NAT and ACL configuration

snoto1974
Level 1

It's been a while since the last time I worked on a router config. I'm having issues giving the inside network access to the internet via the GigabitEthernet0/0/0 interface. In the end I would like to have a redundant route to go out the GigabitEthernet0/0/1 interface, but I will work on that once I get the traffic flowing out of the primary network. Below is the start of my config. Can someone tell me what I am missing? Is my NAT or ACL wrong? Thanks in advance.

Current configuration : 1745 bytes
!
! Last configuration change at 17:17:30 UTC Tue Apr 25 2017
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no logging buffered
enable password <Removed>
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4331/K9 sn FDO20450SH5
!
spanning-tree extend system-id
!
username <Removed> privilege 15 password <Removed>
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description Primary Network
ip address <IP Removed> 
ip nat outside
ip nat allow-static-host
negotiation auto
!
interface GigabitEthernet0/0/1
description Secondary Network
ip address <IP removed> 
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/2
description To ASA Port 0
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip access-group 100 in
ip access-group 100 out
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 204.148.103.197
ip route 0.0.0.0 0.0.0.0 70.107.239.1 10
!
!
access-list 100 permit ip any any
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password <Removed>
login
!
!
end

16 Replies

Hi,

You have missed the NAT statement. Please add the following NAT statement:

ip nat inside source list 100 interface gig0/0/0 overload

Thanks. I want to use gig0/0/1 as the backup. Do I need the same command for the gig0/0/1 interface? I already added the weighted route for this interface.

Yes, but you need to set up IP SLA as well to track the route, and you need to add some additional commands as well to achieve the failover/redundancy.

ip route 4.2.2.2 255.255.255.255 204.148.103.197

!

ip sla 1
icmp-echo 4.2.2.2 source-ip < GigabitEthernet0/0/0 interface IP >
frequency 15
ip sla schedule 1 life forever start-time now

!

track 1 ip sla 1 reachability
delay down 45 up 15

!

no ip route 0.0.0.0 0.0.0.0 204.148.103.197

ip route 0.0.0.0 0.0.0.0 204.148.103.197 track 1
!

route-map PRIMARY permit 10
match ip address 100
match interface GigabitEthernet0/0/0
!
route-map SECONDARY permit 10
match ip address 100
match interface GigabitEthernet0/0/1

!

no ip nat inside source list 100 interface gig0/0/0 overload

no ip nat inside source list 100 interface gig0/0/1 overload

!

ip nat inside source route-map PRIMARY  interface GigabitEthernet0/0/0 overload
ip nat inside source route-map SECONDARY  interface GigabitEthernet0/0/1 overload

!

event manager applet NAT-TRACK
event syslog pattern "TRACKING-5-STATE"
action 0.1 cli command "enable"
action 0.2 wait 3
action 0.3 cli command "clear ip nat translation *"
action 0.4 syslog msg "NAT translation cleared after track state change"

If this is helpful please rate this or mark it as answered if you get a solution to this. :-)

I added everything to the config, but when I add the following commands I can no longer reach (ping, SSH) the public interface.

ip nat inside source route-map PRIMARY  interface GigabitEthernet0/0/0 overload
ip nat inside source route-map SECONDARY  interface GigabitEthernet0/0/1 overload

If I console into the router I'm able to ping public IP addresses. The good thing is, the NAT appears to be working. 

Any ideas on why I cannot reach the public IP of the router? I've had Cisco TAC look at the config and they can't find anything wrong with the config. 

Here is the latest config. 

Current configuration : 2443 bytes
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname CokeTSRouter
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no logging buffered
enable password <Removed>
!
no aaa new-model
!
!
subscriber templating
multilink bundle-name authenticated
!

!
license udi pid ISR4331/K9 sn FDO20450SH5
!
spanning-tree extend system-id
!
username <Removed> privilege 15 password <Removed>
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
delay down 45 up 15
!
!
!
interface GigabitEthernet0/0/0
description Primary Network
ip address <Removed> 255.255.255.252
ip nat outside
ip nat allow-static-host
negotiation auto
!
interface GigabitEthernet0/0/1
description Secondary Network
ip address <Removed> 255.255.255.0
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/2
description To ASA Port 0
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip access-group 100 in
ip access-group 100 out
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source route-map PRIMARY interface GigabitEthernet0/0/0 overload
ip nat inside source route-map SECONDARY interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 204.148.103.197
ip route 0.0.0.0 0.0.0.0 70.107.239.1 10
!
!
ip sla 1
icmp-echo 4.2.2.2 source-ip 204.148.103.198
frequency 15
ip sla schedule 1 life forever start-time now
access-list 100 permit ip any any
!
route-map PRIMARY permit 10
match ip address 100
match interface GigabitEthernet0/0/0
!
route-map SECONDARY permit 10
match ip address 100
match interface GigabitEthernet0/0/1
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password <Removed>
login
!
event manager applet NAT-TRACK
event syslog pattern "TRACKING-5-STATE"
action 0.1 cli command "enable"
action 0.2 wait 3
action 0.3 cli command "clear ip nat translation *"
action 0.4 syslog msg "NAT translation cleared after track state change"
!
end

Please add the primary route with track. Like the following


ip route 0.0.0.0 0.0.0.0 204.148.103.197 track 1

You can reach the primary (ping, SSH), but when the primary goes down you can reach the backup. Only one at a time (whichever is acting as primary), as many providers will not allow traffic coming from a subnet that does not belong to them.

Please rate if this is helpful.

Sorry, I originally had that route in the config, but when it didn't work I took it out during troubleshooting and forgot to put it back.

Anyway, I added the route with track and I am still having the same issue.

Can you post the show ip route output?

Run the ICMP debugs and check whether traffic is hitting the router or not:

"debug ip icmp"

I already had ICMP debugging on and my pings are not generating any logs.

A traceroute never makes it to the router gateway 70.107.239.1:

1 <1 ms <1 ms <1 ms 172.19.7.2
2 <1 ms <1 ms <1 ms 43.147.144.20
3 * * * Request timed out.
4 1 ms 1 ms 1 ms 12.166.247.1
5 5 ms 4 ms 4 ms 12.88.84.9
6 8 ms 6 ms 5 ms cr81.brhal.ip.att.net [12.123.22.14]
7 6 ms 5 ms 5 ms 12.122.29.53
8 4 ms 5 ms 3 ms 0.ae10.br3.atl4.alter.net [204.255.168.253]
9 * * * Request timed out.
10 23 ms 25 ms 23 ms a4-0-0-1737.ny325-dsl-rtr14.verizon-gni.net [130.81.9.182]
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.

I think I may have figured it out. I removed the "any any" ACL and replaced it with a specific ACL. I can now reach the outside interface of the router. I still have some more testing to do, but so far it looks to be working. Thank you so much for all your help.

Great. Please rate or mark your question as answered.

Well, I spoke too soon. I have access to the outside interface, but I broke the NAT. I will continue to work on it today.

Hi snoto,

This is because the same access-list 100 is used in the NAT as well. So keep access-list 100 the same (access-list 100 permit ip any any) and use another access-list, like 101, for the interface ACL.
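As an added example (not from the thread and not a Cisco tool), here is a small Python audit that finds the trap the last reply describes: an ACL that both selects NAT traffic (directly via "ip nat inside source list" or through a route-map's "match ip address") and filters an interface via "ip access-group", plus any NAT-selection ACL that is "permit ip any any". The embedded sample is a constructed extract of the relevant lines from the poster's final config; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the relevant lines of the poster's final config.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/2
 ip nat inside
 ip access-group 100 in
 ip access-group 100 out
!
ip nat inside source route-map PRIMARY interface GigabitEthernet0/0/0 overload
ip nat inside source route-map SECONDARY interface GigabitEthernet0/0/1 overload
access-list 100 permit ip any any
route-map PRIMARY permit 10
 match ip address 100
 match interface GigabitEthernet0/0/0
route-map SECONDARY permit 10
 match ip address 100
 match interface GigabitEthernet0/0/1
"""

def audit_nat_acls(config: str) -> dict:
    """Flag ACLs used both for NAT selection and interface filtering, and
    NAT-selection ACLs that are 'permit ip any any'."""
    iface_acls, nat_acls, nat_routemaps, any_any = set(), set(), set(), set()
    routemap_acls = defaultdict(set)   # route-map name -> ACLs it matches
    current_rm = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"route-map (\S+) (?:permit|deny) \d+$", line):
            current_rm = m.group(1)          # entering a route-map stanza
            continue
        if current_rm and line.startswith("match "):
            if line.startswith("match ip address "):
                routemap_acls[current_rm].update(line.split()[3:])
            continue
        current_rm = None                    # any other line ends the stanza
        if m := re.match(r"ip access-group (\S+) (?:in|out)$", line):
            iface_acls.add(m.group(1))
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            nat_acls.add(m.group(1))
        elif m := re.match(r"ip nat inside source route-map (\S+) ", line):
            nat_routemaps.add(m.group(1))    # resolved after the whole file is read
        elif m := re.match(r"access-list (\S+) permit ip any any$", line):
            any_any.add(m.group(1))
    for rm in nat_routemaps:                 # route-maps may be defined after use
        nat_acls |= routemap_acls[rm]
    return {"shared": sorted(nat_acls & iface_acls),
            "broad_nat": sorted(nat_acls & any_any)}
```

Calling audit_nat_acls(SAMPLE_CONFIG) reports ACL 100 under both keys; moving the interface filter to ACL 101, as the reply suggests, clears the "shared" finding while still noting that the NAT ACL is wide open.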
