1941 no nat

Have a question or want to start a discussion? Post it! No Registration Necessary.  Now with pictures!

Threaded View
i have a cisco 1941 with an HWIC-4ESW installed

IOS is C1900-universak9-mz-SPA.151-4.M3

I have an ethernet feed from my ISP


I configured GigabitEthernet0/0 with the public IP from the ISP /30

I configured the  IP ROUTE  to the next hop up from the
GigabitEthernet 0/0

from the 1941 i can ping any external  IP address


they also gave me a /28 public block for the LAN Ii gave Vlan1 the 2nd
in the range from the /28



If I configure ai PC with 1 of the addresses from ther /28  IP's I can
ping Vlan1 and  GigabitEthernet0/0 interfaces but no further.



if i configure the 1941 with NAT it all works.

I dont want to use NAT i need servers on each IP with ALL ports
available

Am I misssing something in the configuration or is this a IOS bug /
limitation

i need a config for a 1941  no nat with public IP's on both WAN and
LAN interfaces
 

Any ideas please

Re: 1941 no nat
Quoted text here. Click to load it

Since the most basic config would do that, and NAT takes extra work,
it would help to see your config.

A simple config like

int Gig0/0
 ip address 200.200.200.1 255.255.255.252
int Fast0/0
 ip address 200.0.0.1 255.255.255.240
ip route 0.0.0.0 0.0.0.0 200.200.200.2

would be sufficient to do what you are asking. But without seeing
what you've come up with, we're up in the air on what you've done.

(No need to include passwords, or ACLs that aren't used, and the like.
Although if you do have an ACL on an interface, you'll want to make
sure it isn't blocking you).


Re: 1941 no nat

Quoted text here. Click to load it


the first 2 octets in both subnets are the same numbers (removed for
security)

when I tried to give  fast0/0/0 an ip address it told me that layer 2
cant have an IP address.  Thats why i gave Vlan1 the IP address


if i connect to the router via console and issue a ping to an external
publoic IP and that works


If i take a PC and give it x.x 174.25 255.255.255.248   defaulkt
gateway x.x.174.25


I can ping to x.x.172.114 but no further






no ipv6 cef
ip source-route
ip cef
!
multilink bundle-name authenticated
!
!
ip tcp synwait-time 10
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 ip flow ingress
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE
0/0$$ES_LAN$$FW_INSIDE$
 ip address x.x.172.114 255.255.255.252
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $FW_OUTSIDE$$ES_WAN$
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 no ip address
!
interface FastEthernet0/0/1
 no ip address
!
interface FastEthernet0/0/2
 no ip address
!
interface FastEthernet0/0/3
 no ip address
!
interface Vlan1
 ip address x.x.174.25 255.255.255.248
 ip verify unicast reverse-path
 ip tcp adjust-mss 1452
!
no ip classless
ip forward-protocol nd

!
ip route 0.0.0.0 0.0.0.0 x.x.172.113

Re: 1941 no nat
* Supersleuth hackte in den Rechenknecht:
Quoted text here. Click to load it
What do you see on the router if you issue
# ping $outsideaddress sour vlan1
Quoted text here. Click to load it
^^^^^^^^^^^^^^^^^^^
Reason for this?

Quoted text here. Click to load it

luke
--
Quoted text here. Click to load it
Das ist XML du!!11 Das ist der Zukunft !!!1elf
    -- Jürgen P.Meier hat ein Mac-plist gebaut
    und Volker Birk wird schlecht.

Re: 1941 no nat
Quoted text here. Click to load it


Okay, so you also have an HWIC-4ESW card inserted, and you are trying
to configure it to work in the mix as well.

The HWIC-4ESW is a layer-2 switch bolted on a board. They aren't
router ports (ie. that can take IP address info), but just switch
ports, thus you need to do extra stuff to get the bolted-on-switch
talking back to the router as well.

I am not familure with the HWIC-4ESW on 1941, but on my 1841 with the
HWIC-4ESW, what you did should work.

You may want to just light up both Gigabit interfaces just to make
sure what you are doing is functional. These are both full router
ports and behave just like you think, without the extra wonkyness
that a bolted-on-switch module brings you. They at least you know
it is working, then you can tackle the HWIC-4ESW config..

Your config looks correct otherwise.

To troubleshoot the HWIC-4ESW, I'd start to 'show int' each of the ports
to make sure they are up. I'd just a 'show vlan' to make sure the
VLAN is defined, and that each of the switch ports is indeed part of
the VLAN 1 like you are assuming. I'd make sure that Vlan1 is not 'shutdown'
so that it can pass layer-2 switch traffic.

