Cisco 1941 NAT help

pands_007, Level 1

Dear all,

I am not an expert.

Below is my configuration.

There are a few issues:

1) Static NAT is not working.

2) Some clients can't access the internet even though they are in the client-list permit range.

Can anyone help me with this?

Thanks in advance.

interface GigabitEthernet0/0
 description WAN_LINK
 ip address xxx.xxx.xxx.146 255.255.255.240
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description INSIDE_LAN
 ip address 192.168.10.101 255.255.255.0
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
!
no ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool dynamic-ip xxx.xxx.xxx.146 xxx.xxx.xxx.146 netmask 255.255.255.240
ip nat source list client-list interface GigabitEthernet0/0 overload
ip nat source static 192.168.10.102 xxx.xxx.xxx.147
ip nat source static 192.168.10.103 xxx.xxx.xxx.148
ip nat source static 192.168.10.104 xxx.xxx.xxx.149
ip nat source static 192.168.10.105 xxx.xxx.xxx.150
ip nat source static 192.168.10.106 xxx.xxx.xxx.151
ip nat source static 192.168.10.107 xxx.xxx.xxx.152
ip nat source static 192.168.10.108 xxx.xxx.xxx.153
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.145
!
ip access-list standard client-list
 permit 192.168.10.115 0.0.0.140
!
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password 7 130C07131F5D56796F
 login
!
scheduler allocate 20000 1000
end

Accepted Solution

Hello

It could possibly have been down to your default static route, as at present the router will think any off-site address is directly connected and ARP for its MAC.

Suggest you change it to include a next-hop IP address to save unwarranted ARP requests.

no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 x.x.x.x (next-hop address)

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul


Hello,

Not sure if this is a typo?

ip access-list standard client-list
 permit 192.168.10.115 0.0.0.140

140 does not exist, try 63 or 127...or 255.

Hi, sorry,

That is a typo. This is the correct setting in the router:

ip access-list standard client-list
 permit 192.168.10.0 0.0.0.255

Why is the static NAT not working?

Thank you

Hello,

remove the line:

ip nat pool dynamic-ip xxx.xxx.xxx.146 xxx.xxx.xxx.146 netmask 255.255.255.240

from your configuration, as this is not in use.

Also, change your default route to:

! exit interface first, then the next-hop address (.145 is the next hop from the original default route)
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 xxx.xxx.xxx.145

Hello,

also make sure that you have 'no ip redirects' configured on your router...

Hi,

First of all, thank you very much for helping me.

Below are my new settings. Users can access the internet, but static NAT is not working; only one entry is working fine.

I can't find where to apply 'no ip redirects'.

ip nat source static 192.168.10.108 xxx.xxx.xxx.153 --> this is working

no aaa new-model
no ipv6 cef
ip source-route
ip cef
no ip domain lookup
multilink bundle-name authenticated

interface GigabitEthernet0/0
 description WAN_LINK
 ip address xxx.xxx.xxx.146 255.255.255.240
 ip nat outside --> enabled this
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto

interface GigabitEthernet0/1
 description INSIDE_LAN
 ip address 192.168.10.101 255.255.255.0
 ip nat inside --> enabled this
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto

no ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat source list client-list interface GigabitEthernet0/0 overload
ip nat source static 192.168.10.102 xxx.xxx.xxx.147
ip nat source static 192.168.10.103 xxx.xxx.xxx.148
ip nat source static 192.168.10.104 xxx.xxx.xxx.149
ip nat source static 192.168.10.105 xxx.xxx.xxx.150
ip nat source static 192.168.10.106 xxx.xxx.xxx.151
ip nat source static 192.168.10.107 xxx.xxx.xxx.152
ip nat source static 192.168.10.108 xxx.xxx.xxx.153 --> this is working
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip access-list standard client-list
 permit 192.168.10.0 0.0.0.255

Hello,

First of all, remove 'ip nat inside' and 'ip nat outside'; these won't work with your current configuration.

I'll check why the static NAT is only working for one entry...

Can you post the output of 'show version' ? Just to check for bugs in your IOS...

Thank you.

Please find below

#show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M6, RELEASE SOFTWARE (fc1)
Compiled Wed 01-Jun-11 15:31 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)

System returned to ROM by reload at 09:51:08 UTC Mon Aug 28 2017
System restarted at 09:52:21 UTC Mon Aug 28 2017
System image file is "flash0:c1900-universalk9-mz.SPA.150-1.M6.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command

Cisco CISCO1941/K9 (revision 1.0) with 491520K/32768K bytes of memory.
Processor board ID FTX1519800H
2 Gigabit Ethernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
254464K bytes of ATA System CompactFlash 0 (Read/Write)
3669512K bytes of ATA CompactFlash 1 (Read/Write)

Technology Package License Information for Module:'c1900'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           None
data          datak9        Permanent      datak9

Configuration register is 0x2102

Hello,

I found a bug that is related to static NAT and ARP resolution with NVI NAT (that is what you currently have configured). The workaround is to add a static ARP entry for the translated address:

1941(config)#arp xxx.xxx.xxx.152 hhhh.hhhh.hhhh arpa

where hhhh.hhhh.hhhh is the MAC address of the device.

If you cannot get this to work, try the 'traditional NAT'; the config is below:

interface GigabitEthernet0/0
 description WAN_LINK
 ip address xxx.xxx.xxx.146 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

interface GigabitEthernet0/1
 description INSIDE_LAN
 ip address 192.168.10.101 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

no ip forward-protocol nd
no ip http server
no ip http secure-server

ip nat inside source list client-list interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.10.102 xxx.xxx.xxx.147
ip nat inside source static 192.168.10.103 xxx.xxx.xxx.148
ip nat inside source static 192.168.10.104 xxx.xxx.xxx.149
ip nat inside source static 192.168.10.105 xxx.xxx.xxx.150
ip nat inside source static 192.168.10.106 xxx.xxx.xxx.151
ip nat inside source static 192.168.10.107 xxx.xxx.xxx.152
ip nat inside source static 192.168.10.108 xxx.xxx.xxx.153
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip access-list standard client-list
 permit 192.168.10.0 0.0.0.255

Hi,

Thanks, same results too..

My current settings:

ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.10.102 xxx.xxx.xxx.147
ip nat inside source static 192.168.10.103 xxx.xxx.xxx.148
ip nat inside source static 192.168.10.104 xxx.xxx.xxx.149
ip nat inside source static 192.168.10.105 xxx.xxx.xxx.150
ip nat inside source static 192.168.10.106 xxx.xxx.xxx.151
ip nat inside source static 192.168.10.107 xxx.xxx.xxx.152
ip nat inside source static 192.168.10.108 xxx.xxx.xxx.153
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
access-list 100 permit tcp any any
access-list 100 permit udp any any

but

show ip nat trans udp is working

show ip nat trans tcp is not showing any translation.

Regards.

Hello,

NAT doesn't like 'any any' access lists, so change access list 100 to simply:

access-list 100 permit ip 192.168.10.0 0.0.0.255 any

That said, can you check with your ISP if they are actually routing all those addresses you are using in your static NAT to you correctly ? One thing you could do is to replace your WAN IP address with any of those other addresses from the block that has been assigned to you. That way you know the addresses are properly routed. Any of them should establish connectivity with your ISP.

Hi,

Thanks. Below are my new settings; it is still not working. Yes, I have tried changing the IP address also, from 146 to 153, no luck :(

Is it possible to disable ARP completely to get NAT NVI to work?

The same settings work in a Cisco 1841, of course with IOS version 12.0.

 

interface GigabitEthernet0/0
 description WAN_LINK
 ip address xxx.xxx.xxx.146 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled

interface GigabitEthernet0/1
 description INSIDE_LAN
 ip address 192.168.10.101 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled

no ip forward-protocol nd

no ip http server
no ip http secure-server

ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.10.102 xxx.xxx.xxx.147
ip nat inside source static 192.168.10.103 xxx.xxx.xxx.148
ip nat inside source static 192.168.10.104 xxx.xxx.xxx.149
ip nat inside source static 192.168.10.105 xxx.xxx.xxx.150
ip nat inside source static 192.168.10.106 xxx.xxx.xxx.151
ip nat inside source static 192.168.10.107 xxx.xxx.xxx.152
ip nat inside source static 192.168.10.108 xxx.xxx.xxx.153
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

access-list 100 permit ip 192.168.10.0 0.0.0.255 any

Hi,

I really don't know what the difference is between the setting below and my initial one, except for the changes you asked me to make; all of a sudden it started working now.

The only thing I did was add an ARP entry, but that was not working, and then I set

no arp xxx.xxx.xxx.xxx h.h.h.h arpa

Thank you once again :)

no aaa new-model
no ipv6 cef
ip source-route
ip cef
no ip domain lookup
multilink bundle-name authenticated

interface GigabitEthernet0/0
 description WAN_LINK
 ip address xxx.xxx.xxx.146 255.255.255.240
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 no shut
 
interface GigabitEthernet0/1
 description INSIDE_LAN
 ip address 192.168.10.101 255.255.255.0
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 no shut
 
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat source list client-list interface GigabitEthernet0/0 overload
ip nat source static 192.168.10.102 xxx.xxx.xxx.147
ip nat source static 192.168.10.103 xxx.xxx.xxx.148
ip nat source static 192.168.10.104 xxx.xxx.xxx.149
ip nat source static 192.168.10.105 xxx.xxx.xxx.150
ip nat source static 192.168.10.106 xxx.xxx.xxx.151
ip nat source static 192.168.10.107 xxx.xxx.xxx.152
ip nat source static 192.168.10.108 xxx.xxx.xxx.153
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip access-list standard client-list
 permit 192.168.10.0 0.0.0.255

Hello,

It might have been the bug I mentioned earlier, and the ARP entry needed to be cleared.

Either way, you got it working now?

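The misconfigurations raised across this thread (the 0.0.0.140 wildcard mask, NVI NAT mixed with 'ip nat inside/outside', an 'any any' NAT access list, and a default route with an exit interface but no next hop) can be caught before a config is pasted onto a router. The checker below is an added example, not code from the thread; its sample config is constructed, with the redacted WAN block replaced by the documentation range 203.0.113.144/28 as an assumption.

```python
import re
import ipaddress

# Constructed sample modelled on the thread's first config; the redacted WAN
# block is replaced by the documentation range 203.0.113.144/28 (an assumption).
SAMPLE = """\
interface GigabitEthernet0/0
 ip address 203.0.113.146 255.255.255.240
 ip nat enable
interface GigabitEthernet0/1
 ip address 192.168.10.101 255.255.255.0
 ip nat inside
ip nat source list client-list interface GigabitEthernet0/0 overload
ip nat source static 192.168.10.102 203.0.113.147
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
access-list 100 permit tcp any any
ip access-list standard client-list
 permit 192.168.10.115 0.0.0.140
"""

def wildcard_ok(wc):
    """An IOS wildcard mask is contiguous when its bits are 0...01...1."""
    n = int(ipaddress.IPv4Address(wc))
    return n & (n + 1) == 0

def lint_nat_config(text):
    """Return findings for the misconfigurations discussed in this thread."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    # NVI NAT: 'ip nat enable' / 'ip nat source'. Traditional NAT:
    # 'ip nat inside|outside' / 'ip nat inside source'. Mixing them was flagged.
    nvi = any(l == "ip nat enable" or l.startswith("ip nat source ") for l in lines)
    trad = any(l in ("ip nat inside", "ip nat outside")
               or l.startswith("ip nat inside source ") for l in lines)
    if nvi and trad:
        findings.append("NVI NAT mixed with traditional ip nat inside/outside")
    for l in lines:
        # Standard ACL entry 'permit <addr> <wildcard>' (the 0.0.0.140 typo).
        if m := re.match(r"permit \S+ (\d+\.\d+\.\d+\.\d+)$", l):
            if not wildcard_ok(m[1]):
                findings.append(f"non-contiguous wildcard mask in '{l}'")
        # Default route with only an exit interface makes the router ARP for
        # every off-site destination; a trailing next-hop address avoids that.
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", l):
            if not re.fullmatch(r"[\d.]+", m[1]):
                findings.append("default route has no next-hop address")
        # NAT ACLs should match the inside source prefix, not 'any any'.
        elif re.match(r"access-list \d+ permit \S+ any any$", l):
            findings.append(f"NAT ACL matches any any: '{l}'")
    return findings
```

Run `lint_nat_config` on a config before applying it; an empty list means none of the thread's four pitfalls is present.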