05-06-2013 01:54 PM - edited 03-07-2019 01:13 PM
First let me say that if I'm posting in the wrong area, I apologize and please let me know and I can repost.
I am looking to set up a secondary, failover connection to another ISP (in the event that our primary ISP connection fails). Our company has purchased a CradlePoint device and it shipped pre-configured for connection to Verizon's 4G LTE network.
We didn't pay the extra cost for a static address, thus we pull a DHCP address from Verizon. We have a Cisco router that has our primary ISP coming into it with a T1 circuit, and our LAN switch uplinks to the FA interface of the router. I've connected the CradlePoint device to the secondary FA interface of the router and set it for DHCP.
I've configured an IPSLA to monitor the primary public IP of the Serial interface and should it go down, I've set a static route to fail over to the FA0/1 interface where the CradlePoint device is connected. When I test this by downing the Serial interface, the IPSLA does what it's supposed to do and the secondary default route, (with the higher distance metric), becomes the primary default route.
My problem is that I cannot get any LAN devices to route out through the "new" default route through the CradlePoint to Verizon.
Note: I've tested the CradlePoint by plugging my laptop directly into it and I can get out to the Internet just fine.
I suspect my problem is a NAT'ing issue, but I'm not certain. I've not set up NAT before, so I was hoping someone would be able to assist. Below are the relevant commands that are currently configured on my router.
interface FastEthernet0/1
 description Cradlepoint Wireless to Verizon for Failover
 ip address dhcp
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/2/0:0
 ip address xx.xx.xx.xx 255.255.255.252
 encapsulation ppp
 service-policy output
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx track 1 (This points to the Serial Interface IP Address)
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 100 (This is where the CradlePoint is connected)
!
ip sla 1
 icmp-echo 63.233.13.181 source-interface Serial0/2/0:0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
From what I've researched, I'm wondering if it's as simple as just doing an 'ip nat inside source list' and an access-list permitting all internal traffic out. So, for example: (The 192.168.1.0, source list and access-list #'s are just what I pulled out of the air to list as an example)
ip nat outside source list 100 pool overload
Then....
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
If any further config info is needed just let me know. Please advise when you have a chance. Thanks.
05-06-2013 02:08 PM
Assuming 192.168.1.0 is your LAN interface segment and is configured with "ip nat inside"
then add this:
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/1 overload
and test again
HTH
05-06-2013 02:55 PM
Hello, your router is doing the routing, but there's just no NATing going on.
Would like to know how the current set up is with the serial interface, isn't there meant to be NAT for that at the moment since you have a public IP here, right? Just a little confused with this :-)
Ignoring this for now, I'll move on...
I just wanted to mention, in DHCP if the gateway option is given out, this automatically puts a static route in the routing table. But if you have defined this manually with greater metric then I guess it would work and you've tested it.
From what I can tell we need to do this:
interface fa0/0
 description MY LAN
 ip address 192.168.1.x 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Cradlepoint Wireless to Verizon for Failover
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/2/0:0
 ip address xx.xx.xx.xx 255.255.255.252
 ! No NAT here?????????
 encapsulation ppp
 service-policy output
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx track 1
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 100
!
ip sla 1
 icmp-echo 63.233.13.181 source-interface Serial0/2/0:0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list 100 interface fa0/1 overload
Hope this helps
06-04-2013 02:01 PM
Okay, I think I've managed to get an answer as to what the problem is here. The issue is with Verizon and the way they NAT their dynamically assigned addresses.
We purchased the Cradlepoint device and a dynamically assigned address from Verizon and this all came preconfigured. The issue is that there is "double NAT'ing" happening here, and this will not work with my needed configuration. When I plug in a laptop to my Cradlepoint device I NAT out with a public, routable IP address. However, when I plug that Cradlepoint into my router, the router interface gets a private 10.xxx.xxx.xxx address from Verizon that NAT's out.
The problem is that I need to NAT my workstations that are sitting behind this router, (thus the "double NAT'ing"). I've discussed this with both Cradlepoint and Verizon engineers. The proposed solution is that I will need a static, publicly routable IP address that I can configure on my router and thus only NAT out on my router and not on the Cradlepoint \ Verizon.
Verizon is looking to give me a temp static IP to test this with to ensure it will work. I will update this when I have definite discovery. Thanks.
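Added example, not part of any post in this thread: a small Python check that a saved router config contains the inside/outside PAT pieces listed in the replies above, plus a test for the "double NAT" condition described in the last post (an outside address in private or carrier-grade NAT space). The function names and the sample config are constructed for illustration, and interface names are assumed to be written out in full rather than abbreviated.

```python
import ipaddress
import re
# Constructed sample: the thread's FastEthernet0/1 plus the NAT lines from the replies.
SAMPLE = """\
interface FastEthernet0/0
 ip nat inside
interface FastEthernet0/1
 ip nat outside
 ip nat enable
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/1 overload
"""

def parse_interfaces(config):
    """Map each interface name to its lower-cased sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line, re.I)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip().lower())
        else:
            current = None  # a non-indented global command ends the interface block
    return interfaces

def check_nat(config):
    """Return findings about the inside/outside PAT pieces listed in the replies."""
    findings, ifaces = [], parse_interfaces(config)
    if not any("ip nat inside" in cmds for cmds in ifaces.values()):
        findings.append("no interface is marked 'ip nat inside'")
    for name, cmds in ifaces.items():
        if "ip nat enable" in cmds and {"ip nat inside", "ip nat outside"} & set(cmds):
            findings.append(f"{name}: 'ip nat enable' (NVI) mixed with inside/outside NAT")
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M | re.I))
    rules = re.findall(r"^ip nat inside source list (\d+) interface (\S+) overload", config, re.M | re.I)
    if not rules:
        findings.append("no 'ip nat inside source list ... overload' rule")
    for acl, iface in rules:  # assumes interface names are spelled out in full
        if acl not in acls:
            findings.append(f"access-list {acl} is referenced but not defined")
        if "ip nat outside" not in ifaces.get(iface, []):
            findings.append(f"{iface} is the PAT interface but lacks 'ip nat outside'")
    return findings

def behind_upstream_nat(addr):
    """True if an outside address is RFC 1918 or RFC 6598 space (carrier NATs again)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip in ipaddress.ip_network("100.64.0.0/10")
```

Feed `check_nat` the text of a saved running-config, and `behind_upstream_nat` the address the DHCP-configured outside interface actually received.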