1811 Router NAT problems

Unanswered Question
Sep 4th, 2009

I have a new 1811 and have configured for internet access using SDM. I can't access the internet from any of my internal ports. From my WAN port I can ping my gateway but not the internet. From my internal ports, I can ping the WAN on the router, but not the next hop gateway (my ISP router).

I just need it to work as a router, no firewall options, as it sits behind the ISP router.

I have 4 VLANS as well as the native.

It may seem obvious, I am not great on Cisco, I followed the tech notes and SDM to the letter, the damn thing just won't work (I have spent all day on it).

There may be some obvious things I didn't do, there you go, Cisco is so user friendly, I must have missed it...:>)

If anyone has any "oh, you just need to add this line and it will work" moments, then please let me know...

If anyone is prepared to have a look at my config, please let me know, I will upload it tomorrow (CET).

Thanks,

NM

Peter Paluch Sat, 09/05/2009 - 09:25

Hello Neil,

You're welcome. Please post the configuration here, as it is the starting point to have a look what the SDM has (or hasn't) done.

Best regards,

Peter

Peter Paluch Sat, 09/05/2009 - 13:13

Hello Neil,

I am having a look at your configuration.

Your switch ports do not seem to be assigned into VLANs - or more properly, the switchports are placed into VLAN1 except the switchport Fa5 which is configured as a trunk port. Is this how you want to have your ports assigned to VLANs? Also, do you need the Fa5 to be a trunk port?

The access-list 105 placed on the Fa0 interface does not permit receiving DHCP messages. It seems to me that if you connect to your ISP via Fa0, the router is not even able to get an IP address. Correctly, the access-list 105 should contain the following line anywhere before its last line:

access-list 105 permit udp any eq 67 any eq 68

I suppose you are going to correct the ACL using the SDM so take care to exactly copy the source and destination port (source is 67, destination is 68). The source and destination IP address must be "any" and the protocol is UDP. The action must be PERMIT. Once again, this entry must be placed before the last line, preferably under the "permit" lines with the ICMP protocol.

On your Fa1 port, you also have a DHCP client configured. Is that necessary? Are you using that port to connect to outside world? If not I suggest removing the "ip address dhcp client-id FastEthernet1" from the interface. Note that even if you do use it for outside connectivity, the NAT configuration still references the Fa0 interface so it would need to be modified as well.

Apart from this, your configuration seems to be OK. I suggest sticking with the VLAN1 for now and trying to get it running. Most certainly, the ACL 105 must be corrected as suggested earlier.

Please give it a try and let us know if it worked. If it did not help please post your actual configuration again.

Thanks!

Best regards,

Peter

neilmac Sun, 09/13/2009 - 04:20

Hi, Peter.

Apologies for the late reply, I had to take a trip away for a week.

I have cleaned up the access lists, the entry you specify on 105 shows:

access-list 105 permit udp any eq bootps any eq bootpc

This is the line you asked me to add, but was already there I think.

I have attached the latest show run, and a jpeg of the network set up. This router will sit behind an ISP router, so for now we don't need any firewalling, we just need it to route the vlans to the internet.

In this config, FA0 is picking up an IP address, however anything on the LAN can ping the WAN IP Address but goes no further.

Please have a look at the new show run and please advise.

In this updated config, FA9 is the trunk port, used to connect to the LAN.

Many thanks,

Neil

Peter Paluch Sun, 09/13/2009 - 05:26

Hello Neil,

Thanks for adding the line to the ACL 105. I believe it was not there, at least according to your earlier configuration you have posted here. Nevertheless, it is there now as it should.

Neil, currently you are using the ACL 2 to select the inside networks eligible for NAT. That ACL does not contain the network 192.168.1.0/24. Is that intentional?

As your configuration looks basically OK, I believe that there is only some glitch in the existing ACLs and firewalls. I suggest removing all the ACLs from your interfaces. You may do it in SDM but personally I suggest doing it by hand. You may paste the following commands into your router, they will do it:

configure terminal
interface fa0
no ip access-group 105 in
no ip inspect SDM_LOW out
int vlan1
no ip access-group 100 in
int vlan20
no ip access-group 101 in
int vlan 30
no ip access-group 102 in
int vlan40
no ip access-group 103 in
int vlan50
no ip access-group 104 in
end

Then give it a try. What I am suspecting is that the outside network is the 192.168.0.0/16. As you can see in ACL 105, it drops packets from such sources, as an outside interface does not expect to receive privately-addressed packets (what is "outside" is largely based upon what the administrator says, while the SDM has its own ideas here). That might be the cause why the outside network does not appear to respond.

In any case, when you do the experiment and it still does not work, please again enclose your current running configuration and also the output of these commands:

show ip route
show ip nat translation

Best regards,

Peter

neilmac Sun, 09/13/2009 - 11:15

Hi Peter.

All done, I also removed the deny entries for the non routable addresses.

From the router FA0 (WAN) I can ping the gateway and the internet. From the LAN I can ping the WAN, but not the ISP gateway, not anything beyond.

Please find attached Show run and show ip details. My test environment is currently using 192.168.100.x on the WAN, just to not confuse with 192.168.0.x, which will be the live dhcp on site.

Many thanks for the help, it's greatly appreciated.

Neil

Peter Paluch Sun, 09/13/2009 - 11:26

Hi Neil,

Your routing table currently contains only the network 192.168.1.0/24 on the Vlan1 - presumably the inside network - and the 192.168.100.0/24 on the Fa0 which is probably the outside network. Have you been doing the tests from the PC in the VLAN1?

Also, please note again that you are currently using the ACL 2 to determine the local addresses eligible for NAT translation, however, that ACL is missing the line:

access-list 2 permit 192.168.1.0 0.0.0.255

You need to add that line into the ACL 2, otherwise, the network 192.168.1.0/24 will not be subject to NAT translation.

Best regards,

Peter

neilmac Sun, 09/13/2009 - 11:36

Hi Peter.

All done, I also removed the deny entries for the non routable addresses.

From the router FA0 (WAN) I can ping the gateway and the internet. From the LAN I can ping the WAN, but not the ISP gateway, not anything beyond.

Please find attached Show run and show ip details. My test environment is currently using 192.168.100.x on the WAN, just to not confuse with 192.168.0.x, which will be the live dhcp on site.

Many thanks for the help, it's greatly appreciated.

Neil

Peter Paluch Sun, 09/13/2009 - 12:11

Neil,

You seem to have reposted the same configuration and experiment without correcting the ACL 2 as I suggested in my previous post. Can you please have a look at it?

Best regards,

Peter

neilmac Sun, 09/13/2009 - 15:26

It appended the show run to the end, so if you scroll down you will see it. I have cleaned it up, so now this is the show run as it currently stands.

Peter Paluch Sun, 09/13/2009 - 15:31

Hi Neil,

I stand by my observation. This is what I see in your "show run" output:

ip nat inside source list 2 interface FastEthernet0 overload

access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.4.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.5.0 0.0.0.255

The network 192.168.1.0/24 is missing from the ACL 2 and you are using the ACL 2 for NAT in the indicated "ip nat inside source" command. If your routing table hasn't changed from the last time, it will still contain only the network 192.168.1.0/24 so I assume that if you are doing any tests from a PC behind your router, it absolutely must be a member of the 192.168.1.0/24 network. So in order to test it properly, it must be present in the ACL 2.

Best regards,

Peter
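As an added illustration (not code from the thread, from Cisco, or from SDM), the following Python models how IOS evaluates the standard ACL named by "ip nat inside source list N" against an inside source address: first matching entry wins, wildcard 1-bits are don't-care bits, and an address matching no entry hits the implicit deny and is simply not translated. The sample config is the ACL 2 quoted above; the regex and function names are my own.

```python
import ipaddress
import re
# Constructed sample: the NAT statement and ACL 2 quoted in the thread above.
# The regex and function names below are my own, not IOS terms.
RUNNING_CONFIG = """
ip nat inside source list 2 interface FastEthernet0 overload
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.4.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.5.0 0.0.0.255
"""
ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$")
NAT_RE = re.compile(r"^ip nat inside source list (\d+) ")

def parse_standard_acls(config):
    """Return {acl_number: [(action, network_int, wildcard_int), ...]} in config order."""
    acls = {}
    for line in config.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # remarks and non-ACL lines carry no match logic
        num, action, src, wild = m.groups()
        if src == "any":
            net, mask = 0, 0xFFFFFFFF  # every bit is a don't-care bit
        elif src == "host":
            net, mask = int(ipaddress.IPv4Address(wild)), 0
        else:  # "network wildcard"; a bare address means wildcard 0.0.0.0
            net = int(ipaddress.IPv4Address(src))
            mask = int(ipaddress.IPv4Address(wild or "0.0.0.0"))
        acls.setdefault(int(num), []).append((action, net, mask))
    return acls

def acl_permits(aces, addr):
    """First matching entry decides; no match hits the implicit 'deny any'.
    Wildcard 1-bits are ignored, so only the bits the mask cares about are compared."""
    a = int(ipaddress.IPv4Address(addr))
    for action, net, mask in aces:
        if ((a ^ net) & ~mask & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False

def nat_eligible(config, inside_addr):
    """True if traffic from inside_addr is selected by 'ip nat inside source list N'."""
    acls = parse_standard_acls(config)
    for line in config.strip().splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            return acl_permits(acls.get(int(m.group(1)), []), inside_addr)
    return False  # no NAT statement at all
```

Running nat_eligible(RUNNING_CONFIG, "192.168.1.10") returns False, which is exactly why a PC in 192.168.1.0/24 reached the router's WAN address but nothing beyond it; appending the "access-list 2 permit 192.168.1.0 0.0.0.255" line makes it return True.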

neilmac Sun, 09/13/2009 - 16:51

Thanks, Peter.

I will add:

access-list 2 permit 192.168.1.0 0.0.0.255

and see how it goes.

I'll post back with info.

Neil

neilmac Tue, 09/15/2009 - 06:41

Hi, Peter.

There are 2 nat access lists, 1 and 2. Neither had 192.168.1.0 on it now they both do (as shown below). The latest show run is attached, I can't test this until tonight when I get the router home as the ip conflicts with my office network.

BTW, can you foresee any DNS problems with this ?

Neil

access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255

access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.4.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.5.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255

neilmac Tue, 09/15/2009 - 09:10

OK, I now have internet on the native VLAN 192.168.1.0, in that I can ping external addresses.

However, I have no DNS, so something amiss. Forwarders not working somewhere.

Last piece of the puzzle. Please help !

Neil

Lucien Avramov Tue, 09/15/2009 - 09:12

Have you configured the DNS server?

The command is ip name-server IPADDR_DNS_SERVER

Peter Paluch Tue, 09/15/2009 - 10:24

Hello Neil,

As Lucien has correctly pointed out, if you want the command line on your router to resolve names to IP addresses, you need to configure the

ip name-server DNS_IP_ADDRESS
ip domain-lookup

in your router. This command applies only to your router, however - not to your clients. If you want your router to also serve as a DNS server for your PC workstations, then add also this command:

ip dns server

and then set your clients to use the IP address of your router as the DNS server.

Regarding the ACL 1 - it is not presently used in your configuration so I suggest removing it because it is currently confusing to have two identical ACLs with only one being used.

Best regards,

Peter

neilmac Tue, 09/15/2009 - 11:08

At last !!

I seem to have internet now, thank you so much guys.

I am not able to test the trunk port, do you envisage any problem there of the vlans having issues ?

Peter Paluch Wed, 09/16/2009 - 10:41

Neil,

You have created and configured the VLAN interfaces but did you create the VLANs themselves? When you issue the command

show vlan-switch brief

do you see all the necessary VLANs?

Best regards,

Peter

neilmac Wed, 09/16/2009 - 23:06

Hi, Peter.

Well, I thought I had created the VLANS. I have sent the router to the customer now, so when they connect it I may have to go in remotely and correct this if it's an issue.

What commands do I need to add now ?

Neil
