
Upgrade from C887VA to ISR4451 - no Internet, gateway IP = network?

DazOG
Beginner

Hi

Really hoping someone can help as I feel like a bit of an idiot at the moment…

I’ve got a Cisco 887VA router that I’m looking to replace with an ISR4451-X.  The 887VA is connected to a fibre router provided by our supplier (a Technicolor DGA4134).  The 887VA router is working fine with the following (redacted) configuration:

interface FastEthernet0
no ip address

interface FastEthernet1
switchport trunk allowed vlan 100
switchport mode trunk
no ip address

interface Vlan1
description WAN
ip address 1.1.1.137 255.255.255.248
ip nat outside

interface Vlan100
description LAN
ip address 10.1.0.1 255.255.255.0
ip nat inside

ip access-list extended COMPANY-LAN
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 224.0.0.0 15.255.255.255
deny ip any 127.0.0.0 0.255.255.255
permit ip 10.1.0.0 0.0.0.255 any

ip nat inside source list COMPANY-LAN interface Vlan1 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.136

 

The first three octets of the public IPs are made up, but the last octet and netmask are as they are on the router.

The ISR is configured similarly, although it is being prepared for a dual failover ISP setup with a leased line due to be installed.  It also has a NIM-ES-4 installed, hence the VLAN config.  The pertinent config is as follows:

interface GigabitEthernet0/0/0
description LEASED LINE ISP
ip address 192.168.0.1 255.255.255.0
ip nat outside

interface GigabitEthernet0/0/2
description FIBRE ISP
ip address 1.1.1.137 255.255.255.248
ip nat outside

interface Vlan1
no ip address
shutdown

interface Vlan100
description LAN
ip address 10.1.0.1 255.255.255.0
ip nat inside

interface GigabitEthernet0/1/0
description ROUTER TO SWITCH
switchport trunk allowed vlan 100
switchport mode trunk

ip access-list extended COMPANY-LAN
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 224.0.0.0 15.255.255.255
deny ip any 127.0.0.0 0.255.255.255
permit ip 10.1.0.0 0.0.0.255 any

ip nat inside source route-map NAT-LEASEDLINE interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NAT-FIBRE interface GigabitEthernet0/0/2 overload
ip route 0.0.0.0 0.0.0.0 192.168.0.2 track 5
ip route 0.0.0.0 0.0.0.0 1.1.1.136 10

track 5 ip sla 1 reachability

ip sla 1
icmp-echo 192.168.0.2 source-interface GigabitEthernet0/0/0
threshold 1000
timeout 1000
frequency 10
ip sla schedule 1 life forever start-time now

route-map NAT-FIBRE permit 10
match ip address ext COMPANY-LAN
match interface GigabitEthernet0/0/2

route-map NAT-LEASEDLINE permit 10
match ip address ext COMPANY-LAN
match interface GigabitEthernet0/0/0

The “ip sla” stuff seems to be working properly, looking at “ip route” it shows the gateway of last resort is 1.1.1.136 (per the ip route statements).

The problem I’ve got is that I can’t ping any Internet address from the ISR, or from any machine on the LAN (10.1.0.x).

What sticks out to me is that 1.1.1.136/29 apparently gives me useable addresses between .137 - .142, but on the Fibre router the gateway address is apparently 1.1.1.136 - the same as the network address?  Surely this is wrong, isn’t it?

But why does this configuration work on the C887VA and not the ISR?  Is it because the C887VA ports are layer 3, and the ports on the ISR are a mixture of layer 2 (built in) and layer 3 (NIM-ES-4)?

IMG_6935.jpeg

Thanks in advance for any help provided

 


pieterh
VIP

What device produces this screenshot? (It mentions firewalling?)
Indeed, x.x.x.136 as default gateway sounds not correct.
It may be a bug in the software that generates this output.

It may also indicate the network connecting the ISP is not /29.
Maybe your interface to your ISP has a larger netmask, but you are only assigned a range (not a subnet) within this mask.

Source and destination netmask CAN be different; it will work as long as the addresses fall within each other's netmask.
This explains it has no effect on the 0.0.0.0 route.
Real firewalls also check the netmask to match, so there it will not work.

 

Thanks.

I forgot to bump this thread, but I managed to get it working.

To answer your initial question - the device that produced that screenshot is the Technicolor DGA4134 router that was supplied preconfigured by our ISP.  I managed to get admin access to it to get that screenshot.

Regards whether they are using a bigger subnet - the WAN IPs for this router are completely different, a different range and subnet. x.x.x.136/29 are our routed LAN IPs, confirmed in documentation.

I ended up fixing it by bumping the "Gateway Address" on that router to .137, and changed the IP on my Cisco to .138, with a corresponding change to the default route. After I did this everything sprang into life.

I thought I must be doing something wrong if the existing configuration (gateway .136, Cisco .137) was working on my Cisco 887VA router, but not on the ISR4451, but in the interests of not losing any more sleep over it I've just sacrificed a public IP that I perhaps should never have had.

Thanks for taking the time to reply

Thanks for the follow-up.
Good to hear you solved the problem.
Greetings,

Pieter
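The question raised in this thread (a default route whose next hop, .136, is the network address of the connected /29) can be checked mechanically before a cutover. The following is an added example, not part of the original posts: `check_next_hops` and `SAMPLE_CONFIG` are hypothetical names, and the sample is constructed from the redacted ISR configuration above.

```python
import ipaddress
import re

# Constructed sample, modelled on the redacted ISR config in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet0/0/2
 ip address 1.1.1.137 255.255.255.248
interface Vlan100
 ip address 10.1.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.0.2 track 5
ip route 0.0.0.0 0.0.0.0 1.1.1.136 10
"""

ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$", re.I)
ROUTE_RE = re.compile(r"^\s*ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)", re.I)

def check_next_hops(config):
    """Return (next_hop, verdict) for each static route with an IP next hop."""
    # Collect every connected subnet from "ip address <addr> <mask>" lines.
    connected = []
    for line in config.splitlines():
        m = ADDR_RE.match(line)
        if m:
            connected.append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
    findings = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        hop = ipaddress.ip_address(m.group(3))
        verdict = "not on a connected subnet"
        for iface in connected:
            net = iface.network
            if hop not in net:
                continue
            if hop == iface.ip:
                verdict = f"router's own address in {net}"
            # /31 and /32 have no reserved network/broadcast address.
            elif net.prefixlen < 31 and hop == net.network_address:
                verdict = f"network address of {net}"
            elif net.prefixlen < 31 and hop == net.broadcast_address:
                verdict = f"broadcast address of {net}"
            else:
                verdict = f"usable host in {net}"
            break
        findings.append((str(hop), verdict))
    return findings
```

Run against the original addressing it flags the 1.1.1.136 next hop as the network address of 1.1.1.136/29; with the addressing from the fix (gateway .137, router .138) both next hops report as usable hosts.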
