ISR 1100 ping / dns problem

Sakura · ‎09-05-2022

Hi,

I have a strange problem.

I've configured my ISR 1100 for cell interface. Internet is working from LAN (vlan200). But router cannot resolve DNS addresses and ping is not working.

WAN are on cell 0/2/0. LAN are on Vlan200 (with GE0/1/0-0/1/7 + WL0/1/8)

Some examples:

dbrouter#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
dbrouter#ping 8.8.8.8 source cell 0/2/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 2.143.172.7
.....
Success rate is 0 percent (0/5)
dbrouter#ping 8.8.8.8 source vlan200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/40/44 ms
dbrouter#

As you can see, ping is working if source interface are LAN vlan.

dbrouter#sh ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S* 0.0.0.0/0 is directly connected, Cellular0/2/0
2.0.0.0/32 is subnetted, 1 subnets
C 2.143.172.7 is directly connected, Cellular0/2/0
172.26.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.26.254.0/24 is directly connected, Vlan1
L 172.26.254.1/32 is directly connected, Vlan1
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Vlan200
L 192.168.10.1/32 is directly connected, Vlan200
dbrouter#sh ip inter brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0/1 unassigned YES NVRAM administratively down down
GigabitEthernet0/0/1.2 10.134.101.141 YES NVRAM administratively down down
GigabitEthernet0/0/1.3 unassigned YES NVRAM administratively down down
GigabitEthernet0/0/1.6 unassigned YES unset administratively down down
GigabitEthernet0/1/0 unassigned YES unset down down
GigabitEthernet0/1/1 unassigned YES unset down down
GigabitEthernet0/1/2 unassigned YES unset down down
GigabitEthernet0/1/3 unassigned YES unset down down
GigabitEthernet0/1/4 unassigned YES unset up up
GigabitEthernet0/1/5 unassigned YES unset down down
GigabitEthernet0/1/6 unassigned YES unset up up
GigabitEthernet0/1/7 unassigned YES unset down down
Wl0/1/8 unassigned YES unset up up
Cellular0/2/0 2.143.172.7 YES IPCP up up
Cellular0/2/1 unassigned YES NVRAM administratively down down
Dialer6 unassigned YES NVRAM administratively down down
Tunnel0 192.168.10.1 YES unset up up
Virtual-Access1 unassigned YES unset up up
Vlan1 172.26.254.1 YES NVRAM up up
Vlan200 192.168.10.1 YES NVRAM up up
dbrouter#

GE0/0/1 is pre-configured for fiber optic connection, but default route for Dialer6 (GE0/0/1.6) is not configured.

What's the problem for ping? Maybe a problem with the NAT config? Cell0/2/0 and Dialer6 are NAT Outside, vlan200 are NAT Inside.

balaji.bandi · ‎09-05-2022

can you post the config. how is your ACL configured also ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Richard Burts · ‎09-05-2022

The symptoms do suggest that the issue might be with NAT. Are there any other network devices (switches, routers, etc) in this network? I agree that seeing the configuration would be helpful.

HTH

Rick

Sakura · ‎09-05-2022

I've attached config.

There's a switch not manageable on the network only. But the problem are cisco -> internet, i'm trying to do a PING fron the cisco itself.

Router is "half-configured" now. I want to configure it to have a "main" connection on Dialer6 (iface GE0/0/1.6) and backup on Cell 0/2/0. Also, I need to configure DDNS, reason why I need to have dns resolve working. But now these main connection are off, because now the router are on a place where there's only cell connection.

Georg Pauwen · ‎09-06-2022

Hello,

remove the 'log' keyword from access list 2 (the 'log' keyword effectively disables NAT because it causes the packets to be process switched):

ip access-list standard 2
10 permit 192.168.10.0 0.0.0.255 log

Also, you have several NAT outside interfaces. Can you post a schematic drawing of your topology that shows what the various interfaces are actually connected to ?

Sakura · ‎09-06-2022

GE0/0/1.2, GE0/0/1.3, Dialer6 and Cell0/2/0 are outside interfaces.

Dialer6 are data interface (over GE0/0/1.6) for fiber optic connection. Cell0/2/0 are "backup" data interface (but now it's the only one). Voip services and IPTV service are additional services offered by carrier on fiber optic.

paul driver · ‎09-06-2022

Hello
Your gig0/1 and dialer interface are admin down, they need to be enabled.

