09-12-2014 08:58 AM - edited 03-04-2019 11:45 PM
Hello all,
I came across a rather strange issue. I am able to SSH to the device from my home, but while I am consoled in, I cannot ping the ISP gateway or any other IPs. As expected, all traceroutes fail without hitting the gateway as the first hop. I have been reading about the NVI0 interface and I decided to use it. Most of the sample configs on here use the "old" ip nat inside / outside on the appropriate interfaces. What do you guys suggest?
Here is the running config. It is rather simple since I did not add all the access-lists except the ones I thought necessary to test the circuit. Please point out any mistakes or errors. Thanks in advance!
Current configuration : 1679 bytes
!
! Last configuration change at 04:05:17 UTC Fri Sep 12 2014
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname StandbyGZ-2911
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$BRaM$igChPMXLeHjgYR7EGk/Nb/
!
no aaa new-model
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name StandbyGZ.local
ip name-server 211.136.20.203
ip name-server 211.139.136.68
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2911/K9 sn FGL174410H9
!
!
username StandbyGZ secret 5 $1$CXWC$m6kqTGbf0HDLCvkfU7.RA/
!
!
ip ssh version 2
!
!
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description UPLINK TO CHINA MOBILE
ip address 183.x.x.x 255.255.255.128
ip access-group REMOTE-ADMIN-ACL in
no ip redirects
ip nat enable
duplex auto
speed auto
!
interface GigabitEthernet0/2
description CONNECTION TO LAN SWITCH 3650-CORE
ip address 10.10.1.254 255.255.254.0
no ip redirects
ip nat enable
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source list LAN-NAT-ACL interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 183.x.x.x
!
ip access-list standard LAN-NAT-ACL
permit 10.10.0.0 0.0.1.255
!
ip access-list extended REMOTE-ADMIN-ACL
permit tcp host 68.107.195.213 any eq 22 log
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input ssh
transport output ssh
!
scheduler allocate 20000 1000
end
StandbyGZ-2911# sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES NVRAM  administratively down down
GigabitEthernet0/1     183.x.x.x       YES NVRAM  up                    up
GigabitEthernet0/2     10.10.1.254     YES NVRAM  up                    up
NVI0                   183.x.x.x       YES unset  up                    up
StandbyGZ-2911#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 183.233.184.129 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 183.233.184.129
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.0.0/23 is directly connected, GigabitEthernet0/2
L 10.10.1.254/32 is directly connected, GigabitEthernet0/2
183.233.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 183.x.x.x/25 is directly connected, GigabitEthernet0/1
L 183.x.x.x/32 is directly connected, GigabitEthernet0/1
09-12-2014 09:12 AM
Don't you have to define the NAT inside and outside interfaces?
interface g0/1
 ip nat outside
interface g0/2
 ip nat inside
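Chris's suggestion applied to the posted running config, as an added example that is not part of this thread: the NVI (domainless) NAT is replaced by classic domain-based NAT. The interface names and LAN-NAT-ACL are taken from the config above; the ordering of the commands is what IOS requires, since it refuses to remove a dynamic mapping while translations that use it still exist.

```cisco
! Added example: convert the posted NVI NAT to classic inside/outside NAT.
! Clear active translations first, otherwise IOS answers
! "%Dynamic mapping in use, cannot remove" on the next line.
clear ip nat translation *
no ip nat source list LAN-NAT-ACL interface GigabitEthernet0/1 overload
!
interface GigabitEthernet0/1
 description UPLINK TO CHINA MOBILE
 no ip nat enable
 ip nat outside
!
interface GigabitEthernet0/2
 description CONNECTION TO LAN SWITCH 3650-CORE
 no ip nat enable
 ip nat inside
!
! Same ACL and the same overload (PAT) on the uplink address, but the
! translation direction is now fixed by the interface roles rather than
! decided per packet on NVI0.
ip nat inside source list LAN-NAT-ACL interface GigabitEthernet0/1 overload
```

After a LAN host generates some traffic, `show ip nat translations` should list entries with the G0/1 address as the global side; `show ip nat statistics` confirms which interfaces are inside and outside. Note that this change only alters how NAT is expressed: it does not touch REMOTE-ADMIN-ACL on G0/1, which still decides what inbound traffic, including the replies to the router's own pings, is allowed in.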
09-12-2014 09:41 AM
Hi Chris,
That is how I am used to configuring NAT, but IOS 12.3 and on introduced the interface NVI0, which according to Cisco documentation should make applying the NAT statements "easier". "ip nat enable" has to be enabled on all interfaces and then NVI0 makes the "inside" and "outside" decisions. I was hoping that someone could clarify the real use of that NVI0 interface and whether it causes problems. Apparently it cannot be removed from the config.
09-16-2014 06:02 AM
Could it be the fact that you have an ACL for SSH but you don't permit ICMP in?
ip access-list extended REMOTE-ADMIN-ACL
 permit tcp host 68.107.195.213 any eq 22 log
Implicit deny?
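A version of REMOTE-ADMIN-ACL that addresses the implicit deny, as an added example that is not part of this thread. It permits the ICMP messages the router's own ping and traceroute need, and, because an inbound ACL on the outside interface is evaluated before NAT un-translation and therefore sees the public address as destination, it also has to admit the replies to the LAN's NAT sessions; a reflexive ACL is the smallest change to the posted config that does this without opening the interface to everything. The ACL and interface names are from the posted config; the names OUTBOUND-ACL and RETURN-TRAFFIC, the timeouts and the choice of ICMP types are assumptions made for the example.

```cisco
! Added example: hardened inbound filter for the uplink.
! Outbound list on G0/1: record each LAN session so its reply can be
! matched inbound. The final permit keeps everything else flowing out.
ip access-list extended OUTBOUND-ACL
 permit tcp any any reflect RETURN-TRAFFIC timeout 300
 permit udp any any reflect RETURN-TRAFFIC timeout 60
 permit icmp any any reflect RETURN-TRAFFIC timeout 30
 permit ip any any
!
ip access-list extended REMOTE-ADMIN-ACL
 remark --- management: SSH only, from the single admin host ---
 permit tcp host 68.107.195.213 any eq 22 log
 remark --- replies to the router's own ping/traceroute. Router-originated
 remark --- packets never pass an outbound ACL, so the reflexive list
 remark --- above does not cover them and they need explicit entries.
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark --- replies to LAN sessions recorded by OUTBOUND-ACL ---
 evaluate RETURN-TRAFFIC
 remark --- make the implicit deny explicit and visible ---
 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group OUTBOUND-ACL out
 ip access-group REMOTE-ADMIN-ACL in
```

Two checks are worth doing once this is applied. First, ping the gateway from the console and from a LAN host, then run `show ip access-lists RETURN-TRAFFIC`: the dynamic entries should carry the G0/1 public address as their destination, which confirms that the outbound list is seeing traffic after translation and the inbound list before un-translation, so the two sides match. Second, watch the CPU: entries with `log` are rate-limited but still punted to the processor, so on an Internet-facing interface keep `log` only on the SSH permit once the circuit is verified, or drop it from the final deny. On 15.x a zone-based firewall is the fuller answer; the reflexive list is the minimal fix for the posted config.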
09-12-2014 11:19 AM
I've never used that then. I've used the NAT inside/outside and object-based NAT on ASA firewalls, never NVI0.