Routing issue

nawate77
Level 1

Hi guys, my first post. Kindly please tell me what's wrong with my configs that I cannot connect to the internet.


!
ip dhcp relay information trust-all
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.11.1 192.168.11.10
!
ip dhcp pool xxxx
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
dns-server x.x.208.19 x.x.208.18 
!
!
!
ip dhcp global-options
dns-server 41.203.208.19 41.203.208.18
!
ip name-server 192.168.11.1
ip name-server 197.x.x.2
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server x.x.208.19
ip name-server x.x.208.18
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
interface FastEthernet0
switchport access vlan 50
no ip address
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 50
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 50
no ip address
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 50
no ip address
spanning-tree portfast
!
interface FastEthernet4
ip address x.x.x.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
description $ETH_LAN$
ip address 10.10.10.1 255.255.255.248
ip tcp adjust-mss 1452
!
interface Vlan50
ip address 192.168.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
no ip address
no cdp enable
!
ip default-gateway 197.248.111.1
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication aaa
ip http secure-server
ip http secure-trustpoint netCA
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip dns spoofing 192.168.11.1
ip nat inside source list NAT_INSIDE interface FastEthernet4 overload
ip default-network x.x.111.0
ip route 0.0.0.0 0.0.0.0 x.x.111.1
!
ip access-list standard NAT_INSIDE
permit 192.168.11.0 0.0.0.255
!
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!

Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello Nawate77,

At first glance the configuration looks correct, but it allows access to the Internet only to users in Vlan 50 and not to users in Vlan 1.

If you have ip routing enabled, the ip default-gateway command is not needed.

It is really important that your default static route ip route 0.0.0.0 0.0.0.0 uses an IP next-hop that is reached out of Fas4, the outside interface.

NAT is only triggered when traffic is received on an inside interface and has to be sent out a NAT outside interface.

To verify if you have a working internet connection from the router shell, you can try to ping 8.8.8.8.

If this works, you can move on to an extended ping and specify a source IP address of Vlan 50 on the router.

You may also want to configure ip tcp adjust-mss 1452 under Vlan 50 as well, to avoid issues with MTU if you are using a PPPoE internet access. I think this is needed. Alternatively, configure ip mtu 1492 on Fas4 and under the Vlan50 SVI.

 

Hope to help

Giuseppe
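
The conditions named in the accepted answer (default-route next hop reachable through the NAT outside interface, translation only for interfaces marked ip nat inside and permitted by the NAT ACL) can be checked offline against a saved config. This Python code is an added example, not part of any post in the thread; parse and audit are hypothetical helper names, the sample config is constructed, and it assumes unmasked addresses and a single standard ACL used for NAT.

```python
import ipaddress

# Constructed sample; 203.0.113.0/24 stands in for the masked x.x.x.x WAN range.
SAMPLE = """\
interface FastEthernet4
ip address 203.0.113.2 255.255.255.0
ip nat outside
interface Vlan1
ip address 10.10.10.1 255.255.255.248
interface Vlan50
ip address 192.168.11.1 255.255.255.0
ip nat inside
ip nat inside source list NAT_INSIDE interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip access-list standard NAT_INSIDE
permit 192.168.11.0 0.0.0.255
"""

def parse(config):  # accepts a flattened (unindented) config, as pasted above
    ifaces, nat_nets, next_hop, cur = {}, [], None, None
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["interface"]:
            cur = ifaces.setdefault(w[1], {"net": None, "nat": None})
        elif cur is not None and len(w) == 4 and w[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif cur is not None and len(w) == 3 and w[:2] == ["ip", "nat"]:
            cur["nat"] = w[2]                    # "inside" or "outside"
        elif w[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            next_hop = ipaddress.ip_address(w[4])
        elif len(w) == 3 and w[0] == "permit":   # assumed NAT ACL: net + wildcard
            nat_nets.append(ipaddress.ip_network(f"{w[1]}/{w[2]}"))
    return ifaces, next_hop, nat_nets

def audit(config):
    """Return findings for the routing/NAT conditions named in the answer."""
    ifaces, next_hop, nat_nets = parse(config)
    outside = [i["net"] for i in ifaces.values() if i["nat"] == "outside" and i["net"]]
    findings = []
    if next_hop is None or not any(next_hop in net for net in outside):
        findings.append("default route next hop is not on a NAT outside subnet")
    for name, i in ifaces.items():
        if i["net"] is None or i["nat"] == "outside":
            continue
        if i["nat"] != "inside":
            findings.append(f"{name}: no 'ip nat inside', traffic is not translated")
        elif not any(i["net"].subnet_of(n) for n in nat_nets):
            findings.append(f"{name}: subnet not permitted by the NAT ACL")
    return findings
```

Calling audit(SAMPLE) reports only Vlan1, matching the observation that Vlan 50 users are translated and Vlan 1 users are not.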

 


jurczak
Level 1

Hello,

 

Try moving the settings from FA4 to VLAN1 and remove the ip default-network from the global config.

 

interface FastEthernet4
no ip address

 

interface Vlan1
ip address x.x.x.2 255.255.255.0
ip nat outside

 

ip nat inside source list NAT_INSIDE interface Vlan1 overload

 

In any case, I think that it would be better to use vlan50 or any other vlan as the WAN interface.

Hello,

 

On a side note, looking at your config, the fact that you have an entire class C network available for your outside interface seems odd. Typically, the mask would be 255.255.255.252, and then you would use 197.248.111.1 as the next hop, and 197.248.111.2 for the FastEthernet4 address. So try and change the mask as below (marked in bold):

 

interface FastEthernet4
ip address 197.248.111.2 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto

 

The masking of 255.255.255.252 on the required mask, thanks for that.
Also I had to do port-tagging on fa4 to the ISP vlan.