11-20-2023 03:48 PM - edited 11-20-2023 04:03 PM
Hi
Really hoping someone can help as I feel like a bit of an idiot at the moment…
I’ve got a Cisco 887VA router that I’m looking to replace with an ISR4451-X. The 887VA is connected to a fibre router provided by our supplier (a Technicolor DGA4134). The 887VA router is working fine with the following (redacted) configuration:
interface FastEthernet0
no ip address
interface FastEthernet1
switchport trunk allowed vlan 100
switchport mode trunk
no ip address
interface Vlan1
description WAN
ip address 1.1.1.137 255.255.255.248
ip nat outside
interface Vlan100
description LAN
ip address 10.1.0.1 255.255.255.0
ip nat inside
ip access-list extended COMPANY-LAN
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 224.0.0.0 15.255.255.255
deny ip any 127.0.0.0 0.255.255.255
permit ip 10.1.0.0 0.0.0.255 any
ip nat inside source list COMPANY-LAN interface Vlan1 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.136
The first three octets of the public IPs are made up, but the last octet and netmask are as they are on the router.
The ISR is configured similarly, although it is being prepared for a dual failover ISP setup with a leased line due to be installed. It also has a NIM-ES-4 installed, hence the VLAN config. The pertinent config is as follows:
interface GigabitEthernet0/0/0
description LEASED LINE ISP
ip address 192.168.0.1 255.255.255.0
ip nat outside
interface GigabitEthernet0/0/2
description FIBRE ISP
ip address 1.1.1.137 255.255.255.248
ip nat outside
interface Vlan1
no ip address
shutdown
interface Vlan100
description LAN
ip address 10.1.0.1 255.255.255.0
ip nat inside
interface GigabitEthernet0/1/0
description ROUTER TO SWITCH
switchport trunk allowed vlan 100
switchport mode trunk
ip access-list extended COMPANY-LAN
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 224.0.0.0 15.255.255.255
deny ip any 127.0.0.0 0.255.255.255
permit ip 10.1.0.0 0.0.0.255 any
ip nat inside source route-map NAT-LEASEDLINE interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NAT-FIBRE interface GigabitEthernet0/0/2 overload
ip route 0.0.0.0 0.0.0.0 192.168.0.2 track 5
ip route 0.0.0.0 0.0.0.0 1.1.1.136 10
track 5 ip sla 1 reachability
ip sla 1
icmp-echo 192.168.0.2 source-interface GigabitEthernet0/0/0
threshold 1000
timeout 1000
frequency 10
ip sla schedule 1 life forever start-time now
route-map NAT-FIBRE permit 10
match ip address ext COMPANY-LAN
match interface GigabitEthernet0/0/2
route-map NAT-LEASEDLINE permit 10
match ip address ext COMPANY-LAN
match interface GigabitEthernet0/0/0
The “ip sla” stuff seems to be working properly, looking at “ip route” it shows the gateway of last resort is 1.1.1.136 (per the ip route statements).
The problem I’ve got is that I can’t ping any Internet address from the ISR, or from any machine on the LAN (10.1.0.x).
What sticks out to me is that 1.1.1.136/29 apparently gives me useable addresses between .137 - .142, but on the Fibre router the gateway address is apparently 1.1.1.136 - the same as the network address? Surely this is wrong, isn’t it?
But why does this configuration work on the C887VA and not the ISR? Is it because the C887VA ports are layer 3, and the ports on the ISR are a mixture of layer 2 (built in) and layer 3 (NIM-ES-4)?
Thanks in advance for any help provided
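The question raised in this post (can a next hop of .136 be valid on 1.1.1.136/29?) can be checked mechanically. What follows is an added example, not code from the thread or from Cisco: a small Python script that reads the interface addresses and static default routes out of an IOS-style config fragment and reports, for each next hop, whether it is a usable host on a connected subnet, the network address, the broadcast address, or not on any connected subnet at all. The config text embedded in it is constructed to mirror the (redacted) ISR addressing above, and the function names are my own.

```python
"""Sanity-check static default-route next hops against connected subnets.

Added example for the thread above; not the poster's or Cisco's code.
Parses only the two IOS line forms it needs:
  interface <name>
   ip address <addr> <mask>
  ip route 0.0.0.0 0.0.0.0 <next-hop> [...]
"""
import ipaddress
import re

# Constructed config fragment mirroring the ISR addressing in the post
# (public range redacted to 1.1.1.x exactly as in the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 description LEASED LINE ISP
 ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet0/0/2
 description FIBRE ISP
 ip address 1.1.1.137 255.255.255.248
ip route 0.0.0.0 0.0.0.0 192.168.0.2 track 5
ip route 0.0.0.0 0.0.0.0 1.1.1.136 10
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
ADDR_RE = re.compile(r"^\s*ip address\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")
DEFAULT_ROUTE_RE = re.compile(r"^ip route\s+0\.0\.0\.0\s+0\.0\.0\.0\s+(\d+\.\d+\.\d+\.\d+)")


def parse_interfaces(config):
    """Return {interface name: IPv4Interface} for every interface with an address."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current:
            # IPv4Interface accepts dotted-decimal masks and keeps the host bits.
            interfaces[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces


def parse_default_routes(config):
    """Return the next-hop addresses of all 'ip route 0.0.0.0 0.0.0.0 ...' lines, in order."""
    return [m.group(1) for m in map(DEFAULT_ROUTE_RE.match, config.splitlines()) if m]


def classify_next_hop(next_hop, interfaces):
    """Classify a next hop against the connected subnets.

    Returns (verdict, interface name). Verdicts:
      "ok"                - a usable host address on a connected subnet
      "network-address"   - the all-zeros host of a connected subnet (e.g. .136 on /29)
      "broadcast-address" - the all-ones host of a connected subnet (e.g. .143 on /29)
      "self"              - the router's own interface address
      "not-connected"     - no connected subnet contains the address
    """
    hop = ipaddress.IPv4Address(next_hop)
    for name, iface in interfaces.items():
        net = iface.network
        if hop not in net:
            continue
        # /31 and /32 have no reserved network/broadcast host, so skip those checks there.
        if net.prefixlen < 31 and hop == net.network_address:
            return "network-address", name
        if net.prefixlen < 31 and hop == net.broadcast_address:
            return "broadcast-address", name
        if hop == iface.ip:
            return "self", name
        return "ok", name
    return "not-connected", None


def check_config(config):
    """Return [(next_hop, verdict, interface)] for every default route in the config."""
    interfaces = parse_interfaces(config)
    return [(hop, *classify_next_hop(hop, interfaces)) for hop in parse_default_routes(config)]


if __name__ == "__main__":
    for hop, verdict, iface in check_config(SAMPLE_CONFIG):
        print(f"default route via {hop:<15} -> {verdict:<18} ({iface})")
```

Run against the constructed fragment, the leased-line next hop 192.168.0.2 is reported as a usable host on GigabitEthernet0/0/0, while 1.1.1.136 is reported as the network address of 1.1.1.136/29 on GigabitEthernet0/0/2 (usable hosts are .137 to .142, .143 is broadcast). Whether a given platform will still ARP for and forward to such a next hop varies, which is exactly the kind of difference between two boxes that is painful to debug by hand; the point of the check is to flag it before the cutover regardless of what the old router happened to tolerate.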
11-24-2023 04:02 AM
What device produces this screenshot? (It mentions firewalling?)
Indeed, x.x.x.136 as default gateway does not sound correct.
It may be a bug in the software that generates this output.
It may also indicate that the network connecting to the ISP is not a /29.
Maybe your interface to your ISP has a larger netmask, but you are only assigned a range (not a subnet) within this mask.
Source and destination netmask CAN be different; it will work as long as the addresses fall within each other's netmask.
This explains why it has no effect on the 0.0.0.0 route.
Real firewalls also check that the netmask matches, so there it will not work.
11-24-2023 04:14 AM - edited 11-24-2023 04:15 AM
Thanks.
I forgot to bump this thread, but I managed to get it working.
To answer your initial question - the device that produced that screenshot is the Technicolor DGA4134 router that was supplied preconfigured by our ISP. I managed to get admin access to it to get that screenshot.
Regarding whether they are using a bigger subnet - the WAN IPs for this router are completely different, a different range and subnet. x.x.x.136/29 are our routed LAN IPs, confirmed in documentation.
I ended up fixing it by bumping the "Gateway Address" on that router to .137, and changed the IP on my Cisco to .138, with a corresponding change to the default route. After I did this everything sprang into life.
I thought I must be doing something wrong if the existing configuration (gateway .136, Cisco .137) was working on my Cisco 887VA router but not on the ISR4451, but in the interests of not losing any more sleep over it I've just sacrificed a public IP that I perhaps should never have had.
Thanks for taking the time to reply
11-24-2023 05:16 AM
Thanks for the follow-up.
Good to hear you solved the problem.
greetings,
Pieter