Cisco 2901 Config Question

Good Evening,

I’m trying to figure out how to best approach this.  We have a 2901 that is just doing routing for a /27 public IP block.  I tried coming up with a simple config and it actually worked for a bit before it stopped working.  I can’t figure out why though.  

We are just connecting a firewall and other devices to the 2901, including my ASA 5510.

There are several servers on the ASA hence the static routes.  

Any help would be much appreciated.  


show conf
Using 2604 out of 262136 bytes
!
! Last configuration change at 12:01:43 UTC Fri Oct 30 2015 by xxxxx
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DearLeader
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 SECRET
!
no aaa new-model
!
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1 
 lease 0 2
!
!
!
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2687731231
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2687731231
 revocation-check none
 rsakeypair TP-self-signed-2687731231
!
crypto pki certificate chain TP-self-signed-2687731231
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO2901/K9 sn FGL191320Z4
!
!
username USER privilege 15 secret 5 SECRET
!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description ISP
 ip address 206.x.x.194 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 1000
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 no ip address
!
interface GigabitEthernet0/0/1
 no ip address
!
interface GigabitEthernet0/0/2
 no ip address
!
interface GigabitEthernet0/0/3
 no ip address
!
interface Vlan1
 ip address 192.168.168.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 206.x.x.193
ip route 206.x.x.195 255.255.255.255 192.168.168.2
ip route 206.x.x.196 255.255.255.255 192.168.168.2
ip route 206.x.x.201 255.255.255.255 192.168.168.2
ip route 206.x.x.205 255.255.255.255 192.168.168.2
!
!
!
access-list 1 permit 206.x.x.0 0.0.0.224
access-list 23 permit 10.10.10.0 0.0.0.7
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Asked by Edward Cho (Managing Exciting Technology Things)

ArchiTech89 (IT Security Engineer) commented:
You'll have to elaborate on what "stopped working."

At first glance, I would take out all the individual static routes, and summarize on the /27 network itself. So basically,
     no ip route 206.x.x.195 255.255.255.255 192.168.168.2
     no ip route 206.x.x.196 255.255.255.255 192.168.168.2
     no ip route 206.x.x.201 255.255.255.255 192.168.168.2
     no ip route 206.x.x.205 255.255.255.255 192.168.168.2

replaced with
     ip route 206.x.x.192 255.255.255.224 192.168.168.2
or whatever. (I'm just assuming a /27 from the IPs you were using.)

One of the reasons you can (want to) do this is because each of these static routes has the same next hop. So just simplify.

Next, I'm more of a firewall guy, but if I remember my routing and switching right, the wildcard mask on access-list 1 is off. I'm not sure about the exact syntax, but I know for a /27 in the range example I used above, you'd want
     0.0.0.31
for a wildcard mask. And I think you should likely list
     206.x.x.192
not
     206.x.x.0
based on my assumptions before.

Maybe that'd get you started?

If you want more answers, think about describing your architecture a little further, with emphasis on what's failing where...
Edward Cho (author) commented:
Thanks for helping out.  

The WAN connection stopped working specifically.  I'm not able to ping out from the router (well not even the gateway which is 206.x.x.193) which is connected to GE0/0.
JustInCase commented:
Check whether your default route is OK. 206.x.x.193 should be your ISP router IP address:
ip route 0.0.0.0 0.0.0.0 206.x.x.193
(I guess that is OK, but just in case)
And what is most certainly a problem in your configuration: you don't have a NAT statement, so your NAT is not working.
You configured inside and outside NAT interfaces and nothing more. What's missing is:

ip nat inside source list x interface gi0/0 overload

 ACL x should cover the IP address range of your network whose hosts are permitted to be NATed (I guess that should be ACL 23, but interface Vlan1 has a different IP range).

From the router you should be able to ping 206.x.x.193, since it is directly connected, and your router by default should use its WAN address to ping.
What is your result for
#sh ip interface brief
#sh interface status

Static routes
ip route 206.x.x.195 255.255.255.255 192.168.168.2
ip route 206.x.x.196 255.255.255.255 192.168.168.2
ip route 206.x.x.201 255.255.255.255 192.168.168.2
ip route 206.x.x.205 255.255.255.255 192.168.168.2
will never be used by the router. Your WAN interface is in the IP address range 206.x.x.192/27 (if x.x is the same in both cases), so since the router has a directly connected interface (AD 0), the static routes (AD 1) will never be used.

Also I noticed that your DHCP server is configured to assign ip addresses in 10.10.10.0/29 range, but you don't have IP interface in that range.
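How IOS chooses between these routes, as an added illustration from the editor (not part of any post in the thread). The forwarding lookup is longest prefix match first; administrative distance only decides between routes to the same prefix from different sources. A summary static 206.x.x.192/27 via 192.168.168.2 would duplicate the prefix already connected on Gi0/0 and would stay out of the routing table while that interface is up (connected AD 0 beats static AD 1), but the four /32 host routes are longer than the connected /27 and are therefore used. What makes the /32 design work on the ISP side is proxy ARP on Gi0/0, which IOS enables by default: the router answers the gateway's ARP for .195 because its best route to .195 leaves through a different interface. Addresses are those in the question, with the x.x placeholders kept.

```cisco
! Added illustration: route selection for the /27 on the 2901 (editor's example,
! not from the thread).
!
! Connected: 206.x.x.192/27 on GigabitEthernet0/0, AD 0
! Static   : four /32 host routes via the ASA at 192.168.168.2, AD 1
!
! A static summary that duplicates the connected prefix never enters the
! routing table while Gi0/0 is up: for the SAME prefix the lower AD wins.
!   ip route 206.x.x.192 255.255.255.224 192.168.168.2   <- shadowed by the connected /27
!
! The host routes are LONGER prefixes than the connected /27, so the
! forwarding lookup prefers them regardless of AD:
ip route 206.x.x.195 255.255.255.255 192.168.168.2
ip route 206.x.x.196 255.255.255.255 192.168.168.2
ip route 206.x.x.201 255.255.255.255 192.168.168.2
ip route 206.x.x.205 255.255.255.255 192.168.168.2
!
! The ISP gateway (206.x.x.193) still ARPs for .195 on the /27 segment.
! IOS proxy ARP (on by default) answers with Gi0/0's MAC because the
! router's best route to .195 leaves via a different interface (Vlan1).
! Keep it enabled on the ISP-facing interface for this design to work:
interface GigabitEthernet0/0
 ip proxy-arp
!
! Checks: the first shows which routing-table entry matches a destination,
! the second shows the CEF entry actually used for forwarding, the third
! shows what the router has learned or answered on the ISP segment.
! show ip route 206.x.x.195
! show ip cef 206.x.x.195 detail
! show ip arp GigabitEthernet0/0
```

If `show ip route 206.x.x.195` reports the /32 with "via 192.168.168.2", the host route is in use; if it reports only the connected /27, the /32 was removed or its next hop is unreachable.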

Edward Cho (author) commented:
Thanks for your reply.  Even without the NAT statement, I should still be able to ping the outside world from the router correct?  I'm unable to ping the gateway (206.x.x.193) from the router but able to ping the assigned IP address to the port (206.x.x.194).

ROUTER#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down
GigabitEthernet0/0         206.x.x.194 YES NVRAM  up                    up
GigabitEthernet0/1         unassigned      YES NVRAM  administratively down down
GigabitEthernet0/0/0       unassigned      YES unset  up                    up
GigabitEthernet0/0/1       unassigned      YES unset  down                  down
GigabitEthernet0/0/2       unassigned      YES unset  down                  down
GigabitEthernet0/0/3       unassigned      YES unset  down                  down
NVI0                       206.x.x.194 YES unset  up                    up
Vlan1                      unassigned      YES manual up                    up
ROUTER#sh int stat
Interface Embedded-Service-Engine0/0 is disabled

GigabitEthernet0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor          0          0       7361     830975
             Route cache          0          0          0          0
                   Total          0          0       7361     830975
Interface GigabitEthernet0/1 is disabled

GigabitEthernet0/0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor         16       1024      31463    2429942
             Route cache          0          0          0          0
                   Total         16       1024      31463    2429942
GigabitEthernet0/0/1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor          0          0          0          0
             Route cache          0          0          0          0
                   Total          0          0          0          0
GigabitEthernet0/0/2
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor          0          0          0          0
             Route cache          0          0          0          0
                   Total          0          0          0          0
GigabitEthernet0/0/3
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor          0          0          0          0
             Route cache          0          0          0          0
                   Total          0          0          0          0
NVI0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor          0          0          0          0
             Route cache          0          0          0          0
                   Total          0          0          0          0
Vlan1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor         16        960        113       8715
             Route cache          0          0          0          0
                   Total         16        960        113       8715


JustInCase commented:
Yes, you should be able to ping the ISP even if NAT is not correctly configured when you ping from the router.
GigabitEthernet0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor          0          0       7361     830975
             Route cache          0          0          0          0
                   Total          0          0       7361     830975

NVI0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor          0          0          0          0
             Route cache          0          0          0          0
                   Total          0          0          0          0


NVI0 should not be up/up; as far as I can remember, NAT is not correctly configured for that. It should be configured as # ip nat enable on all interfaces that participate in NAT (not with # ip nat outside, inside), and the NAT statement should be configured as
ip nat source list x interface gi0/0 overload
(no "inside" in the command)

What is interesting is that Pkts In on Gi0/0 are 0 0 (although I asked for interface status and got interface stats :) in this case it was much better)... Your router does not receive anything from the ISP. Bad cable? I guess you should contact your ISP.
Edward Cho (author) commented:
I'll check the cable when I get onsite.  I also found this interesting.  

ROUTER#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  nnn.nnn.nnn.nnn         0   Incomplete      ARPA
Internet  nnn.nnn.nnn.nnn         -   xxxx.xxxx.xxxx  ARPA   GigabitEthernet0/0


Pete Long (Technical Consultant) commented:
You have designated an interface as 'ip nat outside', and Vlan1 as 'ip nat inside'.
You have an ACL (23) that looks OK, but I don't see a NAT overload command to NAT the traffic:

ip nat inside source list 23 interface GigabitEthernet 0/0 overload


Pete
Edward Cho (author) commented:
Looks like the gateway of the ISP needed to be restarted.  Traffic is now flowing again.

Made the ACL changes above but is NAT really necessary in my case?  Not all public IPs will be used by the firewall.  Other devices/firewalls will be eventually connected directly to the router which will require public IPs.

Thanks.
JustInCase commented:
@Pete - it was already suggested in my first post
:)

@Author - You can exclude devices from NAT if you want to (in the access list), but all ISPs should drop all traffic that has private address space as source or destination. So, for all your private address space you have to use NAT when those hosts go to the internet.
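The NAT part of the posted config, corrected by the editor as an added example (not a post from the thread). Three details in the question's config matter here. ACL 23 is the management ACL (`ip http access-class 23` and `access-class 23 in` on the vty lines) and permits only 10.10.10.0/29, a range no interface serves, so it currently blocks all vty and HTTP access by IP; reusing it as the NAT ACL would tie management exposure to NAT policy. Vlan1 is 192.168.168.0/24, so the overload rule needs an ACL that matches that range. Hosts that keep public addresses, such as the /32s routed to the ASA, never match the NAT ACL and are simply routed; a router needs no identity NAT for them, and NVI0 appearing in `show ip interface brief` is normal whenever any `ip nat` command is configured. ACL 1 is not referenced anywhere but is fixed since the thread discusses it. The ACL number 10 and the admin host 192.168.168.10 are the editor's assumptions.

```cisco
! Added correction for the NAT part of the posted config (editor's example,
! not from the thread).
!
! Before (as posted): interfaces are marked inside/outside but no translation
! rule exists, and ACL 1 uses a non-contiguous wildcard (0.0.0.224) that only
! matches addresses whose low five bits are zero (.0, .32, .64, ... .224).
!   access-list 1 permit 206.x.x.0 0.0.0.224
!   access-list 23 permit 10.10.10.0 0.0.0.7
!
! 1. ACL 1 covering the whole /27 (unreferenced, but leave it correct):
no access-list 1
access-list 1 permit 206.x.x.192 0.0.0.31
!
! 2. A dedicated NAT ACL (number assumed): only the private Vlan1 hosts are
!    translated. Packets sourced from the public /32s routed to the ASA do
!    not match and are forwarded untranslated. Do not reuse the management
!    ACL (23) for this.
access-list 10 permit 192.168.168.0 0.0.0.255
!
! 3. The missing translation rule: PAT everything matched by ACL 10 to the
!    address of the ISP-facing interface.
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
! 4. Management ACL 23 stays separate. As posted it only permits
!    10.10.10.0/29, which no interface serves, so vty/HTTP are unreachable
!    by IP. Add the host(s) that should manage the router (assumed admin
!    host, not from the thread); keep it narrow rather than opening the
!    whole Vlan1 subnet.
access-list 23 permit 192.168.168.10
!
! Verification:
! show ip nat statistics        - lists inside/outside interfaces and the rule
! show ip nat translations      - PAT entries appear once a Vlan1 host goes out
! show access-lists             - ACL 10 match counters increment
! show ip interface brief       - NVI0 up/up is expected with NAT configured
```

Traffic from the ASA's public /32s arrives on Vlan1 with a public source address, matches nothing in ACL 10 and leaves Gi0/0 unchanged, so the only hosts that need the overload rule are the ones that actually use 192.168.168.0/24 addresses.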
Pete Long (Technical Consultant) commented:
@Predrag Jovic

Sorry Buddy not enough Coffee :)
JustInCase commented:
No problem
;)
ArchiTech89 (IT Security Engineer) commented:
@Predrag
Isn't
     sh int status
only available in switches? But this is a router, right?

@Pete and @Predrag
Why would Edward worry about NATing, especially with overload? Isn't he using the public IPs on the inside and outside of the router? Why would he need NAT?

In the firewall side of things, here we would use 'identity NAT'--we'd NAT the public IP to itself out the perimeter interface. But I'm not sure that applies for routers.
JustInCase commented:
Noel, you are right about # sh int status. Thank you for the correction.
:)
Although ISRs can be routers and switches (I have one at home, so I am used to having that on a router), the command is valid only for the switch part and not for the router.

And for the second part: that doesn't apply to routers as far as I know. I explained (hope that I did) that because connected interfaces have AD 0, the static routes (AD 1) would not work. Configuring interfaces with inside and outside will not do anything by itself; an ip nat translation still needs to be configured.
There are maybe 3??? (2 for sure) ways this can be done on a router:
1. one-to-one static NAT
2. PAT
3. ????? set second interface as ip unnumbered ???? ---- but I am not even sure that this can work and in what conditions since it should be applicable in point to point networks

So, with the current router configuration from the original question, I guess the Author should set private addresses on the servers and create one-to-one static NAT for the servers.
So instead of
ip route 206.x.x.195 255.255.255.255 192.168.168.2
ip route 206.x.x.196 255.255.255.255 192.168.168.2
ip route 206.x.x.201 255.255.255.255 192.168.168.2
ip route 206.x.x.205 255.255.255.255 192.168.168.2
should be configured as
ip nat inside source static 192.168.0.2 206.x.x.195
ip nat inside source static 192.168.0.3 206.x.x.196
ip nat inside source static 192.168.0.4 206.x.x.201
ip nat inside source static 192.168.0.5 206.x.x.205
And the rest of the hosts (if there are any) can be configured for NAT with overload.
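The static NAT alternative JustInCase outlines, written out by the editor as an added example (not from the thread). The servers get private addresses, the 2901 owns the public /27 and maps each server one-to-one, and the host routes for the mapped public addresses are removed. The private addresses and the 192.168.100.0/24 server subnet behind the ASA are placeholders, as is ACL number 10. One caveat the thread does not spell out: for a given public address use either the host route toward the ASA or a static NAT entry on the router, not both, because IOS translates an inbound packet's destination (outside to inside) before the routing lookup, so the host route would never be consulted once the static entry exists.

```cisco
! Added example of the static-NAT design JustInCase describes (editor's,
! not from the thread). Servers get private addresses; the router owns the
! public /27 and maps them one-to-one.
!
! Remove the host routes for addresses that will be statically NATed:
no ip route 206.x.x.195 255.255.255.255 192.168.168.2
no ip route 206.x.x.196 255.255.255.255 192.168.168.2
no ip route 206.x.x.201 255.255.255.255 192.168.168.2
no ip route 206.x.x.205 255.255.255.255 192.168.168.2
!
! Inside local addresses are placeholders. If the servers sit behind the
! ASA, the router also needs a route to their subnet via the ASA's outside
! address (subnet assumed):
ip route 192.168.100.0 255.255.255.0 192.168.168.2
!
! One-to-one static NAT (inside local -> inside global). Static entries are
! permanent, so inbound connections to the public address reach the server
! without any prior outbound traffic.
ip nat inside source static 192.168.100.2 206.x.x.195
ip nat inside source static 192.168.100.3 206.x.x.196
ip nat inside source static 192.168.100.4 206.x.x.201
ip nat inside source static 192.168.100.5 206.x.x.205
!
! The remaining private hosts use PAT to the interface address. The deny
! keeps the dynamic rule from ever matching the server subnet, so a server
! is never translated to the interface address if its static entry is
! removed later. Use a dedicated ACL, not the management ACL 23.
access-list 10 deny   192.168.100.0 0.0.0.255
access-list 10 permit 192.168.168.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
! Inbound packets for 206.x.x.195 have their destination rewritten to
! 192.168.100.2 before the routing lookup, so a host route for 206.x.x.195
! would never be consulted: pick one mechanism per public address.
!
! Checks:
! show ip nat translations       - the four static entries are always listed
! show ip nat statistics         - rule hits and the inside/outside interfaces
! show ip route 192.168.100.2    - the translated destination must be routable
```

With this design the ASA no longer needs to answer for the public addresses at all; it only has to forward the private server subnet to and from 192.168.168.1.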
Edward Cho (author) commented:
Just as a resolution, the ISP's fiber cable was loose hence we couldn't ping the gateway.

Thanks for all that helped.

JustInCase commented:
"Your router does not receive anything from the ISP. Bad cable? I guess you should contact your ISP."
You're welcome. :)
Edward Cho (author) commented:
The cable was loose on the gateway and gave inconsistent/confusing results. Reseating the fiber connection corrected the problem.