Re: ISR 4331: Enable routing?

Baphijmm1 · ‎03-12-2021

Err... For some reason, my previous question... got kicked or something? I have no idea, but it seems not to be publicly visible anymore, and I can't see any replies. So, I'm gonna try asking again? I can't imagine what I might've done wrong; it's a super-simple question...

This is a stupid question, but I've been chasing it around for 24 hours now with no positive answer. This is the best way I've found to specifically ask this question, because frankly it's the only thing I can think might be the issue.

I'm simply trying to enable routing on a 4331 router. The router can see the internet, and devices internal to the router can see the router; however, devices internal to the router cannot see the internet.

I presently have this turned off, but have already tried adding "ip nat inside source list 1 interface GigabitEthernet0/0/0 overload", which seemed to work for about five seconds before everything shut off again. I also at one time had "ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx" set, where the 'x's represent the IP address of the internet gateway; it is set again now, but having this set or not made no difference either. Present running config is thus:

Router#show running-config
Building configuration...

Current configuration : 2059 bytes
!
! Last configuration change at 16:39:50 MST Fri Mar 12 2021
! NVRAM config last updated at 00:41:09 MST Fri Mar 12 2021
!
version 15.5
service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
no service dhcp
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 300000
!
hostname Router
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.15.03.S.155-2.S3-std.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 XXX
enable password 7 XXX
!
no aaa new-model
clock timezone MST -7 0
clock summer-time MDT recurring
no ip source-route
!
!
!
!
!
!
!
!
!

!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
!
license udi pid XXX
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description Ethernet Link to External
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip nat outside
speed 1000
no negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/1
description Connection to Internal
ip address yyy.yyy.yyy.yyy 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
speed 1000
no negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
!
!
access-list 1 permit yyy.yyy.yyy.0 0.0.0.255
!
snmp-server community public RO
!
!
control-plane
!
!
line con 0
password 7 XXX
login
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 XXX
login
transport input none
!
ntp server 192.5.41.40
!
end

Any thoughts? Ideas, suggestions? Literally anything would be helpful at this point, I feel.

Georg Pauwen · ‎03-13-2021

Hello,

looks like you are missing the two lines marked in bold:

Router#show running-config
Building configuration...

Current configuration : 2059 bytes
!
! Last configuration change at 16:39:50 MST Fri Mar 12 2021
! NVRAM config last updated at 00:41:09 MST Fri Mar 12 2021
!
version 15.5
service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
no service dhcp
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 300000
!
hostname Router
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.15.03.S.155-2.S3-std.SPA.bin
boot-end-marker
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 XXX
enable password 7 XXX
!
no aaa new-model
clock timezone MST -7 0
clock summer-time MDT recurring
no ip source-route
!
subscriber templating
multilink bundle-name authenticated
!
license udi pid XXX
spanning-tree extend system-id
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
description Ethernet Link to External
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip nat outside
speed 1000
no negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/1
description Connection to Internal
ip address yyy.yyy.yyy.yyy 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
speed 1000
no negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
!
--> ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
!
--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
!
access-list 1 permit yyy.yyy.yyy.0 0.0.0.255
!
snmp-server community public RO
!
control-plane
!
line con 0
password 7 XXX
login
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 XXX
login
transport input none
!
ntp server 192.5.41.40
!
end

Baphijmm1 · ‎03-13-2021

Okay, while I love that someone did respond, if you'll note from the original post:

"I presently have this turned off, but have already tried adding "ip nat inside source list 1 interface GigabitEthernet0/0/0 overload", which seemed to work for about five seconds before everything shut off again. I also at one time had "ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx" set, where the 'x's represent the IP address of the internet gateway; it is set again now, but having this set or not made no difference either."

Those lines didn't help.

Georg Pauwen · ‎03-13-2021

Hello,

you need both the NAT statement and the default route no matter what.

That said, what is GigabitEthernet0/0/0 actually connected to ? The Internet, or an ISP modem ?

Baphijmm1 · ‎03-13-2021

Okay, well they've since been put back in; again, no change.

GigabitEthernet0/0/0 connects to what I believe is an ISP modem, but I'm admittedly unsure; that box connects via fiber to the ISP, from whom we received the specific gateway to connect to.

paul driver · ‎03-13-2021

Hello

when you say “what you believe to be the isp modem” are you sure you have the correct wan ip addressing etc..

please remove the static default route and also the address from the wan interface and set it to dhcp and then see if you receive allocation

int x/x

ip address dhcp

shut

no shut

sh ip route

sh ip interface brief

sh ip arp

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Baphijmm1 · ‎03-13-2021

I am positive that I have the IPs correct; as stated in my second reply, the router is able to see the internet just fine. I can ping literally anything, and by defining a DNS server, I can ping URLs without issue.

paul driver · ‎03-13-2021

Hello

can you post the output i have requested please

also make sure ip routing is enable

conf t

ip routing

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Baphijmm1 · ‎03-13-2021

I will not, because you've asked me to set DHCP on that interface, when I can tell you right now that there is absolutely no DHCP that will be delivered if I do.

However, I can deliver the output WITHOUT the DHCP requirement:

show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is xxx.xxx.xxx.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via xxx.xxx.xxx.1
xxx.xxx.0.0/16 is variably subnetted, 2 subnets, 2 masks
C xxx.xxx.xxx.0/24 is directly connected, GigabitEthernet0/0/0
L xxx.xxx.xxx.2/32 is directly connected, GigabitEthernet0/0/0
yyy.yyy.yyy.0/24 is variably subnetted, 2 subnets, 2 masks
C yyy.yyy.yyy.0/24 is directly connected, GigabitEthernet0/0/1
L yyy.yyy.yyy.1/32 is directly connected, GigabitEthernet0/0/1

show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 xxx.xxx.xxx.2 YES NVRAM up up
GigabitEthernet0/0/1 yyy.yyy.yyy.1 YES NVRAM up up
GigabitEthernet0/0/2 unassigned YES NVRAM administratively down down
GigabitEthernet0 unassigned YES NVRAM administratively down down
Vlan1 unassigned YES NVRAM administratively down down

show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet xxx.xxx.xxx.1 0 bc67.1c2c.27e4 ARPA GigabitEthernet0/0/0
Internet xxx.xxx.xxx.2 - 00a6.ca36.be80 ARPA GigabitEthernet0/0/0
Internet yyy.yyy.yyy.1 - 00a6.ca36.be81 ARPA GigabitEthernet0/0/1
Internet yyy.yyy.yyy.2 11 0008.a211.f610 ARPA GigabitEthernet0/0/1

Baphijmm1 · ‎03-13-2021

One point of contention, the router IS seeing the internet. It simply isn't passing traffic through itself TO the internet.

Georg Pauwen · ‎03-13-2021

Hello,

since you have blanked out all IP addresses: is the IP address assigned to interface GigabitEthernet0/0/0 a public or a private space IP address ?

Baphijmm1 · ‎03-13-2021

It is a public address.

Georg Pauwen · ‎03-13-2021

Hello,

is the mask (/24) assigned to GigabitEthernet0/0/0 correct ? Check if your PCs can ping that public address assigned to GigabitEthernet0/0/0.

Baphijmm1 · ‎03-13-2021

So, ping response is presently turned off on the router's public side, but I have confirmed separately that the router is "visible" from the outside.

Baphijmm1 · ‎03-13-2021

In fact, just confirming it now, it *is* responding to ping. So yes, that is correct.