Cisco 1921 Additional Interface for WAN

I have a Cisco 1921 with two interfaces, 0/0 and 0/1. I added a Gig 0/0/0 interface. The additional interface is for a WAN connection providing Internet.

ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.10.0.0 255.255.0.0 10.255.255.3
ip route 10.13.0.0 255.255.0.0 10.255.255.3

0/0 10.255.255.2 (to main office)
0/1 10.14.0.1 (lan)
0/0/0 192.168.1.2

I have no problem pinging 10.255.255.3 and 192.168.1.1, but there is no Internet connection.

What am I missing?
MoonLive asked:

Costas Georgiou (Network Administrator) commented:
You have not mentioned the NATting, which according to me is missing.

Also, if you have 0/0 and a sub-interface 0/0.0, correct me if I am wrong, but you should instead use another sub-interface 0/0.1 instead of 0/0.

I have 5 WAN IPs that I NAT to 5 internal networks using the same concept.
JustInCase commented:
Since your default route points to private address space
ip route 0.0.0.0 0.0.0.0 192.168.1.1
is the ISP in that direction?
Typically, you would have a public IP address on your WAN interface, provided by your ISP.

There are a few possibilities for the problem, in case your IP addresses and static routes are OK:
- NAT is not configured properly (networks are not included in the NAT statements), so the ISP is dropping traffic since private IP addresses are used as source addresses
- Other router(s) have no idea where networks 10.10.0.0/26 and 10.13.0.0/16 are located; traffic for those networks is sent in the ISP's direction instead of to this router

Check the routing table of other L3 devices (if there are any), and check the NAT configuration.
MoonLive (Author) commented:
192.168.1.1 is the Verizon router.
10.10.x.x and 10.13.x.x route to the main office for the data connection.
0/0/0 is not a sub-interface. It is an additional Gig card on the Cisco 1921 router, where the Verizon router is located. I used to have the 0/0 interface provide data and Internet. Now I have separate connections for data and Internet. How do I check and see if NAT is configured on the Cisco 1921? If not, what is the command to do it?
JustInCase commented:
# sh run | i nat

This way you can see all NAT statements except the access list used for NAT.
You should probably paste your running config (excluding sensitive parts) and provide a basic topology (although I think I got it).

For NAT configuration you should typically configure:
- the interfaces for your devices with ip nat inside
- the interface(s) to the ISP/Verizon router as ip nat outside
- an access list (or route map) to select the traffic for NATting
- the NAT statement

Article with a basic configuration example - Configuring NAT overload

Typically the Verizon router has no idea where your 10.x.x.x networks are, so you would provide static routes for those on the Verizon router (but not in this case, since that traffic is for the ISP). In this case you should NAT your traffic so the Verizon router believes that all traffic is sent from the 192.168.1.2 device (or from that network range - you can configure a NAT pool if you want).
MoonLive (Author) commented:
Thanks PredragJovic, here is my running config:
RemoteSite2#show run
Building configuration...

Current configuration : 3505 bytes
!
! Last configuration change at 20:53:14 UTC Mon Feb 22 2016 by admin
!
version 15.4
!
hostname RemoteSite2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip dhcp excluded-address 10.16.0.1
ip dhcp excluded-address 10.16.0.1 10.16.0.255
ip dhcp excluded-address 10.16.2.200 10.16.3.254
!
!
!
ip domain name domain.com
ip name-server 10.12.2.100
ip name-server 10.12.2.200
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
cts logging verbose
!
license udi pid CISCO1921/K9 sn FGL191224FN
!
!
redundancy
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description PrimaryWANDesc_[----- WAN -----]
 ip address 10.255.255.3 255.255.255.248
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description [----- LAN -----]
 bandwidth 20000
 ip address 10.16.0.1 255.255.248.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip nat inside source list nat-list interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.255.255.1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 10.3.0.0 255.255.0.0 10.255.255.1
ip route 10.12.0.0 255.255.0.0 10.255.255.1
ip route 10.13.0.0 255.255.0.0 10.255.255.2
!
!
snmp-server community readme RO
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input telnet
!
scheduler allocate 20000 1000
!
end
Thanks for your help..!!!
JustInCase commented:
Your NAT is not at home. :)
interface GigabitEthernet0/0
 description PrimaryWANDesc_[----- WAN -----]
 ip address 10.255.255.3 255.255.255.248
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description [----- LAN -----]
 bandwidth 20000
 ip address 10.16.0.1 255.255.248.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto

ip route 0.0.0.0 0.0.0.0 10.255.255.1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0


You have 2 equal-cost default routes??? And both point in the same direction (other than the Verizon router). :)

If you want traffic to go to the Internet over the Verizon router, i.e. over just one of the interfaces, there should be only one default route configured.
If you want to forward traffic by source address you should use policy-based routing.
For all other cases, routes more specific than the default route will be used for forwarding traffic. If your office traffic is described with these static routes
ip route 10.3.0.0 255.255.0.0 10.255.255.1
ip route 10.12.0.0 255.255.0.0 10.255.255.1
ip route 10.13.0.0 255.255.0.0 10.255.255.2
then it is OK; all that traffic will be forwarded there.

And now, NAT.
If traffic to the office should not be NATted you can ignore it for the moment.
You can remove the static default routes pointing to the office.
no ip route 0.0.0.0 0.0.0.0 10.255.255.1
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

Commands that should be added:
ip route 0.0.0.0 0.0.0.0 192.168.1.1
interface Gi0/0
ip nat inside      <--- if you need to NAT traffic to the office, this should be ip nat outside (and there should also be more pieces added to this configuration)
interface Gi0/1
ip nat inside
interface Gi0/0/0
ip nat outside

If you need both WANs to NAT traffic it can be much more complicated, especially if failover is involved. But let me go with only Gi0/0/0 traffic being NATted.

You need to create an ACL to select the interesting traffic for NATting (this one matches your LAN interface, 10.16.0.0/21).
access-list 10 permit 10.16.0.0 0.0.7.255

Then you need to create the NAT statement
ip nat inside source list 10 interface Gi0/0/0 overload

MoonLive (Author) commented:
Predrag Jovic,

ip nat inside      <--- if you need to NAT traffic to office should be ip nat outside
The above is a little bit confusing; I may not understand what this will do. Thanks for your explanation.

All Internet traffic should route to 192.168.1.1 (^.^ I will change something later).
And all LAN traffic routes to 10.255.255.1 and 10.255.255.2.

Thanks again. This really helps!
JustInCase commented:
If you have 2 Internet connections, both should be configured with ip nat outside (and more configuration should be done); if office traffic is currently working properly, just ignore that (and this) comment. :)
MoonLive (Author) commented:
Yes. The 0/0 interface has been providing the Internet connection, but I don't want any Internet traffic to use the 0/0 interface. I would like every device connected on the 0/1 interface to use 0/0/0 for Internet, while 0/1 is for data only. 0/0 is a slow WAN connection. Thanks
JustInCase commented:
Hm...
Since it is a slow WAN interface, don't configure
# int Gi0/0
# ip nat inside
or, if you did, you can remove it with
# int Gi0/0
# no ip nat inside

Also, you could filter the traffic that travels through that line by using access-lists, although specific ip routes could be good enough (at least for now).
MoonLive (Author) commented:
PredragJovic, does this make it work?
no ip route 0.0.0.0 0.0.0.0 10.255.255.1
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

ip route 0.0.0.0 0.0.0.0 192.168.1.1
interface Gi0/0
ip nat inside      
interface Gi0/1
ip nat inside
interface Gi0/0/0
ip nat outside

access-list 100 remark ==[Verizon]==
access-list 100 permit ip 10.16.0.0 0.0.7.255

ip nat inside source list 100 interface gig 0/0/0 overload
JustInCase commented:
Almost :)
If you use number 100 you need a different type of ACL (then you don't need ip in the ACL also - that one is also for 100 - 199).
You should stick with the range of numbers between 1 - 99, or adapt the ACL, and don't configure Gi0/0 with ip nat inside (that way traffic from that interface will not be good for NATting).
MoonLive (Author) commented:
PredragJovic, OK, here is another one
no ip route 0.0.0.0 0.0.0.0 10.255.255.1
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

ip route 0.0.0.0 0.0.0.0 192.168.1.1  
interface Gi0/1
ip nat inside
interface Gi0/0/0
ip nat outside

access-list 10 remark ==[Verizon]==
access-list 10 permit ip 10.16.0.0 0.0.7.255

ip nat inside source list 10 interface gig 0/0/0 overload
Thanks!!!
JustInCase commented:
access-list 10 permit 10.16.0.0 0.0.7.255   <--- no ip there
MoonLive (Author) commented:
access-list 10 permit 10.16.0.0 0.0.7.255  192.168.1.1

or

access-list 10 permit 10.16.0.0 0.0.7.255  any

Thanks!
JustInCase commented:
If you use ACL numbers 1 - 99 you can filter only by source address, and that's it. So the ACL is exactly as I wrote it
access-list 10 permit 10.16.0.0 0.0.7.255

If you use ACL numbers 100 - 199 then you can filter by more criteria (source, destination, port, protocol type)
access-list 100 permit ip 10.16.0.0 0.0.7.255 any

You can use either of those - it will perform exactly the same function in your case, but the first one should have less impact on the router's CPU.
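As an added example that is not from the thread or any of its participants, the following Python audit checks a running config against the points raised above: a single default route toward the Verizon router, `ip nat inside`/`ip nat outside` on the right interfaces, the standard-ACL (1 - 99) syntax that must not carry the `ip` keyword, and an ACL wildcard that actually matches the inside LAN mask (255.255.248.0 inverts to 0.0.7.255). The config text is a constructed condensation of the one posted in the thread, with the rejected `permit ip` line included on purpose.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the posted running config condensed to the lines that
# matter, plus the "permit ip" ACL line that IOS rejected later in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 10.16.0.1 255.255.248.0
 ip nat inside
interface GigabitEthernet0/0/0
 ip address 192.168.1.2 255.255.255.0
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 10.255.255.1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
access-list 10 permit ip 10.16.0.0 0.0.7.255
"""

def wildcard(mask):
    """Inverse of a dotted subnet mask, e.g. 255.255.248.0 -> 0.0.7.255."""
    return str(IPv4Address(0xFFFFFFFF ^ int(IPv4Address(mask))))

def parse_interfaces(config):
    """Map each interface name to the set of its indented sub-commands."""
    blocks = re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)
    return {name: {line.strip() for line in body.splitlines()} for name, body in blocks}

def audit_nat(config):
    """Return findings against the PAT/overload recipe discussed in the thread."""
    findings, ifaces = [], parse_interfaces(config)
    defaults = re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    if len(defaults) != 1:
        findings.append(f"expected one default route, found {len(defaults)}: {defaults}")
    inside = {n: c for n, c in ifaces.items() if "ip nat inside" in c}
    if not inside:
        findings.append("no interface is marked 'ip nat inside'")
    for acl, outside in re.findall(r"^ip nat inside source list (\S+) interface (\S+) overload", config, re.M):
        if "ip nat outside" not in ifaces.get(outside, set()):
            findings.append(f"{outside} carries the NAT statement but lacks 'ip nat outside'")
        acl_lines = re.findall(rf"^access-list {re.escape(acl)} permit (.+)$", config, re.M)
        for body in acl_lines:
            if acl.isdigit() and int(acl) <= 99 and body.startswith("ip "):
                findings.append(f"standard ACL {acl} rejects the 'ip' keyword: {body}")
        # Each inside LAN must be selected by the ACL: look for its inverse mask.
        for name, cmds in inside.items():
            mask = next(c.split()[3] for c in cmds if c.startswith("ip address "))
            if not any(wildcard(mask) in b for b in acl_lines):
                findings.append(f"ACL {acl} has no entry with wildcard {wildcard(mask)} for {name}")
    return findings
```

`audit_nat(SAMPLE_CONFIG)` reports the two default routes, the missing `ip nat outside` on Gi0/0/0 and the stray `ip` keyword; applying the fixes given in this thread brings it down to an empty list.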
MoonLive (Author) commented:
Thanks. I will try tonight and get back to you. Just curious about the 0/0/0 interface showing (in the web console) as "Read-Only Interfaces" - is that something I need to worry about?
JustInCase commented:
Read-Only Interfaces - never heard of it.
MoonLive (Author) commented:
I just applied the command and I got the following error.
RemoteSite2(config)#access-list 10 permit ip 10.16.0.0 0.0.7.255
Translating "ip"...domain server (10.12.2.10) (10.12.2.24)
Invalid input detected at '^' marker. (the marker was at 10.12.2.10)

Thanks
JustInCase commented:
Again
access-list 10 permit 10.16.0.0 0.0.7.255
no ip there
MoonLive (Author) commented:
Yes, I just figured it out. I also added no ip domain-lookup too; I hope it won't hurt... Thank you so much.
Now everything seems to be working as I intended. When I look up my IP on the web I see the Verizon public IP, not my main site IP, and it gives me triple the speed test result. Thanks for your help
JustInCase commented:
You're welcome.