.g. tracert -d 131.152.228.33 (from laptop)
  1    <1 ms    <1 ms    <1 ms  192.168.123.1
  2    55 ms    57 ms    47 ms  192.168.42.255
  3    36 ms    36 ms    36 ms  192.168.42.201
 …
 13    48 ms    47 ms    46 ms  130.59.39.73
 14    72 ms    47 ms    46 ms  192.43.192.197
 15    47 ms    46 ms    47 ms  131.152.231.241
 16     *        *        *     Zeitüberschreitung der Anforderung.
 17    54 ms    76 ms    58 ms  131.152.228.33
NVI translation seems to work:
sh ip nat nvi translations:
Pro Source global         Source local           Destin local           Destin global
udp 10.14.148.29:137      192.168.123.51:137     192.168.123.255:137    192.168.123.255:137
udp 10.14.148.29:138      192.168.123.51:138     192.168.123.255:138    192.168.123.255:138
udp 10.14.148.29:1081     192.168.123.51:5060    172.16.40.11:5060      172.16.40.11:5060
udp 10.14.148.29:49208    192.168.123.51:49208   195.186.216.33:53      195.186.216.33:53
udp 10.14.148.29:49266    192.168.123.51:49266   8.8.4.4:53             8.8.4.4:53
udp 10.14.148.29:49266    192.168.123.51:49266   8.8.8.8:53             8.8.8.8:53
udp 10.14.148.29:49266    192.168.123.51:49266   195.186.152.33:53      195.186.152.33:53
...
However, I can’t browse, and I can’t resolve DNS.
Please find below router config:
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
hostname RT004_MOB
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip dhcp excluded-address 192.168.123.1 192.168.123.50
!
ip dhcp pool LAN
 import all
 network 192.168.123.0 255.255.255.0
 dns-server 8.8.4.4 8.8.8.8 195.186.152.33 195.186.216.33
 default-router 192.168.123.1
!
!
!
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
chat-script hspa-R7 "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
!
!
license udi pid CISCO1921/K9 sn FCZ170792R6
!
!
archive
 path usbflash0:/backup/$h
 write-memory
 time-period 40320
username admin privilege 15
!
redundancy
 notification-timer 120000
!
!
controller Cellular 0/0
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.123.1 255.255.255.0
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Cellular0/0/0
 description WWAN 3G Link
 ip address negotiated
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 async mode interactive
 routing dynamic
!
interface Cellular0/0/1
 no ip address
 encapsulation slip
!
interface Dialer1
 ip address negotiated
 ip nat enable
 encapsulation slip
 dialer pool 1
 dialer idle-timeout 0
 dialer string hspa-R7
 dialer persistent delay initial 60
 dialer-group 1
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
ipv6 ioam timestamp
!
!
access-list 1 permit any
!
control-plane
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 0/0/0
 exec-timeout 0 0
 script dialer hspa-R7
 modem InOut
 no exec
line 0/0/1
 no exec
line vty 0 4
 access-class 23 in
 privilege level 15
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
End
Any help appreciated.
Thanks,
Florian
09-24-2019 01:19 AM
Hello,
delete the previous access list:
no access-list 1
and change your access list 1 to:
access-list 1 permit 192.168.123.0 0.0.0.255
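A config check for the problem fixed in the answer above, as an added example that is not part of the original post: it flags a standard ACL referenced by "ip nat source list" that is "permit any" and proposes the replacement lines. The function name audit_nat_acl and the rule that statically addressed "ip nat enable" interfaces are the LAN side are assumptions of this example; the sample config is constructed from lines posted in the thread.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the configuration posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.123.1 255.255.255.0
 ip nat enable
!
interface Dialer1
 ip address negotiated
 ip nat enable
!
ip nat source list 1 interface Dialer1 overload
access-list 1 permit any
"""

def audit_nat_acl(config):
    """Return [(acl_number, replacement_lines)] for NAT source ACLs that are 'permit any'."""
    addrs, nat_ifaces, iface = {}, set(), None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif not line.startswith(" "):
            iface = None  # left interface sub-mode
        elif iface and (m := re.match(r" ip address (\d\S*) (\d\S*)", line)):
            addrs[iface] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif iface and line.strip() == "ip nat enable":
            nat_ifaces.add(iface)
    # Assumption: NAT-enabled interfaces with a static address are the LAN side;
    # "ip address negotiated" (the WAN dialer) never matches the address pattern.
    lan = [addrs[i] for i in sorted(nat_ifaces) if i in addrs]
    nat_lists = set(re.findall(r"^ip nat source list (\d+) interface \S+ overload", config, re.M))
    findings = []
    for acl in sorted(nat_lists):
        if re.search(rf"^access-list {acl} permit any\s*$", config, re.M):
            fix = [f"no access-list {acl}"]
            fix += [f"access-list {acl} permit {n.network_address} {n.hostmask}" for n in lan]
            findings.append((acl, fix))
    return findings

if __name__ == "__main__":
    for acl, fix in audit_nat_acl(SAMPLE_CONFIG):
        print(f"ACL {acl} used for NAT is 'permit any'; suggested replacement:")
        print("\n".join(fix))
```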
09-24-2019 01:39 AM - edited 09-24-2019 01:40 AM
Hi Georg,
Thank you very much, this resolved the issue!
Kind regards,
Florian
09-24-2019 01:29 AM - edited 09-24-2019 01:29 AM
Hello
Your NAT looks fine. For a sanity check, can you try applying the following?
int cellular 0/0/0
ip tcp adjust-mss 1452
int dialer 1
ip mtu 1492
no access-list 1
access-list 1 permit 192.168.123.0 0.0.0.255
09-24-2019 01:43 AM
Hi Paul,
I tested Georg's solution that is working fine.
Do you still suggest to adjust according to your recommendation?
Thanks,
Florian