1941 no nat

Discussion in 'Cisco' started by Supersleuth, Feb 19, 2012.

  1. Supersleuth

    I have a Cisco 1941 with an HWIC-4ESW installed

    IOS is C1900-universak9-mz-SPA.151-4.M3

    I have an ethernet feed from my ISP

    I configured GigabitEthernet0/0 with the public IP from the ISP /30

    I configured the IP ROUTE to the next hop up from the
    GigabitEthernet 0/0

    From the 1941 I can ping any external IP address

    They also gave me a /28 public block for the LAN. I gave Vlan1 the 2nd
    in the range from the /28

    If I configure a PC with 1 of the addresses from the /28 IPs I can
    ping Vlan1 and GigabitEthernet0/0 interfaces but no further.

    If I configure the 1941 with NAT it all works.

    I don't want to use NAT, I need servers on each IP with ALL ports

    Am I missing something in the configuration or is this an IOS bug?

    I need a config for a 1941 no nat with public IPs on both WAN and
    LAN interfaces

    Any ideas please
    Supersleuth, Feb 19, 2012

  2. Since the most basic config would do that, and NAT takes extra work,
    it would help to see your config.

    A simple config like

    int Gig0/0
    ip address
    int Fast0/0
    ip address
    ip route

    would be sufficient to do what you are asking. But without seeing
    what you've come up with, we're up in the air on what you've done.

    (No need to include passwords, or ACLs that aren't used, and the like.
    Although if you do have an ACL on an interface, you'll want to make
    sure it isn't blocking you).
    Doug McIntyre, Feb 20, 2012

  3. Supersleuth

    the first 2 octets in both subnets are the same numbers (removed for

    When I tried to give fast0/0/0 an IP address it told me that layer 2
    can't have an IP address. That's why I gave Vlan1 the IP address

    If I connect to the router via console and issue a ping to an external
    public IP, that works

    If I take a PC and give it x.x 174.25 default
    gateway x.x.174.25

    I can ping to x.x.172.114 but no further

    no ipv6 cef
    ip source-route
    ip cef
    multilink bundle-name authenticated
    ip tcp synwait-time 10
    interface Embedded-Service-Engine0/0
     no ip address
     ip flow ingress
    interface GigabitEthernet0/0
     ip address x.x.172.114
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     description $FW_OUTSIDE$$ES_WAN$
     no ip address
     duplex auto
     speed auto
    interface FastEthernet0/0/0
     no ip address
    interface FastEthernet0/0/1
     no ip address
    interface FastEthernet0/0/2
     no ip address
    interface FastEthernet0/0/3
     no ip address
    interface Vlan1
     ip address x.x.174.25
     ip verify unicast reverse-path
     ip tcp adjust-mss 1452
    no ip classless
    ip forward-protocol nd

    ip route x.x.172.113
    Supersleuth, Feb 20, 2012
  4. * Supersleuth hacked into the computer:
    One idea:
    Let the Provider check, if your net is routed correctly. If they
    don't route your net towards you, then you will get exactly that result.

    Lukas Schratz, Feb 20, 2012
  5. Supersleuth

    It is routed OK

    If i use a draytek router it works ok but the client wants to use the
    Cisco 1941
    Supersleuth, Feb 20, 2012
  6. * Supersleuth hacked into the computer:
    What do you see on the router if you issue
    # ping $outsideaddress sour vlan1
    Reason for this?
    That is XML, you!!11 That is the future !!!1eleven
    -- Jürgen P.Meier built a Mac plist
    and Volker Birk feels sick.
    Lukas Schratz, Feb 20, 2012

  7. Okay, so you also have an HWIC-4ESW card inserted, and you are trying
    to configure it to work in the mix as well.

    The HWIC-4ESW is a layer-2 switch bolted on a board. They aren't
    router ports (ie. that can take IP address info), but just switch
    ports, thus you need to do extra stuff to get the bolted-on-switch
    talking back to the router as well.

    I am not familiar with the HWIC-4ESW on 1941, but on my 1841 with the
    HWIC-4ESW, what you did should work.

    You may want to just light up both Gigabit interfaces just to make
    sure what you are doing is functional. These are both full router
    ports and behave just like you think, without the extra wonkiness
    that a bolted-on-switch module brings you. Then at least you know
    it is working, then you can tackle the HWIC-4ESW config.

    Your config looks correct otherwise.

    To troubleshoot the HWIC-4ESW, I'd start to 'show int' each of the ports
    to make sure they are up. I'd do a 'show vlan' to make sure the
    VLAN is defined, and that each of the switch ports is indeed part of
    the VLAN 1 like you are assuming. I'd make sure that Vlan1 is not 'shutdown'
    so that it can pass layer-2 switch traffic.

    I'd do a 'show route' to make sure the routes for each block show up
    in the routing table, and are Connected routes properly for each block
    to each layer-3 interface.
    Doug McIntyre, Feb 20, 2012
  8. As said by Lukas, check your connectivity with

    router# ping source Vlan1

    with Vlan1 ip in /28 subnet.

    then post output here...

    Of course you can use any public ip address instead of google dns...:)

    Marco Giuliani, Feb 21, 2012
  9. Supersleuth

    ping source GigabitEthernet0/0 100% success

    ping source Vlan1 0% success

    What am I missing in my config to route Vlan1 to GigabitEthernet0/0
    (outside world)

    Config is posted in 1 of the previous in this chain
    Supersleuth, Feb 21, 2012
  10. It seems that your provider does not have a route to your inside subnet.

    your ISP

    G0/0 x.x.172.114/30
    cisco 1941
    Vlan1 x.x.174.25/28

    LAN.....subnet x.x.174.16/28

    Your default route is x.x.172.113
    and your ISP's router should have

    x.x.174.16 x.x.172.113.

    Anyway, you said that all was OK with the Draytek router:
    how can we explain this situation?

    Are you sure about your subnet assignment? Why did you choose the x.x.174.25/28
    IP address on Vlan1? It is neither the first nor the last subnet address.

    Marco Giuliani, Feb 22, 2012
  11. * Supersleuth hacked into the computer:
    sh ip route
    sh vlan-switch
    sh ip int brie

    I suppose, that maybe your vlan-interface is down due to misconfiguration,
    therefore it is not able to forward traffic.

    You became a lawyer?
    --Donald Duck in MM 7/2005 (Don Rosa)
    Lukas Schratz, Feb 22, 2012
  12. Supersleuth

    Sorry for the typo, just realised it should be a /29
    NOT /28

    I have tried the setup with a Draytek, Netgear and a Linksys, all
    work OK.

    There is something to do with routing any traffic that hits the Vlan1
    interface to the GigabitEthernet 0/0 interface WITHOUT using NAT

    If the cheaper routers can do this the 1941 must be able to
    Supersleuth, Feb 22, 2012

  13. As my previous post indicated to you, you must be having issues with the addon
    HWIC-4ESW card you must have installed, and not routing in general.

    If you moved your config to use both the Gigabit Ethernet layer-3
    ports in the 1941 box, you'd probably work just fine.

    I also gave you some troubleshooting commands to see what may be going
    on with the HWIC-4ESW card talking (as have others).

    It isn't the router, but something with the addon card that may be
    doing you in.
    Doug McIntyre, Feb 22, 2012
  14. Supersleuth

    After a week of several calls to the ISP support desk with them
    telling me their service was fine and the problem must be in our CPE,
    this time I managed to get an ISP helpdesk engineer that agreed to
    log in to our router and take a look

    After half an hour he called back and said he found an error in our
    router config and he fixed it.

    The service is now working

    When I checked the config he said he corrected with my original one
    there was no difference.

    I think he found an error in the ISP's routing and fixed it.
    Talking to other engineers, they said this ISP will never admit any
    problems with their systems

    Thanks for all your help
    Supersleuth, Feb 24, 2012
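
Added example, not part of any post in the thread: a small model of the return path that shows why a missing ISP route toward the LAN block, the explanation several replies propose, produces exactly the reported symptoms (ping sourced from GigabitEthernet0/0 succeeds, ping sourced from Vlan1 fails, NAT makes everything work). Assumptions: 10.0 stands in for the masked "x.x" octets, the LAN host address and the ISP route table are constructed, and the LAN block is the /29 from the poster's correction.

```python
import ipaddress

# Constructed addresses: the thread masks the first two octets as "x.x";
# 10.0 stands in for them here. The ISP table below is hypothetical.
WAN = ipaddress.ip_interface("10.0.172.114/30")  # GigabitEthernet0/0
LAN = ipaddress.ip_interface("10.0.174.25/29")   # Vlan1, /29 per the poster's correction
LAN_HOST = ipaddress.ip_address("10.0.174.26")   # a PC behind Vlan1 (constructed)


def isp_table(routes_lan_block):
    """Routes the ISP edge holds toward this customer."""
    table = {WAN.network: "connected /30 link"}
    if routes_lan_block:
        table[LAN.network] = "static route toward the customer router"
    return table


def lookup(table, dst):
    """Longest-prefix match; None means the ISP has nowhere to send dst."""
    hits = [net for net in table if dst in net]
    return table[max(hits, key=lambda n: n.prefixlen)] if hits else None


def reply_returns(source_ip, table):
    """An echo reply is addressed to the request's source address."""
    return lookup(table, source_ip) is not None


def router_pings(routes_lan_block):
    """Model of 'ping <outside> source <interface>' run on the 1941."""
    table = isp_table(routes_lan_block)
    return {
        "GigabitEthernet0/0": reply_returns(WAN.ip, table),
        "Vlan1": reply_returns(LAN.ip, table),
    }


def lan_host_reaches_internet(routes_lan_block, nat):
    """With NAT the packet leaves with the WAN address as its source."""
    source = WAN.ip if nat else LAN_HOST
    return reply_returns(source, isp_table(routes_lan_block))


if __name__ == "__main__":
    for routed in (False, True):
        print("ISP routes LAN block:", routed, router_pings(routed),
              "host without NAT:", lan_host_reaches_internet(routed, nat=False),
              "host with NAT:", lan_host_reaches_internet(routed, nat=True))
```

The router's own configuration is identical in both runs; only the ISP-side table changes, which is why the fault cannot be seen from the 1941's running config.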