Edward Cho
asked on
Cisco 2901 Config Question
Good Evening,
I’m trying to figure out how to best approach this. We have a 2901 that is just doing routing for a /27 public IP block. I tried coming up with a simple config and it actually worked for a bit before it stopped working. I can’t figure out why though.
We are just connecting firewall and other devices from the 2901 including my ASA 5510.
There are several servers on the ASA hence the static routes.
Any help would be much appreciated.
—
show conf
Using 2604 out of 262136 bytes
!
! Last configuration change at 12:01:43 UTC Fri Oct 30 2015 by xxxxx
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DearLeader
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 SECRET
!
no aaa new-model
!
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
!
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2687731231
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2687731231
revocation-check none
rsakeypair TP-self-signed-2687731231
!
crypto pki certificate chain TP-self-signed-2687731231
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO2901/K9 sn FGL191320Z4
!
!
username USER privilege 15 secret 5 SECRET
!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ISP
ip address 206.x.x.194 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex full
speed 1000
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Vlan1
ip address 192.168.168.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 206.x.x.193
ip route 206.x.x.195 255.255.255.255 192.168.168.2
ip route 206.x.x.196 255.255.255.255 192.168.168.2
ip route 206.x.x.201 255.255.255.255 192.168.168.2
ip route 206.x.x.205 255.255.255.255 192.168.168.2
!
!
!
access-list 1 permit 206.x.x.0 0.0.0.224
access-list 23 permit 10.10.10.0 0.0.0.7
!
control-plane
!
!
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
ASKER
Thanks for your reply. Even without the NAT statement, I should still be able to ping the outside world from the router correct? I'm unable to ping the gateway (206.x.x.193) from the router but able to ping the assigned IP address to the port (206.x.x.194).
ROUTER#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 206.x.x.194 YES NVRAM up up
GigabitEthernet0/1 unassigned YES NVRAM administratively down down
GigabitEthernet0/0/0 unassigned YES unset up up
GigabitEthernet0/0/1 unassigned YES unset down down
GigabitEthernet0/0/2 unassigned YES unset down down
GigabitEthernet0/0/3 unassigned YES unset down down
NVI0 206.x.x.194 YES unset up up
Vlan1 unassigned YES manual up up
ROUTER#sh int stat
Interface Embedded-Service-Engine0/0 is disabled
GigabitEthernet0/0
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 7361 830975
Route cache 0 0 0 0
Total 0 0 7361 830975
Interface GigabitEthernet0/1 is disabled
GigabitEthernet0/0/0
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 16 1024 31463 2429942
Route cache 0 0 0 0
Total 16 1024 31463 2429942
GigabitEthernet0/0/1
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 0 0
Route cache 0 0 0 0
Total 0 0 0 0
GigabitEthernet0/0/2
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 0 0
Route cache 0 0 0 0
Total 0 0 0 0
GigabitEthernet0/0/3
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 0 0
Route cache 0 0 0 0
Total 0 0 0 0
NVI0
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 0 0
Route cache 0 0 0 0
Total 0 0 0 0
Vlan1
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 16 960 113 8715
Route cache 0 0 0 0
Total 16 960 113 8715
ASKER
I'll check the cable when I get onsite. I also found this interesting.
ROUTER#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet nnn.nnn.nnn.nnn 0 Incomplete ARPA
Internet nnn.nnn.nnn.nnn - xxxx.xxxx.xxxx ARPA GigabitEthernet0/0
You have designated an interface as 'IP nat outside', and Vlan1 as 'IP nat inside'
You have an ACL (23) that looks ok, I don't see a nat overload comment to nat the traffic though;
ip nat inside source list 23 interface GigabitEthernet 0/0 overload
Pete
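Added example, not part of the thread: a Python check over the NAT-relevant lines of a config like the one posted, reporting which `ip nat inside` subnets a given ACL would actually translate and which ACL wildcards are not the inverse of a subnet mask. Addresses from 203.0.113.0/24 stand in for the redacted public block, and `audit_nat` and `wildcard_to_network` are names made up for this example.

```python
import ipaddress
import re

# Constructed sample: NAT-relevant lines of a config like the one posted, with
# the redacted public block replaced by documentation range 203.0.113.0/24.
SAMPLE = """\
interface GigabitEthernet0/0
 ip address 203.0.113.194 255.255.255.224
 ip nat outside
interface Vlan1
 ip address 192.168.168.1 255.255.255.0
 ip nat inside
access-list 1 permit 203.0.113.0 0.0.0.224
access-list 23 permit 10.10.10.0 0.0.0.7
"""

def wildcard_to_network(addr, wildcard):
    """Return the IPv4Network an ACL entry covers, or None if the wildcard
    is non-contiguous (not the inverse of a subnet mask)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # contiguous wildcards have the form 2**n - 1
        return None
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def audit_nat(config, nat_acl):
    """List non-contiguous ACL wildcards, then every 'ip nat inside' subnet
    that standard ACL `nat_acl` would not match for translation."""
    findings, inside, acls = [], [], {}
    iface = if_net = None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            iface, if_net = m.group(1), None
        elif m := re.match(r"\s*ip address (\S+) (\S+)", line):
            if_net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif re.match(r"\s*ip nat inside\s*$", line) and if_net:
            inside.append((iface, if_net))
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+)", line):
            acl_net = wildcard_to_network(m.group(2), m.group(3))
            if acl_net is None:
                findings.append(f"ACL {m.group(1)}: non-contiguous wildcard {m.group(3)}")
            else:
                acls.setdefault(m.group(1), []).append(acl_net)
    for name, net in inside:
        if not any(net.subnet_of(a) for a in acls.get(nat_acl, [])):
            findings.append(f"{name} {net} is not matched by ACL {nat_acl}")
    return findings
```

`audit_nat(SAMPLE, "23")` returns one finding for the `0.0.0.224` wildcard in ACL 1 and one for Vlan1, whose 192.168.168.0/24 subnet lies outside the 10.10.10.0/29 range that ACL 23 permits.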
ASKER
Looks like the gateway of the ISP needed to be restarted. Traffic is now flowing again.
Made the ACL changes above but is NAT really necessary in my case? Not all public IPs will be used by the firewall. Other devices/firewalls will be eventually connected directly to the router which will require public IPs.
Thanks.
@Predrag Jovic
Sorry Buddy not enough Coffee :)
No problem
;)
Your router does not receive anything from ISP, bad cable? I guess you should contact your ISP.
You're welcome. :)
ASKER
Cable was loose on the gateway and provided inconsistent/confusing results. Reseating the fiber connection corrected the problem.
ASKER
The WAN connection stopped working specifically. I'm not able to ping out from the router (well not even the gateway which is 206.x.x.193) which is connected to GE0/0.