1941 no nat

Discussion in 'Cisco' started by Supersleuth, Feb 19, 2012.

  1. Supersleuth

    Supersleuth Guest

    I have a Cisco 1941 with an HWIC-4ESW installed

    IOS is C1900-universak9-mz-SPA.151-4.M3

    I have an Ethernet feed from my ISP

    I configured GigabitEthernet0/0 with the public IP from the ISP /30

    I configured the IP ROUTE to the next hop up from the
    GigabitEthernet 0/0

    From the 1941 I can ping any external IP address

    They also gave me a /28 public block for the LAN. I gave Vlan1 the 2nd
    in the range from the /28

    If I configure a PC with 1 of the addresses from the /28 IPs I can
    ping Vlan1 and GigabitEthernet0/0 interfaces but no further.

    If I configure the 1941 with NAT it all works.

    I don't want to use NAT; I need servers on each IP with ALL ports
    available

    Am I missing something in the configuration or is this an IOS bug /
    limitation?

    I need a config for a 1941 no NAT with public IPs on both WAN and
    LAN interfaces

    Any ideas please
    Supersleuth, Feb 19, 2012
    #1

  2. Supersleuth <> writes:
    >I need a config for a 1941 no NAT with public IPs on both WAN and
    >LAN interfaces


    Since the most basic config would do that, and NAT takes extra work,
    it would help to see your config.

    A simple config like

    int Gig0/0
     ip address 200.200.200.1 255.255.255.252
    int Fast0/0
     ip address 200.0.0.1 255.255.255.240
    ip route 0.0.0.0 0.0.0.0 200.200.200.2

    would be sufficient to do what you are asking. But without seeing
    what you've come up with, we're up in the air on what you've done.

    (No need to include passwords, or ACLs that aren't used, and the like.
    Although if you do have an ACL on an interface, you'll want to make
    sure it isn't blocking you).
    Doug McIntyre, Feb 20, 2012
    #2

  3. Supersleuth

    Supersleuth Guest

    On 20 Feb 2012 04:13:22 GMT, Doug McIntyre <> wrote:

    >Supersleuth <> writes:
    >>I need a config for a 1941 no NAT with public IPs on both WAN and
    >>LAN interfaces

    >
    >Since the most basic config would do that, and NAT takes extra work,
    >it would help to see your config.
    >
    >A simple config like
    >
    >int Gig0/0
    > ip address 200.200.200.1 255.255.255.252
    >int Fast0/0
    > ip address 200.0.0.1 255.255.255.240
    >ip route 0.0.0.0 0.0.0.0 200.200.200.2
    >
    >would be sufficient to do what you are asking. But without seeing
    >what you've come up with, we're up in the air on what you've done.
    >
    >(No need to include passwords, or ACLs that aren't used, and the like.
    >Although if you do have an ACL on an interface, you'll want to make
    >sure it isn't blocking you).



    The first 2 octets in both subnets are the same numbers (removed for
    security)

    When I tried to give fast0/0/0 an IP address it told me that layer 2
    can't have an IP address. That's why I gave Vlan1 the IP address

    If I connect to the router via console and issue a ping to an external
    public IP, that works

    If I take a PC and give it x.x.174.25 255.255.255.248 default
    gateway x.x.174.25

    I can ping to x.x.172.114 but no further

    no ipv6 cef
    ip source-route
    ip cef
    !
    multilink bundle-name authenticated
    !
    !
    ip tcp synwait-time 10
    !
    !
    !
    !
    interface Embedded-Service-Engine0/0
     no ip address
     ip flow ingress
     shutdown
    !
    interface GigabitEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
     ip address x.x.172.114 255.255.255.252
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     description $FW_OUTSIDE$$ES_WAN$
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet0/0/0
     no ip address
    !
    interface FastEthernet0/0/1
     no ip address
    !
    interface FastEthernet0/0/2
     no ip address
    !
    interface FastEthernet0/0/3
     no ip address
    !
    interface Vlan1
     ip address x.x.174.25 255.255.255.248
     ip verify unicast reverse-path
     ip tcp adjust-mss 1452
    !
    no ip classless
    ip forward-protocol nd
    !
    ip route 0.0.0.0 0.0.0.0 x.x.172.113
    Supersleuth, Feb 20, 2012
    #3
  4. * Supersleuth hacked into the number cruncher:
    >
    > They also gave me a /28 public block for the LAN. I gave Vlan1 the 2nd
    > in the range from the /28
    >
    > Any ideas please


    One idea:
    Let the provider check whether your net is routed correctly. If they
    don't route your net towards you, then you will get exactly that result.

    luke
    --
    As an end user I want to buy a CD, stuff it into the cup
    holder,[..]- and then the box has to run. Colorfully,
    loudly and with as little rework as possible.
    --Robin Socha in dcoulm
    Lukas Schratz, Feb 20, 2012
    #4
  5. Supersleuth

    Supersleuth Guest

    On Mon, 20 Feb 2012 14:27:04 +0100, Lukas Schratz
    <> wrote:

    >* Supersleuth hacked into the number cruncher:
    >>
    >> They also gave me a /28 public block for the LAN. I gave Vlan1 the 2nd
    >> in the range from the /28
    >>
    >> Any ideas please

    >
    >One idea:
    >Let the provider check whether your net is routed correctly. If they
    >don't route your net towards you, then you will get exactly that result.
    >
    >luke




    It is routed OK

    If I use a DrayTek router it works OK but the client wants to use the
    Cisco 1941
    Supersleuth, Feb 20, 2012
    #5
  6. * Supersleuth hacked into the number cruncher:
    > On 20 Feb 2012 04:13:22 GMT, Doug McIntyre <> wrote:
    >
    >>Supersleuth <> writes:

    >
    >
    > If I take a PC and give it x.x.174.25 255.255.255.248 default
    > gateway x.x.174.25
    >
    >
    > I can ping to x.x.172.114 but no further
    >

    What do you see on the router if you issue
    # ping $outsideaddress sour vlan1
    >
    >
    > ip verify unicast reverse-path

    ^^^^^^^^^^^^^^^^^^^
    Reason for this?

    > ip route 0.0.0.0 0.0.0.0 x.x.172.113


    luke
    --
    >> </plist>

    > *shudder* Could you please puke somewhere else?

    That's XML, man!!11 That's the future !!!1eleven
    -- Jürgen P.Meier built a Mac plist
    and Volker Birk feels sick.
    Lukas Schratz, Feb 20, 2012
    #6
  7. Supersleuth <> writes:
    >When I tried to give fast0/0/0 an IP address it told me that layer 2
    >can't have an IP address. That's why I gave Vlan1 the IP address



    Okay, so you also have an HWIC-4ESW card inserted, and you are trying
    to configure it to work in the mix as well.

    The HWIC-4ESW is a layer-2 switch bolted on a board. They aren't
    router ports (i.e. that can take IP address info), but just switch
    ports, thus you need to do extra stuff to get the bolted-on-switch
    talking back to the router as well.

    I am not familiar with the HWIC-4ESW on 1941, but on my 1841 with the
    HWIC-4ESW, what you did should work.

    You may want to just light up both Gigabit interfaces just to make
    sure what you are doing is functional. These are both full router
    ports and behave just like you think, without the extra wonkiness
    that a bolted-on-switch module brings you. Then at least you know
    it is working, then you can tackle the HWIC-4ESW config.

    Your config looks correct otherwise.

    To troubleshoot the HWIC-4ESW, I'd start to 'show int' each of the ports
    to make sure they are up. I'd just do a 'show vlan' to make sure the
    VLAN is defined, and that each of the switch ports is indeed part of
    the VLAN 1 like you are assuming. I'd make sure that Vlan1 is not 'shutdown'
    so that it can pass layer-2 switch traffic.

    I'd do a 'show route' to make sure the routes for each block show up
    in the routing table, and are Connected routes properly for each block
    to each layer-3 interface.
    Doug McIntyre, Feb 20, 2012
    #7
  8. On 20/02/2012 16:43, Supersleuth wrote:
    > On Mon, 20 Feb 2012 14:27:04 +0100, Lukas Schratz
    > <> wrote:
    >
    >> * Supersleuth hacked into the number cruncher:
    >>>
    >>> They also gave me a /28 public block for the LAN. I gave Vlan1 the 2nd
    >>> in the range from the /28
    >>>
    >>> Any ideas please

    >>
    >> One idea:
    >> Let the provider check whether your net is routed correctly. If they
    >> don't route your net towards you, then you will get exactly that result.
    >>
    >> luke

    >
    >
    >
    > It is routed OK
    >
    > If I use a DrayTek router it works OK but the client wants to use the
    > Cisco 1941


    As said by Lukas, check your connectivity with

    router# ping 8.8.8.8 source Vlan1

    with Vlan1 ip in /28 subnet.

    then post output here...

    Of course you can use any public IP address instead of Google DNS...:)

    Marco
    Marco Giuliani, Feb 21, 2012
    #8
  9. Supersleuth

    Supersleuth Guest

    On Tue, 21 Feb 2012 15:32:29 +0100, Marco Giuliani
    <> wrote:

    >On 20/02/2012 16:43, Supersleuth wrote:
    >> On Mon, 20 Feb 2012 14:27:04 +0100, Lukas Schratz
    >> <> wrote:
    >>
    >>> * Supersleuth hacked into the number cruncher:
    >>>>
    >>>> They also gave me a /28 public block for the LAN. I gave Vlan1 the 2nd
    >>>> in the range from the /28
    >>>>
    >>>> Any ideas please
    >>>
    >>> One idea:
    >>> Let the provider check whether your net is routed correctly. If they
    >>> don't route your net towards you, then you will get exactly that result.
    >>>
    >>> luke

    >>
    >>
    >>
    >> It is routed OK
    >>
    >> If I use a DrayTek router it works OK but the client wants to use the
    >> Cisco 1941

    >
    >As said by Lukas, check your connectivity with
    >
    >router# ping 8.8.8.8 source Vlan1
    >
    >with Vlan1 ip in /28 subnet.
    >
    >then post output here...
    >
    >Of course you can use any public IP address instead of Google DNS...:)
    >
    > Marco



    ping 8.8.8.8 source GigabitEthernet0/0 100% success

    ping 8.8.8.8 source Vlan1 0% success


    What am I missing in my config to route Vlan1 to GigabitEthernet0/0
    (outside world)

    Config is posted in 1 of the previous in this chain
    Supersleuth, Feb 21, 2012
    #9
  10. On 21/02/2012 21:28, Supersleuth wrote:

    > ping 8.8.8.8 source GigabitEthernet0/0 100% success
    >
    > ping 8.8.8.8 source Vlan1 0% success
    >
    >
    > What am I missing in my config to route Vlan1 to GigabitEthernet0/0
    > (outside world)
    >
    > Config is posted in 1 of the previous in this chain


    It seems that your provider does not have a route to your inside subnet.

    your ISP
    x.x.172.113/30

    G0/0 x.x.172.114/30
    cisco 1941
    Vlan1 x.x.174.25/28

    LAN.....subnet x.x.174.16/28

    Your default route is 0.0.0.0 0.0.0.0 x.x.172.113
    and your ISP's router should have

    x.x.174.16 255.255.255.240 x.x.172.113.

    Anyway, you said that all was OK with the DrayTek router:
    how can we explain this situation?

    Are you sure about your subnet assignment? Why did you choose x.x.174.25/28
    IP address on Vlan1? It is neither the first nor the last subnet address.

    Regards.
    Marco Giuliani, Feb 22, 2012
    #10
  11. * Supersleuth hacked into the number cruncher:
    >
    > ping 8.8.8.8 source GigabitEthernet0/0 100% success
    >
    > ping 8.8.8.8 source Vlan1 0% success
    >
    >
    > What am I missing in my config to route Vlan1 to GigabitEthernet0/0
    > (outside world)
    >
    > Config is posted in 1 of the previous in this chain


    do:
    sh ip route
    sh vlan-switch
    sh ip int brie

    I suppose that maybe your vlan-interface is down due to misconfiguration,
    therefore it is not able to forward traffic.

    luke
    --
    > What I learned was greed and deceit!

    You became a lawyer?
    --Donald Duck in MM 7/2005 (Don Rosa)
    Lukas Schratz, Feb 22, 2012
    #11
  12. Supersleuth

    Supersleuth Guest

    On Wed, 22 Feb 2012 09:57:01 +0100, Marco Giuliani
    <> wrote:

    >On 21/02/2012 21:28, Supersleuth wrote:
    >
    >> ping 8.8.8.8 source GigabitEthernet0/0 100% success
    >>
    >> ping 8.8.8.8 source Vlan1 0% success
    >>
    >>
    >> What am I missing in my config to route Vlan1 to GigabitEthernet0/0
    >> (outside world)
    >>
    >> Config is posted in 1 of the previous in this chain

    >
    >It seems that your provider does not have a route to your inside subnet.
    >
    >your ISP
    >x.x.172.113/30
    >
    >G0/0 x.x.172.114/30
    >cisco 1941
    >Vlan1 x.x.174.25/28
    >
    >LAN.....subnet x.x.174.16/28
    >
    >Your default route is 0.0.0.0 0.0.0.0 x.x.172.113
    >and your ISP's router should have
    >
    >x.x.174.16 255.255.255.240 x.x.172.113.
    >
    >Anyway, you said that all was OK with the DrayTek router:
    >how can we explain this situation?
    >
    >Are you sure about your subnet assignment? Why did you choose x.x.174.25/28
    >IP address on Vlan1? It is neither the first nor the last subnet address.
    >
    >Regards.
    >
    >
    >
    >
    >

    Sorry for the typo, just realised it should be a /29 255.255.255.248
    NOT /28


    I have tried the setup with a DrayTek, Netgear and a Linksys; all
    work OK.

    There is something to do with routing any traffic that hits the Vlan1
    interface to the GigabitEthernet 0/0 interface WITHOUT using NAT


    If the cheaper routers can do this the 1941 must be able to
    Supersleuth, Feb 22, 2012
    #12
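
Added example, not part of any post in this thread: a Python check of the addressing discussed in posts #10 and #12. It parses an IOS-style fragment, derives the connected subnets, and renders the static route the upstream router needs for the LAN block to be reachable without NAT. The addresses are constructed from documentation ranges in place of the redacted x.x octets, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the thread's layout with documentation-range addresses
# standing in for the redacted "x.x" octets (assumption, not the real config).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.114 255.255.255.252
interface FastEthernet0/0/0
 no ip address
interface Vlan1
 ip address 203.0.113.25 255.255.255.248
ip route 0.0.0.0 0.0.0.0 192.0.2.113
"""

def parse_config(text):
    """Return ({interface name: IPv4Interface}, default-route next hop or None)."""
    interfaces, current, next_hop = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and current:
            interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line):
            next_hop = ipaddress.ip_address(m.group(1))
    return interfaces, next_hop

def upstream_routes(interfaces, next_hop):
    """Routes the upstream router needs: every non-WAN connected subnet,
    pointed at this router's address on the link that holds the next hop."""
    wan = next(i for i in interfaces.values() if next_hop in i.network)
    return [(i.network, wan.ip) for i in interfaces.values() if i is not wan]

def as_ios(route):
    """Render (network, next hop) as an IOS static-route line."""
    network, hop = route
    return f"ip route {network.network_address} {network.netmask} {hop}"

def covered_by(assigned_block, interface):
    """True when the interface's subnet lies inside the block the ISP routes."""
    return interface.network.subnet_of(ipaddress.ip_network(assigned_block))

if __name__ == "__main__":
    interfaces, hop = parse_config(SAMPLE_CONFIG)
    for route in upstream_routes(interfaces, hop):
        print("upstream needs:", as_ios(route))
    # The /29 configured on Vlan1 sits inside the /28 mentioned in the thread.
    print("Vlan1 inside /28:", covered_by("203.0.113.16/28", interfaces["Vlan1"]))
```
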
  13. Supersleuth <> writes:
    >I have tried the setup with a DrayTek, Netgear and a Linksys; all
    >work OK.


    >There is something to do with routing any traffic that hits the Vlan1
    >interface to the GigabitEthernet 0/0 interface WITHOUT using NAT


    >If the cheaper routers can do this the 1941 must be able to



    As my previous post indicated to you, you must be having issues with the addon
    HWIC-4ESW card you must have installed, and not routing in general.

    If you moved your config to use both the Gigabit Ethernet layer-3
    ports in the 1941 box, you'd probably work just fine.

    I also gave you some troubleshooting commands to see what may be going
    on with the HWIC-4ESW card talking (as have others).

    It isn't the router, but something with the addon card that may be
    doing you in.
    Doug McIntyre, Feb 22, 2012
    #13
  14. Supersleuth

    Supersleuth Guest

    On Wed, 22 Feb 2012 10:12:15 +0100, Lukas Schratz
    <> wrote:

    >* Supersleuth hacked into the number cruncher:
    >>
    >> ping 8.8.8.8 source GigabitEthernet0/0 100% success
    >>
    >> ping 8.8.8.8 source Vlan1 0% success
    >>
    >>
    >> What am I missing in my config to route Vlan1 to GigabitEthernet0/0
    >> (outside world)
    >>
    >> Config is posted in 1 of the previous in this chain

    >
    >do:
    >sh ip route
    >sh vlan-switch
    >sh ip int brie
    >
    >I suppose that maybe your vlan-interface is down due to misconfiguration,
    >therefore it is not able to forward traffic.
    >
    >luke



    After a week of several calls to the ISP support desk, with them
    telling me their service was fine and the problem must be in our CPE,
    this time I managed to get an ISP helpdesk engineer that agreed to
    log in to our router and take a look


    After half an hour he called back and said he found an error in our
    router config and he fixed it.

    The service is now working

    When I checked the config he said he corrected with my original one
    there was no difference.

    I think he found an error in the ISP's routing and fixed it.
    Talking to other engineers, they said this ISP will never admit any
    problems with their systems


    Thanks for all your help
    Supersleuth, Feb 24, 2012
    #14