Help with Nat NVI0

Feb 26th, 2014

Please inform me on how to get NVI0 up... NAT is enabled and nvi0 is still administratively down



SPFORT-RTR-881>en

Password:

SPFORT-RTR-881#sh ip int

FastEthernet0 is up, line protocol is down

  Internet protocol processing disabled

FastEthernet1 is up, line protocol is down

  Internet protocol processing disabled

FastEthernet2 is up, line protocol is down

  Internet protocol processing disabled

FastEthernet3 is up, line protocol is down

  Internet protocol processing disabled

FastEthernet4 is up, line protocol is down

  Internet address is 208.83.93.154/30

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1500 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is enabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are always sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is enabled, interface in domain outside

  BGP Policy Mapping is disabled

  Input features: Stateful Inspection, Virtual Fragment Reassembly, IPSec input classification, Virtual Fragment Reassembly After IPSec Decryption, NAT Outside, MCI Check

  Output features: CCE Output Classification, Post-routing NAT Outside, Post-routing NAT NVI Output, Stateful Inspection, IPSec output classification, IPSec: to crypto engine, Post-encryption output features

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

NVI0 is administratively down, line protocol is down

  Interface is unnumbered. Using address of FastEthernet4 (208.83.93.154)

  Broadcast address is 255.255.255.255

  MTU is 1514 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is enabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are always sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  IP fast switching is disabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is disabled

  IP Null turbo vector

  IP Null turbo vector

  IP multicast fast switching is disabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is disabled

  BGP Policy Mapping is disabled

  Input features: MCI Check

  Output features: Post-routing NAT NVI Output

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

Tunnel100 is up, line protocol is down

  Internet address is 10.250.250.1/30

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1400 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Multicast reserved groups joined: 224.0.0.1 224.0.0.2 224.0.0.22 224.0.0.13

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is enabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are always sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP Null turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is disabled

  BGP Policy Mapping is disabled

  Input features: MCI Check

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

Tunnel101 is up, line protocol is down

  Internet address is 10.251.251.1/30

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1400 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Multicast reserved groups joined: 224.0.0.1 224.0.0.2 224.0.0.22 224.0.0.13

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is enabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are always sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP Null turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is disabled

  BGP Policy Mapping is disabled

  Input features: MCI Check

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

Tunnel110 is up, line protocol is down

  Internet address is 10.250.250.5/30

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1400 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Multicast reserved groups joined: 224.0.0.1 224.0.0.2 224.0.0.22 224.0.0.13

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is enabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are always sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP Null turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is disabled

  BGP Policy Mapping is disabled

  Input features: MCI Check

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

Tunnel111 is up, line protocol is down

  Internet address is 10.251.251.5/30

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1400 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Multicast reserved groups joined: 224.0.0.1 224.0.0.2 224.0.0.22 224.0.0.13

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is enabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are always sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP Null turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is disabled

  BGP Policy Mapping is disabled

  Input features: MCI Check

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

Tunnel120 is up, line protocol is down

  Internet address is 10.250.250.9/30

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1400 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Multicast reserved groups joined: 224.0.0.1 224.0.0.2 224.0.0.22 224.0.0.13

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is enabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are always sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP Null turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is disabled

  BGP Policy Mapping is disabled

  Input features: MCI Check

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

Tunnel121 is up, line protocol is down

  Internet address is 10.251.251.9/30

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1400 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Multicast reserved groups joined: 224.0.0.1 224.0.0.2 224.0.0.22 224.0.0.13

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is enabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are always sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP Null turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is disabled

  BGP Policy Mapping is disabled

  Input features: MCI Check

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

Vlan1 is up, line protocol is down

  Internet address is 172.16.1.190/26

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1500 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Multicast reserved groups joined: 224.0.0.1 224.0.0.2 224.0.0.22 224.0.0.13

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is enabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are always sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP Null turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is enabled, interface in domain inside

  BGP Policy Mapping is disabled

  Input features: Stateful Inspection, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, MCI Check

  Output features: NAT Inside, Stateful Inspection

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

Vlan10 is up, line protocol is down

  Internet protocol processing disabled




thanks for the help in advance... been stuck on this for a while

Rick Wed, 02/26/2014 - 15:05

Hello Blake.


Can you share your NAT configuration? NVI0 interface is meant for the "nat enable" feature so if you are using static NAT or PAT NVI0 will appear down.

bwalters5 Thu, 02/27/2014 - 05:27

The Router that this config is running on shows the NVI0 up/up. I'm trying to config a clone to have as a backup. I copied the config from the router that is in service, but cannot get the NVI0 up.


SPFORT-RTR-881#sh ip nat statistics
Total active translations: 2 (2 static, 0 dynamic; 2 extended)
Peak translations: 2, occurred 16:12:42 ago
Outside interfaces:
  FastEthernet4, Vlan10
Inside interfaces:
  Tunnel10, Vlan1
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] route-map ISP1 interface FastEthernet4 refcount 0
[Id: 2] route-map ISP2 interface Vlan10 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
SPFORT-RTR-881#

Rick Thu, 02/27/2014 - 09:36

Blake,


Unless you use the "ip nat enable" command, the NVI interface will not come up. Your normal NAT/PAT will work just fine and this is not something you need to worry about. I am not sure I can explain at this time why one router has the NVI up/up and not the other but I am sure NAT will work on your clone.


Here is some further information about NVI and when it should be used:


http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/12-4t/nat-12-4t-book/iadnat-addr-consv.html#GUID-E7293F63-C812-4C67-A086-1991E50F21FF


If you are able to share your configs, we can probably dive a little deeper into this.

bwalters5 Thu, 02/27/2014 - 09:46

here is the entire config


SPFORT-RTR-881#sh run
Building configuration...


Current configuration : 6949 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SPFORT-RTR-881
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password
!
no aaa new-model
memory-size iomem 10
clock timezone CST -6
clock summer-time CDT recurring
!
!
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.1.129 172.16.1.184
ip dhcp excluded-address 172.16.1.188 172.16.1.190
!
ip dhcp pool myPool
   import all
   network 172.16.1.128 255.255.255.192
   default-router 172.16.1.190
   dns-server 4.2.2.2
!
!
ip cef
no ip domain lookup
ip multicast-routing
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key address 74.113.93.114
crypto isakmp key  address 74.113.89.171
crypto isakmp key address 74.113.91.2
crypto isakmp key  address 65.15.201.19
crypto isakmp key address 199.72.150.130
!
!
crypto ipsec transform-set secure_transform esp-aes 256 esp-sha-hmac
!
crypto map MASTER_CRYPTO_MAP 10 ipsec-isakmp
set peer 74.113.93.114
set transform-set secure_transform
match address to_Mobile
crypto map MASTER_CRYPTO_MAP 20 ipsec-isakmp
set peer 74.113.89.171
set transform-set secure_transform
match address to_HEI
crypto map MASTER_CRYPTO_MAP 30 ipsec-isakmp
set peer 74.113.91.2
set transform-set secure_transform
match address to_Calvert
crypto map MASTER_CRYPTO_MAP 40 ipsec-isakmp
set peer 65.15.201.19
set transform-set secure_transform
match address to_OceanSprings
crypto map MASTER_CRYPTO_MAP 50 ipsec-isakmp
set peer 199.72.150.130
set transform-set secure_transform
match address to_TK
!
archive
log config
  logging enable
  hidekeys
path ftp://192.168.0.29/SpanishFort-881
write-memory
!
!
ip ftp source-interface Vlan1
ip ftp username HEI
ip ftp password
!
track 10 ip sla 1 reachability
delay down 1 up 1
!
track 20 ip sla 2 reachability
delay down 1 up 1
!
!
!
interface Tunnel10
no ip address
ip nat inside
ip nat enable
ip virtual-reassembly
!
interface Tunnel100
description ***Tunnel_To_Mobile***
ip address 10.250.250.1 255.255.255.252
ip mtu 1400
ip pim version 1
ip pim sparse-dense-mode
tunnel source FastEthernet4
tunnel destination 74.113.93.114
!
interface Tunnel101
description ***Tunnel_To_Mobile_Backup***
ip address 10.251.251.1 255.255.255.252
ip mtu 1400
ip pim version 1
ip pim sparse-dense-mode
tunnel source Vlan10
tunnel destination 74.113.93.114
!
interface Tunnel110
description ***Tunnel_To_Calvert***
ip address 10.250.250.5 255.255.255.252
ip mtu 1400
ip pim version 1
ip pim sparse-dense-mode
tunnel source FastEthernet4
tunnel destination 74.113.91.2
!
interface Tunnel111
description ***Tunnel_To_Calvert_Backup***
ip address 10.251.251.5 255.255.255.252
ip mtu 1400
ip pim version 1
ip pim sparse-dense-mode
tunnel source Vlan10
tunnel destination 74.113.91.2
!
interface Tunnel120
description ***Tunnel_To_OceanSprings***
ip address 10.250.250.9 255.255.255.252
ip mtu 1400
ip pim version 1
ip pim sparse-dense-mode
tunnel source FastEthernet4
tunnel destination 65.15.201.19
!
interface Tunnel121
description ***Tunnel_To_OceanSprings_Backup***
ip address 10.251.251.9 255.255.255.252
ip mtu 1400
ip pim version 1
ip pim sparse-dense-mode
tunnel source Vlan10
tunnel destination 65.15.201.19
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 10
!
interface FastEthernet4
description ***Outside***
ip address 208.83.93.154 255.255.255.252
ip nat outside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
crypto map MASTER_CRYPTO_MAP
!
interface Vlan1
description ***Inside***
ip address 172.16.1.190 255.255.255.192
ip pim version 1
ip pim sparse-dense-mode
ip nat inside
ip nat enable
ip virtual-reassembly
ip igmp join-group 225.8.11.81
!
interface Vlan10
description To_Verizon_4G
ip dhcp client client-id FastEthernet3
ip address dhcp
ip nat outside
ip nat enable
ip virtual-reassembly
crypto map MASTER_CRYPTO_MAP
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.83.93.153 track 10
ip route 0.0.0.0 0.0.0.0 166.150.80.5 track 20
ip route 172.16.1.0 255.255.255.192 Tunnel110
ip route 172.16.1.0 255.255.255.192 Tunnel111 10
ip route 172.16.1.64 255.255.255.192 Tunnel100
ip route 172.16.1.64 255.255.255.192 Tunnel101 10
ip route 172.16.1.192 255.255.255.192 Tunnel120
ip route 172.16.1.192 255.255.255.192 Tunnel121 10
no ip http server
no ip http secure-server
!
!
ip pim bidir-enable
ip pim rp-address 172.16.1.126
ip nat inside source route-map ISP1 interface FastEthernet4 overload
ip nat inside source route-map ISP2 interface Vlan10 overload
ip nat inside source static udp 172.16.1.184 5198 208.83.93.154 5198 extendable
ip nat inside source static udp 172.16.1.184 5199 208.83.93.154 5199 extendable
!
ip access-list extended acl_nat
deny   ip 172.16.1.128 0.0.0.63 172.16.1.0 0.0.0.63
deny   ip 172.16.1.128 0.0.0.63 172.16.1.64 0.0.0.63
deny   ip 172.16.1.128 0.0.0.63 172.16.1.192 0.0.0.63
deny   ip 172.16.1.128 0.0.0.63 172.16.2.0 0.0.0.63
deny   ip 172.16.1.128 0.0.0.63 192.168.0.0 0.0.0.255
permit ip 172.16.1.128 0.0.0.63 any
ip access-list extended to_Calvert
permit gre host 208.83.93.154 host 74.113.91.2
permit gre host 166.150.80.6 host 74.113.91.2
ip access-list extended to_HEI
permit ip 172.16.1.128 0.0.0.63 192.168.0.0 0.0.0.255
ip access-list extended to_Mobile
permit gre host 208.83.93.154 host 74.113.93.114
permit gre host 166.150.80.6 host 74.113.93.114
ip access-list extended to_OceanSprings
permit gre host 208.83.93.154 host 65.15.201.19
permit gre host 166.150.80.6 host 65.15.201.19
ip access-list extended to_TK
permit ip 172.16.1.128 0.0.0.63 172.16.2.0 0.0.0.63
!
ip sla 1
icmp-echo 208.83.93.153
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 198.224.156.135
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now
snmp-server community HEIc0mStr8ng RO
snmp-server trap-source Vlan1
snmp-server location SpanishFort
snmp-server contact Dial HEI Support at # 434-4000
snmp-server enable traps tty
snmp-server enable traps envmon
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec tunnel stop
snmp-server host 192.168.0.29 version 2c HEIc0mStr8ng
!
!
!
!
route-map ISP2 permit 10
match ip address acl_nat
match interface Vlan10
!
route-map ISP1 permit 10
match ip address acl_nat
match interface FastEthernet4
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password
login
!
scheduler max-task-time 5000
ntp source Vlan1
ntp update-calendar
ntp server 192.168.0.2
end

Rick Thu, 02/27/2014 - 10:20

Thank you Blake.


I am confirming you are using normal NAT based on your configuration; therefore, the "ip nat enable" commands in tunnel10, FastEthernet4, int vlan 1 and int vlan 10 are not needed. In some IOS versions, sometimes you enable "ip nat outside" or "ip nat inside" and this for some reason brings up the NVI interface but it does not get used for translations at all.


If your router is in production, you can schedule a maintenance window to remove the "ip nat enable" command to confirm it is not needed and your translations will still function.
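
The check described in the reply above, as an added example that is not part of the thread and not Cisco code: a Python script that reads a running config and reports interfaces carrying "ip nat enable" when every translation rule is the inside/outside form. It assumes NVI rules are the global "ip nat source ..." statements; the names parse_nat and audit_nat and the sample excerpt are constructed for illustration.

```python
import re

# Constructed sample: NAT-related lines excerpted from the running config posted
# in the thread, flattened (no indentation) the way the forum rendered it.
SAMPLE_CONFIG = """\
interface Tunnel10
no ip address
ip nat inside
ip nat enable
!
interface Tunnel100
ip address 10.250.250.1 255.255.255.252
!
interface FastEthernet4
ip address 208.83.93.154 255.255.255.252
ip nat outside
ip nat enable
!
interface Vlan1
ip address 172.16.1.190 255.255.255.192
ip nat inside
ip nat enable
!
interface Vlan10
ip address dhcp
ip nat outside
ip nat enable
!
ip nat inside source route-map ISP1 interface FastEthernet4 overload
ip nat inside source route-map ISP2 interface Vlan10 overload
ip nat inside source static udp 172.16.1.184 5198 208.83.93.154 5198 extendable
"""

# Interface-level NAT statements, matched exactly so they are not confused
# with the global "ip nat inside source ..." rules in an unindented paste.
IFACE_NAT = {"ip nat inside": "inside", "ip nat outside": "outside",
             "ip nat enable": "enable"}


def parse_nat(config):
    """Return (interface -> NAT flags, legacy rules, NVI rules)."""
    ifaces, legacy, nvi, current = {}, [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            ifaces[current] = set()
        elif line == "!":
            current = None          # "!" closes the interface stanza
        elif re.match(r"ip nat (inside|outside) source\b", line):
            legacy.append(line)     # global rule for inside/outside (legacy) NAT
        elif re.match(r"ip nat source\b", line):
            nvi.append(line)        # global rule for NVI NAT (assumed form)
        elif current and line in IFACE_NAT:
            ifaces[current].add(IFACE_NAT[line])
    return ifaces, legacy, nvi


def audit_nat(config):
    """List (interface, finding) pairs for NAT statements that no rule uses."""
    ifaces, legacy, nvi = parse_nat(config)
    findings = []
    for name, flags in ifaces.items():
        if "enable" in flags and not nvi:
            findings.append((name, "ip nat enable set, no 'ip nat source' rule"))
        if flags & {"inside", "outside"} and not legacy:
            findings.append((name, "ip nat inside/outside set, no legacy rule"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_nat(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Run against the excerpt, it flags Tunnel10, FastEthernet4, Vlan1 and Vlan10, the same four interfaces named in the reply.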
