Help with ISR4451 PAT configuration

ktuohy1987
Level 1

Hello,

I'm trying to deploy an ISR4451 with a NIM-ES2-8 module and am running into issues. The end goal is to provide internet connectivity for several client devices connecting to the NIM module. Presently, client devices are unable to ping out, nor can they browse the internet, despite NAT translations taking place. Clients can ping the VLAN 10 and loopback addresses of R1. Please help. Config attached below:

r1#sh run
Building configuration...


Current configuration : 4196 bytes
!
! Last configuration change at 22:47:22 UTC Mon Mar 25 2019
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no logging console
enable secret 5 *****
!
no aaa new-model
!
!
!
ip name-server 8.8.8.8

ip domain name blah.com
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool devices
network 192.168.1.0 255.255.255.0
domain-name blah.com
dns-server 8.8.8.8
default-router 192.168.1.1
lease 8
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
spanning-tree extend system-id
!
username ***** privilege 15 secret 5 *****
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
!
interface Loopback0
ip address 10.0.0.1 255.255.255.254
!
interface GigabitEthernet0/0/0
description **WANLINK**
ip address 1.1.1.1 255.255.255.252
ip nat outside
ip access-group 100 in
ip access-group 110 out
media-type sfp
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/1
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/2
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/3
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/4
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/5
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/6
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/7
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip nat pool outside 1.1.1.1 1.1.1.1 netmask 255.255.255.252
ip nat inside source list 10 pool outside overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip ssh source-interface Loopback0
ip ssh version 2
!
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 permit tcp any any eq 22
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq 22
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq 7004
access-list 100 permit tcp any any eq 7014
access-list 100 permit udp any any eq ntp
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq non500-isakmp
access-list 100 permit udp any any eq 33434
access-list 100 permit udp any any eq 33435
access-list 100 permit udp any any eq 33436
access-list 100 permit ip any any
access-list 110 permit tcp any any eq 22
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq 22
access-list 110 permit udp any any eq domain
access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq 7004
access-list 110 permit tcp any any eq 7014
access-list 110 permit udp any any eq ntp
access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any any eq non500-isakmp
access-list 110 permit udp any any eq 33434
access-list 110 permit udp any any eq 33435
access-list 110 permit udp any any eq 33436
access-list 110 permit ip any any
!
!
!
control-plane
!
!
line con 0
stopbits 1
login local
line aux 0
stopbits 1
line vty 0 4
login local
!
!
end

Many Thanks!!

7 Replies

balaji.bandi
Hall of Fame

Before we build advanced rules, we need to see whether the basic config is working or not.

So let's start by tweaking the basic config; if it works, then we go to the next level (if not, things will be complicated to diagnose).

Here is my personal suggestion:

 

interface GigabitEthernet0/0/0
description **WANLINK**
ip address 1.1.1.1 255.255.255.252
ip nat outside
no ip access-group 100 in  <-- remove this for basic testing
no ip access-group 110 out <-- remove this for basic testing
media-type sfp
negotiation auto
ip virtual-reassembly
!
!
interface Vlan10
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip nat pool outside-net 1.1.1.1 1.1.1.1 netmask 255.255.255.252  <--- changed name not to confuse outside interface or outside pool
ip nat inside source list 10 pool outside-net overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip ssh source-interface Loopback0
ip ssh version 2
!

Make the changes above, test, and advise.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Deepak Kumar
VIP Alumni

Hi,

Please make the changes below:

interface GigabitEthernet0/0/0
description **WANLINK**
ip address 1.1.1.1 255.255.255.252
ip nat outside
no ip access-group 100 in
no ip access-group 110 out
media-type sfp
negotiation auto
ip virtual-reassembly
!
no ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0

 

Regards,
Deepak Kumar
Don't forget to vote and accept the solution if this comment will help you!

Hello

A few changes are required.

conf t
no ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 1.1.1.2  <--- needs to be your WAN next-hop IP address


ip dhcp pool devices
dns-server 8.8.8.8 208.67.222.222 208.67.220.220

interface GigabitEthernet0/0/0  <-- no need for your access lists, as you are permitting ip any any in both of them anyway
no ip access-group 100 in
no ip access-group 110 out


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
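The three replies above all point at the same few lines of the posted config. As an added example (not code from anyone in this thread), here is a small Python lint pass over an IOS running-config excerpt, constructed from the original post, that flags the default route whose next hop is the router's own WAN address, the NAT pool named `outside`, and the applied ACLs that end in `permit ip any any` and therefore filter nothing.

```python
import re

# Constructed excerpt of the original poster's first running-config (not a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
 ip access-group 100 in
 ip access-group 110 out
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat pool outside 1.1.1.1 1.1.1.1 netmask 255.255.255.252
ip route 0.0.0.0 0.0.0.0 1.1.1.1
access-list 100 permit tcp any any eq 22
access-list 100 permit ip any any
access-list 110 permit udp any any eq domain
access-list 110 permit ip any any
"""

def lint_config(text):
    """Return findings for the three problems the replies in the thread raise."""
    local_ips, applied_acls, acl_entries, default_hops, pools = set(), set(), {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) \S+$", line):
            local_ips.add(m.group(1))
        elif m := re.match(r"ip access-group (\S+) (?:in|out)$", line):
            applied_acls.add(m.group(1))
        elif m := re.match(r"access-list (\S+) ((?:permit|deny) .+)$", line):
            acl_entries.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line):
            default_hops.append(m.group(1))
        elif m := re.match(r"ip nat pool (\S+) ", line):
            pools.append(m.group(1))
    findings = []
    # 1. A default route whose next hop is one of the router's own addresses cannot reach an upstream device.
    for hop in default_hops:
        if hop in local_ips:
            findings.append(f"default route next hop {hop} is a local interface address")
    # 2. A pool named after the 'ip nat inside/outside' keywords invites misreading.
    for name in pools:
        if name in ("outside", "inside"):
            findings.append(f"NAT pool '{name}' shares its name with a NAT keyword")
    # 3. An applied ACL ending in 'permit ip any any' filters nothing; its earlier lines are redundant.
    for acl in sorted(applied_acls):
        entries = acl_entries.get(acl, [])
        if len(entries) > 1 and entries[-1] == "permit ip any any":
            findings.append(f"ACL {acl} ends in 'permit ip any any'; its earlier lines are redundant")
    return findings
```

Run against the poster's corrected second config (next hop 1.1.1.2 via GigabitEthernet0/0/0, pool renamed, ACLs removed from the interface) the same function returns no findings.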

My apologies. I seem to have fat-fingered the next-hop address on the bucket route when I sanitized the config. It is currently set to the next-hop IP.

What I've done:
- I changed the NAT config to reflect the pool name outside-net, per Balaji
- Removed the inbound and outbound ACLs on Gi0/0/0
- Modified the bucket route to use interface Gi0/0/0 instead of the next-hop IP; however, this breaks ping completely from the router. When I use the route ip route 0.0.0.0 0.0.0.0 1.1.1.2 I can ping the next hop and 8.8.8.8 but nothing else.

I found an issue with the next-hop IP that I corrected, and I can now ping out from the switch by IP and FQDN.

However, client devices are still not able to browse the web. The client device can ping all the way out and I can see DNS resolutions taking place in the NAT tables, but clients still can't browse.

Current config below:

r1#sh run
Building configuration...


Current configuration : 4248 bytes
!
! Last configuration change at 15:14:02 UTC Tue Mar 26 2019 by build
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no logging console
enable secret 5 *****
!
no aaa new-model
!
!
!
ip name-server 208.67.222.222 208.67.220.220
ip domain name blah.com
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool devices
network 192.168.1.0 255.255.255.0
domain-name blah.com
default-router 192.168.1.1
dns-server 208.67.222.222 208.67.220.220
lease 8
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4451-X/K9 sn FOC22396AQM
!
spanning-tree extend system-id
!
username **** privilege 15 secret 5 ****
!
redundancy
mode none
!
!
!
!
vlan internal allocation policy ascending
!
!
interface Loopback0
ip address 10.0.0.1 255.255.255.254
!
interface GigabitEthernet0/0/0
description **WANLINK**
ip address 1.1.1.1 255.255.255.252
ip nat outside
media-type sfp
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/1
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/2
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/3
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/4
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/5
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/6
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/7
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip nat pool outside-net 1.1.1.1 1.1.1.1 netmask 255.255.255.252
ip nat inside source list 10 pool outside-net overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 1.1.1.2
ip ssh source-interface Loopback0
ip ssh version 2
!
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 permit tcp any any eq 22
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq 22
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq 7004
access-list 100 permit tcp any any eq 7014
access-list 100 permit udp any any eq ntp
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq non500-isakmp
access-list 100 permit udp any any eq 33434
access-list 100 permit udp any any eq 33435
access-list 100 permit udp any any eq 33436
access-list 100 permit ip any any
access-list 110 permit tcp any any eq 22
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq 22
access-list 110 permit udp any any eq domain
access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq 7004
access-list 110 permit tcp any any eq 7014
access-list 110 permit udp any any eq ntp
access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any any eq non500-isakmp
access-list 110 permit udp any any eq 33434
access-list 110 permit udp any any eq 33435
access-list 110 permit udp any any eq 33436
access-list 110 permit ip any any
!
!
!
control-plane
!
!
line con 0
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login local
!
!
end

Hi,

What is the IP on your PC? Please share the switch configuration as well.

 

Regards,
Deepak Kumar
Don't forget to vote and accept the solution if this comment will help you!

Is this DNS server reachable? dns-server 208.67.222.222 208.67.220.220

From the clients: is this a Windows box?

Can you post ipconfig /all from your Windows client?

From the Windows client, post the output of the commands below:

nslookup google.com

nslookup cisco.com

ping 208.67.222.222 and ping 208.67.220.220

Have you tried setting up 8.8.8.8 as the DNS server on the client?

BB
