
NAT Configuration issue between Cisco ASR 901 routers

Below is a simple illustration of the current lab setup.

 

ISP <------->OfficeRouter<------GI0/1--------->GMRTR01<-------SFP---->GMRTR04<----Gi0/1--->Laptop
                      192.168.2.2/16                   (vlan100) 172.16.1.1/16 (vlan200)     (vlan100)172.16.4.1/16        172.16.4.10

 

The issue I am having right now is that I am unable to reach the internet / DHCP server / office gateway from GMRTR04; however, I am able to reach the internet / DHCP server / office gateway from GMRTR01.

 

Logs from GMRTR01, which is connected to the home office router

GMRTR01#sh ver
Cisco IOS Software, 901 Software (ASR901-UNIVERSALK9-M), Version 15.6(XE318_PROD_NIGHTLY_201809071237)SP, EARLY DEPLOYMENT NIGHTLY BUILD, synced to  V156_2_S_FC4
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 15.6(2r)SP4, RELEASE SOFTWARE (fc1)

GMRTR01 uptime is 20 minutes
System returned to ROM by power-on
System restarted at 13:03:58 IST Tue Oct 20 2020
System image file is "flash:regression_image"
Last reload type: Normal Reload
Last reload reason: power-on

 

GMRTR01#sh run int gi0/1
Building configuration...

Current configuration : 167 bytes
!
interface GigabitEthernet0/1
 no ip address
 no ip route-cache
 negotiation auto
 service instance 100 ethernet
  encapsulation untagged
  bridge-domain 100
 !
end

GMRTR01#sh run int ten0/1
Building configuration...

Current configuration : 197 bytes
!
interface TenGigabitEthernet0/1
 no ip address
 no ip route-cache
 qos-config scheduling-mode min-bw-guarantee
 service instance 200 ethernet
  encapsulation untagged
  bridge-domain 200
 !
end

GMRTR01#sh run int vlan100
Building configuration...

Current configuration : 112 bytes
!
interface Vlan100
 ip address dhcp
 ip nat outside
 bridge-group 100
 bridge-group 100 spanning-disabled
end

GMRTR01#sh run int vlan200
Building configuration...

Current configuration : 129 bytes
!
interface Vlan200
 ip address 172.16.1.1 255.255.0.0
 ip nat inside
 bridge-group 200
 bridge-group 200 spanning-disabled
end

GMRTR01#sh ip int bri
Interface                        IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1        unassigned      YES NVRAM  up                    up      
TenGigabitEthernet0/1  unassigned      YES NVRAM  up                    up      
Vlan100                        192.168.2.88    YES DHCP   up                    up      
Vlan200                        172.16.1.1        YES NVRAM  up                    up     

NAT Configuration with default route

GMRTR01#sh run
Building configuration...
!
!
ip nat inside source list ASTROME_NAT interface Vlan100 overload
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp
!
ip access-list standard ASTROME_NAT
 permit 172.16.0.0 0.0.255.255
!
!
!
bridge 100 route ip
bridge 200 route ip
!
GMRTR01#sh ip route
Gateway of last resort is 192.168.2.2 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 192.168.2.2
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/16 is directly connected, Vlan200
L        172.16.1.1/32 is directly connected, Vlan200
C     192.168.0.0/16 is directly connected, Vlan100
      192.168.2.0/32 is subnetted, 1 subnets
L        192.168.2.88 is directly connected, Vlan100

GMRTR01#ping 172.16.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

GMRTR01#ping 172.16.4.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

GMRTR01#ping 192.168.2.15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.15, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

GMRTR01#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

GMRTR01#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms

GMRTR01#ping 8.8.8.8 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.88
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
GMRTR01#ping 8.8.8.8 source vlan 200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
 
Logs from GMRTR04, which is connected to the GMRTR01 router

GMRTR04#sh ver
Cisco IOS Software, 901 Software (ASR901-UNIVERSALK9-M), Version 15.5(1)S, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Tue 11-Nov-14 22:26 by prod_rel_team

ROM: System Bootstrap, Version 15.6(2r)SP4, RELEASE SOFTWARE (fc1)

GMRTR04 uptime is 32 minutes
System returned to ROM by power-on
System restarted at 01:23:07 UTC Tue Oct 20 2020
System image file is "flash:asr901-universalk9-mz.155-1.S"
Last reload type: Normal Reload
Last reload reason: power-on

GMRTR04#sh run
Building configuration...
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
GMRTR04#sh run int gi0/1
Building configuration...

Current configuration : 148 bytes
!
interface GigabitEthernet0/1
 no ip address
 negotiation auto
 service instance 100 ethernet
  encapsulation untagged
  bridge-domain 100
 !
end

GMRTR04#sh run int ten0/1
Building configuration...

Current configuration : 133 bytes
!
interface TenGigabitEthernet0/1
 no ip address
 service instance 100 ethernet
  encapsulation untagged
  bridge-domain 100
 !
end

GMRTR04#sh run int vlan 100
Building configuration...

Current configuration : 114 bytes
!
interface Vlan100
 ip address 172.16.4.1 255.255.0.0
 bridge-group 100
 bridge-group 100 spanning-disabled
end

GMRTR04#sh ip int bri
Interface                        IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1        unassigned      YES NVRAM  up                    up      
TenGigabitEthernet0/1  unassigned      YES NVRAM  up                    up      
Vlan100                         172.16.4.1       YES NVRAM  up                    up      

GMRTR04#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
172.16.4.10     54ee.754f.180e          Infinite                Manual     Active     Unknown
GMRTR04#sh ip route
Gateway of last resort is 172.16.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.1.1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/16 is directly connected, Vlan100
L        172.16.4.1/32 is directly connected, Vlan100

GMRTR04#ping 172.16.4.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

GMRTR04#sh ip int br
Interface                        IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1        unassigned      YES NVRAM  up                    up      
TenGigabitEthernet0/1  unassigned      YES NVRAM  up                    up      
Vlan100                        172.16.4.1        YES NVRAM  up                    up      
GMRTR04#ping 172.16.4.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
GMRTR04#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
GMRTR04#ping 192.168.2.88
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.88, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
GMRTR04#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5

 

Logs from the laptop (172.16.4.10), which is connected to GMRTR04 router port Gi0/1

 

$ route -n                                                                                                                                                             
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 enp3s0

$ ip a                                                                                                                                                                
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:ff:ee:4f:18:11 brd ff:ff:ff:ff:ff:ff
    inet 172.16.4.10/16 brd 172.16.255.255 scope global dynamic enp3s0
       valid_lft 84447sec preferred_lft 84447sec
    inet6 fe80::6180:654e:6bc:ef92/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
$ ping 172.16.4.1 -c 4                                                                                                                                                   
PING 172.16.4.1 (172.16.4.1) 56(84) bytes of data.
64 bytes from 172.16.4.1: icmp_seq=1 ttl=255 time=0.419 ms
64 bytes from 172.16.4.1: icmp_seq=2 ttl=255 time=0.482 ms
64 bytes from 172.16.4.1: icmp_seq=3 ttl=255 time=0.492 ms
64 bytes from 172.16.4.1: icmp_seq=4 ttl=255 time=2.77 ms

--- 172.16.4.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3100ms
rtt min/avg/max/mdev = 0.419/1.039/2.765/0.996 ms
$ ping 172.16.1.1 -c 4                                                                                                                                                 
PING 172.16.1.1 (172.16.1.1) 56(84) bytes of data.
64 bytes from 172.16.1.1: icmp_seq=1 ttl=255 time=0.429 ms
64 bytes from 172.16.1.1: icmp_seq=2 ttl=255 time=0.430 ms
64 bytes from 172.16.1.1: icmp_seq=3 ttl=255 time=0.382 ms
64 bytes from 172.16.1.1: icmp_seq=4 ttl=255 time=0.505 ms

--- 172.16.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3083ms
rtt min/avg/max/mdev = 0.382/0.436/0.505/0.044 ms
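
As an added illustration (not part of the original post), this Python sketch replays the routing tables pasted above with a longest-prefix-match lookup to show where each device would forward a packet. The table transcription and address-owner map come from the outputs above; the helper names `lookup` and `trace` are hypothetical.

```python
import ipaddress

# Routes transcribed from the "sh ip route" / "route -n" outputs above
# (next hop None = directly connected; /32 local routes omitted).
ROUTES = {
    "GMRTR01": [("0.0.0.0/0", "192.168.2.2"),
                ("172.16.0.0/16", None),     # Vlan200
                ("192.168.0.0/16", None)],   # Vlan100
    "GMRTR04": [("0.0.0.0/0", "172.16.1.1"),
                ("172.16.0.0/16", None)],    # Vlan100
    "Laptop":  [("172.16.0.0/16", None)],    # enp3s0, no default route
}
# Address owners, from "sh ip int bri" and "ip a" above.
OWNER = {"192.168.2.88": "GMRTR01", "172.16.1.1": "GMRTR01",
         "172.16.4.1": "GMRTR04", "172.16.4.10": "Laptop",
         "192.168.2.2": "OfficeRouter"}

def lookup(device, dst):
    """Longest-prefix match: next-hop IP, dst itself if connected, None if no route."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, via in ROUTES[device]:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        return None
    return best[1] or dst

def trace(device, dst, max_hops=8):
    """Follow the forward path only; NAT and the return path are not modelled."""
    path = [device]
    for _ in range(max_hops):
        if OWNER.get(dst) == device:
            return path                        # delivered
        if device not in ROUTES:
            return path + ["table not shown"]  # e.g. the office router
        hop = lookup(device, dst)
        if hop is None:
            return path + ["no route"]
        device = OWNER.get(hop, hop)
        path.append(device)
    return path + ["hop limit"]

if __name__ == "__main__":
    for src, dst in [("Laptop", "172.16.1.1"), ("Laptop", "192.168.2.2"),
                     ("GMRTR04", "192.168.2.88"), ("GMRTR04", "192.168.2.2"),
                     ("GMRTR04", "8.8.8.8")]:
        print(f"{src} -> {dst}: {' > '.join(trace(src, dst))}")
```

The tables give GMRTR04 a forward path to 192.168.2.2 through GMRTR01, while the laptop has no route off 172.16.0.0/16 at all. What the lookup cannot show is whether the 172.16.4.1 source is translated at GMRTR01 or how the office router returns the reply.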


Hello,

 

post the full running configurations (sh run) of both the GMRTR01 and the GMRTR04 router. Also, what brand/model is the 'Office Router' ? 

Thank you for your response @Georg Pauwen . Office Router is DLink DIR 890L. Configuration of GMRTR01 and GMRTR04 has been attached.

Hello,

 

thanks for the configs. What is the purpose of the bridging ? I don't see any BDI interfaces, so I am not sure what you are trying to accomplish.

 

Either way, looking at the below, you have IP addresses from the same address space (172.16.0.0/16) configured on two different Vlans.

 

GMRTR01

interface Vlan200
ip address 172.16.1.1 255.255.0.0
ip nat inside
bridge-group 200
bridge-group 200 spanning-disabled

 

GMRTR04

interface Vlan100
ip address 172.16.4.1 255.255.0.0
bridge-group 100
bridge-group 100 spanning-disabled

 

What are your two ASR routers supposed to do ?

@Georg Pauwen the reason we used the same network on both ASR routers is to avoid routing.

 

Two ASR router purpose

The laptop connected at the ISP end is supposed to transfer data from the ISP to the other ASR router connected at the laptop end.

This is the current lab setup, where the Cisco ASR routers are connected using an SFP cable, which we will remove when deploying in the field; the data will then be transferred wirelessly to the other end using our company's device.

 

And since data from one end needs to be transferred to the other end, we thought it would be simpler to keep them in the same network and avoid the complexities of routing protocols.

 

Would having them in the same network cause any issue for what we are trying to accomplish?

 

GMRTR01#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.1.1 - 4c00.8287.1d6c ARPA Vlan200
Internet 172.16.4.1 3 e02f.6d74.ef5c ARPA Vlan200
Internet 192.168.2.1 0 9c3d.cf53.6f7e ARPA Vlan100
Internet 192.168.2.2 0 6c72.203d.c91c ARPA Vlan100
Internet 192.168.2.15 8 c85b.764c.cd8b ARPA Vlan100
Internet 192.168.2.88 - 4c00.8287.1d6c ARPA Vlan100
GMRTR01#

 

GMRTR04#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.1.1 3 4c00.8287.1d6c ARPA Vlan100
Internet 172.16.4.1 - e02f.6d74.ef5c ARPA Vlan100
GMRTR04#

 

Hello,

 

if you want to bridge Vlans, the IP addresses need to be in the same subnet.

 

It is probably the easiest to just change Vlan 100 to Vlan 200 on the GMRTR04 router:

 

interface Vlan200
ip address 172.16.4.1 255.255.0.0
bridge-group 200
bridge-group 200 spanning-disabled

@Georg Pauwen We have made the encapsulation as untagged on the interface config. 

I have made the changes as you had asked 

 

GMRTR04#sh run int ten 0/1
Building configuration...

Current configuration : 133 bytes
!
interface TenGigabitEthernet0/1
no ip address
service instance 100 ethernet
encapsulation untagged
bridge-domain 200
!
end

GMRTR04#sh run int vlan 200
Building configuration...

Current configuration : 114 bytes
!
interface Vlan200
ip address 172.16.4.1 255.255.0.0
bridge-group 200
bridge-group 200 spanning-disabled
end

 

GMRTR04#sh ip int brief
Interface                       IP-Address   OK? Method Status Protocol
GigabitEthernet0/1        unassigned   YES NVRAM down down
TenGigabitEthernet0/1   unassigned   YES NVRAM up up
Vlan200                        172.16.4.1    YES manual up up

 

GMRTR04#ping 192.168.2.88
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.88, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
GMRTR04#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
GMRTR04#sh ip route
Gateway of last resort is 172.16.1.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 172.16.1.1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/16 is directly connected, Vlan200
L 172.16.4.1/32 is directly connected, Vlan200

 

Still unable to ping the gateway and beyond from GMRTR04 but able to from GMRTR01

 

GMRTR01#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
GMRTR01#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 m

 

 

Hello,

 

unfortunately I don't have two ASRs to test this on, but I think you might be missing the rewrite ingress part. Try and configure the interface configurations below:

 

interface GigabitEthernet0/1
no ip address
no ip route-cache
negotiation auto
service instance 100 ethernet
encapsulation dot1q 100
rewrite ingress tag pop 1 symmetric
bridge-domain 100
!
interface TenGigabitEthernet0/1
no ip address
no ip route-cache
qos-config scheduling-mode min-bw-guarantee
service instance 200 ethernet
encapsulation dot1q 200
rewrite ingress tag pop 1 symmetric
bridge-domain 200

Hello @Georg Pauwen 

As soon as I add the below config

 

GMRTR01#sh run int gi0/1
Building configuration...

Current configuration : 206 bytes
!
interface GigabitEthernet0/1
no ip address
no ip route-cache
negotiation auto
service instance 100 ethernet
encapsulation dot1q 100
rewrite ingress tag pop 1 symmetric
bridge-domain 100
!
end

 

GMRTR01#sh run int ten 0/1
Building configuration...

Current configuration : 236 bytes
!
interface TenGigabitEthernet0/1
no ip address
no ip route-cache
qos-config scheduling-mode min-bw-guarantee
service instance 200 ethernet
encapsulation dot1q 200
rewrite ingress tag pop 1 symmetric
bridge-domain 200
!
end

 

Vlan100 went down 

 

GMRTR01#sh ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/1 unassigned YES NVRAM up up
TenGigabitEthernet0/1 unassigned YES NVRAM up up
Vlan100 unassigned YES DHCP up up
Vlan200 172.16.1.1 YES NVRAM up up

Hello,

 

what if you leave GigabitEthernet0/1 as it was and just change the configuration of TenGigabitEthernet0/1:

 

interface GigabitEthernet0/1
no ip address
no ip route-cache
negotiation auto
service instance 100 ethernet
encapsulation untagged
bridge-domain 100

!

interface TenGigabitEthernet0/1
no ip address
no ip route-cache
qos-config scheduling-mode min-bw-guarantee
service instance 200 ethernet
encapsulation dot1q 200
rewrite ingress tag pop 1 symmetric
bridge-domain 200

Hello

As the office router looks like it's already doing NAT (vlan 100) and you don't want to implement routing between vlan 100 and 200, why are you trying to bridge both vlans? I would have thought you would just want to bridge vlan 200 between GMRTR01 - GMRTR04 and its end host?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul