489 Views | 2 Helpful | 3 Replies

No Internet Access, No PING Nexus L3 Interface from vlan 2-7

TheGoob (Level 4)

Hello!

So, I tried to clean up my configuration and I feel as a whole I am on it, but clearly missing something. Everything plugs into Nexus which connects to FPR which connects to ISR.

ISR - 6 [STATIC] WAN to [NETWORK] LAN NAT

DHCP Servers for Networks 2-7, no vlans.

6 STATIC Routes to Networks towards FPR

FPR - default 'nat inside,outside'

No vlan, No DHCP

6 STATIC Routes to Networks towards NEXUS

NEXUS - vlan 2-7, SVI for each vlan, 0.0.0.0 0.0.0.0 [FPR IP]

What is weird is that anything in VLAN 2-7 cannot even ping the NEXUS. Also, aside from that, or maybe this is the issue, the DHCP servers are on the ISR... through the FPR... to the NEXUS. Do I need DHCP relay set up on any of the routers?

Here are my 3 configs: NEXUS, ISR, FPR (in no particular order, just listed).

------------------------------
NEXUS
------------------------------

version 9.3(10) Bios:version 07.69
switchname NexusHOM

feature telnet
feature interface-vlan

ip route 0.0.0.0/0 172.16.2.1
vlan 1-7


interface Vlan1
  no shutdown
  ip address 192.168.10.3/24

interface Vlan2
  no shutdown
  ip address 192.168.1.1/24

interface Vlan3
  no shutdown
  ip address 192.168.2.1/24

interface Vlan4
  no shutdown
  ip address 192.168.3.1/24

interface Vlan5
  no shutdown
  ip address 192.168.4.1/24

interface Vlan6
  no shutdown
  ip address 192.168.6.1/24

interface Vlan7
  no shutdown
  ip address 192.168.5.1/24


interface Ethernet1/95
  description Link_to_FPR
  no switchport
  ip address 172.16.2.2/24
  no shutdown




---------------------------------------------
ISR
---------------------------------------------

version 17.9
!
hostname HoM
!
ip name-server 205.171.3.65 205.171.2.65
no ip domain lookup
ip dhcp excluded-address 192.168.4.0 192.168.4.2
ip dhcp excluded-address 192.168.4.129 192.168.4.255
ip dhcp excluded-address 192.168.6.0 192.168.6.2
ip dhcp excluded-address 192.168.6.129 192.168.6.255
ip dhcp excluded-address 192.168.3.0 192.168.3.2
ip dhcp excluded-address 192.168.3.130 192.168.3.255
ip dhcp excluded-address 192.168.1.0 192.168.1.2
ip dhcp excluded-address 192.168.2.0 192.168.2.2
ip dhcp excluded-address 192.168.5.0 192.168.5.2
ip dhcp excluded-address 192.168.5.129 192.168.5.255
!
ip dhcp pool 3
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 dns-server 8.8.8.8
 lease infinite
!
ip dhcp pool 4
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.1
 dns-server 8.8.8.8
 lease infinite
!
ip dhcp pool 5
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 dns-server 8.8.8.8
 lease infinite
!
ip dhcp pool 6
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.1
 dns-server 8.8.8.8
 lease infinite
!
ip dhcp pool 1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.4.115
 lease infinite
!
ip dhcp pool 2
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 192.168.4.115
 lease infinite
!
controller Cellular 0/2/0
!
vlan internal allocation policy ascending
!
vlan 8-9
!
interface GigabitEthernet0/0/0
 description WAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1460
 ip tcp adjust-mss 1412
 negotiation auto
 no cdp enable
 pppoe enable group global
 pppoe-client dial-pool-number 1
 spanning-tree portfast disable
!
interface GigabitEthernet0/0/1
 description Management
 ip address 192.168.8.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1/1
 shutdown
!
interface GigabitEthernet0/1/2
 shutdown
!
interface GigabitEthernet0/1/3
 switchport mode access
 shutdown
!
interface GigabitEthernet0/1/4
 switchport mode access
 shutdown
!
interface GigabitEthernet0/1/5
 description TO-FPR-WAN
 switchport access vlan 8
 switchport mode access
 spanning-tree portfast
!
interface Wlan-GigabitEthernet0/1/8
!
interface Cellular0/2/0
 no ip address
 shutdown
!
interface Cellular0/2/1
 no ip address
 shutdown
!
interface Vlan1
 description ISR default LAN
 ip address 192.168.10.2 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
interface Vlan8
 description Link_To_FPR
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface Vlan9
 description Link_To_NEXUS
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip nat pool 177 207.108.121.177 207.108.121.177 prefix-length 30
ip nat pool 178 207.108.121.178 207.108.121.178 prefix-length 30
ip nat pool 179 207.108.121.179 207.108.121.179 prefix-length 30
ip nat pool 182 207.108.121.182 207.108.121.182 prefix-length 30
ip nat pool 181 207.108.121.181 207.108.121.181 prefix-length 30
ip nat pool 180 207.108.121.180 207.108.121.180 prefix-length 30
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 4 pool 179 overload
ip nat inside source list 5 pool 178 overload
ip nat inside source list 6 pool 182 overload
ip nat inside source list 7 pool 177 overload
ip nat inside source list 8 pool 181 overload
ip nat inside source list 9 pool 180 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 172.16.1.2
ip route 192.168.2.0 255.255.255.0 172.16.1.2
ip route 192.168.3.0 255.255.255.0 172.16.1.2
ip route 192.168.4.0 255.255.255.0 172.16.1.2
ip route 192.168.5.0 255.255.255.0 172.16.1.2
ip route 192.168.6.0 255.255.255.0 172.16.1.2
!
ip access-list standard 1
 10 permit 192.168.8.0 0.0.0.255
ip access-list standard 2
 10 permit 10.0.0.0 0.0.0.255
ip access-list standard 4
 10 permit 192.168.3.0 0.0.0.255
ip access-list standard 5
 10 permit 192.168.4.0 0.0.0.255
ip access-list standard 6
 10 permit 192.168.5.0 0.0.0.255
ip access-list standard 7
 10 permit 192.168.6.0 0.0.0.255
ip access-list standard 8
 10 permit 192.168.2.0 0.0.0.255
ip access-list standard 9
 10 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit


----------------------------------
FPR
---------------------------------

NGFW Version 7.3.1
!
hostname firepower
!
interface Vlan1
 nameif inside
 security-level 0
 ip address 192.168.95.1 255.255.255.0
!
interface Ethernet1/1
 no switchport
 nameif outside [link_to_ISR]
 security-level 0
 ip address 172.16.1.2 255.255.255.0
!
interface Ethernet1/2
 no switchport
 nameif link_to_sg350xg
 security-level 0
 ip address 172.16.2.1 255.255.255.0
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup any
dns server-group CiscoUmbrellaDNSServerGroup
 name-server 208.67.222.222
 name-server 208.67.220.220
 name-server 2620:119:35::35
dns-group CiscoUmbrellaDNSServerGroup
no object-group-search access-control
object network any-ipv4
 subnet 0.0.0.0 0.0.0.0
object network any-ipv6
 subnet ::/0
object network IPv4-Private-10.0.0.0-8
 subnet 10.0.0.0 255.0.0.0
object network IPv4-Private-172.16.0.0-12
 subnet 172.16.0.0 255.240.0.0
object network IPv4-Private-192.168.0.0-16
 subnet 192.168.0.0 255.255.0.0
object network fbeye_lan_180
 subnet 192.168.1.0 255.255.255.0
object network fbeye_wan
 host 207.108.121.180
object network fhc_lan_181
 subnet 192.168.2.0 255.255.255.0
object network fhc_wan
 host 207.108.121.181
object network ISR
 host 172.16.1.1
object network main-182
 subnet 192.168.5.0 255.255.255.0
object network fbeye_mail
 host 192.168.1.180
object network fhc_181
 host 192.168.2.181
object network omv2-177
 subnet 192.168.6.0 255.255.255.0
object network proxmox-178
 subnet 192.168.4.0 255.255.255.0
object network ceyea-179
 subnet 192.168.3.0 255.255.255.0
object network sg350xg_gateway
 host 172.16.2.2
object-group network IPv4-Private-All-RFC1918
 network-object object IPv4-Private-10.0.0.0-8
 network-object object IPv4-Private-172.16.0.0-12
 network-object object IPv4-Private-192.168.0.0-16
object-group service |acSvcg-268435457
 service-object ip
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc link_to_sg350xg any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
!
nat (inside,outside) after-auto source dynamic any interface

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
route link_to_sg350xg 192.168.1.0 255.255.255.0 172.16.2.2 1
route link_to_sg350xg 192.168.2.0 255.255.255.0 172.16.2.2 1
route link_to_sg350xg 192.168.3.0 255.255.255.0 172.16.2.2 1
route link_to_sg350xg 192.168.4.0 255.255.255.0 172.16.2.2 1
route link_to_sg350xg 192.168.5.0 255.255.255.0 172.16.2.2 1
route link_to_sg350xg 192.168.6.0 255.255.255.0 172.16.2.2 1
!
dhcpd dns 192.168.4.115
!
dhcpd address 192.168.95.5-192.168.95.254 inside
dhcpd enable inside

Also, ignore anything named sg350xg; that is my Nexus, I just did not change the name.

3 Replies

Giuseppe Larosa (Hall of Fame)

Hello @TheGoob ,

the ISR accesses the public internet using PPPoE, and the Dialer1 interface configuration that is missing should have:

interface dialer 1

ip address negotiated

This means that your device has a dynamic IP address that is provided during PPPoE negotiation via IPCP.

The only possible NAT action is to NAT using the Dialer1 interface.

The following commands:

ip nat pool 177 207.108.121.177 207.108.121.177 prefix-length 30
ip nat pool 178 207.108.121.178 207.108.121.178 prefix-length 30
ip nat pool 179 207.108.121.179 207.108.121.179 prefix-length 30
ip nat pool 182 207.108.121.182 207.108.121.182 prefix-length 30
ip nat pool 181 207.108.121.181 207.108.121.181 prefix-length 30
ip nat pool 180 207.108.121.180 207.108.121.180 prefix-length 30
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 4 pool 179 overload
ip nat inside source list 5 pool 178 overload
ip nat inside source list 6 pool 182 overload
ip nat inside source list 7 pool 177 overload
ip nat inside source list 8 pool 181 overload
ip nat inside source list 9 pool 180 overload

Are you sure that those public IP addresses are yours?

And how can the ISP router reach them? Your device looks like it gets a dynamic IP address via PPPoE.

Hope to help

Giuseppe

I apologize, I omitted the PPPoE/Dialer1 information because I was trying to shorten the read and focus mainly on why the Nexus was not obtaining IP addresses from the ISR, through the FPR. When I get home I am going to try what LG below recommended about removing NAT on the FPR and, as long as nothing else in my configs is wrong, it will be successful.

liviu.gheorghe (Spotlight)

Hello @TheGoob,

Your FPR is doing NAT for inside interfaces into the IP of the outgoing interface, 172.16.1.2: 

nat (inside,outside) after-auto source dynamic any interface

You should put a "no" in front of it and things should start working.

Regards, LG
*** Please Rate All Helpful Responses ***
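As an added illustration (not part of any reply above, and not Cisco code), the following Python model transcribes the static routes and the ISR's "ip nat inside source list" statements from the three posted configs and traces one packet from a VLAN host through NEXUS, FPR and ISR. It assumes, as LG states, that the FPR's "nat (inside,outside) after-auto source dynamic any interface" rule rewrites every inside source to the outside interface address 172.16.1.2 before the packet reaches the ISR; the host address 192.168.3.50 and the function names are constructed for the example. It does not model DHCP relay or the PAT state table; its point is only which ISR NAT list, if any, the source address matches with and without the FPR translation.

```python
import ipaddress
from typing import Optional

# Routing tables transcribed from the three posted configs as (prefix, next_hop).
# next_hop None means the prefix is directly connected on that device.
NEXUS_ROUTES = (
    [("0.0.0.0/0", "172.16.2.1"), ("172.16.2.0/24", None), ("192.168.10.0/24", None)]
    + [(f"192.168.{i}.0/24", None) for i in range(1, 7)]  # SVIs for vlan 2-7
)
FPR_ROUTES = (
    [("0.0.0.0/0", "172.16.1.1"), ("172.16.1.0/24", None), ("172.16.2.0/24", None)]
    + [(f"192.168.{i}.0/24", "172.16.2.2") for i in range(1, 7)]
)
ISR_ROUTES = (
    [("0.0.0.0/0", "Dialer1"), ("172.16.1.0/24", None), ("192.168.8.0/24", None)]
    + [(f"192.168.{i}.0/24", "172.16.1.2") for i in range(1, 7)]
)

# ISR 'ip nat inside source list N ...' statements: (ACL prefix, translated source).
ISR_NAT_RULES = [
    ("192.168.8.0/24", "Dialer1"),          # list 1 -> interface Dialer1 overload
    ("192.168.3.0/24", "207.108.121.179"),  # list 4 -> pool 179
    ("192.168.4.0/24", "207.108.121.178"),  # list 5 -> pool 178
    ("192.168.5.0/24", "207.108.121.182"),  # list 6 -> pool 182
    ("192.168.6.0/24", "207.108.121.177"),  # list 7 -> pool 177
    ("192.168.2.0/24", "207.108.121.181"),  # list 8 -> pool 181
    ("192.168.1.0/24", "207.108.121.180"),  # list 9 -> pool 180
]

# Assumption: 'dynamic any interface' on the FPR translates sources to its outside address.
FPR_OUTSIDE_IP = "172.16.1.2"


def lookup(routes, dst: str):
    """Longest-prefix match over a (prefix, next_hop) table; 'no-route' if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else "no-route"


def isr_nat_source(src: str) -> Optional[str]:
    """Return the ISR NAT translation for a source address, or None if no list matches."""
    addr = ipaddress.ip_address(src)
    for prefix, translated in ISR_NAT_RULES:
        if addr in ipaddress.ip_network(prefix):
            return translated
    return None


def trace_outbound(src: str, dst: str, fpr_nat_enabled: bool) -> dict:
    """Follow a packet from a VLAN host through NEXUS, FPR and ISR toward the internet."""
    hops = [("NEXUS", src, lookup(NEXUS_ROUTES, dst))]
    fpr_next_hop = lookup(FPR_ROUTES, dst)
    if fpr_nat_enabled and fpr_next_hop == "172.16.1.1":
        src = FPR_OUTSIDE_IP  # dynamic PAT hides the real 192.168.x source from the ISR
    hops.append(("FPR", src, fpr_next_hop))
    hops.append(("ISR", src, lookup(ISR_ROUTES, dst)))
    return {"hops": hops, "src_seen_by_isr": src, "isr_nat": isr_nat_source(src)}


def trace_return(dst: str) -> list:
    """Next hop each device picks for a packet heading back to a VLAN host."""
    return [("ISR", lookup(ISR_ROUTES, dst)),
            ("FPR", lookup(FPR_ROUTES, dst)),
            ("NEXUS", lookup(NEXUS_ROUTES, dst))]


if __name__ == "__main__":
    # Constructed host in vlan 4 (192.168.3.0/24) talking to 8.8.8.8.
    for enabled in (True, False):
        r = trace_outbound("192.168.3.50", "8.8.8.8", enabled)
        print(f"FPR NAT {'on ' if enabled else 'off'}: ISR sees src {r['src_seen_by_isr']}, "
              f"ISR NAT list -> {r['isr_nat']}")
    print("return path to 192.168.3.50:", trace_return("192.168.3.50"))
```

With the FPR rule in place the ISR sees every VLAN source as 172.16.1.2, which matches none of its standard ACLs 1 or 4-9, so none of the per-network NAT statements apply; with the rule removed the original 192.168.3.0/24 source matches list 4 and the pool 179 translation, and the ISR's static routes for 192.168.x.0/24 via 172.16.1.2 carry the return traffic back through the FPR to the Nexus SVI.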