06-27-2021 12:10 PM
Hi everyone,
I am having some NAT problems with my C1111X-8P router. The network currently looks like this:
[ISP]
|
[EdgeRouter, internal: 10.0.0.1 external: dhcp] --- [other network: 192.168.1.0/24]
|
[Cisco C1111X-8P, g0/0/0: 10.0.0.100 via DHCP, vlan1 on all ports: 192.168.1.0/24]
|
[Lots of clients]
Now, all clients receive IP addresses from the 192.168.1.0/24 subnet; however, they can only sporadically access the internet. The NAT table is populated, but most web access, for example, fails or takes forever to load.
Also, I have noted a lot of inconsistencies when using the WebUI to configure the router. For example, when I activate NAT via the GUI on g0/0/0, the router does not receive an IP address, but it does immediately when NAT is disabled...
Please see below for an excerpt from my running-config:
version 17.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CiscoRouter
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone GMT 1 0
!
ip domain name localdomain.local
ip dhcp excluded-address 192.168.2.1 192.168.2.101
!
ip dhcp pool LAN
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8 8.8.4.4
!
!
login on-success log
!
!
subscriber templating
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-4065224063
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4065224063
revocation-check none
rsakeypair TP-self-signed-4065224063
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
license udi pid C1111X-8P sn XXXXXX
memory free low-watermark processor 73242
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii [redacted]
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
!
ip access-list standard 1
10 permit 192.168.2.0 0.0.0.255
!
Any help is greatly appreciated!!
Best
Andrew
06-27-2021 03:48 PM - edited 06-27-2021 03:49 PM
Hello
Have your clients point to the router itself for DNS and then have the rtr forward DNS queries. Also remove the default route pointing to the WAN interface, as it will create unnecessary ARPs. Lastly, you can set the MTU to avoid any fragmentation.
Example:
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
interface GigabitEthernet0/0/0
no ip dhcp client client-id ascii [redacted]
ip mtu 1492
ip tcp adjust-mss 1452
ip dhcp pool LAN
no dns-server 8.8.8.8 8.8.4.4
dns-server 192.168.2.1
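An added example, not posted by anyone in this thread: a small Python checker that applies the points from this solution (MSS clamped to the MTU, a single DHCP-learned default route, DNS pointing at the router's own inside address) plus a NAT ACL coverage check to a constructed excerpt of the original running-config. The `lint_nat_config` function and the sample config are assumptions for illustration, not Cisco tooling.

```python
import ipaddress
import re
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip nat outside
 ip mtu 1492
 ip tcp adjust-mss 1452
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
ip dhcp pool LAN
 network 192.168.2.0 255.255.255.0
 dns-server 192.169.2.1
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
ip access-list standard 1
 10 permit 192.168.2.0 0.0.0.255
"""  # constructed excerpt modelled on the thread's config; not the poster's full running-config

def sections(text):  # {header: [header + its indented lines]} for an IOS running-config
    out, hdr = {}, ""
    for raw in text.splitlines():
        hdr = hdr if raw.startswith(" ") else raw.strip()
        out.setdefault(hdr, []).append(raw.strip())
    return out
def lint_nat_config(text):  # findings for the NAT/DNS/route/MTU pitfalls raised in the thread
    cfg, findings, inside = sections(text), [], {}
    for hdr, lines in cfg.items():
        if hdr.startswith("interface ") and "ip nat inside" in lines:  # "ip address A M" -> "A/M"
            inside[hdr] = ipaddress.ip_interface(next(l[11:].replace(" ", "/") for l in lines if l.startswith("ip address ")))
        if hdr.startswith("interface ") and "ip nat outside" in lines:
            mtu = next((int(l.split()[2]) for l in lines if l.startswith("ip mtu ")), 0)
            mss = next((int(l.split()[3]) for l in lines if l.startswith("ip tcp adjust-mss ")), 0)
            if mtu and mss != mtu - 40:  # MSS = MTU minus 20-byte IP and 20-byte TCP headers
                findings.append(f"{hdr}: ip mtu {mtu} needs ip tcp adjust-mss {mtu - 40}, found {mss}")
    for hdr, lines in cfg.items():  # the thread's advice: clients resolve via the router itself
        for w in (l.split() for l in lines if hdr.startswith("ip dhcp pool ")):
            if w[0] == "dns-server" and (bad := [a for a in w[1:] if a not in {str(i.ip) for i in inside.values()}]):
                findings.append(f"{hdr}: dns-server {' '.join(bad)} is not the router's inside address")
    nat = next((h.split() for h in cfg if h.startswith("ip nat inside source list ")), None)
    if nat:  # ['ip','nat','inside','source','list',ACL,'interface',IFACE,'overload']
        nets = [ipaddress.ip_network(f"{m[1]}/{m[2]}") for l in cfg.get(f"ip access-list standard {nat[5]}", [])
                if (m := re.match(r"(?:\d+ )?permit (\S+) (\S+)$", l))]  # wildcard masks parse as hostmasks
        for hdr, i in inside.items():
            if not any(i.network.subnet_of(n) for n in nets):
                findings.append(f"{hdr}: {i.network} is not permitted by NAT ACL {nat[5]}")
    if sum(h.startswith("ip route 0.0.0.0 0.0.0.0 ") for h in cfg) > 1:
        findings.append("more than one default route; keep only the 'dhcp' one")
    return findings
```

Run against the sample it reports the mistyped DNS address and the duplicate default route; the ACL check only handles the wildcard-mask `permit` form shown in the thread.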
06-27-2021 02:17 PM
What is the edge router? Do the users connected to the edge router work as expected?
As per the diagram, your LAN IP address is 192.168.1.0/24, but your config shows 192.168.2.0/24? Please confirm.
[Cisco C1111X-8P, g0/0/0: 10.0.0.100 via DHCP, vlan1 on all ports: 192.168.1.0/24]
You need only 1 route; this is good enough:
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
Looks to me like an MTU issue here, since you said you are able to get internet, and it was noticed on and off?
06-27-2021 02:32 PM
Hello,
try and set the MTU size to something like 1400:
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii [redacted]
ip address dhcp
ip nat outside
--> ip mtu 1400
negotiation auto