
Minimize IP usage on 2911 and keep NAT

rminvielle (Level 1)

I have a problem I am running into... I replaced a 2621 with a 2911. The 2911 has three interfaces and I need to use all of them... Description:

gige0/0 dhcp static IP from ISP, public IP, they assign me 4 more usable public IPs

gige0/1 broken into four VLANS, 108, 109, 120, 127, ip nat on 109 for them to get to the internet, and a static translation on 127 for the phone system to get to the internet

gige0/2 assigned another public IP. A tenant has a linksys router on this interface, they want a public IP.

The problem is that this setup worked, but when we moved to the 2911, some nat translations are failing, and we would like to figure out how to minimize the number of public IPs we use (right now it is three + the static assigned dhcp). The nat that is not working is the nats to the 2001-3001 range. I am not sure why it is failing, but the router seems to indicate it thinks some of these overlap. This router is also doing a vpn to an asa... that seems to be working fine.

Any help would be appreciated.

Current config:

Current configuration : 6072 bytes
!
! Last configuration change at 14:31:44 UTC Thu Aug 2 2012
! NVRAM config last updated at 14:31:50 UTC Thu Aug 2 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ncollege
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4
!
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name allcom-inc.com
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2477572652
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2477572652
 revocation-check none
 rsakeypair TP-self-signed-2477572652
!
!
crypto pki certificate chain TP-self-signed-2477572652
 certificate self-signed 01
        quit
license udi pid CISCO2911/K9 sn F
license boot module c2900 technology-package securityk9
!
!
username
!
redundancy
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SOMEKEY address 174.79.16.121
!
!
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
 set peer 174.79.16.121
 set transform-set myset2
 match address 101
!
!
!
!
!
interface Loopback1
 ip address 76.72.92.73 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description LUS dhcp
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map mymap
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.108
 description intRAnetVLAN
 encapsulation dot1Q 108
 ip address 192.168.8.1 255.255.255.0
!
interface GigabitEthernet0/1.109
 description intERnetVLAN
 encapsulation dot1Q 109
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.120
 description cameraVLAN
 encapsulation dot1Q 120
 ip address 192.168.120.1 255.255.255.0
!
interface GigabitEthernet0/1.127
 description collegeVoiceVLAN
 encapsulation dot1Q 127
 ip address 192.168.127.1 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 76.72.92.77 255.255.255.252
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool overit 76.72.92.73 76.72.92.73 netmask 255.255.255.252
ip nat inside source route-map nonat pool overit overload
ip nat inside source static tcp 192.168.9.2 2000 76.72.92.73 2000 extendable
ip nat inside source static tcp 192.168.9.2 2001 76.72.92.73 2001 extendable
ip nat inside source static tcp 192.168.9.2 2002 76.72.92.73 2002 extendable
ip nat inside source static tcp 192.168.9.2 2003 76.72.92.73 2003 extendable
ip nat inside source static tcp 192.168.9.10 22 76.72.92.73 2222 extendable
ip nat inside source static tcp 192.168.9.2 3002 76.72.92.73 3002 extendable
ip nat inside source static tcp 192.168.9.2 3003 76.72.92.73 3003 extendable
ip nat inside source static tcp 192.168.9.2 3004 76.72.92.73 3004 extendable
ip nat inside source static tcp 192.168.9.2 3389 76.72.92.73 9000 extendable
ip nat inside source static 192.168.9.10 76.72.92.73 route-map sip_nat
!
ip access-list extended udp_rtp
 permit udp host 192.168.9.10 any range 10001 20000
!
access-list 10 permit 192.168.9.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 deny   ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny   ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 deny   ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip 192.168.8.0 0.0.0.255 any
access-list 120 permit ip 192.168.9.0 0.0.0.255 any
!
!
!
!
route-map sip_nat permit 10
 match ip address udp_rtp
!
route-map nonat permit 10
 match ip address 120
!
!
!
!
!
control-plane
!
!
banner login ^C
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law.
^C
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
scheduler allocate 20000 1000
end

7 Replies

paolo bevilacqua (Hall of Fame)

If it was working before, it can be a bug. Try updating IOS.

It was working before on a 2621 running IOS 12. The configuration is now on a 2911 running IOS 15.

I don't think it is a bug in 15, rather a difference in the IOS between 12 and 15... basically, that is one of my real questions... am I just missing something after moving from 12 to 15 and to a different router?

You can call it a difference, but it can be a bug. Update and if there is still trouble, contact the TAC.

We had TAC 8x5 support on this, it was such a nightmare that we actually gave up, cancelled the case and then cancelled support until we can upgrade to 24x7... They were not helping in any way.

I was hoping someone here would see a problem with it, ah well.

rminvielle (Level 1)

NAT working now... after debugging the application, the app was trying to connect on port 2000, then it sends data on ports 2001-2003 and 3001-3003... well after much pain with CISCO TAC, (and they did not come up with this answer, they thought it was my application)... it was the sccp protocol.

You have to do this in configure mode:

no ip nat service skinny tcp port 2000

We put in that line and our app started to work. We realized that it had to be CISCO's fault when we moved a simple FTP server to port 2000 and it failed. We moved it to port 2001 and it worked. We moved it to any other port we natted and it worked, but it would fail on 2000. After searching the web (gee, CISCO TAC has no internet access?) we found out that CISCO puts in a default ip nat service skinny tcp port 2000 by default after IOS 12.4T.

As for the public IPs... we can use a one to one NAT on the gig0/2. We thought that we would not have enough, but we got the VPN working on the static dhcp assigned and then NAT/PAT with the one assigned to the loopback. That gives us one free if we want to use 8 and we can just do a one to one NAT with that IP and the gig0/2.

The crazy part about this all is that we closed our TAC 8x5 and ordered 24x7 as we were in a jam and they were not helping. We got the new support, called the TAC and they told us it was not their fault and not the router's fault. I have had CISCO TAC fail me before, and they are not perfect, but they seemed to give up rather easily after one test they did (they checked the syn/ack packets, said it was working and refused to look at it after that)... I even showed them three examples of my FTP tests, and they still refused to look at it more, just giving up and asking me if I wanted a replacement router (as if that would have fixed anything).

Still, not to vent too much, the problem is fixed, just irritating when you pay for support and you always end up figuring it out yourself.
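The root cause above is a default NAT ALG (skinny on tcp/2000) silently intercepting a static port translation. As an added config-audit check (my own Python, not from the thread or from Cisco), the script below scans an IOS config for static port translations that land on an ALG's default port and reports them unless the corresponding "no ip nat service" line is present. The ALG table is an assumption limited to the single entry the thread documents; the sample config lines are copied from the thread's config.

```python
import re

# NAT application-layer gateways that IOS turns on by default. The thread
# documents skinny (SCCP) on tcp/2000 (default after 12.4T); the table is a
# constructed assumption holding only that entry, extend it as needed.
DEFAULT_ALGS = {("tcp", 2000): "skinny"}

STATIC_NAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", re.I)
ALG_DISABLE = re.compile(r"^no ip nat service (\S+) (tcp|udp) port (\d+)", re.I)

# Constructed excerpt: static translations copied from the thread's config.
SAMPLE_CONFIG = """
ip nat inside source static tcp 192.168.9.2 2000 76.72.92.73 2000 extendable
ip nat inside source static tcp 192.168.9.2 2001 76.72.92.73 2001 extendable
ip nat inside source static tcp 192.168.9.10 22 76.72.92.73 2222 extendable
ip nat inside source static tcp 192.168.9.2 3389 76.72.92.73 9000 extendable
"""


def find_alg_collisions(config_text):
    """Return (alg, proto, port, inside_ip, inside_port, outside_ip, outside_port)
    for each static port translation whose port (checked on both sides of the
    translation, conservatively) is claimed by a default ALG that the config
    does not explicitly disable."""
    disabled, statics = set(), []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ALG_DISABLE.match(line)
        if m:
            disabled.add((m.group(2).lower(), int(m.group(3))))
            continue
        m = STATIC_NAT.match(line)
        if m:
            proto, in_ip, in_port, out_ip, out_port = m.groups()
            statics.append((proto.lower(), in_ip, int(in_port), out_ip, int(out_port)))
    hits = []
    for proto, in_ip, in_port, out_ip, out_port in statics:
        for port in sorted({in_port, out_port}):
            alg = DEFAULT_ALGS.get((proto, port))
            if alg and (proto, port) not in disabled:
                hits.append((alg, proto, port, in_ip, in_port, out_ip, out_port))
                break  # one report per translation is enough
    return hits


def suggested_fixes(hits):
    """One 'no ip nat service ...' line per colliding ALG, in config syntax."""
    return sorted({f"no ip nat service {alg} {proto} port {port}"
                   for alg, proto, port, *_ in hits})


if __name__ == "__main__":
    for fix in suggested_fixes(find_alg_collisions(SAMPLE_CONFIG)):
        print(fix)
```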

In similar cases, you should ask for escalation. Furthermore, there is a satisfaction form you will receive after closing a case, when the rating is low you should be contacted by a manager.

In my 20 years' experience, senior TAC engineers always did a great job, identified a lot of bugs, etc.

"In my 20 years' experience, senior TAC engineers always did a great job, identified a lot of bugs, etc."

I have been dealing with the TAC since oh perhaps 1994... I find the above statement to be true... the problem I had was that I was talking to a frontline engineer who was convinced it was my problem. They did access-lists to look at the packets, saw one syn/ack and said "our router is working, it is your fault"... if they would have dug deeper (and this is why I sent them my FTP tests, etc), they would have seen that it had to be something funny with the config.

Oddly, I called in after leaving a very lengthy explanation. They did not want to let me talk to a manager. They did not want me to talk to a Sr. Engineer. Heck, the person on the phone sounded like all they wanted was for me to hang up (and mind you, I was being very amiable about it all). Sigh, I think CISCO support was 100 times better back in the mid 1990s. They really don't care any longer. I am just one guy with $2000 worth of smartnet contracts, they don't care about me. Now, the last job I worked at, I had oh $40,000 in smartnet contracts. When I called, I got action. They worked on the case until we were happy that it worked correctly. Hrm, they have to know all at once how much gear you have and what you spent.
