Solved: Where am I going wrong - 2821 Configuration

Dean O'Meara · ‎09-03-2017

Hi All,

Currently messing around in my lab and I am trying to configure my 2821 so that I can use it connected to the internet.

I have put my Virgin Media router into modem only mode and the 2821 tells me It has picked up a public address from the modem, I am able to ping 8.8.8.8 from the 2821 however any devices connected to this are not able to utilise the internet - any ideas?

Setup

Virgin Media Modem - Cisco 2821 - Cisco Router - Endpoint

I suspect my issue is a simple NAT configuration error I have made but I am hoping you can help, configuration below

Building configuration...

Current configuration : 1824 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:/c2800nm-adventerprisek9-mz.124-15.T17.bin
boot-end-marker
!
!
no aaa new-model
no network-clock-participate wic 0
!
!
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool 192.168.1.0/24
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
ip dhcp pool 192.168.2.0/24
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
controller E1 0/0/0
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface ATM0/3/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat source list 101 interface GigabitEthernet0/0 overload
!
access-list 101 permit ip any any log
access-list 101 deny ip any any log
!
!
!
!
!
!
control-plane
!
!
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
voice-port 0/2/0
!
voice-port 0/2/1
!
voice-port 0/2/2
!
voice-port 0/2/3
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
!
end

Router#

Predrag Jovic · ‎09-04-2017

Also, nat statement is configured for different NAT type (ip nat enable) and wrong outside interface (Gi0/0):

ip nat source list 101 interface GigabitEthernet0/0 overload

should be changed to

ip nat inside source list 101 interface GigabitEthernet0/1 overload

Georg made typo, default route should point to Gi0/1 (ip nat outside)

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1

in some cases default route needs to be configured with dhcp keyword (interface in default route does not function properly):

ip route 0.0.0.0 0.0.0.0 dhcp

Generally, for NAT you can't use "permit any any" in ACL, ACL need to be more specific as Georg suggested.

View solution in original post

GRANT3779 · ‎09-03-2017

Hi,

The router is not stateful like a firewall so you need to add some ip inspect statements for http/s traffic and apply this to the Outbound Interface.

as an example

ip inspect name FW http
ip inspect name FW https
ip inspect name FW tcp

Under WAN interface

Ip Inspect FW out

Georg Pauwen · ‎09-03-2017

Hello,

the 'log' keyword at the end of your access list kills your NAT. Remove that from your acccess list. Also, you are missing a static route. Check the config below (changes marked in bold):

Current configuration : 1824 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:/c2800nm-adventerprisek9-mz.124-15.T17.bin
boot-end-marker
!
no aaa new-model
no network-clock-participate wic 0
!
dot11 syslog
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool 192.168.1.0/24
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
ip dhcp pool 192.168.2.0/24
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8
!
no ip domain lookup
!
multilink bundle-name authenticated
!
voice-card 0
no dspfarm
!
archive
log config
hidekeys
!
controller E1 0/0/0
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface ATM0/3/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat source list 101 interface GigabitEthernet0/0 overload
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
control-plane
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
voice-port 0/2/0
!
voice-port 0/2/1
!
voice-port 0/2/2
!
voice-port 0/2/3
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
!
end

Predrag Jovic · ‎09-04-2017

Also, nat statement is configured for different NAT type (ip nat enable) and wrong outside interface (Gi0/0):

ip nat source list 101 interface GigabitEthernet0/0 overload

should be changed to

ip nat inside source list 101 interface GigabitEthernet0/1 overload

Georg made typo, default route should point to Gi0/1 (ip nat outside)

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1

in some cases default route needs to be configured with dhcp keyword (interface in default route does not function properly):

ip route 0.0.0.0 0.0.0.0 dhcp

Generally, for NAT you can't use "permit any any" in ACL, ACL need to be more specific as Georg suggested.

Richard Burts · ‎09-04-2017

It was a very good catch that NAT was configured for the wrong interface (+ helpful).

I strongly support that suggestion that ip route 0.0.0.0 0.0.0.0 dhcp is much better than ip route 0.0.0.0 0.0.0.0 Gig0/1. A static route which specifies just the outbound interface is problematic when that interface is Ethernet so this is rarely a good suggestion

- it forces the router to arp for every remote address (increasing processing load on the router)

- it only works if the next hop device has enabled proxy arp (and many organizations are not enabling proxy arp because of the security implications)

- it increases the size of the arp table (consuming memory)

- it requires the router to refresh each arp entry every 4 hours (increasing the load on the router)

Since the original post indicates that the router is able to ping addresses in the Internet it appears that the router is learning (and using) its default route in its dhcp negotiation.

HTH

Rick

HTH

Rick

Dean O'Meara · ‎09-05-2017

Thank you all for the suggestions, I will try this tonight and post back the results.

Georg Pauwen · ‎09-05-2017

Hello,

I have added a few more things. Here is the entire configuration (important parts marked in bold):

Current configuration : 1824 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:/c2800nm-adventerprisek9-mz.124-15.T17.bin
boot-end-marker
!
no aaa new-model
no network-clock-participate wic 0
!
dot11 syslog
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool 192.168.1.0/24
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool 192.168.2.0/24
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8 8.8.4.4
!
no ip domain lookup
!
multilink bundle-name authenticated
!
voice-card 0
no dspfarm
!
archive
log config
hidekeys
!
controller E1 0/0/0
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface ATM0/3/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat source list 101 interface GigabitEthernet0/1 overload
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
!
ip route 0.0.0.0 0.0.0.0 dhcp
!
control-plane
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
voice-port 0/2/0
!
voice-port 0/2/1
!
voice-port 0/2/2
!
voice-port 0/2/3
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
!
end

Richard Burts · ‎09-05-2017

This is a much better suggested config. I have one additional suggestion which is about NAT. This does not really need an extended access list to work correctly. There is no checking for destination address or traffic type (for which an extended access list would be necessary). So I suggest replacing access list 101 with a standard access list to check for the source addresses.

HTH

Rick

HTH

Rick