routing configuration issue with Cisco isr 1100

Hi all,

 

I have an internal network on my Cisco ISR, 192.168.191.X/24. I have a client in that network that I would like to have outbound internet access. I can't seem to come up with the right ACL, or config to allow this. Also, from the router, I can ping the gateway and VIP of the 192.168.191.X subnet, but not the client. This is a cell router and the public IP is negotiated with the cell carrier. I can ping 8.8.8.8 outbound from the router.

 

Any help is much appreciated! This is my first foray into the Cisco CLI world so I am sure I am missing something easy. Config is below, thanks in advance!

 

#show config
Using 4990 out of 33554432 bytes
!
! Last configuration change at 16:28:15 PDT Tue Jun 2 2020
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname XXXXX
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor

!
no aaa new-model
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
!
ip dhcp pool WEBUIPool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
chat-script ltescript "" "AT!CALL1" TIMEOUT 20 "OK"
!
!
!
!
!

!
cts logging verbose
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
controller Cellular 0/2/0
lte sim data-profile 3 attach-profile 3 slot 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface Loopback1
description ### always-on interface ###
ip address 1.2.3.4 255.255.255.255
ip nat inside
!
interface Loopback4321
description ### DMNR NEMO Router Address -- Dummy non-routable IP ###
ip address 4.3.2.1 255.255.255.255
!
interface GigabitEthernet0/0/0
description Internal - 192.168.191.0
no ip address
ip tcp adjust-mss 1300
ip policy route-map clear-df
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Cellular0/2/0
description Primary_
ip address negotiated
no ip unreachables
ip nat outside
ip access-group 150 in
ip access-group 151 out
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer enable-timeout 6
dialer watch-group 1
dialer-group 1
ipv6 enable
pulse-time 1
!
interface Cellular0/2/1
no ip address
!
interface Vlan1
ip address 192.168.191.93 255.255.255.0
ip tcp adjust-mss 1390
ip policy route-map clear-df
ntp broadcast
vrrp 91 ip 192.168.191.252
vrrp 91 priority 110
!
ip nat inside source list 100 interface Cellular0/2/0 overload
ip forward-protocol nd
ip tcp mss 1300
ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
ip ssh time-out 60
ip ssh version 2
!
!
access-list 150 permit icmp host 8.8.8.8 any log
access-list 150 deny ip any any log
access-list 151 permit ip any any log
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
!
!
route-map clear-df permit 10
set ip df 0
!
!
!
control-plane
!
banner motd ^C
!
line con 0
transport input none
stopbits 1
line vty 0 4
login local
length 0
transport input ssh
!
!
!
!
!
!
end

 

#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1/0, Gi0/1/1, Gi0/1/2
                                                Gi0/1/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

 

Thanks!

 

 


In your configuration, you use ACL 100 for NAT.

 

But I do not see any ACL 100 added; maybe you need to change the config below to use the right ACL (150 or 151), depending on your requirement.

 

ip nat inside source list 100 interface Cellular0/2/0 overload

!
!
access-list 150 permit icmp host 8.8.8.8 any log
access-list 150 deny ip any any log
access-list 151 permit ip any any log

BB
*** Rate All Helpful Responses ***

Thanks for the quick reply, but no luck. Any other thoughts?

Can you explain your network more: what port is your LAN network connected to? What port on the router?

Is this a switch?

Where is this user connected? What is the IP address of the device?

 

BB
*** Rate All Helpful Responses ***

Host is plugged in to a catalyst, which is plugged into GigEth0/1/0 on the router.

 

This is a Cisco ISR 1100 with Verizon cellular.

 

IP address of host is 192.168.191.250

IP address of virtual IP on router is 192.168.191.93

IP address of default gateway, also on router, is 192.168.191.252

 

Host can ping .93 and .252. Host can intermittently ping the cellular interface of the router.

 

I cannot ping the host from the router, nor can the host access any external sites.

 

Thanks!


Add another command to the config:

 

dialer-list 100 protocol ip permit

 

If it still has an issue, post the complete config after the change as an attachment, and also the switch config.

 

Post the output below also:

sh interfaces cellular 0/2/0

show ip interface brief
sh cellular 0/2/0 connection
sh cellular 0/2/0 radio

 

BB
*** Rate All Helpful Responses ***

Hello,

 

make the changes marked with --> in your configuration:

 

Using 4990 out of 33554432 bytes
!
! Last configuration change at 16:28:15 PDT Tue Jun 2 2020
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname XXXXX
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
!
no aaa new-model
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
ip dhcp pool WEBUIPool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
subscriber templating
multilink bundle-name authenticated
!
chat-script ltescript "" "AT!CALL1" TIMEOUT 20 "OK"
!
cts logging verbose
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
redundancy
mode none
!
controller Cellular 0/2/0
lte sim data-profile 3 attach-profile 3 slot 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
vlan internal allocation policy ascending
!
interface Loopback1
description ### always-on interface ###
ip address 1.2.3.4 255.255.255.255
ip nat inside
!
interface Loopback4321
description ### DMNR NEMO Router Address -- Dummy non-routable IP ###
ip address 4.3.2.1 255.255.255.255
!
interface GigabitEthernet0/0/0
description Internal - 192.168.191.0
no ip address
ip tcp adjust-mss 1300
ip policy route-map clear-df
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Cellular0/2/0
description Primary_
ip address negotiated
no ip unreachables
ip nat outside
ip access-group 150 in
ip access-group 151 out
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer enable-timeout 6
dialer watch-group 1
dialer-group 1
ipv6 enable
pulse-time 1
!
interface Cellular0/2/1
no ip address
!
interface Vlan1
ip address 192.168.191.93 255.255.255.0
--> ip nat inside
ip tcp adjust-mss 1390
ip policy route-map clear-df
ntp broadcast
vrrp 91 ip 192.168.191.252
vrrp 91 priority 110
!
ip nat inside source list 100 interface Cellular0/2/0 overload
ip forward-protocol nd
ip tcp mss 1300
ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
ip ssh time-out 60
ip ssh version 2
!
--> access-list 100 permit ip 192.168.191.0 0.0.0.255 any
access-list 150 permit icmp host 8.8.8.8 any log
access-list 150 deny ip any any log
access-list 151 permit ip any any log
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
!
route-map clear-df permit 10
set ip df 0
!
control-plane
!
banner motd ^C
!
line con 0
transport input none
stopbits 1
line vty 0 4
login local
length 0
transport input ssh
!
end


Thanks for the quick reply, but no luck. Any other thoughts? I can gut the networks and ACLs and start over if that should work...

Hello,

 

post the running configuration again with the changes implemented that were suggested...



Hi Georg, this actually did the trick. I can now ping outside IP addresses. I can't resolve hosts to actually visit websites, but IPs work.

Thanks for the quick reply!

 

show run
Building configuration...


Current configuration : 8834 bytes
!
! Last configuration change at 12:00:40 PDT Wed Jun 3 2020
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
!
no aaa new-model
clock timezone pacific -8 0
clock summer-time PDT recurring
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
!
ip dhcp pool WEBUIPool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
chat-script ltescript "" "AT!CALL1" TIMEOUT 20 "OK"
!
!
!
cts logging verbose
license udi pid C1111-4PLTEEA
license smart enable
license smart conversion automatic
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
controller Cellular 0/2/0
lte sim data-profile 3 attach-profile 3 slot 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface Loopback1
description ### always-on interface ###
ip address 1.2.3.4 255.255.255.255
ip nat inside
!
interface Loopback4321
description ### DMNR NEMO Router Address -- Dummy non-routable IP ###
ip address 4.3.2.1 255.255.255.255
!
interface GigabitEthernet0/0/0
description Internal - 192.168.191.0
no ip address
ip tcp adjust-mss 1300
ip policy route-map clear-df
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Cellular0/2/0
description Primary_
ip address negotiated
no ip unreachables
ip nat outside
ip access-group 150 in
ip access-group 151 out
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer enable-timeout 6
dialer watch-group 1
dialer-group 1
ipv6 enable
pulse-time 1
!
interface Cellular0/2/1
no ip address
!
interface Vlan1
ip address 192.168.191.93 255.255.255.0
ip nat inside
ip tcp adjust-mss 1390
ip policy route-map clear-df
ntp broadcast
vrrp 91 ip 192.168.191.252
vrrp 91 priority 110
!
ip nat inside source list 100 interface Cellular0/2/0 overload
ip forward-protocol nd
ip tcp mss 1300
ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
ip ssh time-out 60
ip ssh version 2
!
!
access-list 100 permit ip 192.168.191.0 0.0.0.255 any log
access-list 150 permit ip host 134.197.190.184 any log
access-list 150 permit ip host 131.216.32.184 any log
access-list 150 permit icmp host 8.8.8.8 any log
access-list 150 deny ip any any log
access-list 151 permit ip any any log
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
!
!
route-map clear-df permit 10
set ip df 0
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
login local
length 0
transport input ssh
!
!
!
!
!
!
end


Hello,

 

remove the 'log' keyword from the access list. Access list logging causes the traffic to be process switched, and kills your NAT.

 

So make sure the access list looks exactly like this:

 

access-list 100 permit ip 192.168.191.0 0.0.0.255 any
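As an added example (not from the thread, and not Cisco tooling), a small Python lint that reads an IOS running-config text and flags the three defects this thread worked through: the NAT statement naming an access-list that is not defined, a LAN interface inside the NAT source range without "ip nat inside", and the "log" keyword on the NAT access-list. The config excerpt is constructed, and "lint_nat" is a hypothetical helper name.

```python
import ipaddress
import re

NAT_RE = re.compile(r"^ip nat inside source list (\S+) interface \S+")
ACL_RE = re.compile(r"^access-list (\S+) permit ip ([\d.]+) ([\d.]+) ")
ADDR_RE = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")

def lint_nat(config):
    """Return the NAT defects found in an IOS config text; [] means the wiring is complete."""
    ifaces, acls, nat_acls, cur = {}, {}, [], None
    for raw in config.splitlines():               # pass 1: collect what NAT overload depends on
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]          # now inside an interface block
        elif line == "!":
            cur = None                            # "!" closes the block
        elif cur and (m := ADDR_RE.match(line)):
            ifaces.setdefault(cur, {})["addr"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif cur and line in ("ip nat inside", "ip nat outside"):
            ifaces.setdefault(cur, {})["nat"] = line.split()[-1]
        elif line.startswith("access-list "):
            acls.setdefault(line.split()[1], []).append(line)
        elif m := NAT_RE.match(line):
            nat_acls.append(m[1])
    out = []
    for acl in nat_acls:                          # pass 2: the checks
        if acl not in acls:
            out.append(f"access-list {acl} referenced by NAT is not defined")
            continue
        if any(e.endswith(" log") for e in acls[acl]):
            out.append(f"access-list {acl} uses 'log' (process switching breaks NAT)")
        for m in filter(None, map(ACL_RE.match, acls[acl])):   # "permit ip <net> <wildcard>" entries
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}")        # wildcard is a host mask to ipaddress
            for name, i in ifaces.items():        # every LAN interface in that range needs nat inside
                if i.get("addr") and i["addr"].ip in net and i.get("nat") != "inside":
                    out.append(f"{name} is in {net} but lacks 'ip nat inside'")
    return out

# Constructed excerpt (not the poster's full config): ACL 100 exists but keeps "log", and Vlan1 lacks "ip nat inside".
BROKEN_CFG = """\
interface Vlan1
 ip address 192.168.191.93 255.255.255.0
!
ip nat inside source list 100 interface Cellular0/2/0 overload
access-list 100 permit ip 192.168.191.0 0.0.0.255 any log
"""
FIXED_CFG = BROKEN_CFG.replace(" any log", " any").replace(
    "255.255.255.0\n", "255.255.255.0\n ip nat inside\n")
```

Running lint_nat on a full "show run" capture works the same way; only the NAT statement, the access-lists and the interface blocks are read.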