01-28-2019 03:09 PM - edited 03-05-2019 11:13 AM
I am trying to get my Cisco router 4451 to route to my ISP, but have been unsuccessful. Here is what I have.
ge0/0/1
192.168.1.129 255.255.255.128
ge0/0/2
192.168.1.1 255.255.255.0
ISP Static Address
IP Address 50.78.70.245
50.78.70.252
Gateway 50.78.70.246
Need to have both ge networks to route to the ISP for internet access. Have tried using IP Route 0.0.0.0 0.0.0.0 of both ge networks but with no success, I have even taken an additional ge port and configured it with my ISP static info, but again unable to connect to the internet. I am also unable to ping any of the ISP addresses, from either of the ge networks, but can ping both ge networks.
02-05-2019 07:10 AM
I have looked at what you have posted. There may be multiple things to address and I will start with 2 major issues.
1) the addressing of your serial interfaces will not work. Both serial interfaces have IP addresses in the same network (100.100.100.0/24). I am surprised that you were able to get it into the configuration. You can not have the same subnet operate successfully on 2 physically separated links. You need to change the addressing so that B to A is one subnet and B to C is a different subnet. You might solve this by dividing your /24 into 2 subnets. But for a point to point serial connection all you really need is a /30 subnet (255.255.255.252). So your first step should be to change the addressing and subnetting of the serial interfaces.
2) router B has 3 static default routes configured. That is 2 too many.
- You have a default route on B with the next hop being the address of router A. This is good and you should keep it.
- You have a static default with the next hop being the address of router C. The syntax is ok. But this route makes no logical sense. Remember that the default route is used when you are not sure where the destination really is. It makes no sense to forward a packet for an unknown destination to C. What can C do with it? So remove this default route.
- You have a static default with the next hop being the provider address. You are correct that this is ultimately where we want the packet to an unknown destination to go. But router B has no information about where the ISP address really is and so would not be able to insert this default route into the routing table. Remove this default route.
Fix these 2 issues and let us know how things are working.
HTH
Rick
02-12-2019 06:25 AM
Thanks, made changes, and improved the network, but I still have a couple of problems:
Router C unable to ping 100.100.100.1 or beyond.
Router C from a pc attached to either network can ping everything except 50.78.70.246 ISP gateway.
Router B unable to ping 50.78.70.246 ISP gateway.
Router A: this is the strange part, can ping both networks on B & C but unable to ping router B serial interface 200.200.200.1 or router C 200.200.200.2.
Router A from a pc attached to either network can ping everything, except serial interfaces 200.200.200.1 or 200.200.200.2
Have attached updated config and network page.
I really appreciate all the assistance, advice???
01-28-2019 03:30 PM
Hello,
add the lines in bold to your config:
ge0/0/1
192.168.1.129 255.255.255.128
ip nat inside
!
ge0/0/2
192.168.1.1 255.255.255.0
ip nat inside
!
interface X
ip address 50.78.70.245 255.255.255.252
ip nat outside
!
ip nat inside source list 1 interface X overload <-- where 'x' is the interface connected to the ISP
!
access-list 1 permit 192.168.1.0
!
ip route 0.0.0.0 0.0.0.0 50.78.70.246
01-30-2019 09:33 AM
I added the lines you suggested, but they had no effect on the network. I have a switch connected to ge0/0/1 and a PC connected to the switch; the PC network is configured as IP address 192.168.1.5 255.255.255.128, gateway 192.168.1.1. I can ping ge0/0/0 50.78.70.245 but am unable to ping 50.78.70.246, which is the gateway. Also, the PC is unable to see the internet side of the router. I have attached a copy of the config of the router.
Thanks
01-30-2019 09:48 AM
Thanks for posting the router config. The main issue I see in the config is that Gig0/0/2 does not have ip nat inside. Please add that. Otherwise the config seems appropriate.
I am quite puzzled about why the PC can successfully ping 50.78.70.245 but can not ping 50.78.70.246. It seems to suggest that there might be an issue with address translation. Can you try the ping again and then show the content of the translation table?
HTH
Rick
01-30-2019 10:09 AM
Hello,
in addition to Richard's post, in your original post you said:
ISP Static Address
IP Address 50.78.70.245
50.78.70.252
Gateway 50.78.70.246
What is 50.78.70.252, or is that just a typo, and you meant to type 255.255.255.252?
You could try and use a route map for your NAT (changes are marked in bold). Also, although it is not recommended, try and change the default route to point to the outgoing interface:
! Last configuration change at 17:14:06 UTC Wed Jan 30 2019
!
!
interface GigabitEthernet0/0/0
description #Outside Internet#
ip address 50.78.70.245 255.255.255.252
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description #Internal Network#
ip address 192.168.1.1 255.255.255.128
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/2
ip address 192.168.1.129 255.255.255.128
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface Serial1/0/0
ip address 100.100.100.1 255.255.255.0
dsu bandwidth 44210
framing c-bit
cablelength 10
no cdp enable
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 194.169.2.65 255.255.255.0
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source route-map TO_ISP interface GigabitEthernet0/0/0 overload
no ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
!
route-map TO_ISP
match ip address 1
match interface GigabitEthernet0/0/0
!
access-list 1 permit 192.168.1.0
!
control-plane
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password Password!
login
!
end
01-30-2019 10:54 AM
I agree that the original post had garbled information about the addressing. The router config makes it pretty clear about the interface address and the gateway.
I agree that it might be a possibility to use a route map for the translation. But since the main use of a route map for address translation is when you have more than one outbound interface (you want to match the interface as well as match the ACL) and this situation has only a single outbound interface, I do not see where there would be benefit in doing this.
I absolutely disagree with the suggestion to change the default route. Configuring a static route to point at an outbound ethernet interface without specifying the next hop will have a negative impact on router performance (how much impact is not clear but certainly having to arp for every destination address, having a larger arp table, and the cpu cycles to maintain that larger arp table are certainly negatives) but also introduces the possibility that the static route might not work at all. For this type of static route to work requires that the next hop router has enabled proxy arp, and many organizations are moving away from proxy arp because of the security issues associated with it.
HTH
Rick
01-30-2019 11:26 AM
My bad, I should have explained better what I am after. It is not a good idea to use the interface for a default route, absolutely true. The purpose of suggesting to do that was to find out if the IP address used might be the wrong one. The initial post has no subnet mask given for the IP addresses, so maybe it is not a /30, but a /28, and maybe the default gateway is the .252? I don't know why the .252 is in the post and what its purpose is.
If the static route works using the interface, then at least we know that the .246 is not the correct address...
01-31-2019 08:47 AM
I added the changes you suggested, but they had no effect, so I am providing the exact plan of what I am trying to do. Attached is the router config with the changes you suggested; also attached is the plan I am trying to do, in a PDF file. This is what my ISP gave me as network info to use.
CPE IP-1 50.78.70.244/30
CPE gateway - 1 50.78.70.246
CPE subnet mask -1 255.255.255.252
CPE subnet mask -2 75.75.75.75
CPE subnet mask -3 75.75.76.76
Static IP address 50.78.70.245
Even with the changes you suggested, from the router I can ping all the IPs listed above, but from the PC attached to a switch with an IP address 192.168.1.5, subnet mask 255.255.255.128, gateway 192.168.1.1, I am only able to ping the ge0/0/0 interface of the router, IP address 50.78.70.245.
01-31-2019 08:48 AM
01-31-2019 09:07 AM
Hello,
It seems that NAT doesn't work. Please check access-list 1. It's a standard ACL, and a wildcard is not applied, so it could be 0.0.0.0 by default:
show ip access-list 1
then you can change it:
no access-list 1
access-list 1 permit 192.168.1.0 0.0.0.255
and check again:
show ip access-list 1
or, better, use a named ACL.
01-31-2019 09:57 AM
Hello,
the IP addresses you listed look odd. Which ones are you supposed to use? For the sake of testing, try and use the 75 addresses. The config would look like this:
! Last configuration change at 17:14:06 UTC Wed Jan 30 2019
!
!
interface GigabitEthernet0/0/0
description #Outside Internet#
ip address 75.75.76.75 255.255.255.252
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description #Internal Network#
ip address 192.168.1.1 255.255.255.128
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/2
ip address 192.168.1.129 255.255.255.128
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface Serial1/0/0
ip address 100.100.100.1 255.255.255.0
dsu bandwidth 44210
framing c-bit
cablelength 10
no cdp enable
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 194.169.2.65 255.255.255.0
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
no ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 75.75.76.76
!
access-list 1 permit 192.168.1.0
!
control-plane
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password Password!
login
!
end
01-31-2019 10:20 AM
Better yet, post a screenshot of what your ISP gave you...
01-31-2019 10:24 AM
interface GigabitEthernet0/0/0
description #Outside Internet#
ip address 75.75.76.75 255.255.255.252
ip nat outside
negotiation auto
Tried this, received message from router bad mask /30 for address 75.75.76.75
01-31-2019 10:31 AM
75.75.76.75 is the broadcast address with mask 30. It's invalid, and you can't configure it on an interface with such a mask.
Moreover, these addresses look like DNS servers.
I think you don't need to change the IP addressing; please return it to what it was before.
Try the option I wrote with the ACL. Your ACL doesn't match the traffic for NAT now, because it has wildcard 0.0.0.0.
Configure the following:
no access-list 1
access-list 1 permit 192.168.1.0 0.0.0.255
and then try connectivity and send the running config on the router.
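Added example (not part of any post in this thread, and not Cisco code): a Python check of the two points raised above, namely what a standard ACL entry matches with and without a wildcard, and whether an address is usable on an interface under a given mask. It assumes, as the posts state, that an omitted wildcard behaves as 0.0.0.0; the function names and the host 192.168.1.130 are constructed for illustration.

```python
import ipaddress

def acl_permits(source, acl_addr, wildcard="0.0.0.0"):
    """Standard-ACL match: wildcard bits set to 1 are ignored, all others must be equal.
    The default of 0.0.0.0 (exact host match) is the behaviour described in the thread."""
    src = int(ipaddress.IPv4Address(source))
    base = int(ipaddress.IPv4Address(acl_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (src & care) == (base & care)

def address_role(addr, mask):
    """Return 'network', 'broadcast' or 'host' for addr within the subnet that mask defines."""
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    net = iface.network
    if net.prefixlen < 31:  # /31 and /32 have no network or broadcast address
        if iface.ip == net.network_address:
            return "network"
        if iface.ip == net.broadcast_address:
            return "broadcast"
    return "host"

def same_subnet(a, b, mask):
    """True when a and b fall in the same subnet under mask (a next hop must)."""
    return (ipaddress.IPv4Interface(f"{a}/{mask}").network
            == ipaddress.IPv4Interface(f"{b}/{mask}").network)

def check_thread_values():
    """Run the checks on addresses quoted in the thread (192.168.1.130 is constructed)."""
    return {
        "acl_no_wildcard_matches_pc": acl_permits("192.168.1.5", "192.168.1.0"),
        "acl_with_wildcard_matches_pc": acl_permits("192.168.1.5", "192.168.1.0", "0.0.0.255"),
        "acl_with_wildcard_matches_ge2": acl_permits("192.168.1.130", "192.168.1.0", "0.0.0.255"),
        "75.75.76.75/30": address_role("75.75.76.75", "255.255.255.252"),
        "50.78.70.245/30": address_role("50.78.70.245", "255.255.255.252"),
        "gateway_.246_on_link": same_subnet("50.78.70.245", "50.78.70.246", "255.255.255.252"),
        "gateway_.252_on_link": same_subnet("50.78.70.245", "50.78.70.252", "255.255.255.252"),
    }

if __name__ == "__main__":
    for name, result in check_thread_values().items():
        print(f"{name}: {result}")
```

The same `same_subnet` call with mask 255.255.255.240 returns True for .245 and .252, which is the /28 possibility raised earlier in the thread.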
01-31-2019 10:32 AM
Hello,
without seeing what you actually got from your ISP it is just guesswork. The mask could be /31 (255.255.255.254). Best to check back with your ISP to make sure you are using the correct addresses...