Cisco 1800 NAT configuration - networking

I have a Cisco 1812 router which I would like to set up as our office internet gateway. Although I followed guides on the Cisco web site, I cannot get NAT to work.
My problem is that NAT is not happening, and I cannot work out why.
When I connect to the router, I get an IP address from DHCP, and I can ping both the local interface IP (192.168.210.254) and the public IP (212.94.196.71, slightly changed), but I cannot get past it to the internet. I cannot ping the default gateway from a machine connected to the local interface, but I can ping it from the router itself, as well as any site on the internet.
Lastly, show ip nat translations shows an empty list.
What am I doing wrong?
Here is my configuration:
Current configuration : 2022 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$FXW9$XXXXXXXXXXXXXXXXXXX.
!
no aaa new-model
!
resource policy
!
no ip routing
!
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.210.240 192.168.210.254
ip dhcp excluded-address 192.168.210.1 192.168.210.4
!
ip dhcp pool lan1
network 192.168.210.0 255.255.255.0
dns-server 192.168.210.100
default-router 192.168.210.254
domain-name mydomain.com
!
ip name-server 210.127.96.3
ip name-server 210.127.96.4
!
interface FastEthernet0
ip address 192.168.210.254 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
speed auto
full-duplex
!
interface FastEthernet1
ip address 212.94.196.71 255.255.255.240
ip nat outside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
no ip route-cache
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
shutdown
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
shutdown
!
interface FastEthernet9
shutdown
!
interface Vlan1
ip address 192.168.1.254 255.255.255.0
no ip route-cache
!
interface Vlan10
ip address 10.28.10.254 255.255.255.0
no ip route-cache
!
interface Vlan11
ip address 10.1.11.254 255.255.255.0
no ip route-cache
!
interface Vlan55
ip address 10.28.55.254 255.255.255.0
no ip route-cache
!
ip default-gateway 212.94.196.65
!
!
no ip http server
no ip http secure-server
ip nat pool ovrld 212.94.196.71 212.94.196.71 prefix-length 28
!
access-list 7 permit 192.168.210.0 0.0.0.31
snmp-server community public RO
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

You forgot to enable translation of inside source addresses.
ip nat inside source { list <acl> pool <name> [overload] |
static <local-ip> <global-ip> }
I see you already have an access-list, so (according to your private addressing) in global config add:
ip nat inside source list 7 pool ovrld
Additional Edit:
With IP routing enabled (ip routing) it works.

Your DHCP is for the lower subnet and your gateway is in another subnet, the top .224-.254.
Your NAT list is for the .0 subnet.
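As an added example (not part of the question or either answer), the following Python script runs a few lint checks over an excerpt of the configuration posted above and reports the conditions the answers point at: IP routing disabled, no ip nat inside source rule, a single-address NAT pool used without overload, and an access-list whose wildcard mask covers only part of what the DHCP pool hands out. The config text embedded in POSTED_CONFIG is an excerpt of the poster's configuration; the parser, the finding texts and the function names are this example's own.

```python
import ipaddress
import re

# Excerpt of the configuration posted in the question, reduced to the lines the checks read.
POSTED_CONFIG = """\
no ip routing
ip dhcp excluded-address 192.168.210.240 192.168.210.254
ip dhcp excluded-address 192.168.210.1 192.168.210.4
ip dhcp pool lan1
 network 192.168.210.0 255.255.255.0
interface FastEthernet0
 ip address 192.168.210.254 255.255.255.0
 ip nat inside
interface FastEthernet1
 ip address 212.94.196.71 255.255.255.240
 ip nat outside
ip nat pool ovrld 212.94.196.71 212.94.196.71 prefix-length 28
access-list 7 permit 192.168.210.0 0.0.0.31
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into a network: a wildcard bit of 1
    means 'don't care', so the subnet mask is the bitwise inverse of the wildcard."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_config(text):
    """Pull out only the facts the lint needs from a flat IOS running-config."""
    cfg = {"routing": True, "inside": [], "outside": [], "nat_rules": [],
           "acls": {}, "pools": [], "excluded": [], "nat_pools": {}}
    current_if = in_dhcp_pool = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "no ip routing":
            cfg["routing"] = False
        elif line.startswith("interface "):
            current_if, in_dhcp_pool = line.split()[1], False
        elif line.startswith("ip dhcp pool "):
            in_dhcp_pool, current_if = True, None
        elif line == "ip nat inside" and current_if:
            cfg["inside"].append(current_if)
        elif line == "ip nat outside" and current_if:
            cfg["outside"].append(current_if)
        elif line.startswith("ip nat inside source "):
            cfg["nat_rules"].append(line)
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+)", line):
            lo, hi = ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3])
            cfg["nat_pools"][m[1]] = int(hi) - int(lo) + 1   # number of global addresses
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append(wildcard_to_network(m[2], m[3]))
        elif in_dhcp_pool and (m := re.match(r"network (\S+) (\S+)$", line)):
            cfg["pools"].append(ipaddress.IPv4Network((m[1], m[2]), strict=False))
        elif m := re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", line):
            cfg["excluded"].append((ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2] or m[1])))
    return cfg


def dhcp_leasable(cfg):
    """Addresses the DHCP pools can actually hand out: pool hosts minus the excluded ranges."""
    return [h for pool in cfg["pools"] for h in pool.hosts()
            if not any(lo <= h <= hi for lo, hi in cfg["excluded"])]


def lint(cfg):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    if not cfg["routing"]:
        findings.append("'no ip routing': the router will not forward between interfaces, so NAT never sees transit traffic")
    if not cfg["inside"] or not cfg["outside"]:
        findings.append("need at least one 'ip nat inside' and one 'ip nat outside' interface")
    if not cfg["nat_rules"]:
        findings.append("no 'ip nat inside source' rule: nothing tells the router which sources to translate")
    for rule in cfg["nat_rules"]:
        m = re.search(r"pool (\S+)", rule)
        if m and cfg["nat_pools"].get(m[1]) == 1 and "overload" not in rule:
            findings.append(f"pool {m[1]} holds one address and the rule has no 'overload': "
                            "only one inside host can be translated at a time")
    leasable = dhcp_leasable(cfg)
    for acl_id, nets in cfg["acls"].items():
        uncovered = [h for h in leasable if not any(h in n for n in nets)]
        if uncovered:
            findings.append(f"access-list {acl_id} covers {', '.join(map(str, nets))} but {len(uncovered)} "
                            f"DHCP-leasable addresses ({uncovered[0]}-{uncovered[-1]}) fall outside it")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(POSTED_CONFIG)):
        print("-", finding)
```

Run against the posted excerpt it reports three findings: routing disabled, no translation rule, and access-list 7 matching only 192.168.210.0/27 while DHCP leases 192.168.210.5 through .239. Pasting the corrected lines (ip routing, a /24 access-list entry and the inside-source rule with overload) into the same text clears all of them.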

Related

How to identify which network interface is used for a given route?

I am on a Windows 10 machine. I have got the below routes configured in my machine.
Network Destination   Netmask        Gateway       Interface     Metric
0.0.0.0               0.0.0.0        192.168.1.1   192.168.1.5   1
10.1.0.0              255.255.0.0    192.168.2.1   192.168.2.5   1
10.2.0.0              255.255.0.0    192.168.3.1   192.168.3.5   1
When I ping IP 10.1.1.1, I want to determine which network interface will be used to route the traffic.
Is there any network utility that can help me find the correct route based on the destination IP?
If you ping 10.1.1.1, it will use the interface with the IP 192.168.2.5 looking at your route table.
You can also use tracert 10.1.1.1 to see what route your network traffic will take.

BGP Protocol configuration between two VPC

I would need to configure a cross connect between two networks via SFP fiber.
Unfortunately I'm new to BGP configuration and would need confirmation that I'm doing it the right way...
I have two VPCs:
VPC A:
ASN 200
IP Router: 169.254.250.1
Sub Network: 10.0.0.1/34
VPC B:
ASN 100
IP Router: 169.254.250.2
4 Servers: 169.254.131.1 / 169.254.131.2 / 169.254.131.3 / 169.254.131.4
VPC A is completely configured; I purchased a Cisco router C1113-8PM to configure my VPC B. My aim is to ensure that any server on VPC A can access my 4 servers located in VPC B through BGP.
The procedure I started to write on the VPC B router:
#Configure ASN VPC B on Router
enable
configure terminal
router bgp 100
bgp router-id 169.254.250.2
timers bgp 70 120
end
# Configure ASN VPC A and routes
configure terminal
router bgp 100
# re-enter the BGP process before adding the neighbor
neighbor 169.254.250.1 remote-as 200
address-family ipv4 unicast
neighbor 169.254.250.1 activate
end
Is it enough? Do I need to put each IP address of my VPC B into the BGP table? How?
Targeted topology and config should be as I describe below.
Network Diagram
Two important commands are needed to enable this peering:
peer-gateway: the vPC peer-gateway functionality allows a vPC switch to act as the active gateway for packets that are addressed to the router MAC address of the vPC peer.
layer3 peer-router: no change to the TTL of packets destined to the peer; the external device sees the vPC domain as a single physical entity from the layer 3 routing protocol peering perspective as well.
Configurations
Leaf 1:
! Form the vPC domain:
vpc domain 1
peer-switch
role priority 10
peer-keepalive destination 192.0.2.2 source 192.0.2.1
peer-gateway
layer3 peer-router
ipv6 nd synchronize
ip arp synchronize
!
!vPC peer-link interface members
interface Ethernet1/53 - 54
description vPC-Peerlink member
switchport
switchport mode trunk
channel-group 11 mode active
no shutdown
!
! vPC peer-link port-channel
interface port-channel11
description vPC-peerlink
switchport
switchport mode trunk
spanning-tree port type network
no shutdown
vpc peer-link
!
! vPC port-channel member to External Device
interface Ethernet1/52
description ExternalDevice Eth2/13
switchport
switchport mode trunk
switchport trunk allowed vlan 203,205
mtu 9216
channel-group 12 mode active
no shutdown
!
! vPC port-channel to External Device
interface port-channel12
description vPC port-channel to External Device
switchport
switchport mode trunk
switchport trunk allowed vlan 203,205
mtu 9216
vpc 12
!
! Layer 3 interface to the External device:
interface Vlan205
no shutdown
vrf member Customer
! BFD for eBGP
bfd interval 500 min_rx 500 multiplier 3
! Disable bfd echo, as it is not supported over vPC
no bfd echo
no ip redirects
! We use a /29 as we need 3 IP addresses: one per member of the vPC domain and a 3rd for the External Device
ip address 198.51.100.1/29 tag 800204
! Disable redirects - this is needed to enable BFD
no ipv6 redirects
!
router bgp 65535
router-id 203.0.113.1
log-neighbor-changes
address-family ipv4 unicast
vrf Customer
router-id 198.51.100.1
address-family ipv4 unicast
neighbor 198.51.100.2
description Leaf-2
remote-as 65535
address-family ipv4 unicast
soft-reconfiguration inbound always
neighbor 198.51.100.3
description to External Device
bfd
remote-as 65000
update-source Vlan205
address-family ipv4 unicast
soft-reconfiguration inbound always
!
Leaf 2:
! Form the vPC domain:
vpc domain 1
peer-switch
role priority 10
peer-keepalive destination 192.0.2.1 source 192.0.2.2
peer-gateway
layer3 peer-router
ipv6 nd synchronize
ip arp synchronize
!
!vPC peer-link interface members
interface Ethernet1/53 - 54
description vPC-Peerlink member
switchport
switchport mode trunk
channel-group 11 mode active
no shutdown
!
! vPC peer-link port-channel
interface port-channel11
description vPC-peerlink
switchport
switchport mode trunk
spanning-tree port type network
no shutdown
vpc peer-link
!
! vPC port-channel member to External Device
interface Ethernet1/52
description ExternalDevice Eth2/13
switchport
switchport mode trunk
switchport trunk allowed vlan 203,205
mtu 9216
channel-group 12 mode active
no shutdown
!
! vPC port-channel to External Device
interface port-channel12
description vPC port-channel to External Device
switchport
switchport mode trunk
switchport trunk allowed vlan 203,205
mtu 9216
vpc 12
!
! Layer 3 interface to the External device:
interface Vlan205
no shutdown
vrf member Customer
! BFD for eBGP
bfd interval 500 min_rx 500 multiplier 3
! Disable bfd echo, as it is not supported over vPC
no bfd echo
no ip redirects
! We use a /29 as we need 3 IP addresses: one per member of the vPC domain and a 3rd for the External Device
ip address 198.51.100.2/29 tag 800204
! Disable redirects - this is needed to enable BFD
no ipv6 redirects
!
router bgp 65535
router-id 203.0.113.2
log-neighbor-changes
address-family ipv4 unicast
vrf Customer
router-id 198.51.100.2
address-family ipv4 unicast
neighbor 198.51.100.1
description Leaf-1
remote-as 65535
address-family ipv4 unicast
soft-reconfiguration inbound always
neighbor 198.51.100.3
description to External Device
bfd
remote-as 65000
update-source Vlan205
address-family ipv4 unicast
soft-reconfiguration inbound always
!
External Device (NX-OS style CLI):
interface Ethernet2/13 - 14
switchport
switchport mode trunk
switchport trunk allowed vlan 203,205
mtu 9216
channel-group 12 mode active
no shutdown
!
interface port-channel12
switchport
switchport mode trunk
switchport trunk allowed vlan 203,205
mtu 9216
no shutdown
!
interface Vlan205
no shutdown
mtu 9216
! See notes in Leaf-1 and Leaf 2 for BFD
bfd interval 500 min_rx 500 multiplier 3
no bfd echo
no ip redirects
ip address 198.51.100.3/29
no ipv6 redirects
!
router bgp 65000
log-neighbor-changes
address-family ipv4 unicast
neighbor 198.51.100.1 remote-as 65535
description to Leaf-1
update-source Vlan205
bfd
neighbor 198.51.100.2 remote-as 65535
description to Leaf-2
update-source Vlan205
bfd
end
!
Verify
Below is the output of show bgp ipv4 unicast neighbors. It verifies that:
BGP neighborship is established and stable
BFD is enabled between external neighbors
Troubleshoot
The following commands will help verify operation:
show vpc
show vpc consistency-parameters global
show vpc consistency-parameters interface <interface>
show bgp ipv4 unicast neighbors
show bgp ipv4 unicast summary
Ref. https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/217099-ebgp-peering-over-vpc-on-nexus.html
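As an added example (not from the answer or the Cisco document it references), the Python script below performs an offline consistency check of the peering the answer configures, which is worth doing before comparing against show vpc consistency-parameters and show bgp ipv4 unicast summary on the switches. The AS numbers, Vlan205 addresses, peer-keepalive addresses and neighbor statements in DEVICES are transcribed from the Leaf 1, Leaf 2 and External Device configurations above; the data layout, the checks and the function names are this example's own. It verifies that every neighbor statement points at a real device whose AS matches the configured remote-as, that each session is configured on both ends, that all three SVIs share one /29, and that the two leaves' peer-keepalive source/destination addresses mirror each other.

```python
import ipaddress

# Transcribed from the three configurations above (Leaf 1, Leaf 2, External Device):
# per device its AS number, its Vlan205 address, its vPC peer-keepalive (source, destination)
# where it has one, and its neighbor statements as {neighbor address: remote-as}.
DEVICES = {
    "Leaf-1": {"asn": 65535, "svi": "198.51.100.1/29", "keepalive": ("192.0.2.1", "192.0.2.2"),
               "neighbors": {"198.51.100.2": 65535, "198.51.100.3": 65000}},
    "Leaf-2": {"asn": 65535, "svi": "198.51.100.2/29", "keepalive": ("192.0.2.2", "192.0.2.1"),
               "neighbors": {"198.51.100.1": 65535, "198.51.100.3": 65000}},
    "External": {"asn": 65000, "svi": "198.51.100.3/29", "keepalive": None,
                 "neighbors": {"198.51.100.1": 65535, "198.51.100.2": 65535}},
}


def _ip(dev):
    return ipaddress.ip_interface(dev["svi"])


def check_peering(devices):
    """Return a list of mismatches; an empty list means every session is mirrored correctly."""
    problems = []
    by_addr = {_ip(d).ip: name for name, d in devices.items()}
    subnets = {_ip(d).network for d in devices.values()}
    if len(subnets) != 1:
        problems.append(f"SVIs are not in one subnet: {sorted(map(str, subnets))}")
    for name, d in devices.items():
        for peer_addr, remote_as in d["neighbors"].items():
            peer = by_addr.get(ipaddress.ip_address(peer_addr))
            if peer is None:
                problems.append(f"{name}: neighbor {peer_addr} is not an address of any known device")
                continue
            if devices[peer]["asn"] != remote_as:
                problems.append(f"{name}: neighbor {peer_addr} configured with remote-as {remote_as} "
                                f"but {peer} runs AS {devices[peer]['asn']}")
            if str(_ip(d).ip) not in devices[peer]["neighbors"]:
                problems.append(f"{peer} has no neighbor statement back to {name} ({_ip(d).ip})")
    # The vPC peer-keepalive must mirror: Leaf-1's destination is Leaf-2's source and vice versa.
    leaves = [(n, d["keepalive"]) for n, d in devices.items() if d["keepalive"]]
    if len(leaves) == 2:
        (n1, (s1, d1)), (n2, (s2, d2)) = leaves
        if d1 != s2 or d2 != s1:
            problems.append(f"peer-keepalive source/destination do not mirror between {n1} and {n2}")
    return problems


def session_kinds(devices):
    """Label every neighbor statement iBGP or eBGP. The answer's BFD and 'layer3 peer-router'
    notes apply to the eBGP sessions with the external device; the leaf-to-leaf session is iBGP."""
    kinds = {}
    for name, d in devices.items():
        for peer_addr, remote_as in d["neighbors"].items():
            kinds[(name, peer_addr)] = "iBGP" if remote_as == d["asn"] else "eBGP"
    return kinds


if __name__ == "__main__":
    print(check_peering(DEVICES) or "peering is consistent")
    for (dev, peer), kind in session_kinds(DEVICES).items():
        print(f"{dev} -> {peer}: {kind}")
```

With the transcribed values the check returns no problems and labels the leaf-to-leaf session iBGP and the four sessions to the external device eBGP; changing one remote-as or dropping one neighbor statement produces a specific message naming the device and address to fix.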

Trouble with static routing on a single-router network simulated in GNS3

I'm trying to simulate this simple one-router network in GNS3, but I'm having trouble setting up static routing from the left half (connected to the router's fastEthernet0/0) to the right half (connected to the router's fastEthernet0/1).
Here is the sequence of commands I type in the router telnet, but as you can see below, no static route is made and I can't understand why.
conf t
interface fastEthernet0/0
ip address 192.168.88.5 255.255.255.0
no shut
interface fastEthernet0/1
ip address 10.0.0.5 255.255.255.0
no shut
end
conf t
ip route 192.168.88.0 255.255.255.0 10.0.0.1
ip route 192.168.88.0 255.255.255.0 10.0.0.2
ip route 10.0.0.0 255.255.255.0 192.168.88.1
ip route 10.0.0.0 255.255.255.0 192.168.88.2
end
show ip route
The result; as you can see, there's no static route built at all:
What may I be doing wrong? All help will be appreciated. (Note: I'm not allowed to change the network topology or add new routers.)
You had better use your router's interface as a gateway for connecting to other networks.
So you may use:
ip route 192.168.88.0 255.255.255.0 fastEthernet0/0
Instead of fastEthernet0/0, you can say 192.168.88.5; both are correct.
ip route 10.0.0.0 255.255.255.0 10.0.0.5
The problem with your code is that you're targeting the whole network at just one system in your whole network.
Your target for another network should be either your router's interface or another (next) router's interface.
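As an added example serving both the Windows route question and the GNS3 static-route question above (not part of either post or its answers), the Python script below models the two selection rules a router's routing table applies, using the addresses from the two posts. Routes to different prefixes compete on prefix length (longest match wins, which is how 10.1.1.1 lands on the interface 192.168.2.5 in the Windows table); routes to the same prefix compete on administrative distance (connected 0, static 1 on Cisco IOS), which is why the statics the GNS3 poster typed for networks the router is directly connected to never appear in show ip route: the connected route already wins, and a router forwards between its own connected networks without any static route. The Route class, build_table and lookup are this example's own; tie-breaking between equal-distance routes to one prefix is simplified to first-wins, where real IOS would install both.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str        # gateway address, or "connected"
    interface: str
    distance: int        # administrative distance: 0 connected, 1 static (IOS defaults)


def build_table(candidates):
    """Install at most one route per prefix: the lowest administrative distance wins,
    mirroring how IOS keeps the connected route and leaves the static one uninstalled.
    Equal-distance candidates for one prefix: first wins (IOS would install both)."""
    best = {}
    for r in candidates:
        cur = best.get(r.prefix)
        if cur is None or r.distance < cur.distance:
            best[r.prefix] = r
    # longest prefix first so that lookup() can stop at the first hit
    return sorted(best.values(), key=lambda r: r.prefix.prefixlen, reverse=True)


def lookup(table, dst):
    """Longest-prefix match over a table produced by build_table(); None if no route."""
    addr = ipaddress.IPv4Address(dst)
    for r in table:
        if addr in r.prefix:
            return r
    return None


def net(s):
    return ipaddress.IPv4Network(s, strict=False)


# Windows host from the first question: three routes, modelled with one distance each.
WINDOWS_TABLE = build_table([
    Route(net("0.0.0.0/0"), "192.168.1.1", "192.168.1.5", 1),
    Route(net("10.1.0.0/16"), "192.168.2.1", "192.168.2.5", 1),
    Route(net("10.2.0.0/16"), "192.168.3.1", "192.168.3.5", 1),
])

# GNS3 router from the second question: two connected networks plus the four statics the
# poster typed for those same networks. The statics lose on distance and are not installed.
GNS3_TABLE = build_table([
    Route(net("192.168.88.0/24"), "connected", "FastEthernet0/0", 0),
    Route(net("10.0.0.0/24"), "connected", "FastEthernet0/1", 0),
    Route(net("192.168.88.0/24"), "10.0.0.1", "FastEthernet0/1", 1),
    Route(net("192.168.88.0/24"), "10.0.0.2", "FastEthernet0/1", 1),
    Route(net("10.0.0.0/24"), "192.168.88.1", "FastEthernet0/0", 1),
    Route(net("10.0.0.0/24"), "192.168.88.2", "FastEthernet0/0", 1),
])


if __name__ == "__main__":
    hit = lookup(WINDOWS_TABLE, "10.1.1.1")
    print(f"10.1.1.1 -> interface {hit.interface} via {hit.next_hop}")
    print("installed on the GNS3 router:")
    for r in GNS3_TABLE:
        print(f"  {r.prefix} {r.next_hop} {r.interface}")
```

Looking up 10.1.1.1 returns the 10.1.0.0/16 route on interface 192.168.2.5, matching the answer above; an address outside both /16s falls through to the default route. The GNS3 table ends up with exactly the two connected routes, which is the show ip route the poster saw.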

First time configuring cisco router by myself Why can't I reach the internet?

I can ping from the router Google's DNS server at 8.8.8.8 and 8.8.4.4...I can reach all inside network devices attached in the 192.168.1.X range. Other than those few addresses, I can't reach outside of my router. I have pulled an IP from my ISP. I have a route built to my next-hop address provided by my ISP.
Below is my running-config. I used a guide FROM CISCO to set this up. If anyone sees any reason why I am only able to reach these two addresses, please let me know.
Current configuration : 1903 bytes
!
! Last configuration change at 14:49:37 UTC Wed Oct 14 2020
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname StorageRTR
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$3PFU$WQpG5ApsBE/6BZZpd7Oew1
enable password Probasco1!
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.4
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.1.6
ip dhcp excluded-address 192.168.1.7
ip dhcp excluded-address 192.168.1.8
ip dhcp excluded-address 192.168.1.9
ip dhcp excluded-address 192.168.1.10
!
ip dhcp pool CLIENT
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1941/K9 sn FJC1931E0DD
!
!
username Rob password 0 Probasco1
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 102 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.255.77.69
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
no cdp run
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
stopbits 1
line aux 0
line vty 0 4
exec-timeout 30 0
login local
length 0
transport input all
!
scheduler allocate 20000 1000
end
The configuration looks OK to me, but you should not need to configure your gateway IP statically when you are using DHCP; I guess it's working since you are able to ping Google DNS. I would remove this line:
ip route 0.0.0.0 0.0.0.0 10.255.77.69
You can check if you have the right ip using this command:
show ip int brief
And check your route with this command:
show ip route
The gateway IP from your ISP is a private IP address, so the ISP will be doing NAT once more before you get to the Internet. Perhaps the ISP router is blocking stuff, like DNS to Google?
What happens if you connect a PC directly to the ISP router? Are you able to browse the Internet then? If the ISP hands out different DNS servers, try using those in the Cisco router.

CISCO router 827 - VPN ezvpn configuration

I'm facing this simple configuration and I can't figure it out.
Scenario:
With a Cisco VPN client (or iPad, iPhone...) I can connect to my company VPN.
What I know is:
VPN GROUP NAME
VPN KEY
VPN SERVER PUBLIC IP
VPN USERNAME and PASSWORD
IP address of the virtual adapter created by the Cisco VPN client: 10.0.201.31 255.255.255.0
My LAN 172.23.28.0 255.255.255.224
Company LAN 172.19.248.0 255.255.252.0
The question is: "How can I handle this for my home LAN with a Cisco 827 router?"
I think the steps are:
1) configuring eth0, dns and dhcp (done)
2) configuring ATM0 and Dialer0 to get internet access (done)
3) configuring access list and ip routes for my lan (done)
4) configuring ezvpn parameters (done)
5) configuring virtual interface with Ip 10.0.201.31 (What kind of interface?)
6) Set inside and outside nat for "crypto ipsec client ezvpn MYVPNTUNNELNAME" (which interfaces and how ?)
7) configuring route to 172.19.248.0 255.255.252.0 (how?)
Here is my configuration:
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R827
!
boot-start-marker
boot-end-marker
!
enable secret 5 cryptedSecret
enable password notcrypted
!
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 172.23.28.1
ip dhcp excluded-address 172.23.28.2
ip dhcp excluded-address 172.23.28.3
ip dhcp excluded-address 172.23.28.4
ip dhcp excluded-address 172.23.28.5
ip dhcp excluded-address 172.23.28.6
ip dhcp excluded-address 172.23.28.7
ip dhcp excluded-address 172.23.28.8
ip dhcp excluded-address 172.23.28.9
ip dhcp excluded-address 172.23.28.10
!
ip dhcp pool CeccoDhcp
network 172.23.28.0 255.255.255.224
default-router 172.23.28.1
dns-server 8.8.8.8
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
!
!
!
crypto ipsec client ezvpn MYVPNTUNNELNAME
connect auto
group MYGROUPNAME key MYGROUPKEY
mode network-extension
peer PUBLICIPOFVPNSERVER
username MYUSER password MYPASSWORD
!
!
!
interface Ethernet0
ip address 172.23.28.1 255.255.255.224
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username aliceadsl password 7 15130705072F2A203B3F
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
ip nat inside source list 101 interface Dialer0 overload
!
!
access-list 101 permit ip 172.23.28.0 0.0.0.31 any
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
stopbits 1
line vty 0 4
password MYTERMINALPASSWORD
login
!
scheduler max-task-time 5000
end
End of configuration.
Please note:
If I add
crypto ipsec client ezvpn MYVPNTUNNELNAME
to Dialer0
and
crypto ipsec client ezvpn MYVPNTUNNELNAME inside
to Ethernet0
I get this:
Tunnel name : MYVPNTUNNELNAME
Inside interface list: Ethernet0,
Outside interface: Dialer0
Current State: READY
Last Event: CONN_UP
Hope someone could help me.
Thanks in advance.
Cecco
Ok, I compared your config to some old notes I had. I did work turning up Cisco VPNs in the past so this jogged my memory.
I think the READY state and CONN_UP last event mean that it sits there, prior to authentication. And this may be because you're not telling the 871 how to handle XAUTH.
Try adding the below to your crypto ipsec client ezvpn section:
xauth userid mode interactive
That and turning debugging on should give you something to work on. Let me know how it goes.
Solved!!
Thanks to James's help I switched the ezvpn conf to "mode client" and with debug I noticed that the problem was on the server side, because "storage-password enable" was not set.
When the company's net admin told me that "storage-password enable" was set I just did:
conf t
int Dia0
crypto ipsec client ezvpn MYVPNTUNNELNAME
....and everything works perfectly :-)
