NAT issue

Discussion in 'Networking, Telephony & Internet' started by g@z, Apr 27, 2019.

  1. g@z

    g@z Member

    Joined:
    Jul 27, 2001
    Messages:
    2,132
    Location:
    Melbourne
    I'm trying a Cisco 1941 router on my NBN HFC modem, and it's not working.

    However, if I plug the WAN side into my home network using the old Telstra modem and a laptop into the LAN side, it works fine. The NAT stats are there, the translations are there, I can ping 8.8.8.8 etc. It gets a DHCP IP from my home network OK on the WAN interface. Basic config and it's working great.

    But if I plug the NBN modem into the WAN side and turn off the old Telstra modem it doesn't work. It gets a WAN IP OK, and from the 1941 console I can ping 8.8.8.8, but NAT just seems to stop working.

    WTF am I doing???

    Regards,
    g@z.
     
  2. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    10,254
    Location:
    Melbourne
    can you dump the config of the 1941?
     
  3. g@z (OP)

    g@z Member

    Joined:
    Jul 27, 2001
    Messages:
    2,132
    Location:
    Melbourne
    Hey, thanks for the reply. The config is below as requested along with some commands to confirm the NAT is working, and this config works at the moment as I'm connected through it to post this!

    So this is my laptop - 1941 - switch - C6300 router - NBN HFC modem - ISP.

    It fails when it's 1941 - NBN HFC modem - ISP. I will have to post the same command outputs later as the family is still online doing stuff :)

    The access list is getting hits:

    Gateway#sho access-lists
    Standard IP access list 99
    10 permit 192.168.10.0, wildcard bits 0.0.0.255
    Extended IP access list VTY-ACL
    10 permit ip 192.168.10.0 0.0.0.255 any
    20 deny ip any any log
    Extended IP access list aclAllowNat
    10 permit ip 192.168.10.0 0.0.0.255 any (8397 matches)
    Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit tcp any any eq 22 log


    Gateway#sho ip nat statistics
    Total active translations: 348 (0 static, 348 dynamic; 348 extended)
    Peak translations: 993, occurred 00:03:11 ago
    Outside interfaces:
    GigabitEthernet0/0
    Inside interfaces:
    GigabitEthernet0/1
    Hits: 132785 Misses: 0
    CEF Translated packets: 50739, CEF Punted packets: 6085
    Expired translations: 8256
    Dynamic mappings:
    -- Inside Source
    [Id: 1] access-list aclAllowNat interface GigabitEthernet0/0 refcount 348

    Total doors: 0
    Appl doors: 0
    Normal doors: 0
    Queued Packets: 0
    Gateway#sho ip nat tr
    Gateway#sho ip nat translations
    Pro Inside global Inside local Outside local Outside global
    tcp 192.168.0.23:1062 192.168.10.2:1062 XXXXXXXX:443 XXXXXXXX:443
    tcp 192.168.0.23:1190 192.168.10.2:1190 XXXXXXXX:443 XXXXXXXX:443
    tcp 192.168.0.23:1778 192.168.10.2:1778 XXXXXXXX:443 XXXXXXXX:443
    tcp 192.168.0.23:1835 192.168.10.2:1835 XXXXXXXX:443 XXXXXXXX:443
    tcp 192.168.0.23:2489 192.168.10.2:2489 XXXXXXXX:80 XXXXXXXX:80
    .
    .
    udp 192.168.0.23:54725 192.168.10.2:54725 8.8.8.8:53 8.8.8.8:53
    udp 192.168.0.23:54961 192.168.10.2:54961 8.8.8.8:53 8.8.8.8:53
    udp 192.168.0.23:54991 192.168.10.2:54991 8.8.8.8:53 8.8.8.8:53
    udp 192.168.0.23:55124 192.168.10.2:55124 8.8.8.8:53 8.8.8.8:53
    udp 192.168.0.23:55167 192.168.10.2:55167 8.8.8.8:53 8.8.8.8:53
    udp 192.168.0.23:55378 192.168.10.2:55378 8.8.8.8:53 8.8.8.8:53

    Gateway#sho ip int bri
    Interface IP-Address OK? Method Status Protocol
    Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
    GigabitEthernet0/0 192.168.0.23 YES DHCP up up
    GigabitEthernet0/1 192.168.10.1 YES NVRAM up up
    FastEthernet0/0/0 unassigned YES unset down down
    FastEthernet0/0/1 unassigned YES unset down down
    FastEthernet0/0/2 unassigned YES unset down down
    FastEthernet0/0/3 unassigned YES unset down down
    NVI0 unassigned YES unset administratively down down
    Vlan1 unassigned YES unset down down

    Gateway#sho ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2
    i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
    ia - IS-IS inter area, * - candidate default, U - per-user static route
    o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
    + - replicated route, % - next hop override

    Gateway of last resort is 192.168.0.1 to network 0.0.0.0

    S* 0.0.0.0/0 [254/0] via 192.168.0.1
    192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
    C 192.168.0.0/24 is directly connected, GigabitEthernet0/0
    L 192.168.0.23/32 is directly connected, GigabitEthernet0/0
    192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
    C 192.168.10.0/24 is directly connected, GigabitEthernet0/1
    L 192.168.10.1/32 is directly connected, GigabitEthernet0/1


    Gateway#sho run
    Building configuration...

    Current configuration : 2965 bytes
    !
    ! No configuration change since last restart
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname Gateway
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret XXXXXXXX
    !
    no aaa new-model
    clock timezone AUEST 10 0
    clock summer-time AUESDT recurring 1 Sun Oct 2:00 1 Sun Apr 2:00
    !
    no ipv6 cef
    ip source-route
    ip cef
    !
    ip dhcp bootp ignore
    !
    ip dhcp pool poolLAN
    import all
    network 192.168.10.0 255.255.255.0
    default-router 192.168.10.1
    dns-server 8.8.8.8 208.76.222.222 208.67.220.220
    lease 2
    update arp
    !
    ip domain name local
    login block-for 600 attempts 3 within 60
    login on-failure log
    login on-success log
    multilink bundle-name authenticated
    !
    crypto pki token default removal timeout 0
    !
    license udi pid CISCO1941/K9 sn XXXXXXXX
    license boot module c1900 technology-package datak9
    !
    memory reserve console 4096
    username admin secret XXXXXXXX
    !
    redundancy
    !
    ip ssh time-out 60
    ip ssh authentication-retries 5
    ip ssh source-interface GigabitEthernet0/1
    ip ssh version 2
    !
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    !
    interface GigabitEthernet0/0
    description ISP
    ip address dhcp
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly in
    no ip route-cache
    ip tcp adjust-mss 1452
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    !
    interface GigabitEthernet0/1
    description Internal Network
    ip address 192.168.10.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    !
    interface FastEthernet0/0/0
    no ip address
    !
    interface FastEthernet0/0/1
    no ip address
    !
    interface FastEthernet0/0/2
    no ip address
    !
    interface FastEthernet0/0/3
    no ip address
    !
    interface Vlan1
    no ip address
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list aclAllowNat interface GigabitEthernet0/0 overload
    !
    ip access-list extended VTY-ACL
    permit ip 192.168.10.0 0.0.0.255 any
    deny ip any any log
    ip access-list extended aclAllowNat
    permit ip 192.168.10.0 0.0.0.255 any
    !
    access-list 99 permit 192.168.10.0 0.0.0.255
    !
    control-plane
    !
    line con 0
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class VTY-ACL in
    password 7 XXXXXXXX
    logging synchronous
    login
    length 0
    transport input ssh
    line vty 5 15
    access-class VTY-ACL in
    password 7 XXXXXXXX
    logging synchronous
    login
    transport input ssh
    !
    scheduler allocate 20000 1000
    end

    Gateway#sho ver
    Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Tue 20-Mar-12 17:58 by prod_rel_team

    ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)

    Gateway uptime is 42 minutes
    System returned to ROM by power-on
    System restarted at 20:35:33 AUEST Sat Apr 27 2019
    System image file is "flash0:c1900-universalk9-mz.SPA.151-4.M4.bin"
    Last reload type: Normal Reload


    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    export@cisco.com.

    Cisco CISCO1941/K9 (revision 1.0) with 487424K/36864K bytes of memory.
    Processor board ID XXXXXXXX
    4 FastEthernet interfaces
    2 Gigabit Ethernet interfaces
    1 terminal line
    DRAM configuration is 64 bits wide with parity disabled.
    255K bytes of non-volatile configuration memory.
    250880K bytes of ATA System CompactFlash 0 (Read/Write)


    License Info:

    License UDI:

    -------------------------------------------------
    Device# PID SN
    -------------------------------------------------
    *0 CISCO1941/K9 XXXXXXXX



    Technology Package License Information for Module:'c1900'

    -----------------------------------------------------------------
    Technology Technology-package Technology-package
    Current Type Next reboot
    ------------------------------------------------------------------
    ipbase ipbasek9 Permanent ipbasek9
    security None None None
    data datak9 RightToUse datak9

    Configuration register is 0x2102

    Gateway#
     
    Last edited: Apr 28, 2019
  4. g@z (OP)

    g@z Member

    Joined:
    Jul 27, 2001
    Messages:
    2,132
    Location:
    Melbourne
    Fixed.

    It appears that it takes quite some time for the ISP to recognise my newly connected router.

    Gateway#sho arp
    Protocol Address Age (min) Hardware Addr Type Interface
    Internet 167.179.xxx.xxx 0 Incomplete ARPA
    Internet 167.179.xxx.xxx - a44c.11e9.4c40 ARPA GigabitEthernet0/0
    Internet 192.168.10.2 25 4026.1981.270c ARPA GigabitEthernet0/1
    Internet 192.168.10.3 25 9cf4.8e83.e549 ARPA GigabitEthernet0/1

    Gateway#
    Gateway#sho arp
    Protocol Address Age (min) Hardware Addr Type Interface
    Internet 167.179.xxx.xxx 2 b026.8015.cb3c ARPA GigabitEthernet0/0
    Internet 167.179.xxx.xxx - a44c.11e9.4c40 ARPA GigabitEthernet0/0
    Internet 192.168.10.2 28 4026.1981.270c ARPA GigabitEthernet0/1
    Internet 192.168.10.3 28 9cf4.8e83.e549 ARPA GigabitEthernet0/1

    After about 25 mins it started to work! Very hard to test this in a house full of people and it was only after everyone else in the house had gone to bed I could leave it connected long enough to test.

    Regards,
    g@z.
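The two `show arp` dumps above are the actual diagnostic: the WAN default gateway shows `Incomplete` until the ISP side starts answering ARP, even though NAT translations and the DHCP lease look healthy. Below is an added example (not code from this thread or from Cisco) that cross-checks `show ip nat statistics`, `show ip route` and `show arp` output and names which of the usual suspects applies. The sample outputs are constructed, with documentation addresses (203.0.113.0/24) standing in for the masked ISP addresses in the post.

```python
"""Classify the 'NAT looks fine but nothing gets out' symptom from router output.

Added example, not from the thread. The show-command samples at the bottom are
constructed; 203.0.113.0/24 stands in for the masked ISP addresses.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class ArpEntry:
    address: str
    age: str
    hw: str
    iface: str  # empty for Incomplete entries, which IOS prints without an interface


def parse_show_arp(text: str) -> List[ArpEntry]:
    """Parse rows of the form: Internet <addr> <age> <hw-addr|Incomplete> ARPA [<interface>]."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "Internet":
            continue  # header line or something that is not an IPv4 ARP row
        iface = parts[5] if len(parts) > 5 else ""
        entries.append(ArpEntry(parts[1], parts[2], parts[3], iface))
    return entries


def parse_nat_outside(text: str) -> Set[str]:
    """Collect interface names listed under 'Outside interfaces:' in show ip nat statistics."""
    outside, in_section = set(), False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Outside interfaces:"):
            in_section = True
            continue
        if stripped.endswith(":"):  # any other section header ends the list
            in_section = False
        elif in_section and stripped:
            outside.add(stripped)
    return outside


def parse_default_gateway(text: str) -> Optional[str]:
    """Pull the next hop out of the 'Gateway of last resort' line of show ip route."""
    m = re.search(r"Gateway of last resort is (\S+) to network 0\.0\.0\.0", text)
    return m.group(1) if m else None


def diagnose(nat_stats: str, routes: str, arp: str) -> str:
    """Return a short verdict; the ARP check is the one that explains this thread."""
    outside = parse_nat_outside(nat_stats)
    if not outside:
        return "no_nat_outside_interface"
    gw = parse_default_gateway(routes)
    if gw is None:
        return "no_default_route"
    entry = next((e for e in parse_show_arp(arp) if e.address == gw), None)
    if entry is None or entry.hw == "Incomplete":
        # Upstream is not answering ARP for the gateway: nothing NAT does will help.
        return "wan_gateway_arp_incomplete"
    if entry.iface not in outside:
        return "gateway_not_on_nat_outside"
    return "ok"


# Constructed sample output (not captured from the poster's router).
NAT_STATS = """\
Total active translations: 12 (0 static, 12 dynamic; 12 extended)
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Hits: 1000 Misses: 0
"""

ROUTES = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 203.0.113.1
C     203.0.113.0/24 is directly connected, GigabitEthernet0/0
"""

ARP_FIRST = """\
Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  203.0.113.1           0  Incomplete      ARPA
Internet  203.0.113.57          -  a44c.11e9.4c40  ARPA  GigabitEthernet0/0
Internet  192.168.10.2         25  4026.1981.270c  ARPA  GigabitEthernet0/1
"""

ARP_LATER = """\
Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  203.0.113.1           2  b026.8015.cb3c  ARPA  GigabitEthernet0/0
Internet  203.0.113.57          -  a44c.11e9.4c40  ARPA  GigabitEthernet0/0
Internet  192.168.10.2         28  4026.1981.270c  ARPA  GigabitEthernet0/1
"""

if __name__ == "__main__":
    print("first capture:", diagnose(NAT_STATS, ROUTES, ARP_FIRST))
    print("later capture:", diagnose(NAT_STATS, ROUTES, ARP_LATER))
```

Feed it the three show-command outputs copied from a terminal session; if the verdict is `wan_gateway_arp_incomplete` while DHCP and NAT counters look fine, the problem is upstream of the router, exactly the situation described in this post.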
     
  5. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    10,254
    Location:
    Melbourne
    /me confused...

    Originally you said NAT seemed to stop working; you could ping Google DNS from the console, but I presume not from a client? Since the router was getting a WAN IP, that sounds less like a NAT issue and more like the ISP was blackholing traffic for the second WAN IP?
     
  6. g@z (OP)

    g@z Member

    Joined:
    Jul 27, 2001
    Messages:
    2,132
    Location:
    Melbourne
    Yeah, I'm not sure what I thought I saw first up now. I configured up a second one with a working config from another forum just in case it was my poor config skills on the first router. So I might have had two issues with the first router (config and ISP) but only wait time with the second router.

    Regards,
    g@z.
     
