You're a star. Thanks for such a comprehensive answer.
Now that you've pointed it out I don't honestly know why I hadn't thought of trying prefix-length 29 to match the block. I think I was thinking of it in terms of limiting the pool (though even prefix-length 30 doesn't make sense in that context).
The fact it worked for the other one also fooled me into thinking it was correct; as you say, there are no warnings.
Could you tell me how you got that syslog output? What debugging commands you used etc. Would be useful for next time :)
Again many thanks. Haven't had time to verify that it works for my configuration but satisfied that it will.
The ip nat pool command lets you use prefix-length 32, but complains about it. Essentially I have the 184.108.40.206/29 block (.185-.189 usable, .190 is the gateway IP), and I want to be able to have different VLANs route out on different IPs within this block. This is because there is a legal separation between at least two entities that are sharing the same internet connection, so in simple terms I don't want Company B to be seen on the internet coming from the same IP as Company A. The TENANT-1-WAN line works as expected, NATs and presents on the internet as 220.127.116.11. I naively assumed the same lines with a different ACL and external IP would work the same, but they don't. If I add a line like:

ip nat inside source static 10.200.0.5 18.104.22.168 extendable

...then the computer on VLAN 600 with IP 10.200.0.5 can get to the internet, and presents as 22.214.171.124 correctly. This makes me think there isn't anything specifically wrong with the upstream router, but that I'm hitting some kind of internal limitation, or ARP/NAT issue. I've tried rebooting the router incidentally and it has made no difference.
Hi, I've got a Cisco 887VA-W router that is handling a /29 block of IPs. I have several VLANs that are used for tenants, guests, etc. For the most part this all works correctly, however one of the IPs in the range will not NAT for reasons unknown. There is no reference to it anywhere else in the config, and to the best of my knowledge the upstream router (which ours is physically connected to, but I do not have config access to) is not doing anything with it. Here is a sample of the config:
interface FastEthernet0
 description LAN router to WAN router
 no ip address
!
interface FastEthernet1
 description LAN router to LAN switch
 switchport trunk allowed vlan 1,2,100,250,500,501,600,1002-1005
 switchport mode trunk
 no ip address
!
…
interface Vlan1
 description LAN router to WAN router
 ip address 126.96.36.199 255.255.255.248
 ip access-group INBOUND-ACL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip inspect ACL-CBAC-INSPECT out
 ip virtual-reassembly in
!
….
interface Vlan500
 description TENANT 1 VLAN
 ip address 10.100.0.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
….
interface Vlan600
 description TENANT 2 VLAN
 ip address 10.200.0.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
….
ip nat pool TENANT-1-WAN 188.8.131.52 184.108.40.206 prefix-length 30
ip nat pool TENANT-2-WAN 220.127.116.11 18.104.22.168 prefix-length 30
ip nat inside source list TENANT-1-NAT pool TENANT-1-WAN overload
ip nat inside source list TENANT-2-NAT pool TENANT-2-WAN overload
ip nat inside source list OTHERS-NAT interface Vlan1 overload
….
ip access-list extended TENANT-2-NAT
 remark -- Block NAT traffic to RFC1918 addresses explicitly
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 22.214.171.124 126.96.36.199
 deny ip any 127.0.0.0 0.255.255.255
 permit ip 10.200.0.0 0.0.0.255 any
ip access-list extended TENANT-1-NAT
 remark -- Block NAT traffic to RFC1918 addresses explicitly
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 188.8.131.52 184.108.40.206
 deny ip any 127.0.0.0 0.255.255.255
 permit ip 10.100.0.0 0.0.0.255 any
 permit ip 10.101.0.0 0.0.0.255 any
And the output from "sh ip nat stat" is as follows:

Total active translations: 2195 (9 static, 2186 dynamic; 2194 extended)
Peak translations: 3790, occurred 00:02:17 ago
Outside interfaces:
  Vlan1
Inside interfaces:
  Vlan100, Vlan250, Vlan500, Vlan501, Vlan600
Hits: 8088307  Misses: 0
CEF Translated packets: 7998159, CEF Punted packets: 83220
Expired translations: 112977
Dynamic mappings:
-- Inside Source
[Id: 12] access-list TENANT-2-NAT pool TENANT-2-WAN refcount 0
 pool TENANT-2-WAN: netmask 255.255.255.252
        start 220.127.116.11 end 18.104.22.168
        type generic, total addresses 1, allocated 0 (0%), misses 802
[Id: 9] access-list TENANT-1-NAT pool TENANT-1-WAN refcount 108
 pool TENANT-1-WAN: netmask 255.255.255.252
        start 22.214.171.124 end 126.96.36.199
        type generic, total addresses 1, allocated 1 (100%), misses 0
[Id: 3] access-list OTHERS-NAT interface Vlan1 refcount 2071
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
As you can see there are a lot of misses on the TENANT-2-NAT statistics, and no allocated address. Clients on VLAN 500 can get to the internet, and their WAN IP is 188.8.131.52 as expected. Clients on VLAN 600 can't get to the internet; they just get Destination Net Unreachable from 10.200.0.1. Anyone have any thoughts about what is going wrong here? The upstream provider is adamant that this is "customer error".

Thanks in advance, Darren
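As an added illustration (not code from this thread), here is a Python check that models why a single-address pool carved out of a /29 with prefix-length 30 can show allocated 0 with a rising misses counter while the neighbouring pool works, and why prefix-length 29 to match the block avoids it. It assumes IOS will not hand out a pool address that is the network or broadcast address of the subnet implied by the pool's own prefix-length; the block 203.0.113.184/29 is a constructed stand-in for the /29 on the page.

```python
import ipaddress

# Constructed stand-in for the /29 block in the thread (documentation range).
BLOCK = ipaddress.ip_network("203.0.113.184/29")


def pool_usable_addresses(start, end, prefix_length):
    """Split an IOS-style 'ip nat pool START END prefix-length N' into the
    addresses IOS can allocate and the ones it cannot.

    Assumption (modelled, not quoted from Cisco docs): an address that is the
    network or broadcast address of its /prefix_length subnet is rejected, which
    is what 'allocated 0 (0%), misses N' in 'show ip nat statistics' looks like.
    """
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    usable, rejected = [], []
    for i in range(int(first), int(last) + 1):
        addr = ipaddress.ip_address(i)
        subnet = ipaddress.ip_network(f"{addr}/{prefix_length}", strict=False)
        if addr in (subnet.network_address, subnet.broadcast_address):
            rejected.append(str(addr))
        else:
            usable.append(str(addr))
    return usable, rejected


def check_pool(start, end, prefix_length, block=BLOCK):
    """Lint one pool: which addresses are allocatable, whether they lie inside
    the routed block, and whether the prefix-length matches the block."""
    usable, rejected = pool_usable_addresses(start, end, prefix_length)
    in_block = all(ipaddress.ip_address(a) in block for a in usable + rejected)
    return {
        "usable": usable,
        "rejected": rejected,
        "in_block": in_block,
        "prefix_matches_block": prefix_length == block.prefixlen,
    }


if __name__ == "__main__":
    # .186 under /30 sits in 203.0.113.184/30 as a host: works.
    # .187 under /30 is the broadcast of 203.0.113.184/30: never allocated.
    # .187 under /29 is an ordinary host of the block: works.
    for start, plen in (("203.0.113.186", 30), ("203.0.113.187", 30), ("203.0.113.187", 29)):
        print(start, f"prefix-length {plen}", check_pool(start, start, plen))
```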
I've got a Cisco 887 ISR that is sat behind another that provides internet connectivity. I have 3 VLANs (via a Catalyst 3750E) and all share this one internet connection. The Dialer interface on my 887 is unused, the WAN is accessed via FA0. I have a block of /29 routed to me.
Two of the VLANs are for a tenant company - for their data and voice requirements. In order for me to easily track their usage, I've set them up to NAT/PAT to a specific IP in the block. This has been achieved via an "ip nat pool" with a single IP - which seems to be a bit of a funky way to do it but it works, the tenant's PCs and phones all go out on the specified public IP.
The problem I'm having is that the tenant has acquired a mobile phone "3G booster" box, which is a box which is designed to plug into UPnP routers and "just works". When plugged into a consumer broadband modem it works, but it doesn't when connected to my Cisco network.
There is very little documentation available since it seems to be designed for very simple networks, but what documentation I could find tells me that in situations where UPnP is not available it needs the following ports forwarded to it:
50 (TCP/IP)
123 (UDP)
500 (UDP)
4500 (UDP)
Documentation on this unit is almost non-existent, but the port requirements above seem to suggest that it needs a remote device to be able to VPN to it, rather than initialising it from the inside out.
The problem I'm having is working out how to NAT'ify ESP to it, if that's what I should be doing. The "ip nat inside source static esp host <LAN IP>" command only takes an interface as the global part. If I use "ip nat inside source static esp host <LAN IP> interface vlan 1" then the NAT translations database shows the global IP as the first IP of the block, which isn't the one the VLAN is going out on... if that makes sense.
Here are the relevant parts of my config:
ip domain name mycompany.local
ip name-server 10.1.0.10
ip name-server 184.108.40.206
ip name-server 220.127.116.11
ip inspect log drop-pkt
ip inspect tcp reassembly queue length 1024
ip inspect tcp reassembly timeout 15
ip inspect tcp reassembly memory limit 4096
ip inspect name COMPANY-CBAC-INSPECT tcp router-traffic
ip inspect name COMPANY-CBAC-INSPECT udp router-traffic
ip inspect name COMPANY-CBAC-INSPECT icmp
ip inspect name COMPANY-CBAC-INSPECT ftp
ip inspect name COMPANY-CBAC-INSPECT http
ip inspect name COMPANY-CBAC-INSPECT https
ip cef
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
!
multilink bundle-name authenticated
!
cts logging verbose
license udi pid C887VA-W-E-K9 sn XXXX
!
controller VDSL 0
 shutdown
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport trunk allowed vlan 1,2,100,500,501,1002-1005
 switchport mode trunk
 no ip address
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport access vlan 100
 no ip address
!
interface wlan-ap0
 description Embedded Service module interface to manage the embedded AP
 ip unnumbered Vlan100
!
interface Vlan1
 description BRANCH (C887-VAW) to ISP (C887-VAM)
 ip address 18.104.22.168 255.255.255.248
 ip access-group COMPANY-INBOUND in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip inspect COMPANY-CBAC-INSPECT out
 ip virtual-reassembly in
!
interface Vlan100
 description BRANCH (C887-VAW) to SWITCH C3750E
 ip address 10.1.0.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan500
 description TENANT DATA
 ip address 10.100.0.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan501
 description TENANT VOICE
 ip address 10.101.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-top-talkers
 top 100
 sort-by bytes
!
no ip nat service sip udp port 5060
ip nat pool TENANT-WAN 22.214.171.124 126.96.36.199 prefix-length 30
ip nat inside source list TENANT-NAT-NET pool TENANT-WAN overload
ip nat inside source list COMPANY-NAT-NET interface Vlan1 overload
ip nat inside source static tcp 10.1.0.95 443 188.8.131.52 880 extendable
ip nat inside source static udp 10.1.0.20 5060 184.108.40.206 5060 extendable
ip nat inside source static tcp 10.1.0.20 35300 220.127.116.11 35300 extendable
ip nat inside source static 10.1.0.21 18.104.22.168 route-map ISP-SIP-DSP-RMAP
ip nat inside source static tcp 10.1.0.10 25 22.214.171.124 25 extendable
ip nat inside source static tcp 10.1.0.10 443 126.96.36.199 443 extendable
ip nat inside source static tcp 10.1.0.10 3389 188.8.131.52 3389 extendable
ip nat inside source static tcp 10.100.0.251 50 184.108.40.206 50 extendable
ip nat inside source static udp 10.100.0.251 123 220.127.116.11 123 extendable
ip nat inside source static udp 10.100.0.251 500 18.104.22.168 500 extendable
ip nat inside source static udp 10.100.0.251 4500 22.214.171.124 4500 extendable
ip route 0.0.0.0 0.0.0.0 126.96.36.199
ip ssh version 2
!
ip access-list extended TENANT-NAT-NET
 remark - TENANT NATified network infrastructure
 remark -- Block NAT traffic to RFC1918 addresses explicitly
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip 10.100.0.0 0.0.0.255 any
 permit ip 10.101.0.0 0.0.0.255 any
ip access-list extended ISP-SIP-DSP-ACL
 remark -- ISP inbound NATified SIP connectivity to phone system
 permit udp host 10.1.0.21 range 6000 40000 host 188.8.131.52
ip access-list extended COMPANY-INBOUND
 remark -- Inbound traffic from Internet
 permit tcp any gt 1023 any eq 443
 permit tcp any host 184.108.40.206 eq 50
 permit udp any host 220.127.116.11 eq ntp isakmp non500-isakmp
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
ip access-list extended COMPANY-NAT-NET
 remark -- COMPANY NATified network infrastructure
 remark -- Block NAT traffic to RFC1918 addresses explicitly
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.0.255 any
!
!
route-map ISP-SIP-DSP-RMAP permit 10
 match ip address ISP-SIP-DSP-ACL
!
!
end
Vlan 500 and 501 are the tenant VLANs, for data and voice respectively, the 3750 switch handles DHCP for both these networks. As said the above config is working fine in the sense that "COMPANY" has a public IP of 18.104.22.168 (Vlan 1) and "TENANT" has a public IP of 22.214.171.124 - and both parties can access the internet freely. The "3G box" has a static DHCP mapping on the 3750 switch to 10.100.0.251.
I also realise now that the ip nat inside source static tcp 10.100.0.251 50 126.96.36.199 50 extendable and permit tcp any host 188.8.131.52 eq 50 lines are wrong - since initially I was informed that it was TCP 50 that needed to be port-mapped, when I've subsequently found out that it's IP 50 (ESP).
Essentially what I'm trying to do - I think - is allow IPsec passthrough specifically on 184.108.40.206, but the only command I can enter that will do NAT translation for ESP is ip nat inside source static esp 10.100.0.251 interface vlan 1 - which doesn't work as stated because the translation appears as 220.127.116.11... so I guess this 3G box is going out on 18.104.22.168, and the remote host is trying to open a tunnel back to 22.214.171.124 but ESP is only translated on 126.96.36.199.
I hope I've explained it ok! Thanks in advance for any help that can be provided. Incidentally I cannot access or modify the configuration on the router connected to FA0 (the other side of Vlan 1, 188.8.131.52)
Currently running the following firmware... Modem FW Version: 130205_1433-4.02L.03.A2pv6C035j.d23j "modem ukfeature" was in my config, and after adding it can confirm that "Force UKFeatureBit SET" is present in the "show controller vdsl 0 console [number]" output. I didn't check beforehand unfortunately. Will keep an eye on the line and see if it helps. Thanks!
Thanks, would appreciate that. Our SNR is low here too, and line attenuation is pretty high. Despite that we consistently sync at over 70Mb down. In fact, like you, being able to sync lower would probably result in a more stable line.
I'm afraid not. As things stand our line is behaving very strangely. At present there are no Reed-Solomon EC errors being reported, instead they've been replaced by thousands of CRC & Header errors - also for reasons unexplained. Our providers have tried to be helpful, but Vodafone have been next to useless. The only supported configuration is with the white Openreach box in front of the router. The fact that I would cease to see ANY information like this if that was the configuration doesn't seem to matter (or register) to them. I could put the white box in front, still have thousands of errors happening but the difference is that I would be then oblivious to them. That's not a solution in my book. So yeah, I haven't progressed this any further. The only reason I haven't been shouting thus far is that in spite of these errors the line appears to be functioning - I haven't had any complaints about dropped connections, and speed tests are uniformly fast. I've hit a brick wall with it really.
Hi, I've recently set up a C887VA-W-E-K9 router to connect to Vodafone fibre 80/20. It's my first time setting up an xDSL circuit from scratch on these routers so I don't know if the config is 100% right - but it is working anyway (much to my delight). After an initial teething period of unexplained CRC & header errors, and chronically low download speeds (~6Mbps download, 19Mbps upload) the line seems to have "settled". Despite being told we would likely only be able to get around 50Mbps due to our distance from the cabinet, the router is reporting attainable speeds in the 80s, and syncing consistently over 73Mbps. Although no one has complained of any issues in the office that I'm aware of, I am seeing consistently high Reed-Solomon EC values in the statistics for the VDSL controller. The fact the rest of the numbers there are zero makes me think it shouldn't be this high? Here is the output from sh controller vdsl 0, taken about 30 minutes after I cleared the counters on it:

Controller VDSL 0 is UP

Daemon Status:            Up

                        XTU-R (DS)              XTU-C (US)
Chip Vendor ID:         'BDCM'                   'IFTN'
Chip Vendor Specific:   0x0000                   0xB203
Chip Vendor Country:    0xB500                   0xB500
Modem Vendor ID:        'CSCO'                   '    '
Modem Vendor Specific:  0x4602                   0x0000
Modem Vendor Country:   0xB500                   0x0000
Serial Number Near:     FCZ17****** C887VA-W 15.3(3)M3
Serial Number Far:      55023*****
Modem Version Near:     15.3(3)M3
Modem Version Far:      0xb203

Modem Status:            TC Sync (Showtime!)
DSL Config Mode:         AUTO
Trained Mode:            G.993.2 (VDSL2) Profile 17a
TC Mode:                 PTM
Selftest Result:         0x00
DELT configuration:      disabled
DELT state:              not running
Trellis:                 ON                       ON
SRA:                     disabled                 disabled
 SRA count:              0                        0
Bit swap:                enabled                  enabled
 Bit swap count:         0                        0
Line Attenuation:        0.0 dB                   0.0 dB
Signal Attenuation:      0.0 dB                   0.0 dB
Noise Margin:            6.3 dB                   9.8 dB
Attainable Rate:         86392 kbits/s            28273 kbits/s
Actual Power:            12.7 dBm                 4.5 dBm
Per Band Status:        D1      D2      D3      U0      U1      U2      U3
Line Attenuation(dB):   10.9    25.7    39.9    0.6     20.4    31.5    N/A
Signal Attenuation(dB): 10.9    25.7    39.9    0.6     20.2    31.4    N/A
Noise Margin(dB):       6.3     6.3     6.3     10.2    10.0    9.6     N/A
Total FECC:              107824                   69
Total ES:                1                        3
Total SES:               0                        0
Total LOSS:              0                        0
Total UAS:               0                        0
Total LPRS:              0                        0
Total LOFS:              0                        0
Total LOLS:              0                        0

Full inits:              1
Failed full inits:       0
Short inits:             0
Failed short inits:      0

Firmware        Source          File Name (version)
--------        ------          -------------------
VDSL            embedded        VDSL_LINUX_DEV_01212008 (1)

Modem FW  Version:      130205_1433-4.02L.03.A2pv6C035j.d23j
Modem PHY Version:      A2pv6C035j.d23j
Vendor Version:         Ap6v35j.23j 68

                        DS Channel1     DS Channel0   US Channel1   US Channel0
Speed (kbps):                  0            73775             0          20000
SRA Previous Speed:            0                0             0              0
Previous Speed:                0                0             0              0
Reed-Solomon EC:               0           107824             0             69
CRC Errors:                    0                1             0              3
Header Errors:                 0                0             0              0
Interleave (ms):            0.00             8.00          0.00           0.00
Actual INP:                 0.00             3.00          0.00           0.00

Training Log :  Stopped
Training Log Filename : flash:vdsllog.bin

As you can see - the Reed-Solomon EC count is already at 107,824 and it carries on rising into the millions. There doesn't seem to be any particular consistency to it. I've been in contact with our broadband providers who haven't really been able to help, and insist that we have to use the BT Openreach modem in front of our router otherwise it's not a supported configuration. Vodafone also told them the same thing when it was escalated.
I've also been told - which I don't believe - that the 887VA can't support 80/20 VDSL, but the CPU utilisation on it barely goes above 15% even with CBAC and IPSEC active, so it seems meaty enough. Vodafone also gave me a load of settings that don't (I think?) apply to VDSL at all - e.g. VCI, VPI and VC-Mux/VC-based multiplexing? I can't see any way of setting these on the Dialer0 interface, and the ATM0 interface is administratively down as it's unused. Can anyone shed any light on this? Is our "Noise margin" too low? Could a mismatch of MTU cause this kind of problem? (Currently I have no MTU settings explicitly set, and sh int shows it as 1500 - which Vodafone also said we should aim for.) I should point out that, speed-wise, the speed tests I've run have consistently shown download speeds of ~70Mbps, and upload of ~18Mbps, and there haven't been any desyncs that I've seen - so whatever is causing those Reed-Solomon EC numbers doesn't seem to be adversely affecting the line or the quality of service.
Hi Paul, Thanks for that. At initial glance it doesn't seem to have fixed it, though it's hard to tell sometimes because it seems like the integrated wlan IOS "remembers" sessions and lets me in with just one login. Other times, when it's "cold", it doesn't. Not the end of the world, but annoying. Thanks for your help :)
Hi, I recently acquired a C887VA-W-E-K9 router and have been trying to configure it for VDSL & wireless. I have got as far as a basic configuration, however when I enter service-module wlan-ap 0 session I am prompted to enter a username and password twice before I am dropped into exec mode. I am connecting to the router via SSH, rather than the console, if that matters. Router config:

aaa new-model
...
aaa authentication login default local
aaa authorization exec default local
...
username admin privilege 15 secret 5 XXXXX

AP config has the same lines as above. Since service-module wlan-ap 0 session shows a banner (which I have only configured in the main router config, not within the AP IOS config) I am assuming at this point that the first prompt for username & password is actually for the router, and the second prompt is for the AP? Is there a way I can simply disable the need to log in at all when I type service-module wlan-ap 0 session, since I would guess this is an EXEC-only command anyway? Logging into the AP when I'm already logged in and exec'd to the router seems like an unnecessarily overcomplicated step? Thanks in advance for any advice given :)
In a manner of speaking, yes. As per the replies in this thread the issue was not with my ASA but with Virgin Media's network. Shortly after I reported the problem to them the problem went away and hasn't reoccurred since.
Hi, Sorry for the late update but I wanted to leave it over the weekend to run some more tests. Having checked the logs for the cable modem I can see that there are errors showing that correspond to the times that the outside connection appears to drop, which corroborates the opinion that it is the "next hop" that is at fault, not the ASA itself...

Sun Mar 13 01:20:23 2011  Sun Mar 13 01:20:23 2011  Critical (3)  SYNC Timing Synchronization failure - Loss of Sync;CM-MAC=00:22:68:f0:77:20;CMTS-MAC=00:30:b8:d2:14:50;CM-QOS=1.1;CM-VER=3.0;
Sun Mar 13 01:20:27 2011  Sun Mar 13 01:20:27 2011  Warning (5)   Lost MDD Timeout;CM-MAC=00:22:68:f0:77:20;CMTS-MAC=00:30:b8:d2:14:50;CM-QOS=1.1;CM-VER=3.0;
Sun Mar 13 01:20:49 2011  Sun Mar 13 01:21:18 2011  Critical (3)  No Ranging Response received - T3 time-out
Sun Mar 13 01:21:20 2011  Sun Mar 13 01:21:20 2011  Critical (3)  Ranging Request Retries exhausted
Sun Mar 13 01:21:20 2011  Sun Mar 13 01:21:20 2011  Critical (3)  Unicast Maintenance Ranging attempted - No response - Retries exhausted
Sun Mar 13 01:21:39 2011  Sun Mar 13 01:21:39 2011  Warning (5)   MIMO Event MIMO: Stored MIMO=0 post cfg file MIMO=-1;CM-MAC=00:22:68:f0:77:20;CMTS-MAC=00:30:b8:d2:14:50;CM-QOS=1.1;CM-VER=3.0;

(The above is probably meaningless in the context of Cisco ASAs but I am including it so that anyone with a similar problem might find it on a search engine.)

Thanks for all the help; for the moment I will consider this matter resolved from the point of view of my Cisco equipment.
Ok, it happened again; this time I switched debug arp on to see what was happening. I have attached the file showing the output from this. You can see that until I shut down the interface and bring it back up again it just keeps repeating the same two lines:

arp-req: generating request for 184.108.40.206 at interface outside
arp-req: request for 220.127.116.11 still pending

...after the interface is shut down and brought back up, I get:

arp-req: generating request for 18.104.22.168 at interface outside
arp-req: request for 22.214.171.124 still pending
arp-send: arp request built from 126.96.36.199 001e.f715.7a75 for 188.8.131.52 at 12461760
arp-in: response at outside from 184.108.40.206 0030.b8d2.1450 for 220.127.116.11 001e.f715.7a75
arp-set: added arp outside 18.104.22.168 0030.b8d2.1450 and updating NPs at 12461800
arp-in: resp from 22.214.171.124 for 126.96.36.199 on outside at 12461800

...and internet connectivity resumes. Hope this provides some more info.
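As an added example (not from the thread or from Cisco), here is a small Python parser for the debug arp line formats quoted above that tells the two states apart: a next hop whose request keeps being logged as "still pending" without ever being sent, versus one that is sent, answered and installed by arp-set. The sample lines are constructed to mirror the post's format; the addresses and MACs are made up and the threshold of three pending repeats is an assumption.

```python
import re

# Constructed samples modelled on the 'debug arp' lines in the post above
# (addresses and MACs are made up, not the ones on the page).
STUCK_LOG = """\
arp-req: generating request for 203.0.113.1 at interface outside
arp-req: request for 203.0.113.1 still pending
arp-req: generating request for 203.0.113.1 at interface outside
arp-req: request for 203.0.113.1 still pending
arp-req: generating request for 203.0.113.1 at interface outside
arp-req: request for 203.0.113.1 still pending
"""

RECOVERED_LOG = """\
arp-req: generating request for 203.0.113.1 at interface outside
arp-req: request for 203.0.113.1 still pending
arp-send: arp request built from 203.0.113.2 0200.0000.0002 for 203.0.113.1 at 12461760
arp-in: response at outside from 203.0.113.1 0200.0000.0001 for 203.0.113.2 0200.0000.0002
arp-set: added arp outside 203.0.113.1 0200.0000.0001 and updating NPs at 12461800
arp-in: resp from 203.0.113.1 for 203.0.113.2 on outside at 12461800
"""

PENDING = re.compile(r"^arp-req: request for (\S+) still pending")
SENT = re.compile(r"^arp-send: arp request built from \S+ \S+ for (\S+)")
SET = re.compile(r"^arp-set: added arp \S+ (\S+) (\S+)")


def analyze_arp_debug(text, pending_threshold=3):
    """Walk 'debug arp' output and classify each target address.

    'stuck' means "still pending" was logged at least pending_threshold times
    with no arp-send for that target, i.e. the request is queued but never put
    on the wire (the loop the post describes before the shut/no shut).
    'resolved' means an arp-set line recorded a MAC for the target.
    """
    state = {}

    def entry(ip):
        return state.setdefault(ip, {"pending": 0, "sent": False, "mac": None})

    for line in text.splitlines():
        m = PENDING.match(line)
        if m:
            entry(m.group(1))["pending"] += 1
            continue
        m = SENT.match(line)
        if m:
            s = entry(m.group(1))
            s["sent"], s["pending"] = True, 0  # a real request went out
            continue
        m = SET.match(line)
        if m:
            entry(m.group(1))["mac"] = m.group(2)

    return {
        ip: {
            "stuck": s["pending"] >= pending_threshold and not s["sent"],
            "resolved": s["mac"] is not None,
            "mac": s["mac"],
            "pending": s["pending"],
        }
        for ip, s in state.items()
    }


if __name__ == "__main__":
    print("before shut/no shut:", analyze_arp_debug(STUCK_LOG))
    print("after shut/no shut: ", analyze_arp_debug(RECOVERED_LOG))
```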