ISR 4331: Enable routing?

Baphijmm1
Level 1

Err... For some reason, my previous question... got kicked or something? I have no idea, but it seems not to be publicly visible anymore, and I can't see any replies. So, I'm gonna try asking again? I can't imagine what I might've done wrong; it's a super-simple question...

This is a stupid question, but I've been chasing it around for 24 hours now with no positive answer. This is the best way I've found to specifically ask this question, because frankly it's the only thing I can think might be the issue.

I'm simply trying to enable routing on a 4331 router. The router can see the internet, and devices internal to the router can see the router; however, devices internal to the router cannot see the internet.

I presently have this turned off, but have already tried adding "ip nat inside source list 1 interface GigabitEthernet0/0/0 overload", which seemed to work for about five seconds before everything shut off again. I also at one time had "ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx" set, where the 'x's represent the IP address of the internet gateway; it is set again now, but having this set or not made no difference either. Present running config is thus:

Router#show running-config
Building configuration...

Current configuration : 2059 bytes
!
! Last configuration change at 16:39:50 MST Fri Mar 12 2021
! NVRAM config last updated at 00:41:09 MST Fri Mar 12 2021
!
version 15.5
service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
no service dhcp
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 300000
!
hostname Router
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.15.03.S.155-2.S3-std.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 XXX
enable password 7 XXX
!
no aaa new-model
clock timezone MST -7 0
clock summer-time MDT recurring
no ip source-route
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
!
license udi pid XXX
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description Ethernet Link to External
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip nat outside
speed 1000
no negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/1
description Connection to Internal
ip address yyy.yyy.yyy.yyy 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
speed 1000
no negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
!
!
access-list 1 permit yyy.yyy.yyy.0 0.0.0.255
!
snmp-server community public RO
!
!
control-plane
!
!
line con 0
password 7 XXX
login
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 XXX
login
transport input none
!
ntp server 192.5.41.40
!
end

Any thoughts? Ideas, suggestions? Literally anything would be helpful at this point, I feel.


Hello

Can you confirm you did what I recommended?

Which was:

- perform the ip packet debug (detail provided)
- write erase the rtr
- reload the rtr
- attach a PC to the LAN interface and not the non-Cisco firewall
- reapply the configuration (already provided)
- test connection again

—————————————————————————-

access-list 100 permit ip host <internal host> host <rtr wan ip>


debug ip packet detail 100

Post the output of the above debug.

Then what I think you need to do here is:
1) erase the router's existing configuration and reload it
2) disconnect the non-Cisco fw that's connecting to the LAN interface of the rtr and attach a single host with a valid IP/subnet mask/default-gateway of the internal LAN subnet
3) apply the following configuration and test connection again from the LAN host.

write erase
reload

After reload, but do not hardcode the physical interfaces:
conf t
ip routing
int gig0/0/0
description
no shut
ip address 174.x.x.x 255.255.255.0
ip nat outside

int gig0/0/1
description Lan
ip address x.x.x.y 255.255.255.0
ip nat inside

! <lan subnet>
access-list 1 permit x.x.x.y 0.0.0.255
ip nat inside source list 1 interface gig0/0/0

! <wan next hop>
ip route 0.0.0.0 0.0.0.0 gig0/0/0 174.x.x.x


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
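
An added example, not part of Paul's reply or of the thread: a Python check that a "show running-config" paste contains the pieces the steps above rely on for NAT overload (inside and outside interfaces, a NAT rule whose access list exists and whose interface is marked outside, and a default route). The sample config is constructed with documentation-range placeholder addresses, the function names are hypothetical, and only numbered access lists and full interface names are handled.

```python
import re

# Constructed sample modelled on the question's running-config; the
# addresses are documentation-range placeholders, not values from the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
ip address 203.0.113.2 255.255.255.0
ip nat outside
!
interface GigabitEthernet0/0/1
ip address 192.0.2.1 255.255.255.0
ip nat inside
!
access-list 1 permit 192.0.2.0 0.0.0.255
"""

def parse_interfaces(config):
    """Map interface -> sub-commands; '!' ends a block (indentation may be lost)."""
    interfaces, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return interfaces

def check_nat(config):
    """Return the missing or inconsistent NAT-overload prerequisites."""
    lines = [l.strip() for l in config.splitlines()]
    ifaces = parse_interfaces(config)
    outside = [n for n, c in ifaces.items() if "ip nat outside" in c]
    acls = {m.group(1) for l in lines if (m := re.match(r"access-list (\S+) permit ", l))}
    rules = [m.groups() for l in lines
             if (m := re.match(r"ip nat inside source list (\S+) interface (\S+)", l))]
    problems = [f"no interface marked 'ip nat {side}'" for side in ("inside", "outside")
                if not any(f"ip nat {side}" in c for c in ifaces.values())]
    if not rules:
        problems.append("no 'ip nat inside source list' rule")
    for acl, intf in rules:
        if acl not in acls:
            problems.append(f"NAT rule uses undefined access-list {acl}")
        if intf not in outside:
            problems.append(f"NAT rule interface {intf} is not 'ip nat outside'")
    if not any(re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 \S", l) for l in lines):
        problems.append("no default route")
    return problems
```

Calling check_nat(SAMPLE_CONFIG) reports the missing NAT rule and default route; an empty list means every prerequisite it checks is present.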

Scott Leport
Level 7

Hello,

 

Silly question, but are you sure you have your IP addresses the correct way around, e.g. you have your usable IP address assigned to your IP interface and not your providers IP assigned to your IP interface instead? That might cause an issue like this, or possibly an incorrect default route?

This post has been quite long and it's possible I may have missed some detail which makes this question irrelevant, but figured it was worth checking since there is still much we don't know.

 

Baphijmm1
Level 1

We've ultimately decided to go a different route, which worked exactly the way it was supposed to the first time. So, this thread is no longer necessary.

Thanks for the update. Glad to know that you used a different approach and that it works for you.

HTH

Rick