01-22-2016 08:21 AM - edited 03-08-2019 03:30 AM
Hello,
I am having a problem configuring a 2901 with a 100/100 Ethernet circuit.
The router can get out and ping externally, but my clients cannot.
The clients can ping the router's WAN interface, but are unable to ping the provider gateway.
Provider = X.X.0.237 / 30
WAN IP- X.X.0.238 /30
LAN IP Block = X.X.174.16 /29
I have set up the router with the config below, but clients are unable to get access.
Any guidance is appreciated.
ROUTER#sh run
Building configuration...
Current configuration : 3588 bytes
!
! Last configuration change at 15:53:22 UTC Fri Jan 22 2016 by
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 XXXX
!
no aaa new-model
!
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool net
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
lease 5
!
!
!
ip domain name yourdomain.com
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-1202956097
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1202956097
revocation-check none
rsakeypair TP-self-signed-1202956097
!
!
crypto pki certificate chain TP-self-signed-1202956097
certificate self-signed 01
quit
license udi pid CISCO2901/K9 sn FJC1904A2YF
!
!
username XXXX privilege 15 one-time secret 5 XX
username XXXX privilege 15 secret 5 XX
!
redundancy
!!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description CenturyLink Test
ip address X.X.0.238 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static 192.168.1.1 X.X.0.238
ip route 0.0.0.0 0.0.0.0 X.X.0.237
!
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
password XXXX
login
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
01-22-2016 08:51 AM
You do need NAT but not sure what this is meant to be doing -
ip nat inside source static 192.168.1.1 X.X.0.238
so unless you have a good reason for it remove that command and try this -
access-list 101 permit 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface gi0/0 overload
Jon
01-22-2016 09:00 AM
No good reason besides I thought it was the proper config ;) I do not have much experience setting up NAT.. I appreciate your reply..
I have cleared out: ip nat inside source static 192.168.1.1 X.X.0.238
I had to use: do clear ip nat trans *
I get an error trying to add in the access list:
ROUTER(config)#access-list 101 permit 192.168.1.0 0.0.0.255 any
^
% Invalid input detected at '^' marker.
The marker is under the "." between the first 2 octets... Any ideas?
01-22-2016 09:03 AM
Sorry, that should have read -
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
Jon
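The condition behind the fix in this exchange, as an added example that is not part of the original thread: a small Python check that reads a running-config and reports inside networks that no `overload` rule covers. The function name `check_pat` is hypothetical, and the sample configs are constructed, with 203.0.113.238 standing in for the masked WAN address.

```python
import ipaddress
import re

# Constructed sample: 203.0.113.238 replaces the masked X.X.0.238 WAN address.
BASE = """interface GigabitEthernet0/0
 ip address 203.0.113.238 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
"""
BEFORE = BASE + "ip nat inside source static 192.168.1.1 203.0.113.238\n"
AFTER = BASE + ("access-list 101 permit ip 192.168.1.0 0.0.0.255 any\n"
                "ip nat inside source list 101 interface GigabitEthernet0/0 overload\n")

def check_pat(config):
    """Return reasons why inside hosts would leave the router untranslated."""
    ifaces, acls, rules, statics, cur = {}, {}, [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {})
        elif line == "!":
            cur = None  # end of the interface block
        elif cur is not None and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cur["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif cur is not None and (m := re.match(r"ip nat (inside|outside)$", line)):
            cur["role"] = m.group(1)
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) any$", line):
            # ip_network accepts the ACL wildcard (host mask) form directly
            acls.setdefault(m.group(1), []).append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+) overload$", line):
            rules.append((m.group(1), m.group(2)))
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)$", line):
            statics.append(m.group(1))
    findings = []
    for name, ifc in ifaces.items():
        if ifc.get("role") != "inside" or "net" not in ifc:
            continue
        covered = any(
            ifaces.get(out, {}).get("role") == "outside"
            and any(ifc["net"].subnet_of(src) for src in acls.get(acl, []))
            for acl, out in rules)
        if not covered:
            findings.append(f"{name}: no overload rule covers {ifc['net']}")
    if statics and not rules:
        findings.append("only static NAT present: " + ", ".join(statics))
    return findings
```

`check_pat(BEFORE)` reports the uncovered 192.168.1.0/24 network and the lone static entry for the router's own address; `check_pat(AFTER)` returns an empty list.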
01-22-2016 09:30 AM
I am waiting on the end user to test to confirm..
But could have another issue..
I tried to confirm using extended ping - but get the error trying to use an inside address.
Source address or interface: 192.168.1.21
% Invalid source. Must use same-VRF IP address or full interface name without spaces (e.g. Serial0/1)
I began debugging NAT and I'm seeing an Expiration in the log..
ROUTER#
*Jan 22 17:22:47.001: NAT: s=192.168.1.21->x.x.0.238, d=8.8.8.8 [20364]
*Jan 22 17:22:47.029: NAT: s=8.8.8.8, d=x.x.0.238->192.168.1.21 [61945]
*Jan 22 17:22:47.281: NAT: expiring x.x.0.238 (192.168.1.21) udp 50547 (50547)
ROUTER#sh ip nat stat
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Peak translations: 33, occurred 22:46:14 ago
Outside interfaces:
GigabitEthernet0/0
Inside interfaces:
GigabitEthernet0/1
Hits: 29895 Misses: 0
CEF Translated packets: 15371, CEF Punted packets: 770
Expired translations: 2493
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 101 interface GigabitEthernet0/0 refcount 2
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
Any ideas what's causing this ?
01-22-2016 09:45 AM
You can't use an IP that does not belong to the router as the source IP.
You really need to test from an end client.
Jon
01-22-2016 11:12 AM
Hi Jon,
I just received confirmation the clients are working but speed tests show a much slower rate..
Bypassing the router and hardcoding a laptop gets us close to full bandwidth..
Using the router we are only seeing 7mbps down and 4mbps up..
Any ideas?
01-22-2016 11:35 AM
What is the bandwidth of the link meant to be ie. are you meant to get the full rate.
Do you see any errors on the router interfaces ie. "sh int <x/y>"
Jon
01-22-2016 12:02 PM
I incorrectly reported it was 100 by 100, when it is actually 50/50 rate.
GigabitEthernet0/0 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 74a2.e6d1.9000 (bia 74a2.e6d1.9000)
Description: CenturyLink Test
Internet address is X.X.0.238/30
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 100Mbps, media type is RJ45
output flow-control is unsupported, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:06, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 15
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 567000 bits/sec, 52 packets/sec
5 minute output rate 343000 bits/sec, 42 packets/sec
286840 packets input, 255189707 bytes, 0 no buffer
Received 25011 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
242 input errors, 0 CRC, 0 frame, 242 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
337539 packets output, 134279530 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
3 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
GigabitEthernet0/1 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 74a2.e6d1.9001 (bia 74a2.e6d1.9001)
Internet address is 192.168.1.1/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 100Mbps, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:06, output 00:00:10, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/1/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
304398 packets input, 128793272 bytes, 0 no buffer
Received 11704 broadcasts (0 IP multicasts)
0 runts, 0 giants, 1 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
366843 packets output, 264730736 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
3 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Testing with bypassing the router produces almost full rate.
We did have a small switch off the router but we removed that switch and hard coded a workstation and plugged direct - but same slow speed issues.
The rates are mixed results
Back and forth
19.73 down
5.06 up
next test
13.44 down
1.03 up
Could the expired translations have anything to do with it?
ROUTER#show ip nat statistics
Total active translations: 22 (0 static, 22 dynamic; 22 extended)
Peak translations: 799, occurred 00:58:00 ago
Outside interfaces:
GigabitEthernet0/0
Inside interfaces:
GigabitEthernet0/1
Hits: 427777 Misses: 0
CEF Translated packets: 402441, CEF Punted packets: 11582
Expired translations: 8250
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 101 interface GigabitEthernet0/0 refcount 22
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
01-22-2016 12:21 PM
I don't think it is to do with the NAT to be honest.
You do have some overruns on your connection to the ISP, but that is usually a sign that your router cannot process the packets fast enough, but you have very few features turned on which could affect the performance, so I'm not sure what is causing the issue at the moment.
Jon