[HELP] cisco 878 NAT not working
hi, I have this scenario with this router I had hanging around my home. My WRT54G died yesterday, and the Trendnet wireless router I got to replace it apparently can't handle more than 2 hosts before crashing.
So I configured the 878 to do the routing and the Trendnet got configured as an access point (DHCP disabled). I accomplished this using the 2 VLANs it would let me use, as can be seen in the config:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ***
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 ******
!
no aaa new-model
!
!
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.20
!
ip dhcp pool wepa
import all
network 192.168.10.0 255.255.255.0
dns-server 200.88.127.23 8.8.8.8
default-router 192.168.10.1
!
!
ip cef
ip name-server 8.8.8.8
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
controller DSL 0
mode atm
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface FastEthernet0
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
ip address 190.167.***.*** 255.255.255.248
ip nat outside
ip nat enable
ip virtual-reassembly
no ip mroute-cache
!
interface Vlan2
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
no ip mroute-cache
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Vlan1 190.167.***.***
no ip http server
no ip http secure-server
!
ip nat inside source list 110 interface Vlan1 overload
!
access-list 23 permit 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
snmp-server community public RO
!
!
!
!
control-plane
!
!
line con 0
password cisco
login
no modem enable
line aux 0
line vty 0 4
password cisco
login
!
scheduler max-task-time 5000
end
I pinged from it, and I can reach everything on the internet and the local network, but from hosts behind it, it is not happening :( I never did this config with VLANs before, but I see people all around the internet doing it with no problems whatsoever.
PS: when I issue "show access-list", access list 110 is not getting any hits.
-- All Is possible...
What interfaces, if any, are in VLAN 1?
What physical interface is connected to your ISP's gear?
Also, can you post the output of "show ip nat trans" and "show ip nat statistics"?
Regards
I don't have this router on HDSL service; I'm trying to use it as a simple broadband router. "show ip nat trans" always came back clean (no translations) and "show ip nat statistics" is below:
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 1, occurred 09:46:09 ago
Outside interfaces:
Vlan1
Inside interfaces:
Vlan2
Hits: 10 Misses: 0
CEF Translated packets: 5, CEF Punted packets: 0
Expired translations: 1
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 110 interface Vlan1 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
wepasa#sho ip nat trans
wepasa#
Fa0 is the only interface I left on VLAN 1. I guess it doesn't show up in the config because that's the native VLAN. The router wouldn't let me use more than 2 VLANs, btw.
-- All Is possible...
(1 edit) reply to HELLFIRE: double post!
double post, sorry..
-- All Is possible...
cramer (joined 2007-04-10, Raleigh, NC, kudos: 7), reply to Angralitux:
Remove the "ip nat enable" lines. Cisco has two ways of doing NAT... inside/outside and "enable". Never try to do both at the same time. Also, your default route is screwy; point it at an IP address only (none of the Vlan1 interface crap). [If you put an Ethernet interface as a route destination, you've set up proxy-ARP. 110% of the time, That. Is. Not. What. You. Want.]
[Note: routes to dialer interfaces work because a) they aren't broadcast interfaces, and b) the dialer (PPP) installs a more specific route when the interface comes up. This default route is used to trigger the dialer. It is not necessary on a DSL dialer interface, as the DSL state will trigger the dialer.]
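To make the checks in this reply mechanical, here is an added Python lint (not from the thread, and not a Cisco tool) that parses an IOS config and flags an interface mixing "ip nat inside/outside" with "ip nat enable", a default route pointed at a non-dialer interface, a NAT statement whose ACL is undefined, and the default SNMP community seen in the posted config. The embedded sample config is a constructed, trimmed copy of the one posted above, with the masked outside addresses replaced by 192.0.2.0/29 placeholders.

```python
import re

# Constructed sample: NAT-related lines from the posted config, outside
# addresses replaced with 192.0.2.x placeholders (the real ones were masked).
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.0.2.2 255.255.255.248
 ip nat outside
 ip nat enable
interface Vlan2
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip nat enable
ip route 0.0.0.0 0.0.0.0 Vlan1 192.0.2.1
ip nat inside source list 110 interface Vlan1 overload
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
snmp-server community public RO
"""

def parse_interfaces(config):
    """Return {interface name: [indented sub-commands]} for each stanza."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current:
            ifaces[current].append(line.strip())
        else:
            current = None  # any unindented line ends the stanza
    return ifaces

def audit_nat(config):
    """Return a list of human-readable findings; empty list means clean."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        legacy = any(c in ("ip nat inside", "ip nat outside") for c in cmds)
        if legacy and "ip nat enable" in cmds:
            findings.append(f"{name}: mixes ip nat inside/outside with ip nat enable (NVI); pick one style")
    # Default route whose next hop is a broadcast interface name relies on proxy-ARP.
    for m in re.finditer(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        nh = m.group(1)
        if nh[0].isalpha() and not nh.lower().startswith("dialer"):
            findings.append(f"default route via interface {nh}: relies on proxy-ARP; use the next-hop IP")
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    for m in re.finditer(r"^ip nat inside source list (\S+) interface", config, re.M):
        if m.group(1) not in acls:
            findings.append(f"NAT references ACL {m.group(1)} that is not defined")
    if re.search(r"^snmp-server community (public|private) ", config, re.M):
        findings.append("SNMP uses a default community string")
    return findings
```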
It doesn't work either way, whether I put "ip nat enable" or "ip nat inside/outside". It just happened to be there at the time I posted the config. The default route should work the way I intended it to, with or without proxy-ARP; I always do it that way because I believed it was the most correct way to do it. Nonetheless, as I stated in my first post, the route works, because if I ping from the router it will see everything on the internet, and hosts are able to ping the router's outside interface.
I'm using the c870-advsecurityk9-mz.124-22.T.bin image on this router, for what it's worth, and Feature Navigator says this image supports NAT.
-- All Is possible...
Hmmm... well, it doesn't support PAT, as I don't see the feature on the list; maybe this is what doesn't allow NAT sessions to be established :|
-- All Is possible...
reply to Angralitux:
Even after installing "c870-advipservicesk9-mz.123-8.YI2", which is an "advanced IP services" image (the original one was advanced security), the thing is still not working.
-- All Is possible...
cramer (joined 2007-04-10, Raleigh, NC, kudos: 7), reply to Angralitux:
"no ip nat enable" ... You aren't doing that kind of NAT. The default route doesn't require an interface; it can figure that part out itself.
The config doesn't show it, but just to be sure... "ip routing".
From an inside machine, ping 8.8.8.8 and while it's running, "sh ip nat tr". If nothing shows up, NAT is broken; "debug ip nat" would be the next step...
Bigzizzzle (Premium, joined 2005-01-27, Franklin, TN, kudos: 1):
# Remove
no access-list 110 permit ip 192.168.10.0 0.0.0.255 any
# Insert standard ACL for the NAT statement
access-list 5 permit 192.168.10.0 0.0.0.255
# Insert NAT statement
ip nat inside source list 5 interface (physical) overload
Plus use the physical interfaces for denoting (ip nat outside)
cramer (joined 2007-04-10, Raleigh, NC, kudos: 7):
The ACL isn't the problem. (I've used extended ACLs for over a decade. Route-maps too.)
reply to Bigzizzzle:
those interfaces can't be used as layer 3 interfaces, so arguments or functionality under the "ip" command don't go so far as to include "ip nat inside/outside".
As cramer said, the access-list is not the problem.
-- All Is possible...
reply to cramer:
as weird as it sounds, I replaced the router with a 1841, using the same config extracted from the 878, obviously changing interface names, and got the exact same problem. I decided to give what Bigzizzzle said a try; and then IT WORKED. Don't ask me why; I suppose if I change the same on the 878 it would work, but I'm pissed off enough not to try it. I have configured this hundreds of times using the same access list, and it would work without a hitch.
-- All Is possible...
cramer (joined 2007-04-10, Raleigh, NC, kudos: 7):
Right, blame the ACL...
ip nat inside source list localnet interface FastEthernet0/0 overload
!
ip access-list extended localnet
 permit ip 192.168.1.0 0.0.0.255 192.168.48.0 0.0.7.255
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255

root@wrt600a:~# ip addr show br0
12: br0: mtu 1500 qdisc noqueue
    inet 192.168.1.253/24 brd 192.168.1.255 scope global br0
root@wrt600a:~# ping 192.168.55.241
PING 192.168.55.241 (192.168.55.241): 56 data bytes
64 bytes from 192.168.55.241: seq=0 ttl=62 time=41.662 ms
64 bytes from 192.168.55.241: seq=1 ttl=62 time=111.365 ms
64 bytes from 192.168.55.241: seq=2 ttl=62 time=41.517 ms

--- 192.168.55.241 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 41.517/64.848/111.365 ms

[root:pts/0]mongoose:~/[03:52 PM]:tcpdump -p -n -n -l -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:53:35.998813 IP 199.72.252.14 > 192.168.55.241: ICMP echo request, id 17527, seq 0, length 64
15:53:35.998859 IP 192.168.55.241 > 199.72.252.14: ICMP echo reply, id 17527, seq 0, length 64
15:53:37.068873 IP 199.72.252.14 > 192.168.55.241: ICMP echo request, id 17527, seq 1, length 64
15:53:37.068887 IP 192.168.55.241 > 199.72.252.14: ICMP echo reply, id 17527, seq 1, length 64
15:53:37.998962 IP 199.72.252.14 > 192.168.55.241: ICMP echo request, id 17527, seq 2, length 64
15:53:37.998975 IP 192.168.55.241 > 199.72.252.14: ICMP echo reply, id 17527, seq 2, length 64

I'm too lazy to add 192.168.1.0/24 to the VPN -- it's too common anyway, so I NAT it to the router's internal address, which is within the VPN. (Note: that only *looks* like a public address; I never renumbered.) So don't tell me it requires a "standard ACL". (In fact, I just translated an inside address to another inside address as it crossed the outside interface into a crypto map.)
This works on "c3745-advipservicesk9-mz.124-15.T10.bin" and the infinitely simpler "c1700-y7-mz.124-23.bin" [IP/ADSL].
I can do more in-depth testing, but as I said initially, I did a "show access-lists", and ACL 110 never got hits. That's why I gave what Bigzizzzle recommended a try.
-- All Is possible...
cramer (joined 2007-04-10, Raleigh, NC, kudos: 7):
Keep in mind, you'll only see a "hit" when a NAT translation is created, not for every packet. Also, "debug ip nat" and see where the failure is.