I'd do a 'show route' to make sure the routes for each block show up
in the routing table, and are Connected routes properly for each block
to each layer-3 interface.

Re: 1941 no nat
* Supersleuth hackte in den Rechenknecht:
Quoted text here. Click to load it

One idea:
Let the Provider check, if your net is routed correctly. If they
don't route your net towards you, then you will get exactly that result.

luke
--
Als Endnutzer will ich eine CD erwerben, sie in den Trinkbecherhalter
stopfen,[..]- und dann hat die Kiste zu laufen. Und zwar bunt,
laut und mit möglichst wenig Nachbesserungsarbeiten.
--Robin Socha in dcoulm

Re: 1941 no nat
On Mon, 20 Feb 2012 14:27:04 +0100, Lukas Schratz

Quoted text here. Click to load it



It is routed OK

If i use a draytek router it works ok but the client wants to use the
Cisco 1941

Re: 1941 no nat
On 20/02/2012 16:43, Supersleuth wrote:
Quoted text here. Click to load it

As said by Lukas, check your connectivity with

router# ping 8.8.8.8 source Vlan1

with Vlan1 ip in /28 subnet.

then post output here...

Of course you can use any public ip address instead of google dns...:-)

    Marco

Re: 1941 no nat
On Tue, 21 Feb 2012 15:32:29 +0100, Marco Giuliani

Quoted text here. Click to load it


ping 8.8.8.8 source GigabitEthernet0/0      100% success

ping 8.8.8.8 source Vlan1  0% sucess


What am I missing in my config to route Vlan1  to GigabitEthernet0/0
(outside world)

Config is posted in 1 of the previous in this chain

Re: 1941 no nat
On 21/02/2012 21:28, Supersleuth wrote:

Quoted text here. Click to load it

It seems that your provider does not have a route to your inside subnet.

your ISP
x.x.172.113/30

G0/0 x.x.172.114/30
cisco 1941
Vlan1 x.x.174.25/28

LAN.....subnet x.x.174.16/28

Your default route is 0.0.0.0 0.0.0.0 x.x.172.113
and your ISP's router should have

x.x.174.16 255.255.255.240 x.x.172.113.

Anyway, you said that all was ok with draytek router:
how we can explain this situation?

Are you sure about your subnet assignment? Why you choose x.x.174.25/28
ip address on vlan1?  It is not first nor last subnet address.

Regards.







Re: 1941 no nat
On Wed, 22 Feb 2012 09:57:01 +0100, Marco Giuliani

Quoted text here. Click to load it
sorry for the typo just realised it should be a /29   255.255.255.248
NOT /28


I have tried the setup with a draytechk,. netgear and a linksys  all
work OK.

There is something to do with routing any traffic that hits the Vlan1
interface to the GigabitEthernet 0/0 interface  WITHOIUT using NAT


If the cheaper routers can do trhis the 1941 must be able to

Re: 1941 no nat
Quoted text here. Click to load it




As my previous post indicated to you, you must be having issues with the addon
HWIC-4ESW card you must have installed, and not routing in general.

If you moved your config to use both the Gigabit Ethernet layer-3
ports in the 1941 box, you'd probably work just fine.

I also gave you some troubleshooting commands to see what may be going
on with the HWIC-4ESW card talking (as have others).

It isn't the router, but something with the addon card that may be
doing you in.

Re: 1941 no nat
* Supersleuth hackte in den Rechenknecht:
Quoted text here. Click to load it

do:
sh ip route
sh vlan-switch
sh ip int brie

I suppose, that maybe your vlan-interface is down due to misconfiguration,
therefore it is not able to forward traffic.

luke
--
Quoted text here. Click to load it
Sie wurden Anwalt?
    --Donald Duck in MM 7/2005 (Don Rosa)

Re: 1941 no nat
On Wed, 22 Feb 2012 10:12:15 +0100, Lukas Schratz

Quoted text here. Click to load it


After a week of several calls to the ISP support desk with them
telling me their service was fine ansd the probem must be in our CPE
This time i managed to get an ISP helpdesk engineer that aggreed to
login to our router and take a look


After half hour he called back and said he found an error in our
router config and he fixed it.

the service is now working

When i checked ther config he said he corrected with my original one
there was no difference.

I think he found an error in the ISP's routing and fixed it.
talking to other engineers they said this ISP will never admit any
problems with their systems


Thanks for all your help

Site Timeline