2868 Views | 5 Helpful | 14 Replies

Cisco 871W - NAT/DHCP issue

Th3cart3r (Level 1)

I have an 871W router connected to a 3560 switch.  Clients are unable to obtain an IP address via DHCP from the router and they never connect.  If I statically assign an address from the DHCP pool, however, they work and are able to access the internet just fine.  The DHCP doesn't seem to be working. Below is the output of the router in question.

 

Building configuration...

Current configuration : 12281 bytes
!
! Last configuration change at 16:13:21 UTC Thu Nov 9 2017 by flogie
! NVRAM config last updated at 16:14:04 UTC Thu Nov 9 2017 by flogie
!
version 12.4
no service pad
service telnet-zeroidle
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname US_Dayton_871W
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-24.T8.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 16384 informational
logging rate-limit all 30
no logging console
enable secret 5 $1$fNXD$4GotGpv8gOq8OPjl7aUV7.
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid LHHCLIENT
vlan 2
max-associations 20
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 032853030F01221C1F
!
dot11 ssid LHHCORP
vlan 1
max-associations 20
authentication open
authentication key-management wpa
wpa-psk ascii 7 08701E1D5D4C53404A525C
!
no ip source-route
no ip gratuitous-arps
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.9.32 172.16.9.33
ip dhcp excluded-address 10.170.220.1 10.170.222.20
!
ip dhcp pool LHHCLIENT
network 172.16.9.32 255.255.255.224
default-router 172.16.9.33
dns-server 66.193.182.194
lease 0 4
!
ip dhcp pool LAN
network 10.170.220.0 255.255.255.0
dns-server 10.16.242.11 10.16.242.59
default-router 10.170.220.1
domain-name lhhinc.local
lease 0 8
!
ip dhcp pool LHHUSER
network 172.16.10.0 255.255.255.0
default-router 172.16.10.33
dns-server 10.16.242.59 10.16.242.11
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name lhhinc.local
ip inspect name CBAC udp timeout 30
ip inspect name CBAC tcp timeout 2000
ip inspect name CBAC fragment maximum 256 timeout 1
ip inspect name CBAC ftp timeout 60
login on-failure log every 3
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
vtp domain lhhinc.local
vtp mode transparent
username SVC_ORION privilege 15 secret 5 $1$qbVP$0mwrKdyb3/aZ4QT3MenOB.
username flogie privilege 15 secret 5 $1$FXck$xOKjCWGgFvhqy2cLhlGnf0
username ykarim privilege 15 secret 5 $1$cIp8$O3eCJGba27fegURWEV/Et.
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key &G01n6VpNH3r3#@ address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set DBMVPN3DES esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DBMVPN
set transform-set DBMVPN3DES
!
!
archive
log config
hidekeys
!
!
vlan 2-3
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh logging events
ip ssh version 2
ip ssh dh min size 2048
!
!
!
interface Tunnel0
bandwidth 1100
ip address 192.168.22.15 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Here2DBM
ip nhrp map multicast dynamic
ip nhrp map 192.168.22.1 209.208.34.220
ip nhrp map multicast 209.208.34.220
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 192.168.22.1
ip tcp adjust-mss 1360
no ip mroute-cache
delay 900
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DBMVPN shared
!
interface Tunnel1
bandwidth 1000
ip address 192.168.23.15 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Here2DBM
ip nhrp map multicast dynamic
ip nhrp map 192.168.23.1 209.208.34.219
ip nhrp map multicast 209.208.34.219
ip nhrp network-id 2
ip nhrp holdtime 300
ip nhrp nhs 192.168.23.1
ip nhrp shortcut
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile DBMVPN shared
!
interface FastEthernet0
description LHHCORP LAN
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 66.193.182.222 255.255.255.252
ip access-group INTERNET in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 1 mode ciphers tkip
!
encryption vlan 2 mode ciphers tkip
!
ssid LHHCLIENT
!
ssid LHHCORP
!
speed basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
no preamble-short
station-role root
!
interface Dot11Radio0.1
description LHHCORP USERS
encapsulation dot1Q 1 native
ip address 172.16.10.33 255.255.255.0
ip access-group LHH-RADIO in
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1200
no ip mroute-cache
no cdp enable
!
interface Dot11Radio0.2
description LHHCLIENTS
encapsulation dot1Q 2
ip address 172.16.9.33 255.255.255.0
ip access-group CLIENT-RADIO in
ip access-group CLIENT-RADIO-RETURN out
no ip proxy-arp
ip nat inside
ip virtual-reassembly
rate-limit input 256000 512000 768000 conform-action transmit exceed-action drop
rate-limit output 256000 512000 768000 conform-action transmit exceed-action drop
no ip mroute-cache
no cdp enable
!
interface Vlan1
description LAN
ip address 10.170.220.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip mroute-cache
!
router eigrp 1
passive-interface FastEthernet4
network 10.170.220.0 0.0.0.255
network 192.168.22.0
network 192.168.23.0
no auto-summary
eigrp stub connected summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 66.193.182.221
no ip http server
no ip http secure-server
!
!
ip nat translation tcp-timeout 2000
ip nat translation udp-timeout 60
ip nat inside source list NAT interface FastEthernet4 overload
!
ip access-list standard NAT
permit 172.16.9.0 0.0.0.255
permit 10.170.220.0 0.0.0.255
permit 172.16.10.0 0.0.0.255
!
ip access-list extended CLIENT-RADIO
permit tcp any any eq www
permit tcp any any eq 443
permit udp any any eq domain
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 143
permit tcp any any eq 587
permit tcp any any eq 465
permit tcp any any eq 585
permit tcp any any eq 993
permit tcp any any eq 995
permit tcp any any eq 1532
permit tcp any any eq 1533
permit udp any any eq bootps
permit icmp any host 172.16.9.33 echo
permit icmp any host 10.1.201.2 echo
permit ip any host 65.211.153.81
remark portal.dbm.com
permit tcp any host 63.87.216.82
permit ip host 10.1.201.8 any
remark BLOOMBERG
permit ip any 160.43.250.0 0.0.0.255
permit ip any 206.156.53.0 0.0.0.255
permit ip any 205.216.112.0 0.0.0.255
permit ip any 208.22.56.0 0.0.0.255
permit ip any 69.191.0.0 0.0.255.255
deny icmp any any
deny ip any any
ip access-list extended CLIENT-RADIO-RETURN
permit udp any any eq bootpc
permit icmp host 10.1.201.2 any echo-reply
remark KC LAN Printer
permit ip host 10.1.201.8 any
remark inotestemp.dbm.com
permit ip host 10.1.1.18 any
deny ip 10.0.0.0 0.255.255.255 any
permit ip any any
deny ip any any
ip access-list extended INTERNET
remark Deny RFC 3330
deny ip host 0.0.0.0 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
remark Deny RFC 1918
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark Return TCP/UDP Traffic
permit tcp any any gt 1023 established
permit udp any any gt 1023
remark DMVPN Traffic
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
remark ICMP LHH_NET_ONLY
permit icmp host 66.192.226.166 any
permit icmp host 66.192.226.167 any
permit icmp host 209.208.35.72 any
permit icmp host 209.208.35.150 any
remark ICMP RETURN
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
remark SSH LHH_NET_ONLY
permit tcp host 66.192.226.166 any eq 22
permit tcp host 66.192.226.167 any eq 22
permit tcp host 209.208.35.72 any eq 22
permit tcp host 209.208.35.150 any eq 22
deny ip any any log
ip access-list extended LHH-RADIO
permit icmp any host 172.16.9.1 echo
deny icmp any 172.16.0.0 0.0.255.255
deny ip any 172.16.0.0 0.0.255.255
permit ip any any
deny ip any any
!
logging 10.16.242.129
access-list 99 permit 10.16.242.129
!
!
!
!
snmp-server group SNMP-AUTH v3 auth match exact read SNMP-VIEW write SNMP-VIEW access 99
snmp-server group SNMP-AUTH v3 priv match exact read SNMP-VIEW write SNMP-VIEW access 99
snmp-server view SNMP-VIEW iso included
snmp-server location US
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps adslline
snmp-server enable traps flash insertion removal
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps pw vc
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server host 10.16.242.129 version 3 priv lhhsnmpv3
!
control-plane
!
banner login ^C Management ID: $(hostname) ^C
banner motd ^C
* * * * * * * * * * W A R N I N G * * * * * * * * * *
This system is for the use of authorized users only.
Individuals using this computer system without
authority, or in excess of their authority, are subject
to having all of their activities on this system
monitored and recorded by system personnel. In the
course of monitoring individuals improperly using this
system, or in the course of system maintenance, the
activities of authorized users may also be monitored.
Use of any Company data obtained by unauthorized means,
is prohibited and no data may be transfered to any external
device without express authorization.
Anyone using this system expressly consents to such
monitoring and is advised that if such monitoring
reveals possible evidence of criminal activity, system
personnel may provide the evidence of such monitoring
to law enforcement officials.
^C
!
line con 0
session-timeout 9
exec-timeout 9 0
login local
no modem enable
line aux 0
no exec
transport output none
line vty 0 4
session-timeout 9
exec-timeout 9 0
login local
transport input ssh
transport output ssh
!
scheduler max-task-time 5000
ntp server 192.168.23.1
ntp server 192.168.22.1

1 Accepted Solution

Accepted Solutions

Hello,

 

is this a typo ?

 

ip dhcp excluded-address 10.170.220.1 10.170.222.20

 

Change that to:

 

ip dhcp excluded-address 10.170.220.1 10.170.220.20

 

otherwise you are excluding the entire DHCP range...


14 Replies

Hello,

 

how are the client ports on the switch configured ? Make sure they look like this

 

interface FastEthernet0/2
spanning-tree portfast

 

Can you post the configuration of your 3560 switch as well ?

Yes, that is how they look.
interface GigabitEthernet0/1
description LHH LAN
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
description LHH LAN
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
description LHH LAN
spanning-tree portfast edge
spanning-tree bpduguard enable
!

Hello,

 

which IOS version are you running on the 3560 ? Typically, the configuration of access ports should look like this:

 

interface GigabitEthernet0/2
description LHH LAN
spanning-tree portfast
switchport mode access

It's 15.2 on the switch. I've never had to explicitly make the ports access ports before. It's a switch so the VLAN is there by default.

For some reason the DHCP requests are not getting through to the 871. Post the full configuration of the switch, we may be able to spot something. Also, which port on the switch is connected to the 871 ?

Here is the switch config.

Current configuration : 3591 bytes
!
! Last configuration change at 21:27:10 UTC Tue Nov 7 2017 by flogie
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname US_Dayton_3560CX_SW1
!
boot-start-marker
boot-end-marker
!
!
username flogie privilege 15 secret 5 $1$vjqy$hKzo6nvVOivHxs4YGI2UA0
username SVC_ORION privilege 15 secret 5 $1$iWgT$63ayj1GrVamF/6kGBc5nb.
no aaa new-model
system mtu routing 1500
!
!
!
!
!
!
no ip domain-lookup
ip domain-name lhhinc.local
login on-failure log every 3
vtp domain lhhinc.local
vtp mode transparent
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
description LHH LAN
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
description LHH LAN
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
description LHH LAN
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/4
description LHH LAN
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/5
description LHH LAN
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/6
description LHH LAN
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/7
description LHH LAN
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/8
description LHH LAN
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
description Uplink to US_Dayton_871W
switchport mode trunk
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface Vlan1
ip address 10.170.220.2 255.255.255.0
!
ip default-gateway 10.170.220.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
logging source-interface Vlan1
logging host 10.16.242.129
access-list 99 permit 10.16.242.129
!
snmp-server group SNMP-AUTH v3 auth read SNMP-VIEW write SNMP-VIEW access 99
snmp-server group SNMP-AUTH v3 priv read SNMP-VIEW write SNMP-VIEW access 99
snmp-server view SNMP-VIEW iso included
snmp-server host 10.16.242.129 version 3 priv lhhsnmpv3
banner motd ^C * * * * * * * * * * W A R N I N G * * * * * * * * * *
This system is for the use of authorized users only.
Individuals using this computer system without
authority, or in excess of their authority, are subject
to having all of their activities on this system
monitored and recorded by system personnel. In the
course of monitoring individuals improperly using this
system, or in the course of system maintenance, the
activities of authorized users may also be monitored.
Use of any Company data obtained by unauthorized means,
is prohibited and no data may be transfered to any external
device without express authorization.
Anyone using this system expressly consents to such
monitoring and is advised that if such monitoring
reveals possible evidence of criminal activity, system
personnel may provide the evidence of such monitoring
to law enforcement officials.

^C
!
line con 0
session-timeout 9
exec-timeout 9 0
login local
line vty 0 4
session-timeout 9
exec-timeout 9 0
login local
transport input ssh
transport output ssh
line vty 5 15
session-timeout 9
exec-timeout 9 0
login local
transport input ssh
transport output ssh
!
ntp source Vlan1
ntp server 192.168.23.1
ntp server 192.168.22.1
!
end

Hello,

 

currently the port on the switch connecting to the router is a trunk port, while the connecting port on the router is a (default) access port in Vlan 1. Since you are only using the default VLAN, you don't really need the trunk.

 

Either way, both sides need to match, so it has to be:

 

US_Dayton_871W

 

interface FastEthernet0
description LHHCORP LAN
switchport mode trunk

 

US_Dayton_3560CX_SW1

 

interface GigabitEthernet0/10
description Uplink to US_Dayton_871W
switchport mode trunk

 

or

 

US_Dayton_871W

 

interface FastEthernet0
description LHHCORP LAN

 

US_Dayton_3560CX_SW1

 

interface GigabitEthernet0/10
description Uplink to US_Dayton_871W

I tried that earlier and it didn't make a difference.

Hello,

 

is this a typo ?

 

ip dhcp excluded-address 10.170.220.1 10.170.222.20

 

Change that to:

 

ip dhcp excluded-address 10.170.220.1 10.170.220.20

 

otherwise you are excluding the entire DHCP range...

Holy crap! Yes, that is a typo; it was supposed to be 10.170.220.20. That fixed it, thanks for the sharp eyes.

Typos are easily made, glad you got it resolved...

Reza Sharifi (Hall of Fame)

The mask for one of the subnets seems to be incorrect.  Under the interface you have a /24

ip address 172.16.9.33 255.255.255.0

and the pool is a /27

ip dhcp pool LHHCLIENT
network 172.16.9.32 255.255.255.224

Can you verify?

HTH
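Both configuration errors raised in this thread, the excluded-address range that swallows the whole LAN pool (the accepted answer) and the /24-versus-/27 mismatch between Dot11Radio0.2 and the LHHCLIENT pool (Reza Sharifi's post above), are mechanical to check before a change is pushed. The script below is an added example written for this page; it is not from the thread and not a Cisco tool. It parses the ip dhcp excluded-address, ip dhcp pool and interface ip address lines of an IOS config and reports, per pool, how many addresses the server can actually offer once the global exclusions are applied, plus any interface that sits in a pool's subnet with a different mask. The embedded config text is a constructed excerpt of the router config posted above with the original 10.170.222.20 typo left in; the second run applies the accepted fix.

```python
"""Audit Cisco IOS DHCP pools against global excluded-address ranges and
interface subnets.  Added example for this thread, not Cisco code.  The config
below is a constructed excerpt of the posted 871W config, typo included."""
import ipaddress
import re

ROUTER_CONFIG = """
ip dhcp excluded-address 172.16.9.32 172.16.9.33
ip dhcp excluded-address 10.170.220.1 10.170.222.20
!
ip dhcp pool LHHCLIENT
network 172.16.9.32 255.255.255.224
default-router 172.16.9.33
!
ip dhcp pool LAN
network 10.170.220.0 255.255.255.0
default-router 10.170.220.1
!
ip dhcp pool LHHUSER
network 172.16.10.0 255.255.255.0
default-router 172.16.10.33
!
interface Dot11Radio0.1
ip address 172.16.10.33 255.255.255.0
!
interface Dot11Radio0.2
ip address 172.16.9.33 255.255.255.0
!
interface Vlan1
ip address 10.170.220.1 255.255.255.0
!
router eigrp 1
network 10.170.220.0 0.0.0.255
"""

# Top-level commands that end a pool or interface section.  Indentation is not
# relied on because pasted configs, like the ones in this thread, often lose it.
SECTION_START = re.compile(r"^(interface|router|line|crypto|ip access-list|vlan|dot11) ")


def parse_config(text):
    """Return (exclusions, pools, interfaces) pulled out of an IOS config."""
    exclusions, pools, interfaces = [], {}, {}
    pool = iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if SECTION_START.match(line) or line.startswith("ip dhcp"):
            pool = iface = None                       # leave the previous section
        m = re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", line)
        if m:                                         # single address or low high
            low = ipaddress.IPv4Address(m.group(1))
            high = ipaddress.IPv4Address(m.group(2) or m.group(1))
            exclusions.append((low, high))
        elif (m := re.match(r"ip dhcp pool (\S+)$", line)):
            pool = m.group(1)
            pools[pool] = {"network": None, "default_router": None}
        elif (m := re.match(r"interface (\S+)$", line)):
            iface = m.group(1)
        elif pool and (m := re.match(r"network (\S+) (\S+)$", line)):
            # strict=False tolerates a network statement with host bits set
            pools[pool]["network"] = ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
        elif pool and (m := re.match(r"default-router (\S+)", line)):
            pools[pool]["default_router"] = ipaddress.IPv4Address(m[1])
        elif iface and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            interfaces[iface] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
    return exclusions, pools, interfaces


def free_addresses(network, exclusions):
    """Addresses the IOS server can actually offer from a pool: the usable hosts
    of the network (IOS never offers the network or broadcast address) minus
    every address that falls inside any excluded-address range."""
    return {ip for ip in network.hosts()
            if not any(low <= ip <= high for low, high in exclusions)}


def audit(config_text):
    """Return {pool_name: {"free": count, "issues": [str, ...]}} for every pool."""
    exclusions, pools, interfaces = parse_config(config_text)
    report = {}
    for name, p in pools.items():
        net, gw, issues = p["network"], p["default_router"], []
        if net is None:
            report[name] = {"free": 0, "issues": ["pool has no network statement"]}
            continue
        free = len(free_addresses(net, exclusions))
        if free == 0:
            issues.append(f"no assignable addresses: excluded-address ranges cover all of {net}")
        if gw is not None and gw not in net:
            issues.append(f"default-router {gw} is outside {net}")
        for ifname, addr in interfaces.items():
            # Interface inside the pool's subnet but with a different mask: clients
            # and router disagree on the broadcast domain (the /24 vs /27 case).
            if addr.ip in net and addr.network.prefixlen != net.prefixlen:
                issues.append(f"{ifname} is {addr.with_prefixlen} but pool network is {net}")
        report[name] = {"free": free, "issues": issues}
    return report


if __name__ == "__main__":
    fixed = ROUTER_CONFIG.replace("10.170.222.20", "10.170.220.20")
    for label, cfg in (("as posted", ROUTER_CONFIG), ("exclusion fixed", fixed)):
        print(f"--- {label} ---")
        for pool, r in audit(cfg).items():
            print(f"{pool:10s} free={r['free']:4d}  " + ("; ".join(r["issues"]) or "ok"))
```

Run as-is, the first pass reports LAN with zero free addresses, which is exactly the symptom in the original post: DHCP is enabled and the pool exists, but every host address is excluded, so the server has nothing to offer. The same pass flags Dot11Radio0.2 as 172.16.9.33/24 against a 172.16.9.32/27 pool. The second pass, with the exclusion corrected to 10.170.220.20, leaves LAN with 234 free addresses and no findings.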

 

I'm not worried about that subnet, as we don't use it anymore. I'm concerned about the 10.170.x.x.

Mark Malone (VIP Alumni)

Hi
What happens if you connect a laptop directly to the router, does it receive an IP address?
Or if you move one of the pools back to the 3560, do they get an address?
Or run debug dhcp detail, or use Wireshark on the client PC to make sure they're sending and receiving the DHCP offers and requests correctly, and make sure the DHCP service is on: conf t, service dhcp

That's just a couple of things I would try