MacShop
asked on
Cisco ISR4431 Router Configuration Issue
I'm new to configuring Cisco routers and am having an issue getting the router to work properly. I have defined the network interfaces and set up NAT to translate the private LAN IPs to the single public WAN IP. As I understand it, this is actually PAT (NAT in overload mode).
Via the console port on the router, I am able to successfully use the CLI for DNS lookups, pings, and Telnet sessions. All tests via the CLI seem to indicate the router is functioning properly.
Here's the problem -- NAT seems to work only with ICMP from a workstation on the LAN. I can ping any system on the Internet and receive a response as expected. However, TCP & UDP will not translate for some unknown reason. For example, DNS lookups will not work, and access to websites will not work when using a workstation on the LAN.
I have also tried to set up a VLAN, thinking this is what is required to connect the LAN port to the WAN port. However, when I use the CLI command "Interface VLAN 1" to create the VLAN I receive an error. It's almost like there is a feature set missing on the router.
Here's the config I'm using:
Current configuration : 1662 bytes
!
! Last configuration change at 18:23:43 UTC Mon Aug 10 2015
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname RWC-2F-Comcast
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 ********
enable password ********
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4431/K9 sn FOC19126AQT
license boot level appxk9
license boot level securityk9
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
!
!
ip tftp source-interface GigabitEthernet0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description RWC-Test-LAN
ip address 10.30.0.1 255.255.0.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
description ComcastDHCP
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
ip nat pool TEST 10.1.10.12 10.1.10.12 prefix-length 24
ip nat inside source list 7 pool TEST overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.10.1
!
!
access-list 7 permit any log
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password ********
login
!
!
end
What am I doing wrong?
If the issue is still present after that, I guess you can try to change the default route and NAT statement too.
ip route 0.0.0.0 0.0.0.0 gi0/0/3
ip nat inside source list 7 interface gi0/0/3 overload
ASKER
What seems to have fixed the issue is when I changed the access-list statement:
was: access-list 7 permit any log
now: access-list 101 permit ip 10.30.0.0 0.0.255.255 any
and then modified the "ip nat inside" command:
was: ip nat inside source list 7 pool TEST overload
now: ip nat inside source list 101 interface GigabitEthernet0/0/3 overload
It appears TCP and UDP packets are now being properly translated. Can anyone explain why? Is it only because I am now using an extended access list, or did the "ip nat inside" command really fix the issue?
I will continue testing ...
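Added example (not code from the thread, and not Cisco's implementation): a small Python model of the two things the asker changed, namely which inside sources an ACL selects for translation and how "overload" on an interface maps many inside address/port pairs onto one outside address by handing out unique ports. The outside address 203.0.113.10 is a constructed stand-in for whatever Gi0/0/3 gets from DHCP; all traffic in the test is constructed. Note what the model does and does not show: both list 7 (`permit any`) and list 101 select every 10.30.0.0/16 source, so source selection alone does not explain the difference the asker observed; the model says nothing about the `log` keyword or about a pool address that is not the interface's own address.

```python
"""Toy model of ACL-selected PAT (NAT overload).

Added example, not the router's code. It models (1) Cisco wildcard-mask
matching as used by ACL 101 in the thread, (2) the implicit deny at the end
of every ACL, and (3) port allocation for 'overload' on a single outside
address.
"""
import ipaddress
from dataclasses import dataclass, field


def matches_wildcard(addr: str, network: str, wildcard: str) -> bool:
    # Cisco wildcard semantics: a 1 bit in the wildcard means "don't care".
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class AclEntry:
    action: str    # "permit" or "deny"
    proto: str     # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src_net: str
    src_wild: str


# Constructed equivalents of the two lists in the thread.
ACL_7 = [AclEntry("permit", "ip", "0.0.0.0", "255.255.255.255")]        # permit any
ACL_101 = [AclEntry("permit", "ip", "10.30.0.0", "0.0.255.255")]        # permit ip 10.30.0.0 0.0.255.255 any


def acl_permits(entries, proto: str, src_ip: str) -> bool:
    """First-match evaluation with the implicit deny Cisco appends to every ACL."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if matches_wildcard(src_ip, e.src_net, e.src_wild):
            return e.action == "permit"
    return False


@dataclass
class PatTable:
    """One outside address shared by all inside hosts (overload)."""
    outside_ip: str
    next_port: int = 1024
    # (proto, inside_ip, inside_port) -> (outside_ip, outside_port)
    entries: dict = field(default_factory=dict)

    def translate(self, proto: str, in_ip: str, in_port: int):
        key = (proto, in_ip, in_port)
        if key not in self.entries:
            # Two inside hosts using the same source port must not collide,
            # so the outside port is allocated, not copied.
            self.entries[key] = (self.outside_ip, self.next_port)
            self.next_port += 1
        return self.entries[key]

    def untranslate(self, proto: str, out_port: int):
        """Reverse lookup for a reply arriving on the outside interface."""
        for (p, ip, port), (_, oport) in self.entries.items():
            if p == proto and oport == out_port:
                return ip, port
        return None


def forward(acl, table: PatTable, proto: str, src_ip: str, src_port: int):
    """Outbound packet from the inside interface.

    Returns the translated (ip, port), or None when the ACL does not select the
    packet, in which case it would leave with its private source address and
    the upstream network would never route a reply back.
    """
    if not acl_permits(acl, proto, src_ip):
        return None
    return table.translate(proto, src_ip, src_port)


if __name__ == "__main__":
    t = PatTable("203.0.113.10")   # constructed stand-in for the DHCP WAN address
    print(forward(ACL_101, t, "udp", "10.30.1.25", 51000))
    print(forward(ACL_101, t, "udp", "10.30.1.26", 51000))
    print(forward(ACL_101, t, "tcp", "192.168.5.5", 40000))
    print(t.untranslate("udp", 1025))
```

On the router itself the equivalent checks are `show ip nat translations` (does a TCP or UDP entry appear when a LAN host opens a connection, or only ICMP entries?), `show ip nat statistics` (hit and miss counters, and which interfaces and ACL the translation rule is bound to) and `show access-lists` (match counters on the list the NAT rule references).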
ASKER CERTIFIED SOLUTION
ASKER
Very good. Thanks for all your help!
For TCP not working, I guess that is most likely a DNS issue. For resolving DNS you need to have a DNS server configured in the static IP address settings on your host (or DHCP in your local network should provide one (or configure DHCP pool(s) on the router)). You can use Google's 8.8.8.8 as your DNS. If you want to use the router to resolve DNS requests for your hosts, you can configure the router:
(config)#ip dns server
(config)#ip domain-lookup
(config)#ip name-server 8.8.8.8
(config)#ip name-server 4.2.2.5
And then you can set the router's interface as the primary DNS server for local hosts.
Since you can ping internet addresses from hosts in the network (not from the router itself), my guess is that the default route, NAT, and static pool are OK.