GigabitEthernet0/0/1 unassigned YES NVRAM administratively down down
GigabitEthernet0/0/1.2 10.134.101.141 YES NVRAM administratively down down
GigabitEthernet0/0/1.3 unassigned YES NVRAM administratively down down
GigabitEthernet0/0/1.6 unassigned YES unset administratively down down
Dialer6 unassigned YES NVRAM administratively down down

As for your nat configuration that doesnt look correct either, the acls need to be tweeked and maybe apply some policy based routing so specific traffic can be routed towards there respective outside interfaces, leqve out your dailer backup interface for the moment, try the following:

no ip nat inside source list 2 interface Cellular0/2/0 overload
no ip nat inside source route-map NAT_LAN_INTERNA interface Dialer6 overload
no ip route 10.31.255.128 255.255.255.224 GigabitEthernet0/0/1.3 dhcp
ip access-list standard 1
no 10
10 permit 172.26.254.0 0.0.0.255 any

ip access-list extended 100
no 30
30 permit ip 192.168.10.0 0.0.0.255 10.128.0.0 0.127.255.255

route-map PBR permit 10
match ip access-list 100
set iinterface GigabitEthernet0/0/1.2

route-map PBR permit 99

int vlan 200
ip polocy route-map PBR

ip dhcp pool DHCPv4
no dns-server 8.8.8.8 8.8.4.4
dns-server 192.168.10.1
exit
ip dns server

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

balaji.bandi · ‎09-06-2022

I agree with @Georg Pauwen you have many NAT Entries, before make it complicated, test 1 ACL and how it works and make to advanced level. @paul driver provided nice confi, that should fix the issue.

Other points not related to the issue, do you really need RIP running? RIP (ripped long back) we suggest using a different IGP rather than RIP here.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Sakura · ‎09-07-2022

I’ll try configuration changes on next week and told something. Thanks.

Sakura · ‎09-16-2022

I see some errors configuring router:

dbrouter(config)#ip access-list standard 1
dbrouter(config-std-nacl)#no 10
dbrouter(config-std-nacl)#10 permit 172.26.254.0 0.0.0.255 any
^ (this marker are on "a" of "any")
% Invalid input detected at '^' marker.

dbrouter(config-std-nacl)#ip access-list extended 100
dbrouter(config-ext-nacl)#no 30
dbrouter(config-ext-nacl)#30 permit ip 192.168.10.0 0.0.0.255 10.128.0.0 0.127.255.255
dbrouter(config-ext-nacl)#route-map PBR permit 10
dbrouter(config-route-map)#match ip access-list 100
^ (this marker are on first "c" of "access-list")
% Invalid input detected at '^' marker.

Richard Burts · ‎09-17-2022

The original poster mentions 2 errors in attempting to configure the router:

dbrouter(config)#ip access-list standard 1
dbrouter(config-std-nacl)#no 10
dbrouter(config-std-nacl)#10 permit 172.26.254.0 0.0.0.255 any

The error here is clear. The access list is specified as standard. In a standard acl you identify a single ip address/subnet and mask. But the attempt to configure is specifying 2 subnets.

The second error is not obvious.

dbrouter(config-ext-nacl)#route-map PBR permit 10
dbrouter(config-route-map)#match ip access-list 100

My guess is that for some reason acl 100 does not exist. To help explore this issue please post the output of show access-list.

HTH

Rick

Pierce Vasale · ‎09-16-2022

The issue is the "default source interface" the router has chosen to ping from. Could be an interface that is disabled, an IP that is not being NATted (and so the outside internet can't get back), etc. If you're having DNS lookup issues, you can use the "ip domain lookup source-interface xx" command. As for the source of default ping, it will use the interface connected to the destination -- meaning it should be using the Cellular0/2/0 interface. However, when setting that up as an IP NAT Overload, things get wonky -- the returning ICMP comes in and the NAT table looks for a corresponding NAT and there isn't one, basically. If you used a NAT Pool with different IPs, I don't believe you would run into this issue. But so long as you use Overload, you'll simply need to do an extended ping and specify a Source Interface.