NAT issues on brand new ISR4321 w/NIM-VAB-A

hayden.whizzit
Level 1

Hi All,

This is my first post here, after much lurking, and I am hoping this is the right place to come for some assistance with this painful NAT issue I am having. I would consider myself to be fairly experienced with these sorts of networks, and have done many like it before without issue. Sadly not the case this time!! This is my first experience with the ISR4321 and I am not sure what I am missing here.

Quick rundown of the network:

5 VLANs, which are routed between each other by the core switch, which is a SG300-28P.

VLAN IPs are as follows:

VLAN1   = 10.0.10.0/24 - Used for native/servers/management
VLAN20 = 10.0.20.0/23 - Used for PCs
VLAN30 = 10.0.30.0/23 - Used for wireless clients
VLAN40 = 10.0.40.0/24 - Used for VoIP
VLAN50 = 10.0.50.0/24 - Used for CCTV

- The core switch, the SG300, is on IP 10.0.10.254 and is the default gateway for all clients on all VLANs.
- The default gateway for the core switch is the router in question, a brand new ISR4321 with a NIM-VAB-A for ADSL 2+ Internet connection (ISP is Telstra). This router is on IP 10.0.10.253.
- There is a second gateway, an older Cisco 2811, on IP 10.0.10.252, which has a HWIC-1ADSL internet connection (ISP is iinet).

There is a policy-based route configured on the ISR4321 to push traffic from ALL VLANs out via the second gateway, the 2811, EXCEPT VLAN40. This is done with an ACL and route-map, as you will see in the config below. The reason for this is the ADSL connection on the ISR4321 is reserved for VoIP data only, and is not used by other devices at all.

Now, when I first went to configure and deploy these two new routers into this network, which replaced an old Linksys X2000 SOHO router, I encountered some issues getting NAT to work properly on the ISR4321. I configured NAT on the ISR4321 just as I would on any other Cisco router, but for some reason dynamic NAT translations were not being populated. I went in circles with this for a few hours, then at some point it just started working!! I was not sure what the issue was, but I was happy it was working, so the router was deployed.

Afterward, I deployed the second 2811 router which had no issues at all with the NAT configuration.

About 1 month down the track now, NAT has again stopped working on the ISR4321, which means our VoIP is no longer working. I have looked at the config again and again but I must be missing something here. For the life of me I don't know what it is. No debugging has helped, but I am also not an expert in NAT on Cisco, as in the past it has usually worked just fine with my configurations.

It is worth noting the following things before looking at this config:

- This config works perfectly on the 2811 on this ADSL connection (telstra), as well as the iinet ADSL.
- The ISR4321 has perfect connectivity back to Telstra, I can also SSH in to the router from its outside IP address.
- The clients are all able to communicate with the router no problem, and all other VLANs except VLAN40 still have perfect internet connectivity due to passing through the ISR4321 to the 2811 via the PBR that is in place.
- I have tried changing the ACL type that is used for my dynamic NAT source list, as well as commands on different interfaces etc.
- As mentioned before, this config was working for some time without changing a thing, but now dynamic nat is failing again!

This almost seems like an IOS bug to me, but I can't find anything to support that claim.
I can only assume something changed on the ISR4321, but even after reading all of the Cisco guides pertaining to NAT config on these routers, I cannot see what.

Please help!

And my apologies for the long-winded post.

Thanks!

ISR4321 Config:

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname XXX_Router_ISR4321
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!


ip domain name XXXXX
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4321/K9 sn XXXXX
spanning-tree extend system-id
!
username XXXX privilege 15 secret 5 XXXX
!
redundancy
mode none
!
!
!
!
controller VDSL 0/1/0
operating mode adsl2+ annex A
!
!
vlan internal allocation policy ascending
!
ip tftp source-interface GigabitEthernet0
ip ssh rsa keypair-name ssh_key
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 10.0.10.253 255.255.255.0
ip nat inside
ip policy route-map voip_data_out
negotiation auto
ip virtual-reassembly
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
no atm oversubscribe
no atm ilmi-keepalive
no atm enable-ilmi-trap
!
interface ATM0/1/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
no atm enable-ilmi-trap
pvc 8/35
vbr-rt 969 969 1
pppoe-client dial-pool-number 1
!
!
interface Ethernet0/1/0
no ip address
no negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
!
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username XXXXXX password 0 XXXXX
no cdp enable
ip virtual-reassembly
!
ip nat inside source list nat_source_list interface Dialer1 overload
ip nat inside source static tcp 10.0.XX.XX XXXX interface Dialer1 XXXX
ip nat inside source static tcp 10.0.XX.XX XXXX interface Dialer1 XXXX
ip nat inside source static tcp 10.0.XX.XX XXXX interface Dialer1 XXXX
ip nat inside source static tcp 10.0.XX.XX XXXX interface Dialer1 XXXX
ip nat inside source static tcp 10.0.XX.XX XXXX interface Dialer1 XXXX
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.20.0 255.255.254.0 10.0.10.254
ip route 10.0.30.0 255.255.254.0 10.0.10.254
ip route 10.0.40.0 255.255.255.0 10.0.10.254
ip route 10.0.50.0 255.255.255.0 10.0.10.254
!
!
ip access-list extended nat_source_list
permit ip 10.0.10.0 0.0.0.255 any
permit ip 10.0.20.0 0.0.1.255 any
permit ip 10.0.30.0 0.0.1.255 any
permit ip 10.0.40.0 0.0.0.255 any
permit ip 10.0.50.0 0.0.0.255 any
ip access-list extended voip_vlan
permit ip 10.0.10.0 0.0.0.255 any
permit ip 10.0.20.0 0.0.1.255 any
permit ip 10.0.30.0 0.0.1.255 any
permit ip 10.0.50.0 0.0.0.255 any
deny ip 10.0.40.0 0.0.0.255 any
!
!
route-map voip_data_out permit 10
match ip address voip_vlan
set ip next-hop 10.0.10.252
!
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
logging synchronous
transport input ssh
!
!
end
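An added example, not from the thread or any Cisco tool: a small Python checker that parses the `interface`, `ip access-list` and `ip nat inside source list ... overload` lines of an IOS-style config and reports the consistency mistakes that a visual review of a long config easily misses (an undefined source ACL, no interface marked `ip nat inside`, or a NAT rule that names an interface which does not exist or is not marked `ip nat outside`). The sample config is a constructed excerpt with the Dialer interface name misspelt on purpose; the parser assumes the usual one-space IOS indentation of sub-commands.

```python
import re

# Constructed excerpt modelled on the config in the post above (not the poster's
# full config); the Dialer interface name is misspelt on purpose so the check fires.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 ip nat inside
!
interface Dialer1l
 ip nat outside
!
ip nat inside source list nat_source_list interface Dialer1 overload
ip access-list extended nat_source_list
 permit ip 10.0.40.0 0.0.0.255 any
"""

def parse_config(text):
    """Return (interfaces, acls): interface name -> its indented sub-lines, and ACL names."""
    interfaces, acls, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(" "):            # indented sub-command of the current block
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None                      # any top-level line ends the open block
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            acls.update(re.findall(r"^ip access-list (?:extended|standard) (\S+)$", line))
    return interfaces, acls

def check_dynamic_nat(text):
    """Findings for each 'ip nat inside source list <acl> interface <if> overload' rule."""
    interfaces, acls = parse_config(text)
    findings = []
    if not any("ip nat inside" in subs for subs in interfaces.values()):
        findings.append("no interface is marked 'ip nat inside'")
    rule = r"^ip nat inside source list (\S+) interface (\S+) overload"
    for acl, ifname in re.findall(rule, text, re.M):
        if acl not in acls:
            findings.append(f"NAT rule references ACL '{acl}' which is not defined")
        if ifname not in interfaces:
            findings.append(f"NAT rule references interface '{ifname}' which does not exist")
        elif "ip nat outside" not in interfaces[ifname]:
            findings.append(f"interface '{ifname}' is not marked 'ip nat outside'")
    return findings
```

Run it against the output of `show running-config`; an empty list means the three pieces (inside interface, outside interface, source ACL) reference each other consistently.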
3 Replies

hayden.whizzit
Level 1

It is worth noting the "show ip nat translations" command shows nothing but the static translations. Not a single dynamic entry.

Obviously when it was working for those few weeks this was heavily populated with dynamic entries.


Sad face.


Thanks,

Hayden

tony-smith
Level 1

What was your fix to the NAT issue? We are having the same issue, and it happens when you disconnect the WAN link to the DSL router. The only way the NAT translations will work is a reboot of the router. As well, I can reproduce the same issue every time in a lab environment.

Hi Tony,


I ended up sending the unit back to the supplier and had the whole thing replaced. The new unit's NIM-VAB-A card was DOA, and by this stage I was at my wit's end after waiting 2 months to get it all replaced. I have since sent the dead NIM-VAB-A back for a credit and will use that credit to purchase a support contract on the unit.

TAC were absolutely useless and refused to support me & my brand new ISR4321 without having a contract.

The whole time we have just been running our existing ADSL connections via the two older Cisco 2811's which have performed flawlessly.


We are currently a few days away from our new fiber internet service going live after which I will switch over from the 2 x 2811's back to the ISR4321 as our main gateway router.


Sorry I can't help you further than that - I still assume the issue was a bug in IOS-XE but I've got nothing concrete beyond that.
