
ISR 4331: Enable routing?

Baphijmm1
Level 1

Err... For some reason, my previous question... got kicked or something? I have no idea, but it seems not to be publicly visible anymore, and I can't see any replies. So, I'm gonna try asking again? I can't imagine what I might've done wrong; it's a super-simple question...

This is a stupid question, but I've been chasing it around for 24 hours now with no positive answer. This is the best way I've found to specifically ask this question, because frankly it's the only thing I can think might be the issue.

I'm simply trying to enable routing on a 4331 router. The router can see the internet, and devices internal to the router can see the router; however, devices internal to the router cannot see the internet.

I presently have this turned off, but have already tried adding "ip nat inside source list 1 interface GigabitEthernet0/0/0 overload", which seemed to work for about five seconds before everything shut off again. I also at one time had "ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx" set, where the 'x's represent the IP address of the internet gateway; it is set again now, but having this set or not made no difference either. Present running config is thus:

Router#show running-config
Building configuration...

Current configuration : 2059 bytes
!
! Last configuration change at 16:39:50 MST Fri Mar 12 2021
! NVRAM config last updated at 00:41:09 MST Fri Mar 12 2021
!
version 15.5
service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
no service dhcp
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 300000
!
hostname Router
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.15.03.S.155-2.S3-std.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 XXX
enable password 7 XXX
!
no aaa new-model
clock timezone MST -7 0
clock summer-time MDT recurring
no ip source-route
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
!
license udi pid XXX
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description Ethernet Link to External
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip nat outside
speed 1000
no negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/1
description Connection to Internal
ip address yyy.yyy.yyy.yyy 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
speed 1000
no negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
!
!
access-list 1 permit yyy.yyy.yyy.0 0.0.0.255
!
snmp-server community public RO
!
!
control-plane
!
!
line con 0
password 7 XXX
login
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 XXX
login
transport input none
!
ntp server 192.5.41.40
!
end

Any thoughts? Ideas, suggestions? Literally anything would be helpful at this point, I feel.

48 Replies

Hello

GigabitEthernet0/0/0 connects to what I believe is an ISP modem, but I'm admittedly unsure; that box connects via fiber to the ISP, from whom we received the specific gateway to connect to.

Can you confirm if that /24 subnet is rfc 1918 addressing? If it is, then you have an upstream device performing NAT. If it isn't, then given your above statement, looking at the arp table you are confirming you have a /24 public wan subnet, which is quite unusual to have unless you are a large company, hence the query regarding the wan addressing. Are you directly connected to the isp modem, or to another device that resides in between?

From this rtr, can you reach your internal hosts, and from the internal hosts, can they ping the rtr's own wan ip address?

Would suggest also removing the current default static route and reapplying it, also stating the physical interface; this will negate any recursive lookup:

ip route 0.0.0.0 0.0.0.0 gig0/0/0 x.x.x.1


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I can confirm that /24 is correct. We are a somewhat large company.

I can ping internal devices from the router, and the internal devices can ping the router's internal address. They cannot ping the router's external address.

With the suggested change, there is no change in the symptoms.

I *believe* we are connected to a device that resides between the router and the ISP modem. This device may simply be a translation device, as we go from copper to fiber in that box. As stated elsewhere, the router is able to ping external addresses, so I do not believe the problem exists between the router and the modem. I fully believe the problem exists in the configuration of the router.

Hello

You say it's a large company, but it only has a single /24 internal lan subnet, and you don't confirm if the wan subnet is a public routed subnet or an rfc subnet?

Do you have any access-lists applied to the rtr? Are you able to post debug messages?

Can you do the following:

access-list 100 permit up host <internal host> host <rtr wan ip>
debug ip packet detail 100

then ping from an internal host to the rtr's wan ip and post the output.

Please make sure there isn't an existing acl using that number before you create one.



Kind Regards
Paul

Look, I don't know what to tell you. Our company's needs are very specific, and a /24 meets them. I don't *know* if the wan subnet is publicly routed or rfc, because I don't really know what the latter means. All I know is that this was the address we were assigned.

The given item (which I assumed was a config command) results in an error at the "up" portion.

Hello,

Just tell us what the first two digits of the IP address of this interface are. This post is getting way too long and complicated for something seemingly simple to solve. You don't know the difference between a public and a private (RFC) address, which is no big deal, but the solution very much depends on what you have configured.

 

interface GigabitEthernet0/0/0
description Ethernet Link to External
ip address xxx.xxx.xxx.xxx 255.255.255.0  <-- ?
ip nat outside
speed 1000
no negotiation auto
no cdp enable

Or else, just post the results of a 'traceroute' from your workstation to e.g. 8.8.8.8.

I responded elsewhere, but it's 174.137.x.x.

I can't imagine where that would make any difference, if the issue is that the router can talk to the internet, and the internet can talk to it, and the internal network can talk to it, but no traffic is getting *through* it.

Hello,

When you try and ping e.g. 8.8.8.8 from a workstation, are there any entries in the NAT translation table (sh ip nat translation *)?

Keep in mind that at any time, the lines below need to be in your configuration; without those, nothing will work:

ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0

Is it possible that the problem here is the firewall feature of this particular router? As this is an ISR, I mean. My understanding is that, by default, the firewall is enabled, and will pass no traffic, which is exactly the symptom I'm seeing. Is there a specific way to totally disable the firewall feature, if for no other reason than to test this hypothesis?

Hello

Can you confirm whether the wan ip is one of the following? If it isn't, then it's a public routed ip address; if it is, then it's a non routed public ip address, which means you have a device upstream performing network translation, which then could be negating the connection for your lan.

10.x.x.x/8

192.168.x.x/16

172.16.x.x/12

As for the access-list, I see a typo in it; it should read:

access-list 100 permit ip host <internal host> host <rtr wan ip>
debug ip packet detail 100


Kind Regards
Paul
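Added example (my own code, not posted by anyone in this thread): a small Python checker that parses an IOS-style running-config and reports whether the pieces the earlier reply calls mandatory are present and consistent with each other: an interface tagged ip nat outside, one tagged ip nat inside, the "ip nat inside source list ... overload" statement, a standard access-list that actually covers the inside subnet, and a default route (flagging an interface-only default route on an Ethernet WAN, which is why Paul's earlier form names both the interface and the next hop). It also classifies the WAN address against the three RFC 1918 ranges listed in the reply above. The configuration it runs on is constructed to mirror the posted one with invented addresses; the interface names are the ones from the thread, and the command syntax it parses is the standard IOS form shown in the posts. Blocks are delimited by "!" rather than indentation, so a pasted config that lost its leading spaces (like the one in the question) parses the same way.

```python
"""Checker for the NAT / default-route prerequisites discussed in this thread.
Added example, not code from any poster: it parses an IOS-style running-config
and lists which prerequisites are missing or inconsistent."""
import ipaddress
import re

# Constructed sample config, modelled on the one posted (addresses invented).
COMPLETE_CONFIG = """\
interface GigabitEthernet0/0/0
 description Ethernet Link to External
 ip address 174.137.10.2 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/0/1
 description Connection to Internal
 ip address 10.20.30.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 10.20.30.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 174.137.10.1
"""
# Same config with the NAT statement removed, as in the original post.
INCOMPLETE_CONFIG = COMPLETE_CONFIG.replace(
    "ip nat inside source list 1 interface GigabitEthernet0/0/0 overload\n", "")

NAT_RE = re.compile(r"^ip nat inside source list (\S+) interface (\S+)( overload)?$")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (\S+)$")  # standard ACL: net + wildcard
ROUTE_RE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (.+)$")
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_interfaces(config):
    """Map interface name -> {'address': IPv4Interface|None, 'nat': 'inside'|'outside'|None}.
    A block ends at '!' or at the next 'interface' line, so indentation is not required."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"address": None, "nat": None}
            continue
        if current is None:
            continue
        if line == "!":
            current = None
            continue
        tokens = line.split()
        if tokens[:2] == ["ip", "address"] and len(tokens) == 4:  # 'ip address <ip> <netmask>'
            interfaces[current]["address"] = ipaddress.IPv4Interface(f"{tokens[2]}/{tokens[3]}")
        elif tokens[:2] == ["ip", "nat"] and len(tokens) == 3:  # 'ip nat inside|outside'
            interfaces[current]["nat"] = tokens[2]
    return interfaces


def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def is_rfc1918(ip):
    """True if the address (str or IPv4Address) falls in one of the three RFC 1918 ranges."""
    ip = ipaddress.IPv4Address(ip)
    return any(ip in net for net in RFC1918)


def acl_covers(entry, network):
    """True if a 'permit <net> <wildcard>' entry covers all of `network`."""
    try:  # ipaddress accepts a host mask ('0.0.0.255'), which is the ACL wildcard form
        acl_net = ipaddress.IPv4Network(f"{entry.group(2)}/{entry.group(3)}", strict=False)
    except ValueError:  # e.g. 'permit host 10.1.1.1' or a non-contiguous wildcard
        return False
    return network.subnet_of(acl_net)


def classify_wan(config):
    """Return (interface, 'private'|'public'|'unknown') for the 'ip nat outside' interface."""
    for name, info in parse_interfaces(config).items():
        if info["nat"] == "outside" and info["address"] is not None:
            return name, "private" if is_rfc1918(info["address"].ip) else "public"
    return None, "unknown"


def check_nat_config(config):
    """Return a list of findings; an empty list means the NAT prerequisites look complete."""
    findings = []
    interfaces = parse_interfaces(config)
    outside = [n for n, i in interfaces.items() if i["nat"] == "outside"]
    inside = [n for n, i in interfaces.items() if i["nat"] == "inside"]
    if not outside:
        findings.append("no interface is marked 'ip nat outside'")
    if not inside:
        findings.append("no interface is marked 'ip nat inside'")

    nat_rules, acls, default_routes = [], {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nat_rules.append(m)
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m)
        elif m := ROUTE_RE.match(line):
            default_routes.append(m.group(1).split())

    if not nat_rules:
        findings.append("missing 'ip nat inside source list <acl> interface <wan> overload'")
    for rule in nat_rules:
        acl_id, wan_if = rule.group(1), rule.group(2)
        if wan_if not in outside:
            findings.append(f"NAT rule uses {wan_if}, which is not marked 'ip nat outside'")
        if not rule.group(3):
            findings.append("NAT rule lacks 'overload'; without PAT only one inside host at a "
                            "time can use the single WAN address")
        if acl_id not in acls:
            findings.append(f"NAT rule references access-list {acl_id}, which is not defined")
            continue
        for name in inside:  # every inside subnet must be matched by the NAT ACL
            net = interfaces[name]["address"]
            if net is not None and not any(acl_covers(e, net.network) for e in acls[acl_id]):
                findings.append(f"access-list {acl_id} does not cover inside subnet "
                                f"{net.network} on {name}")

    if not default_routes:
        findings.append("no default route ('ip route 0.0.0.0 0.0.0.0 ...')")
    for parts in default_routes:
        if not any(is_ipv4(p) for p in parts):
            findings.append("default route names an interface but no next-hop address; on an "
                            "Ethernet WAN that relies on upstream proxy ARP, so add the gateway too")
    return findings


if __name__ == "__main__":
    for label, cfg in (("complete", COMPLETE_CONFIG), ("incomplete", INCOMPLETE_CONFIG)):
        print(label, classify_wan(cfg), check_nat_config(cfg) or "OK")
```

Running the block prints an empty finding list for the complete config and the single "missing 'ip nat inside source list ...'" finding for the variant that, like the posted config, has no NAT statement. Feeding it a real saved running-config is a quick way to confirm the NAT pieces line up before reaching for debug ip packet.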

Hello,

Which outside/WAN address are you pinging? If you don't want to post the address, just post the first two parts, e.g. 209.128.x.x

I've been pinging 4.2.2.2, 8.8.8.8, google.com (when a DNS server is defined)... A number of genuine internet addresses.

Hello,

I mean the IP address assigned to your WAN interface. Which IP address is that?

It's 174.137.x.x.

Hello
Looking at the most recent post, you have confirmed the wan ip is a public routed ip, so thanks for that.

Now, as far as I am aware, no rtr unless a UTM has a firewall enabled by default, so if you have a firewall or ios software feature enabled please confirm; in fact, can you post in an attached file the whole current running config of that rtr and maybe a topology diagram of how it is connected?

Please include the output of that debug from the amended acl.

Lastly, can you confirm what device is directly connected to the rtr's lan-facing interface? If it's a switch, please post/attach the running configuration of that as well.


Kind Regards
Paul

I don't know how to confirm whether or not the firewall is enabled; this is part of the problem.

The only device presently connected to the LAN interface is, in fact, a separate firewall (a non-Cisco product); there is nothing else beyond that firewall presently, as naturally we'd like to get this aspect of the network working before anything else comes online. Hence why I'd love to disable the firewall feature on the router. It presently does not have any configuration, save for IP addresses on the WAN and LAN interfaces, a set gateway, and a pair of DNS servers that it can't access because of this issue.
