
NAT not working on Cisco 887va

ryancisco01
Level 1

Hi guys, I have a Cisco 887 with an Internet link. There is a VPN which is currently working, but the users cannot access the Internet. I have another router of the same model with the exact same config that is working, but this one is not.

Here is the problem: using ping from the router, I can ping google.com sourced from VLAN 1. That works for me; I see my NAT access list get hit, and I can see a NAT translation. However, when a user connects to the router they get assigned an IP address (192.168.31.32 for example); they can ping the router (the default gateway), they can even ping the ATM interface of the router, however they cannot ping an Internet address such as 8.8.8.8, and when trying google.com DNS does not resolve.

The problem is, I do not see them hitting the access list, or any NAT translations. It's as if the traffic doesn't hit the router. The VPN tunnel works: the traffic goes via the tunnel for the users, and by doing ping source vlan1 from the router. Also, I have had to use a loopback interface because we are given a /32 IP range which cannot be applied directly to the dialer. Not sure if this has caused an issue, but it does work fine at another site. They have tried 4 different PCs, a wireless device and a laptop; all of them get a timeout when trying to ping 8.8.8.8. The traffic is not hitting the crypto map; I checked that already. Also, I have removed the crypto map from the dialer interface and the access list and it still didn't work.

Snippets of the config:

ip dhcp pool POOL
 network 192.168.31.0 255.255.255.0
 default-router 192.168.31.254
 dns-server 123.100.67.135 123.100.67.136 192.168.0.31
!
ip domain name example.com
ip name-server 123.100.67.135
ip name-server 123.100.67.136
no ipv6 cef
!
crypto map ipsec-blah 110 ipsec-isakmp
 **
 match address ADD-IF-encrypt
!
interface Loopback0
 ip address 123.123.123.123 255.255.255.255
 ip virtual-reassembly in
!
interface ATM0
 no ip address
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description DSL
 ip flow ingress
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
 no ip address
!
interface Vlan1
 ip address 192.168.31.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip unnumbered Loopback0
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in max-reassemblies 1024
 encapsulation ppp
 crypto map blah
!
ip nat inside source list 105 interface Loopback0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended ADD-IF-encrypt
 permit ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
!
access-list 105 deny   ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip 192.168.31.0 0.0.0.255 any


16 Replies

ryancisco01
Level 1

Ok weird. I might have got it working.

Saw an odd message in the logs:

VFR(in) is being used by other features. Will be disabled when no other feature needs VFR support on interface

I reloaded the router and noticed the command "ip virtual-reassembly in" had disappeared from under lo0. I added it back in and did not see that log again, and then straight away I saw a DNS request in the NAT xlate table, so that may have fixed it. No one is at site now to test, but will find out soon.

What exactly went wrong here?

Sorry for self-replying.

Still not working. When I connect to the built-in wifi module (which has address 192.168.31.30) I cannot ping 8.8.8.8 and nothing is seen in the NAT table.

Any help?

Hi,

Can you try this:

no ip nat inside source list 105 interface Loopback0 overload
ip nat inside source list 105 interface dialer0 overload

Regards

Alain

Don't forget to rate helpful posts.

Hi Alain, I tried that, but that broke the router's ability to ping the Internet. Changing it back to loopback0 restored the ability for the router to see the Internet, but the LAN still cannot access out.

Ryan

Can you try adding "ip nat outside" to your loopback interface.

Jon

Yep, tried it with ip nat outside on just the loopback, on just the dialer, and on both the dialer and loopback. Ping from the router will only work when the ip nat statement is on the dialer interface (it also works when it's on both), but none of the three combinations allows LAN Internet access.

Site that's working (same model router, config is identical line by line):

Total active translations: 184 (0 static, 184 dynamic; 184 extended)
Peak translations: 1521, occurred 1d14h ago
Outside interfaces:
  Dialer0, Loopback0, Virtual-Access2
Inside interfaces:
  Vlan1
Hits: 9374281  Misses: 0
CEF Translated packets: 9367037, CEF Punted packets: 7233
Expired translations: 76614
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 105 interface Loopback0 refcount 184
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

Site that's not working:

Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 5, occurred 2d17h ago
Outside interfaces:
  Dialer0, Loopback0, Virtual-Access2
Inside interfaces:
  Vlan1
Hits: 243  Misses: 0
CEF Translated packets: 105, CEF Punted packets: 24
Expired translations: 19
Dynamic mappings:
-- Inside Source
[Id: 8] access-list 105 interface Loopback0 refcount 0
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
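The two outputs above differ in one telling number: the working site's dynamic mapping shows refcount 184, while the broken site's shows refcount 0 with zero active translations, meaning inside traffic never matched the NAT rule at all. The following is an added example, not part of the thread: a small Python parser for this `show ip nat statistics` format plus a `diagnose()` helper that turns the counters into findings. The two sample outputs are constructed to mirror the posted ones.

```python
import re

# Constructed samples modelled on the two 'show ip nat statistics' outputs posted in the thread
WORKING_SITE = """\
Total active translations: 184 (0 static, 184 dynamic; 184 extended)
Peak translations: 1521, occurred 1d14h ago
Outside interfaces:
  Dialer0, Loopback0, Virtual-Access2
Inside interfaces:
  Vlan1
Hits: 9374281  Misses: 0
CEF Translated packets: 9367037, CEF Punted packets: 7233
Expired translations: 76614
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 105 interface Loopback0 refcount 184
Total doors: 0
"""
BROKEN_SITE = """\
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 5, occurred 2d17h ago
Outside interfaces:
  Dialer0, Loopback0, Virtual-Access2
Inside interfaces:
  Vlan1
Hits: 243  Misses: 0
CEF Translated packets: 105, CEF Punted packets: 24
Expired translations: 19
Dynamic mappings:
-- Inside Source
[Id: 8] access-list 105 interface Loopback0 refcount 0
Total doors: 0
"""

_COUNTERS = {                       # one regex per counter worth tracking
    "active": r"Total active translations: (\d+)",
    "hits": r"Hits: (\d+)",
    "misses": r"Misses: (\d+)",
    "cef_translated": r"CEF Translated packets: (\d+)",
    "cef_punted": r"CEF Punted packets: (\d+)",
}
_MAPPING = re.compile(r"\[Id: (\d+)\] (access-list \S+|route-map \S+) interface (\S+) refcount (\d+)")
_SECTIONS = {"Outside interfaces:": "outside", "Inside interfaces:": "inside"}


def parse_nat_stats(text):
    """Turn 'show ip nat statistics' text into a dict of counters, interface lists and mappings."""
    stats = {"outside": [], "inside": [], "mappings": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if raw[:1].isspace() and section:        # indented interface list under a section header
            stats[section].extend(i.strip() for i in line.split(","))
            continue
        section = _SECTIONS.get(line)
        for key, pattern in _COUNTERS.items():
            m = re.search(pattern, line)
            if m:
                stats[key] = int(m.group(1))
        m = _MAPPING.match(line)
        if m:
            stats["mappings"].append({"id": int(m.group(1)), "source": m.group(2),
                                      "interface": m.group(3), "refcount": int(m.group(4))})
    return stats


def diagnose(stats):
    """Name what the counters say about inside hosts getting no translations; [] means healthy."""
    problems = []
    if not stats["inside"]:
        problems.append("no interface is 'ip nat inside'")
    if not stats["outside"]:
        problems.append("no interface is 'ip nat outside'")
    if not stats["mappings"]:
        problems.append("no dynamic inside-source mapping is configured")
    for m in stats["mappings"]:
        if m["refcount"] == 0 and stats.get("active", 0) == 0:
            problems.append(f"mapping '{m['source']}' on {m['interface']} has refcount 0 and no active "
                            "translations: inside traffic is not matching it")
    return problems


if __name__ == "__main__":
    for label, text in (("working", WORKING_SITE), ("broken", BROKEN_SITE)):
        print(label, diagnose(parse_nat_stats(text)) or "OK")
```

Run as-is it reports the working site as OK and the broken site as having a mapping with refcount 0 and no active translations, which is the same conclusion the thread reached by eye: NAT is configured, inside and outside interfaces exist, but nothing from the LAN is reaching the translation rule.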

Ryan

Is the rest of the configuration the same as with the working router ?

Are the switch ports left in the default vlan ?

Can you try "debug ip nat translations" and then try connecting from a PC and see what shows up ?

Jon

Yes I went through the configs line by line. Even the IOS images are exactly the same.

The thing is though, when I debug NAT I see NOTHING when trying to ping from a host. No hits against the ACL either. I even tried debugging IP packet then searching for the host address, but saw no entries (may have scrolled too quickly though). But the host can ping the router and the router can ping the host, and the host can ping a host on the other side of the VPN tunnel.

Made some progress, I got NAT to work. However it NATted ALL my traffic and hence broke the VPN. This is what I used:

ip access-list extended NAT_ACL
 deny   ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.31.0 0.0.0.255 any

route-map NAT_ACL

ip nat inside source route-map NAT_ACL interface lo0 overload

Ryan

You must have read my mind, as I was about to suggest disabling the IPsec tunnel and changing your NAT statement. I think this is to do with an interaction between the two.

Can you post the entire configuration please.

Jon

Here you go. FYI I did try disabling the IPsec, but it didn't make any difference. This is the original config; I have removed the route map since it broke the VPN.

version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname router
!
no aaa new-model
clock timezone NZST+12 12 0
clock summer-time NZDT+13 recurring last Sun Sep 3:00 1 Sun Apr 2:00
!
crypto pki trustpoint TP-self-signed-3138814177
 trim
!
crypto pki certificate chain TP-self-signed-3138814177
 trim
ip cef
!
no ip dhcp use vrf connected
!
ip dhcp pool POOL
 network 192.168.31.0 255.255.255.0
 default-router 192.168.31.254
 dns-server 123.100.67.135 123.100.67.136 192.168.0.31
!
ip domain name trim
ip name-server 123.100.67.135
ip name-server 123.100.67.136
no ipv6 cef
!
controller VDSL 0
!
ip tftp source-interface Vlan1
!
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key trim
!
crypto ipsec security-association replay disable
!
crypto ipsec transform-set aes-sha esp-aes esp-md5-hmac
 mode tunnel
!
crypto map trim 11 ipsec-isakmp
 set peer trim
 set transform-set aes-sha
 match address encrypt
!
interface Loopback0
 ip address trim 255.255.255.255
 ip nat outside
 ip virtual-reassembly in
!
interface ATM0
 no ip address
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description DSL
 ip flow ingress
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
!
interface Vlan1
 description Branch LAN
 ip address 192.168.31.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip unnumbered Loopback0
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in max-reassemblies 1024
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp trim
 no cdp enable
 crypto map trim
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 105 interface Loopback0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended encrypt
 permit ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
!
logging trap warnings
logging host 202.175.136.98
logging host 202.175.136.117
access-list 105 deny   ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 105 permit ip 192.168.31.0 0.0.0.255 any log
no cdp run
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
!

Accepted Solution

Ryan

I don't understand why the route map configuration changed the NAT because it was doing the same as your acl 105.

Can you remove the log keyword from your acl 105 entries and try again?

Jon

Well, I have never seen anything like it before, but removing the log keyword has resolved it!! (Pretty sure I only added the log in *because* it wouldn't work.)

Many blessings to you Jon, I still have some hair left too.

Ryan

No problem, glad you got it sorted.

Jon
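Two configuration defects drove this thread. The route-map NAT_ACL posted earlier carried no `match ip address` clause, and a route-map clause with no match statement matches every packet, so it translated all inside traffic, including the flows the crypto ACL expected to see untranslated, which is why the VPN broke. The accepted fix was removing the `log` keyword from the ACL referenced by `ip nat inside source`. The following config audit is an added example, not tooling from the thread or from Cisco: it parses IOS running-config text (assuming the one-space sub-command indentation of a real `show running-config`) and flags a NAT ACL that carries `log`, a NAT route-map with no match clause, a NAT ACL that would translate crypto-ACL traffic because no deny precedes the permit, and an overload interface that is not `ip nat outside`. The sample configs are constructed from the ones posted above; 198.51.100.7 is a documentation address standing in for the trimmed peer.

```python
def _take_addr(tokens, i):
    """Consume one ACE address spec ('any' | 'host A' | 'A WILDCARD'); return (text, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"{tokens[i + 1]} 0.0.0.0", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2

def parse_ace(tokens):
    """Parse 'permit|deny <proto> <src> <dst> [options]' and flag the 'log' option."""
    src, i = _take_addr(tokens, 2)
    dst, i = _take_addr(tokens, i)
    return {"action": tokens[0], "src": src, "dst": dst, "log": "log" in tokens[i:]}

def parse_config(text):
    """Collect NAT roles per interface, ACLs, route-map match clauses, NAT rules and crypto-map ACLs."""
    cfg = {"interfaces": {}, "acls": {}, "route_maps": {}, "nat_rules": [], "crypto_acls": set()}
    kind = name = None                                   # block the indented lines belong to
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        t = raw.split()
        if raw[0].isspace():                             # sub-command of the current block
            if kind == "interface" and t[:2] == ["ip", "nat"]:
                cfg["interfaces"][name].add(t[2])
            elif kind == "acl":
                cfg["acls"][name].append(parse_ace(t))
            elif kind == "route-map" and t[:3] == ["match", "ip", "address"]:
                cfg["route_maps"][name].extend(t[3:])
            elif kind == "crypto-map" and t[:2] == ["match", "address"]:
                cfg["crypto_acls"].add(t[2])
            continue
        kind = name = None                               # top-level line opens a new block
        if t[0] == "interface":
            kind, name = "interface", t[1]
            cfg["interfaces"].setdefault(name, set())
        elif t[:2] == ["ip", "access-list"]:
            kind, name = "acl", t[3]
            cfg["acls"].setdefault(name, [])
        elif t[0] == "access-list":                      # numbered ACL: one ACE per line
            cfg["acls"].setdefault(t[1], []).append(parse_ace(t[2:]))
        elif t[0] == "route-map":
            kind, name = "route-map", t[1]
            cfg["route_maps"].setdefault(name, [])
        elif t[:2] == ["crypto", "map"] and len(t) >= 5:  # 'crypto map NAME SEQ ipsec-isakmp'
            kind, name = "crypto-map", t[2]
        elif t[:4] == ["ip", "nat", "inside", "source"] and len(t) > 7 and t[4] in ("list", "route-map"):
            cfg["nat_rules"].append({"kind": t[4], "name": t[5], "interface": t[7]})
    return cfg

def _exempted(entries, src, dst):
    """True when the first ACE covering (src, dst) is a deny, i.e. that flow is kept out of NAT."""
    for e in entries:
        if e["src"] in (src, "any") and e["dst"] in (dst, "any"):
            return e["action"] == "deny"
    return False

def audit(cfg):
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    outside = {i for i, roles in cfg["interfaces"].items() if "outside" in roles}
    for rule in cfg["nat_rules"]:
        if rule["interface"] not in outside:
            findings.append(f"NAT overloads {rule['interface']} but it is not 'ip nat outside'")
        acls = [rule["name"]] if rule["kind"] == "list" else cfg["route_maps"].get(rule["name"], [])
        if not acls:
            findings.append(f"route-map {rule['name']} has no 'match ip address' clause, so it matches all inside traffic")
        for acl in acls:
            entries = cfg["acls"].get(acl, [])
            if any(e["log"] for e in entries):
                findings.append(f"ACL {acl} is used for NAT but carries the 'log' keyword")
            for cacl in sorted(cfg["crypto_acls"]):      # VPN flows must hit a deny before any permit
                for c in cfg["acls"].get(cacl, []):
                    if c["action"] == "permit" and not _exempted(entries, c["src"], c["dst"]):
                        findings.append(f"NAT ACL {acl} does not exempt VPN traffic {c['src']} -> {c['dst']} (crypto ACL {cacl})")
    return findings

# Constructed configs modelled on the thread; 198.51.100.7 is a documentation address in place of the trimmed peer.
BASE = """\
interface Loopback0
 ip nat outside
interface Vlan1
 ip nat inside
crypto map VPN 11 ipsec-isakmp
 set peer 198.51.100.7
 match address encrypt
ip access-list extended encrypt
 permit ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
LOGGED_NAT = BASE + """\
ip nat inside source list 105 interface Loopback0 overload
access-list 105 deny   ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 105 permit ip 192.168.31.0 0.0.0.255 any log
"""
ROUTEMAP_NAT = BASE + """\
ip access-list extended NAT_ACL
 deny   ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.31.0 0.0.0.255 any
route-map NAT_ACL
ip nat inside source route-map NAT_ACL interface Loopback0 overload
"""
FIXED_NAT = LOGGED_NAT.replace(" log\n", "\n")      # the accepted fix: same ACL with 'log' removed
```

`audit(parse_config(LOGGED_NAT))` reports only the `log` keyword, `audit(parse_config(ROUTEMAP_NAT))` reports only the empty route-map, and `audit(parse_config(FIXED_NAT))` returns an empty list. The crypto-ACL check is deliberately conservative: it only treats a flow as exempted when a deny with the same source and destination (or `any`) is the first matching entry, which is exactly the ordering the thread's ACL 105 relies on.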
