08-02-2012 11:53 AM - edited 03-04-2019 05:09 PM
I have a problem I am running into... I replaced a 2621 with a 2911. The 2911 has three interfaces and I need to use
all of them... Description:
gige0/0 dhcp static IP from ISP, public IP, they assign me 4 more usable public IPs
gige0/1 broken into four VLANS, 108, 109, 120, 127, ip nat on 109 for them to get to the internet, and a static translation on 127 for the phone system to get to the internet
gige0/2 assigned another public IP. A tenant has a linksys router on this interface, they want a public IP.
The problem is that this setup worked, but when we moved to the 2911, some nat translations are failing, and we would like to figure out how to minimize the number of public IPs we use (right now it is three + the static assigned dhcp). The nat that is not working is the nats to the 2001-3001 range. I am not sure why it is failing, but the router seems to indicate it thinks some of these overlap. This router is also doing a vpn to an asa... that seems to be working fine.
Any help would be appreciated.
Current config:
Current configuration : 6072 bytes
!
! Last configuration change at 14:31:44 UTC Thu Aug 2 2012
! NVRAM config last updated at 14:31:50 UTC Thu Aug 2 2012
! NVRAM config last updated at 14:31:50 UTC Thu Aug 2 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ncollege
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name allcom-inc.com
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2477572652
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2477572652
revocation-check none
rsakeypair TP-self-signed-2477572652
!
!
crypto pki certificate chain TP-self-signed-2477572652
certificate self-signed 01
quit
license udi pid CISCO2911/K9 sn F
license boot module c2900 technology-package securityk9
!
!
username
!
redundancy
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key SOMEKEY address 174.79.16.121
!
!
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 174.79.16.121
set transform-set myset2
match address 101
!
!
!
!
!
interface Loopback1
ip address 76.72.92.73 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description LUS dhcp
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map mymap
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.108
description intRAnetVLAN
encapsulation dot1Q 108
ip address 192.168.8.1 255.255.255.0
!
interface GigabitEthernet0/1.109
description intERnetVLAN
encapsulation dot1Q 109
ip address 192.168.9.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.120
description cameraVLAN
encapsulation dot1Q 120
ip address 192.168.120.1 255.255.255.0
!
interface GigabitEthernet0/1.127
description collegeVoiceVLAN
encapsulation dot1Q 127
ip address 192.168.127.1 255.255.255.0
!
interface GigabitEthernet0/2
ip address 76.72.92.77 255.255.255.252
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool overit 76.72.92.73 76.72.92.73 netmask 255.255.255.252
ip nat inside source route-map nonat pool overit overload
ip nat inside source static tcp 192.168.9.2 2000 76.72.92.73 2000 extendable
ip nat inside source static tcp 192.168.9.2 2001 76.72.92.73 2001 extendable
ip nat inside source static tcp 192.168.9.2 2002 76.72.92.73 2002 extendable
ip nat inside source static tcp 192.168.9.2 2003 76.72.92.73 2003 extendable
ip nat inside source static tcp 192.168.9.10 22 76.72.92.73 2222 extendable
ip nat inside source static tcp 192.168.9.2 3002 76.72.92.73 3002 extendable
ip nat inside source static tcp 192.168.9.2 3003 76.72.92.73 3003 extendable
ip nat inside source static tcp 192.168.9.2 3004 76.72.92.73 3004 extendable
ip nat inside source static tcp 192.168.9.2 3389 76.72.92.73 9000 extendable
ip nat inside source static 192.168.9.10 76.72.92.73 route-map sip_nat
!
ip access-list extended udp_rtp
permit udp host 192.168.9.10 any range 10001 20000
!
access-list 10 permit 192.168.9.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 deny ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 deny ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip 192.168.8.0 0.0.0.255 any
access-list 120 permit ip 192.168.9.0 0.0.0.255 any
!
!
!
!
route-map sip_nat permit 10
match ip address udp_rtp
!
route-map nonat permit 10
match ip address 120
!
!
!
!
!
control-plane
!
!
banner login ^C
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law.
^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
scheduler allocate 20000 1000
end
08-02-2012 04:12 PM
If it was working before, it can be a bug. Try updating IOS.
08-03-2012 12:25 PM
It was working before on a 2621 running IOS 12. The configuration is now on a 2911 running IOS 15.
I don't think it is a bug in 15, rather a difference in the IOS between 12 and 15... basically, that is one
of my real questions... am I just missing something after moving from 12 to 15 and to a different router.
08-03-2012 01:44 PM
You can call it a difference, but it can be a bug. Update and if there is still trouble, contact the TAC.
08-03-2012 03:36 PM
We had TAC 8x5 support on this, it was such a nightmare that we actually gave up, cancelled the case
and then cancelled support until we can upgrade to 24x7... They were not helping in any way.
I was hoping someone here would see a problem with it, ah well.
08-08-2012 06:25 AM
NAT working now... after debugging the application, the app was trying to connect on port 2000, then it sends data on port 2001-2003 and 3001-3003... well after much pain with CISCO TAC (and they did not come up with this answer, they thought it was my application)... it was the sccp protocol.
You have to do this in configure mode:
no ip nat service skinny tcp port 2000
We put in that line and our app started to work. We realized that it had to be CISCO's fault when we moved a simple FTP server to port 2000 and it failed. We moved it to port 2001 and it worked. We moved it to any other port we natted and it worked, but it would fail on 2000. After searching the web (gee, CISCO TAC has no internet access?) we found out that CISCO puts in a default ip nat service skinny tcp port 2000 by default after IOS 12.4T.
As for the public IPs... we can use a one to one NAT on the gig0/2. We thought that we would not have enough, but we
got the VPN working on the static dhcp assigned and then NAT/PAT with the one assigned to the loopback. That gives us one free if we want to use 8 and we can just do a one to one NAT with that IP and the gig0/2.
The crazy part about this all is that we closed our TAC 8x5 and ordered 24x7 as we were in a jam and they were not helping. We got the new support, called the TAC and they told us it was not their fault and not the router's fault. I have had CISCO TAC fail me before, and they are not perfect, but they seemed to give up rather easily after one test they did (they checked the syn/ack packets, said it was working and refused to look at it after that)... I even showed them three examples of my FTP tests, and they still refused to look at it more, just giving up and asking me if I wanted a replacement router (as if that would have fixed anything).
Still, not to vent too much, the problem is fixed, just irritating when you pay for support and you always end up figuring it out yourself.
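The fix above comes down to one implicit ALG (skinny on TCP 2000) silently owning a port that a static translation also claims. The following checker is an added example, not something posted in the thread: it reads a running-config excerpt (constructed here from the static NAT lines the original poster shared), flags static port translations that land on an ALG port the config has not disabled with `no ip nat service ...`, and separately reports global ip:port pairs claimed by more than one static entry, the kind of overlap the router complained about. The DEFAULT_ALGS table is an assumption that lists only the skinny/2000 default this thread identified; extend it for other implicit ALGs your platform documents.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the static NAT lines from the config posted in the thread
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.9.2 2000 76.72.92.73 2000 extendable
ip nat inside source static tcp 192.168.9.2 2001 76.72.92.73 2001 extendable
ip nat inside source static tcp 192.168.9.10 22 76.72.92.73 2222 extendable
ip nat inside source static tcp 192.168.9.2 3389 76.72.92.73 9000 extendable
ip nat inside source static 192.168.9.10 76.72.92.73 route-map sip_nat
"""

# NAT ALGs IOS enables implicitly; skinny on TCP 2000 is the one this thread hit.
# Assumption: only that entry is listed; add others your platform enables by default.
DEFAULT_ALGS: Dict[Tuple[str, int], str] = {("tcp", 2000): "skinny"}

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", re.M)
SERVICE_RE = re.compile(r"^(no )?ip nat service (\S+) (tcp|udp) port (\d+)", re.M)

def parse_static_ports(config: str) -> List[dict]:
    """Return every port-level static translation as a dict (route-map entries skipped)."""
    return [dict(proto=m[1], inside_ip=m[2], inside_port=int(m[3]),
                 global_ip=m[4], global_port=int(m[5]))
            for m in STATIC_RE.finditer(config)]

def disabled_algs(config: str) -> Set[Tuple[str, int]]:
    """ALG (proto, port) pairs the config explicitly turns off with 'no ip nat service'."""
    return {(m[3], int(m[4])) for m in SERVICE_RE.finditer(config) if m[1]}

def find_alg_conflicts(config: str) -> List[Tuple[dict, str]]:
    """Static translations whose global port is still owned by an implicit ALG."""
    off = disabled_algs(config)
    return [(e, DEFAULT_ALGS[(e["proto"], e["global_port"])])
            for e in parse_static_ports(config)
            if (e["proto"], e["global_port"]) in DEFAULT_ALGS
            and (e["proto"], e["global_port"]) not in off]

def find_global_overlaps(config: str) -> List[Tuple[str, str, int]]:
    """Global proto/ip/port triples claimed by more than one static entry."""
    seen: Dict[Tuple[str, str, int], int] = {}
    for e in parse_static_ports(config):
        key = (e["proto"], e["global_ip"], e["global_port"])
        seen[key] = seen.get(key, 0) + 1
    return sorted(k for k, n in seen.items() if n > 1)

if __name__ == "__main__":
    for entry, alg in find_alg_conflicts(SAMPLE_CONFIG):
        print(f"{alg} ALG still active on {entry['proto']}/{entry['global_port']}: "
              f"add 'no ip nat service {alg} {entry['proto']} port {entry['global_port']}'")
    for proto, ip, port in find_global_overlaps(SAMPLE_CONFIG):
        print(f"overlap: {proto} {ip}:{port} is claimed by more than one static entry")
```

Run it against the output of `show running-config | include ip nat` before and after adding the `no ip nat service` line to confirm the conflict disappears.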
08-08-2012 02:30 PM
In similar cases, you should ask for escalation. Furthermore, there is a satisfaction form you will receive after closing a case, when the rating is low you should be contacted by a manager.
In my 20 years experience, senior TAC engineers always did a great job, identified a lot of bugs, etc.
08-08-2012 04:00 PM
"In my 20 years experience, senior TAC engineers always did a great job, identified a lot of bugs, etc."
I have been dealing with the TAC since oh perhaps 1994... I find the above statement to be true... the
problem I had was that I was talking to a frontline engineer who was convinced it was my problem. They
did access-lists to look at the packets, saw one syn/ack and said "our router is working, it is your fault"...
if they would have dug deeper (and this is why I sent them my FTP tests, etc), they would have seen that
it had to be something funny with the config.
Oddly, I called in after leaving a very lengthy explanation. They did not want to let me talk to a manager.
They did not want me to talk to a Sr. Engineer. Heck, the person on the phone sounded like all they wanted
was for me to hang up (and mind you, I was being very amiable about it all). Sigh, I think CISCO support
was 100 times better back in the mid 1990s. They really don't care any longer. I am just one guy with $2000
worth of smartnet contracts, they don't care about me. Now, the last job I worked at, I had oh $40,000
in smartnet contracts. When I called, I got action. They worked on the case until we were happy that it
worked correctly. Hrm, they have to know all at once how much gear you have and what you spent.