New 2911 config can't seem to get it right

Hello,

I am attaching a very simple network map to this post to illustrate what I am trying to accomplish. I recently acquired a Cisco 2911 router. We have a 192.168.1.x/24 network, but we have run out of IPs. We are also moving to a new suite, and I figured I could run a fiber line between the suites and connect a switch to give both suites connectivity to the same network. Furthermore, I can create a /22 network and migrate servers/machines to the new network at my leisure with near zero downtime. I seem to have hit a brick wall. I factory defaulted the 2911 config. Next I set a username and password for the router and enabled telnet. Next, I gave interface gi0/0 ip address 192.168.1.176. This should now join the router to the current network. I gave interface gi0/1 ip address 192.168.100.1 255.255.252.0, which should open the inside interface to the 100.x network, which it did. I ran into an issue browsing the internet etc. due to no NAT, so I nat'ed everything through the gi0/0 interface, and I can remote desktop from my 192.168.1.112 machine to the 192.168.100.100 server, can ping it fine etc. However, through the 192.168.100.100 server I can't ping out to 8.8.8.8 from anywhere. When I'm consoled into the router I can ping everything everywhere fine from the router.

Could someone please take a look at my ip route statement and my config and guide me where I'm going wrong? I have tried a wealth of settings/configs and can't seem to get this to work.


Thank you.


IP Route: 

sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0/0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
L        192.168.1.176/32 is directly connected, GigabitEthernet0/0
C     192.168.100.0/22 is directly connected, GigabitEthernet0/1
      192.168.100.0/32 is subnetted, 1 subnets
L        192.168.100.1 is directly connected, GigabitEthernet0/1

Here is current config:

Current configuration : 1666 bytes
!
! Last configuration change at 15:53:30 UTC Wed Apr 22 2015
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/0
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
multilink bundle-name authenticated
!
voice-card 0
!
license udi pid CISCO2911/K9 sn FTX1349A0PJ
!
!
username XXXXXXX password 0 XXXXXXX
!
redundancy
!
interface GigabitEthernet0/0
 description Internet
 ip address 192.168.1.176 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/1
 description Inside Network
 ip address 192.168.100.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 !
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.176 23 interface GigabitEthernet0/0 23
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
access-list 1 permit 192.168.1.176
!
control-plane
 !
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 10000 0
line aux 0
line vty 0 4
 exec-timeout 10000 0
 login local
 transport input telnet
line vty 5 20
 exec-timeout 10000 0
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end


19 Replies

devils_advocate
Level 7

Although you have enabled NAT, you have only enabled the 192.168.1.176 to be NATTed.

access-list 1 permit 192.168.1.176

You need to expand this access list to ALL source IP addresses that need to be NATTed.

access-list 1 permit 192.168.1.0 0.0.0.255

This would enable all hosts with a source IP address in the 192.168.1.* network to be NATTed.

You can expand this to the whole 192.168.0.0 /16 network by using:

access-list 1 permit 192.168.0.0 0.0.255.255

Thanks

Hey devils_advocate: as soon as I erased the old access-list 1 permit 192.168.1.176 and replaced it with access-list 1 permit 192.168.0.0 0.0.255.255, I lost connection to my server and can no longer RDP in from 192.168.1.112 to 192.168.100.100.

I can, however, now browse from my server out to the internet if I use the monitor plugged directly into the server.

Any suggestions?

Try removing this: ip nat inside source static tcp 192.168.1.176 23 interface GigabitEthernet0/0 23. It doesn't look right, and you don't need NAT to telnet to your router. Enter the following command.

no ip nat inside source static tcp 192.168.1.176 23 interface GigabitEthernet0/0 23

If it still doesn't work, please post your running config.

Hi Andre,

Here is a to the minute copy of my running config. I can currently browse out etc from my 192.168.100.x network, I can ping from 192.168.1.x TO 192.168.100.x but I am unable to RDP from my 192.168.1.x network TO 192.168.100.x.

I basically want to join both networks. I know I'm close and maybe just looking too hard at things, but missing why it isn't working. I've tried several variations of configs, so hoping to also learn something in this process.

Thanks for your help! Here's the config:

interface GigabitEthernet0/0
 description Internet
 ip address 192.168.1.176 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/1
 description Inside Network
 ip address 192.168.100.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 !
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.3
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
!
!
!
!
!
control-plane
 !
!
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 10000 0
line aux 0
line vty 0 4
 exec-timeout 10000 0
 login local
 transport input telnet
line vty 5 20
 exec-timeout 10000 0
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end

Try adding this nat line below:

ip nat inside source static tcp <IP address of Server> 3389 interface GigabitEthernet 0/0 3389
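To make the two points in this thread concrete (devils_advocate's wildcard-mask ACL and Andre's static tcp entry), here is a small constructed model of the 2911's NAT decisions, added as an example and not code from the original post; the router addresses come from the thread, all function names are illustrative, and the model assumes standard IOS inside-source NAT semantics (a reply leaving the inside interface is translated whenever its source is permitted by the ACL).

```python
import ipaddress

# Constructed model of the 2911 in this thread: Gi0/0 (outside) is 192.168.1.176,
# Gi0/1 (inside) carries 192.168.100.0/22. Function names are illustrative only.
OUTSIDE_IP = "192.168.1.176"

# The three access-list 1 variants that appear in the thread, as (address, wildcard).
ACL_HOST = [("192.168.1.176", "0.0.0.0")]      # original config
ACL_1_24 = [("192.168.1.0", "0.0.0.255")]      # first suggestion
ACL_16 = [("192.168.0.0", "0.0.255.255")]      # what the poster applied

def wildcard_match(addr, acl_addr, wildcard):
    """Cisco standard-ACL match: a 0 bit in the wildcard mask must match exactly."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, acl_addr, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def permitted(src, acl):
    """True if 'ip nat inside source list 1' would translate a packet from src."""
    return any(wildcard_match(src, a, w) for a, w in acl)

def reply_source_seen_by_client(server, acl):
    """A 192.168.1.x client opens a session straight to an inside server. The
    request is routed untranslated (its destination is not a NAT global address),
    but the server's reply travels inside->outside, and inside-source NAT rewrites
    it to the outside interface address whenever the ACL permits the server."""
    return OUTSIDE_IP if permitted(server, acl) else server

def inbound_static(dport, statics):
    """Outside-initiated packet to OUTSIDE_IP:dport is forwarded only through an
    'ip nat inside source static tcp <inside> <port> interface Gi0/0 <port>' entry."""
    return statics.get(dport)

def internet_ok(acl, server="192.168.100.100"):
    """The inside server reaches 8.8.8.8 only when PAT applies to its source."""
    return permitted(server, acl)

def rdp_from_1x_ok(acl, server="192.168.100.100"):
    """RDP from 192.168.1.112 survives only if replies come from the address dialled."""
    return reply_source_seen_by_client(server, acl) == server

if __name__ == "__main__":
    for name, acl in (("host .176", ACL_HOST), ("1.0/24", ACL_1_24), ("0.0/16", ACL_16)):
        print(f"{name:10} internet={internet_ok(acl)} rdp_from_1.x={rdp_from_1x_ok(acl)}")
    # Andre's suggested static entry restores inbound RDP via 192.168.1.176:3389
    print(inbound_static(3389, {3389: ("192.168.100.100", 3389)}))
```

Running it shows the trade-off the poster hit: the host-only ACL leaves 1.x-to-100.x sessions untranslated (RDP works, internet from 100.x does not), while the /16 ACL gives 100.x internet access but rewrites replies to 1.x clients, which is why the static 3389 entry is needed for inbound RDP.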

Andre,

Is it possible to open all from 192.168.1.x to 192.168.100.x? I can remote from 192.168.100.x to 192.168.1.x no problem.

Hi Michael. You won't achieve that with NAT. However, I noticed that you do not have any public IP addressing on this router. Are you doing NAT on another router for internet? If so, you can remove all NAT configs from this router and just route the networks between each other. Then you can allow all the protocols you want between the networks, or control traffic via ACL. Or is there another reason why you want to NAT between the networks?

Edit: Double post.

Hi Andre, thanks for your help!

In my first post I posted a picture of our network. Basically 192.168.1.3 is our ISP router, which I have zero control of. We have a 1.x network now but are out of IPs in the /24 range. I want to create a new network with our router, 192.168.100.x/22, which will give us a lot more IPs to work with. From there, I want my 1.x and 100.x networks to be able to pass all traffic, while I slowly move everything off the 1.x network on to the 100.x network.

Once everything is off the 1.x network, and I'm controlling traffic from my router, I will add a second route for failover to a 2nd internet connection.

Ok. I understand. Is your ISP doing NAT on that router? If they are, can you request that they add the new network to their NAT ACL? If they are not, can you ask them to route for your 192.168.100.x network on that router during your IP address migration, so that you can route those new IPs to the outside?

The problem is they have messed up configs before and caused us some heart ache, so my boss wants to avoid them making changes.

That said, if I set the default route on my router to 192.168.1.3 the ISP router, and set the default gateway of my computers to 192.168.1.176 (Outside interface of my router) shouldn't my router be able to pass traffic back and forth and out to the ISP router?

That's where I'm stuck; I want to just openly pass traffic pointing to my router between both networks. The problem is without me writing a NAT statement, my router won't pass traffic from the 100.x network out to the internet.

You can't have a default gateway that's on a different network. You really have 2 options. Either get your ISP involved with the routing of the 192.168.100.x network, which they'll have to do eventually, or you can NAT between the networks and have some limitations.

Andre,

Can you explain? 192.168.1.176 is on the same network as my computer 192.168.1.112; what's wrong with having that as the default gateway pushing back to 192.168.1.3?

I can browse/do everything fine from my computer on the 1.x network; I just can't seem to talk from the 1.x network to my 100.x computers.

Apologies. I thought you were making the .176 IP the gateway for the 100.x network. I would suggest involving the ISP for the migration as they will probably have to route for your 192.168.100.x networks in the future.
