02-28-2024 05:13 PM - edited 02-28-2024 05:35 PM
Hello!
So, I tried to clean up my configuration and I feel that as a whole I am on it, but I am clearly missing something. Everything plugs into the Nexus, which connects to the FPR, which connects to the ISR.
ISR - 6 [STATIC] WAN to [NETWORK] LAN NAT
DHCP Servers for Networks 2-7, no vlans.
6 STATIC Routes to Networks towards FPR
FPR - default 'nat inside,outside'
No vlan, No DHCP
6 STATIC Routes to Networks towards NEXUS
NEXUS - vlan 2-7, SVI for each vlan, 0.0.0.0 0.0.0.0 [FPR IP]
What is weird is that anything in VLANs 2-7 cannot even ping the NEXUS. Also, aside from that (or maybe this is the issue), since the DHCP servers are on the ISR, through the FPR, to the NEXUS, do I need DHCP relay set up on any of the routers?
Here are my 3 configs: NEXUS, ISR, FPR [in no order, just listed].
------------------------------
NEXUS
------------------------------
version 9.3(10) Bios:version 07.69
switchname NexusHOM
feature telnet
feature interface-vlan
ip route 0.0.0.0/0 172.16.2.1
vlan 1-7
interface Vlan1
no shutdown
ip address 192.168.10.3/24
interface Vlan2
no shutdown
ip address 192.168.1.1/24
interface Vlan3
no shutdown
ip address 192.168.2.1/24
interface Vlan4
no shutdown
ip address 192.168.3.1/24
interface Vlan5
no shutdown
ip address 192.168.4.1/24
interface Vlan6
no shutdown
ip address 192.168.6.1/24
interface Vlan7
no shutdown
ip address 192.168.5.1/24
interface Ethernet1/95
description Link_to_FPR
no switchport
ip address 172.16.2.2/24
no shutdown
---------------------------------------------
ISR
---------------------------------------------
version 17.9
!
hostname HoM
!
ip name-server 205.171.3.65 205.171.2.65
no ip domain lookup
ip dhcp excluded-address 192.168.4.0 192.168.4.2
ip dhcp excluded-address 192.168.4.129 192.168.4.255
ip dhcp excluded-address 192.168.6.0 192.168.6.2
ip dhcp excluded-address 192.168.6.129 192.168.6.255
ip dhcp excluded-address 192.168.3.0 192.168.3.2
ip dhcp excluded-address 192.168.3.130 192.168.3.255
ip dhcp excluded-address 192.168.1.0 192.168.1.2
ip dhcp excluded-address 192.168.2.0 192.168.2.2
ip dhcp excluded-address 192.168.5.0 192.168.5.2
ip dhcp excluded-address 192.168.5.129 192.168.5.255
!
ip dhcp pool 3
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 8.8.8.8
lease infinite
!
ip dhcp pool 4
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server 8.8.8.8
lease infinite
!
ip dhcp pool 5
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
dns-server 8.8.8.8
lease infinite
!
ip dhcp pool 6
network 192.168.6.0 255.255.255.0
default-router 192.168.6.1
dns-server 8.8.8.8
lease infinite
!
ip dhcp pool 1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.4.115
lease infinite
!
ip dhcp pool 2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.4.115
lease infinite
!
controller Cellular 0/2/0
!
vlan internal allocation policy ascending
!
vlan 8-9
!
interface GigabitEthernet0/0/0
description WAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1460
ip tcp adjust-mss 1412
negotiation auto
no cdp enable
pppoe enable group global
pppoe-client dial-pool-number 1
spanning-tree portfast disable
!
interface GigabitEthernet0/0/1
description Management
ip address 192.168.8.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/1/0
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
switchport mode access
shutdown
!
interface GigabitEthernet0/1/4
switchport mode access
shutdown
!
interface GigabitEthernet0/1/5
description TO-FPR-WAN
switchport access vlan 8
switchport mode access
spanning-tree portfast
!
interface Wlan-GigabitEthernet0/1/8
!
interface Cellular0/2/0
no ip address
shutdown
!
interface Cellular0/2/1
no ip address
shutdown
!
interface Vlan1
description ISR default LAN
ip address 192.168.10.2 255.255.255.0
ip nat inside
no ip virtual-reassembly
!
interface Vlan8
description Link_To_FPR
ip address 172.16.1.1 255.255.255.0
ip nat inside
!
interface Vlan9
description Link_To_NEXUS
ip address 10.0.0.1 255.255.255.0
ip nat inside
!
ip nat pool 177 207.108.121.177 207.108.121.177 prefix-length 30
ip nat pool 178 207.108.121.178 207.108.121.178 prefix-length 30
ip nat pool 179 207.108.121.179 207.108.121.179 prefix-length 30
ip nat pool 182 207.108.121.182 207.108.121.182 prefix-length 30
ip nat pool 181 207.108.121.181 207.108.121.181 prefix-length 30
ip nat pool 180 207.108.121.180 207.108.121.180 prefix-length 30
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 4 pool 179 overload
ip nat inside source list 5 pool 178 overload
ip nat inside source list 6 pool 182 overload
ip nat inside source list 7 pool 177 overload
ip nat inside source list 8 pool 181 overload
ip nat inside source list 9 pool 180 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 172.16.1.2
ip route 192.168.2.0 255.255.255.0 172.16.1.2
ip route 192.168.3.0 255.255.255.0 172.16.1.2
ip route 192.168.4.0 255.255.255.0 172.16.1.2
ip route 192.168.5.0 255.255.255.0 172.16.1.2
ip route 192.168.6.0 255.255.255.0 172.16.1.2
!
ip access-list standard 1
10 permit 192.168.8.0 0.0.0.255
ip access-list standard 2
10 permit 10.0.0.0 0.0.0.255
ip access-list standard 4
10 permit 192.168.3.0 0.0.0.255
ip access-list standard 5
10 permit 192.168.4.0 0.0.0.255
ip access-list standard 6
10 permit 192.168.5.0 0.0.0.255
ip access-list standard 7
10 permit 192.168.6.0 0.0.0.255
ip access-list standard 8
10 permit 192.168.2.0 0.0.0.255
ip access-list standard 9
10 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
----------------------------------
FPR
---------------------------------
NGFW Version 7.3.1
!
hostname firepower
!
interface Vlan1
nameif inside
security-level 0
ip address 192.168.95.1 255.255.255.0
!
interface Ethernet1/1
no switchport
nameif outside [link_to_ISR]
security-level 0
ip address 172.16.1.2 255.255.255.0
!
interface Ethernet1/2
no switchport
nameif link_to_sg350xg
security-level 0
ip address 172.16.2.1 255.255.255.0
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup any
dns server-group CiscoUmbrellaDNSServerGroup
name-server 208.67.222.222
name-server 208.67.220.220
name-server 2620:119:35::35
dns-group CiscoUmbrellaDNSServerGroup
no object-group-search access-control
object network any-ipv4
subnet 0.0.0.0 0.0.0.0
object network any-ipv6
subnet ::/0
object network IPv4-Private-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0
object network IPv4-Private-172.16.0.0-12
subnet 172.16.0.0 255.240.0.0
object network IPv4-Private-192.168.0.0-16
subnet 192.168.0.0 255.255.0.0
object network fbeye_lan_180
subnet 192.168.1.0 255.255.255.0
object network fbeye_wan
host 207.108.121.180
object network fhc_lan_181
subnet 192.168.2.0 255.255.255.0
object network fhc_wan
host 207.108.121.181
object network ISR
host 172.16.1.1
object network main-182
subnet 192.168.5.0 255.255.255.0
object network fbeye_mail
host 192.168.1.180
object network fhc_181
host 192.168.2.181
object network omv2-177
subnet 192.168.6.0 255.255.255.0
object network proxmox-178
subnet 192.168.4.0 255.255.255.0
object network ceyea-179
subnet 192.168.3.0 255.255.255.0
object network sg350xg_gateway
host 172.16.2.2
object-group network IPv4-Private-All-RFC1918
network-object object IPv4-Private-10.0.0.0-8
network-object object IPv4-Private-172.16.0.0-12
network-object object IPv4-Private-192.168.0.0-16
object-group service |acSvcg-268435457
service-object ip
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc link_to_sg350xg any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
route link_to_sg350xg 192.168.1.0 255.255.255.0 172.16.2.2 1
route link_to_sg350xg 192.168.2.0 255.255.255.0 172.16.2.2 1
route link_to_sg350xg 192.168.3.0 255.255.255.0 172.16.2.2 1
route link_to_sg350xg 192.168.4.0 255.255.255.0 172.16.2.2 1
route link_to_sg350xg 192.168.5.0 255.255.255.0 172.16.2.2 1
route link_to_sg350xg 192.168.6.0 255.255.255.0 172.16.2.2 1
!
dhcpd dns 192.168.4.115
!
dhcpd address 192.168.95.5-192.168.95.254 inside
dhcpd enable inside
Also, ignore anything sg350xg; that is my Nexus, I just did not change the name.
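The DHCP relay question above comes down to two protocol facts: a client's DISCOVER is a link-local broadcast that no router forwards, and a server that is hit through a relay picks its pool by the `giaddr` the relay stamped, not by where the client sits. The following is an added example, not code from the thread: a small Python model of an IOS-style `ip dhcp pool` server fed by the ISR's pools for two of the six subnets, with the Nexus SVI acting (or not) as the relay. The pool networks, default-routers, excluded ranges, SVI addresses and the ISR's 172.16.1.1 are transcribed from the posted configs; the client MAC addresses are constructed. The relay function models what NX-OS `ip dhcp relay address <server>` does on an SVI (with `feature dhcp` and `ip dhcp relay` enabled), which the posted Nexus config does not contain.

```python
"""Why a remote DHCP server needs a relay at the first-hop SVI, and how the
server selects a pool once the relay has set giaddr (RFC 2131 behaviour,
modelled on the ISR pools posted in the thread)."""
import ipaddress
from dataclasses import dataclass, field

IP = ipaddress.ip_address

# Transcribed from the posted ISR config for two of its six pools (constructed
# subset): pool network -> default-router, plus the excluded-address ranges.
ISR_POOLS = {
    ipaddress.ip_network("192.168.1.0/24"): IP("192.168.1.1"),
    ipaddress.ip_network("192.168.2.0/24"): IP("192.168.2.1"),
}
ISR_EXCLUDED = [(IP("192.168.1.0"), IP("192.168.1.2")), (IP("192.168.2.0"), IP("192.168.2.2"))]
ISR_ADDR = IP("172.16.1.1")   # ISR Vlan8: the address a relay on the Nexus would target
# Nexus SVIs from the posted config (VLAN id -> SVI address)
NEXUS_SVI = {2: ipaddress.ip_interface("192.168.1.1/24"), 3: ipaddress.ip_interface("192.168.2.1/24")}
BROADCAST = IP("255.255.255.255")


@dataclass
class DhcpMsg:
    op: str                                          # "DISCOVER" or "OFFER"
    chaddr: str                                      # client hardware address
    giaddr: ipaddress.IPv4Address = IP("0.0.0.0")    # relay agent address, 0 when none
    yiaddr: ipaddress.IPv4Address = IP("0.0.0.0")    # address being offered
    dst: ipaddress.IPv4Address = BROADCAST           # IP destination of the datagram
    options: dict = field(default_factory=dict)


class DhcpServer:
    """Pool selection the way an IOS `ip dhcp pool` server does it: the pool
    whose `network` contains giaddr (or the receiving interface's own address
    when giaddr is 0), skipping excluded-address ranges and active leases."""

    def __init__(self, pools, excluded, own_addr):
        self.pools, self.excluded, self.own_addr = pools, excluded, own_addr
        self.leased = set()

    def handle(self, msg):
        if msg.dst != self.own_addr:
            return None                 # a broadcast from another L3 segment never arrives here
        key = msg.giaddr if msg.giaddr != IP("0.0.0.0") else self.own_addr
        pool = next((n for n in self.pools if key in n), None)
        if pool is None:
            return None                 # no `network` statement covers the requester
        for host in pool.hosts():
            if host in self.leased or any(lo <= host <= hi for lo, hi in self.excluded):
                continue
            self.leased.add(host)
            # The OFFER goes back to the relay (giaddr), which re-broadcasts it on the VLAN.
            return DhcpMsg("OFFER", msg.chaddr, msg.giaddr, host, dst=msg.giaddr,
                           options={"router": self.pools[pool]})
        return None                     # pool exhausted


def relay(msg, svi, server_addr):
    """What `ip dhcp relay address <server>` on an NX-OS SVI does: stamp giaddr
    with the SVI address and forward the client's broadcast as a routable unicast."""
    if msg.giaddr == IP("0.0.0.0"):
        msg.giaddr = svi.ip
    msg.dst = server_addr
    return msg


def client_boot(vlan, server, relay_configured, chaddr="00:11:22:33:44:55"):
    """A host on `vlan` broadcasts a DISCOVER; returns the OFFER it gets, or None."""
    discover = DhcpMsg("DISCOVER", chaddr)   # constructed client MAC
    if relay_configured:
        discover = relay(discover, NEXUS_SVI[vlan], ISR_ADDR)
    return server.handle(discover)           # without a relay the broadcast stops at the SVI


if __name__ == "__main__":
    srv = DhcpServer(ISR_POOLS, ISR_EXCLUDED, ISR_ADDR)
    print("no relay  :", client_boot(2, srv, relay_configured=False))
    print("with relay:", client_boot(2, srv, relay_configured=True))
    print("vlan 3    :", client_boot(3, srv, relay_configured=True))
```

Without the relay the server never receives the DISCOVER, which is consistent with hosts in VLANs 2-7 having no address at all; with it, the SVI address in `giaddr` lands in the `network` of the right pool, the first non-excluded host (192.168.1.3, since .0-.2 are excluded) is offered, and the `default-router` handed out is the same SVI address.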
02-29-2024 02:00 AM - edited 02-29-2024 02:01 AM
Hello @TheGoob ,
the ISR accesses the public internet using PPPoE, and the Dialer1 interface configuration that is missing should have
interface dialer 1
ip address negotiated
This means that your device has a dynamic IP address that is provided during PPPoE negotiation via IPCP.
The only possible NAT action is to NAT using the Dialer1 interface.
The following commands:
ip nat pool 177 207.108.121.177 207.108.121.177 prefix-length 30
ip nat pool 178 207.108.121.178 207.108.121.178 prefix-length 30
ip nat pool 179 207.108.121.179 207.108.121.179 prefix-length 30
ip nat pool 182 207.108.121.182 207.108.121.182 prefix-length 30
ip nat pool 181 207.108.121.181 207.108.121.181 prefix-length 30
ip nat pool 180 207.108.121.180 207.108.121.180 prefix-length 30
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 4 pool 179 overload
ip nat inside source list 5 pool 178 overload
ip nat inside source list 6 pool 182 overload
ip nat inside source list 7 pool 177 overload
ip nat inside source list 8 pool 181 overload
ip nat inside source list 9 pool 180 overload
Are you sure that those public IP addresses are yours?
And how can the ISP router reach them? Your device looks like it gets a dynamic IP address via PPPoE.
Hope to help
Giuseppe
02-29-2024 05:00 PM
I apologize, I omitted the PPPoE/Dialer1 information because I was trying to “shorten” the read and focus mainly on why the Nexus was not obtaining IP addresses from the ISR, through the FPR. When I get home I am going to try what LG below had recommended about removing NAT on the FPR and, as long as nothing else in my configs is wrong, it is successful.
02-29-2024 02:41 AM
Hello @TheGoob,
Your FPR is doing NAT for inside interfaces into the IP of the outgoing interface, 172.16.1.2:
nat (inside,outside) after-auto source dynamic any interface
You should put a no in front of it and things should start working.
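The point of the reply above is a layering problem: the ISR's NAT is driven by standard ACLs that select a source subnet, so whatever address the FPR presents to the ISR decides which pool, if any, is used. The following is an added example, not code from the thread: a Python trace of one LAN source through both boxes, with the FPR rule modelled the way the reply reads it (every source heading to `outside` leaves as the FPR's 172.16.1.2). The ACL numbers, subnets and pool addresses are transcribed from the posted ISR config; the sample host addresses are constructed; the Dialer1 mapping is shown as a label because, as Giuseppe notes, that address is negotiated by PPPoE.

```python
"""Trace a LAN source through FPR NAT (on or off) and then the ISR's
ACL-selected dynamic NAT, modelled on the configs posted in the thread."""
import ipaddress

IP, NET = ipaddress.ip_address, ipaddress.ip_network

# ISR NAT policy transcribed from the posted config, in the order the
# `ip nat inside source list` lines appear: (ACL, subnet the ACL permits,
# address the matching pool maps it to).  List 1 overloads on Dialer1, whose
# address PPPoE negotiates, so it is modelled as a label rather than a fixed IP.
ISR_NAT_RULES = [
    ("1", NET("192.168.8.0/24"), "Dialer1 (negotiated)"),
    ("4", NET("192.168.3.0/24"), IP("207.108.121.179")),
    ("5", NET("192.168.4.0/24"), IP("207.108.121.178")),
    ("6", NET("192.168.5.0/24"), IP("207.108.121.182")),
    ("7", NET("192.168.6.0/24"), IP("207.108.121.177")),
    ("8", NET("192.168.2.0/24"), IP("207.108.121.181")),
    ("9", NET("192.168.1.0/24"), IP("207.108.121.180")),
]
FPR_OUTSIDE = IP("172.16.1.2")   # FPR Ethernet1/1: the `interface` address the FPR rule translates to


def fpr_forward(src, nat_enabled):
    """`nat (inside,outside) after-auto source dynamic any interface`, modelled
    as the reply reads it: with the rule present every source leaves towards the
    ISR as the FPR's outside address; without it the original source is kept."""
    return FPR_OUTSIDE if nat_enabled else src


def isr_translate(src):
    """IOS dynamic NAT: the first `ip nat inside source list` whose ACL permits
    the source decides the translation; an unmatched source is forwarded untouched."""
    for acl, permitted, mapped in ISR_NAT_RULES:
        if src in permitted:
            return acl, mapped
    return None, src


def egress(src, fpr_nat_enabled):
    """Trace one LAN source through both boxes to the ISP-facing link."""
    seen_by_isr = fpr_forward(src, fpr_nat_enabled)
    acl, on_wire = isr_translate(seen_by_isr)
    # A label (Dialer1) stands for a public address; an IP must be globally routable.
    routable = isinstance(on_wire, str) or on_wire.is_global
    return {"isr_sees": seen_by_isr, "isr_acl": acl, "on_wire": on_wire, "routable": routable}


def compare(hosts):
    """Per source host: egress with the FPR rule left in place vs. removed."""
    return {h: (egress(h, True), egress(h, False)) for h in hosts}


if __name__ == "__main__":
    sample = [IP("192.168.1.50"), IP("192.168.2.10"), IP("192.168.5.7")]   # constructed hosts
    for host, (with_nat, without) in compare(sample).items():
        for label, r in (("FPR NAT on ", with_nat), ("FPR NAT off", without)):
            print(f"{host}: {label} -> ISR sees {r['isr_sees']}, ACL {r['isr_acl']}, "
                  f"on wire {r['on_wire']} (routable={r['routable']})")
```

With the FPR rule in place every subnet reaches the ISR as 172.16.1.2, which none of ACLs 4-9 permit, so the ISR applies no translation and a private address would be handed to the ISP; with it removed, 192.168.1.x is matched by list 9 and mapped to 207.108.121.180, 192.168.2.x by list 8 to .181, and so on, which is the per-subnet mapping the ISR config is written for.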