
Host has no internet and can't ping external IPs on C897VA

G3000LEE
Level 1

I'm having an issue getting internet access for inside hosts that are connected to the router.


I have configured this model of router a few times in the past using vdsl with success in my own home, but I can't get it working using the WAN ethernet port for a friend.

 

There is an extra static route in the routing table 141.XX.144.27 which must have been put there by the ISP, but not sure why it's there.
Please see the below output and thanks in advance for any help.


C897VA#show run
!
no ip source-route
!
!
ip dhcp pool HYPEROPTIC100
network 192.168.100.0 255.255.255.0
default-router 192.168.100.254
dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
!
!
interface GigabitEthernet0
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface GigabitEthernet8
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan100
ip address 192.168.100.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
!
ip nat inside source list HYPEROPTIC100 interface GigabitEthernet8 overload
!
ip access-list standard HYPEROPTIC100
permit 192.168.100.0 0.0.0.255 log
deny any log
!

 

C897VA#show ip route
Gateway of last resort is 100.64.XX.193 to network 0.0.0.0

S* 0.0.0.0/0 [254/0] via 100.64.XX.193
100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 100.64.XX.192/26 is directly connected, GigabitEthernet8
L 100.64.XX.210/32 is directly connected, GigabitEthernet8
141.XX.0.0/32 is subnetted, 1 subnets
S 141.XX.144.27 [254/0] via 100.64.XX.193, GigabitEthernet8
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, Vlan100
L 192.168.100.254/32 is directly connected, Vlan100


897VA#ping 8.8.8.8 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

 

C897VA#show ip nat translation
Pro Inside global Inside local Outside local Outside global
icmp 100.64.XX.210:3 192.168.100.254:3 8.8.8.8:3 8.8.8.8:3
icmp 100.64.XX.210:4 192.168.100.254:4 8.8.8.8:4 8.8.8.8:4


C897VA#sh ip cef
Prefix Next Hop Interface
0.0.0.0/0 100.64.XX.193 GigabitEthernet8
0.0.0.0/8 drop
0.0.0.0/32 receive
100.64.XX.192/26 attached GigabitEthernet8
100.64.XX.192/32 receive GigabitEthernet8
100.64.XX.193/32 attached GigabitEthernet8
100.64.XX.210/32 receive GigabitEthernet8
100.64.XX.255/32 receive GigabitEthernet8
127.0.0.0/8 drop
141.XX.144.27/32 100.64.XX.193 GigabitEthernet8
192.168.100.0/24 attached Vlan100
192.168.100.0/32 receive Vlan100
192.168.100.1/32 attached Vlan100
192.168.100.254/32 receive Vlan100
192.168.100.255/32 receive Vlan100
224.0.0.0/4 drop
224.0.0.0/24 receive
240.0.0.0/4 drop
255.255.255.255/32 receive

Accepted Solutions

Hello,

 

the 'log' keyword at the end of the access list causes your NAT traffic to be process switched, which effectively disables your NAT.

 

ip nat inside source list HYPEROPTIC100 interface GigabitEthernet8 overload
!
ip access-list standard HYPEROPTIC100
permit 192.168.100.0 0.0.0.255 log
deny any log

 

Remove the access list altogether and configure this:

 

access-list 1 permit 192.168.100.0 0.0.0.255
!
ip nat inside source list 1 interface GigabitEthernet8 overload

 

Also, make sure your default route is in there:


ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp

Hello,

 

also, since you are using Vlan 100, you have to manually create it first:

 

897VA#conf t

897VA(config)#vlan 100

 

So the entire configuration would look like this (important parts marked in bold):

 

no ip source-route
!
vlan 100
!
ip dhcp excluded-address 192.168.100.254
!
ip dhcp pool HYPEROPTIC100
network 192.168.100.0 255.255.255.0
default-router 192.168.100.254
dns-server 8.8.8.8 8.8.4.4
!
ip cef
!
interface GigabitEthernet0
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface GigabitEthernet8
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan100
ip address 192.168.100.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip nat inside source list 1 interface GigabitEthernet8 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp
!
access-list 1 permit 192.168.100.0 0.0.0.255

Hi Georg,

 

Thanks a lot for your help.

 

Just removing the log from the access-list fixed the issue.  I always create a standard ACL just so I can have a meaningful name but didn't know adding log to the ACL would disable NAT. I have learnt something new.

 

I've been using an 800 model router in my house and a friend's house for years and it's only by luck I didn't add log in my NAT ACL or I would have had this problem years ago.

 

Vlan100 was already created but doesn't show in the running-config:

 

C897VA#sho vlan-switch
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
11 noname active Gi7
100 VLAN0100 active Gi0, Gi1, Gi2, Gi3, Gi4, Gi5

 

Once again Thanks, and you're a star as I was about to drag the router to my house to test it there.

Hello,

 

Glad that everything is working.

 

The 'log' keyword is tricky indeed. Below the 'official' Q&A from Cisco:

 

Q. Does Cisco IOS NAT support ACLs with a "log" keyword?
A. When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to identify packets that can be translated. The current NAT architecture does not support ACLs with a "log" keyword.

 

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html
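
The condition discussed in this thread can be checked statically on a saved running-config before it is deployed. The following is an added example, not part of any post above and not Cisco tooling: it finds every ACL referenced by an `ip nat ... source list` rule and reports the permit/deny entries that carry `log` or `log-input`. The function names and both sample strings are constructed here from the configuration lines quoted in the thread.

```python
import re

# Constructed sample: the NAT rule and ACL from the original post's running-config.
BROKEN = """\
ip nat inside source list HYPEROPTIC100 interface GigabitEthernet8 overload
!
ip access-list standard HYPEROPTIC100
 permit 192.168.100.0 0.0.0.255 log
 deny any log
"""

# Constructed sample: the replacement suggested in the accepted answer.
FIXED = """\
access-list 1 permit 192.168.100.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet8 overload
"""

NAT_RE = re.compile(r"^ip nat (?:inside|outside) source list (\S+)")
NAMED_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
NUMBERED_RE = re.compile(r"^access-list (\d+) ((?:permit|deny)\b.*)")
ENTRY_RE = re.compile(r"^(?:\d+ )?(?:permit|deny|remark)\b")

def has_log(entry):
    """True if a permit/deny entry (not a remark) carries log or log-input."""
    toks = entry.split()
    return "remark" not in toks[:2] and bool({"log", "log-input"} & set(toks))

def nat_acls_with_log(config):
    """Map each NAT-referenced ACL to its entries that carry a log keyword."""
    acls, nat_refs, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nat_refs.add(m.group(1))
            current = None
        elif m := NAMED_RE.match(line):
            current = m.group(1)
            acls.setdefault(current, [])
        elif m := NUMBERED_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2))
            current = None
        elif current and ENTRY_RE.match(line):
            acls[current].append(line)
        else:
            current = None  # any other line ends the named-ACL block
    flagged = {n: [e for e in acls.get(n, []) if has_log(e)] for n in nat_refs}
    return {n: hits for n, hits in flagged.items() if hits}

if __name__ == "__main__":
    print(nat_acls_with_log(BROKEN), nat_acls_with_log(FIXED))
```

ACLs that use `log` but are not referenced by a NAT rule are deliberately not reported, since the restriction quoted from the Cisco FAQ concerns only ACLs used for NAT.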