new GCP pro node - cannot browse to website


Kitkat0981
Posts: 32
Joined: Wed Oct 28, 2020 9:43 pm

Post by Kitkat0981 » Fri Mar 19, 2021 1:35 pm

Hi all,

So I purchased the PRO version and set up a new lab.

I have a Linux PC and a Cisco router.
The router is set up with ip nat overload on G0.0 (nat outside) connected to a NAT cloud. It can ping 8.8.8.8 and resolve IPs no problem from CLI.
The Linux PC is connected to G0/1 (nat inside) with static IP 10.0.0.2 with G0/1 as .1 GW.
It can ping 8.8.8.8 and also resolve any domains.

The issue is when trying to access websites, it loads up but the page stays blank no matter what website I go to. I never came across this issue before...

Any suggestions?

You will see in the router's console some messages after the ping. I don't know what this is and it may be related to this issue. I have this EVE-NG Pro on a GCP N2 with 8v CPU and 32Gb ram with 150Gb drive.

Uldis (UD)
Posts: 5067
Joined: Wed Mar 15, 2017 4:44 pm
Location: London

Re: new GCP pro node - cannot browse to website

Post by Uldis (UD) » Fri Mar 19, 2021 6:04 pm

First answer: vIOS performance is only 1.5mbps over NAT, and NAT overload for https makes it extremely slow.
Try to do the same with an IOL router, which has 150Mbps.

To be honest, vIOS routers are ok for ping only.

Kitkat0981
Posts: 32
Joined: Wed Oct 28, 2020 9:43 pm

Re: new GCP pro node - cannot browse to website

Post by Kitkat0981 » Sat Mar 20, 2021 3:33 pm

Oh ok, I didn't know this.

I have downloaded the IOL images for R and SW and will try that. Thanks again.

Kitkat0981
Posts: 32
Joined: Wed Oct 28, 2020 9:43 pm

Re: new GCP pro node - cannot browse to website

Post by Kitkat0981 » Sat Mar 20, 2021 4:11 pm

OK, so I redid a new lab with a Docker Desktop with a static IP of 10.0.0.2, connected to R1 eth0/1 (IOL image) as IP 10.0.0.1. I can ping the router no problem.
R1 is connected to NAT cloud and has eth0/0 set up as DHCP and is getting an IP. From the router I can ping 8.8.8.8 and resolve DNS.

From the desktop I cannot ping 8.8.8.8.
Default route points to 10.0.0.1 and /etc/resolv.conf is set up with nameserver 8.8.8.8.

R1 config:

interface Ethernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
!
interface Ethernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
...
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Ethernet0/0 overload
!
!
!
access-list 1 permit 10.0.0.0 0.0.0.255 log

R1 route and interface brief:

Router#show ip int brief
Interface        IP-Address      OK? Method Status                Protocol
Ethernet0/0      172.29.129.113  YES DHCP   up                    up
Ethernet0/1      10.0.0.1        YES NVRAM  up                    up
Ethernet0/2      unassigned      YES NVRAM  administratively down down
Ethernet0/3      unassigned      YES NVRAM  administratively down down
NVI0             unassigned      YES unset  administratively down down
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 172.29.129.254 to network 0.0.0.0

S* 0.0.0.0/0 [254/0] via 172.29.129.254
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Ethernet0/1
L 10.0.0.1/32 is directly connected, Ethernet0/1
172.29.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.29.129.0/24 is directly connected, Ethernet0/0
L 172.29.129.113/32 is directly connected, Ethernet0/0
Router#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
Router#ping google.com
Translating "google.com"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.217.13.142, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Router#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Router#

Any help would be appreciated! Thanks again.

Kitkat0981
Posts: 32
Joined: Wed Oct 28, 2020 9:43 pm

Re: new GCP pro node - cannot browse to website

Post by Kitkat0981 » Sat Mar 20, 2021 11:55 pm

Can anyone help?

Is my Cisco router config correct?

Kitkat0981
Posts: 32
Joined: Wed Oct 28, 2020 9:43 pm

Re: new GCP pro node - cannot browse to website

Post by Kitkat0981 » Sun Mar 21, 2021 12:38 am

Hi,

For the life of me I cannot make the devices on the LAN side access the internet even though the router can ping and resolve. Why is that?

I remember when I was using the community edition, I had to set up pnet9 as a static IP and use iptables to masquerade. Do I need to do this in the Pro version also? If so, then what use is the NAT cloud?

Thanks for the help.

Uldis (UD)
Posts: 5067
Joined: Wed Mar 15, 2017 4:44 pm
Location: London

Re: new GCP pro node - cannot browse to website

Post by Uldis (UD) » Sun Mar 21, 2021 3:55 pm

It is because NAT from EVE and your router is working one way only, from EVE to internet :)

GCP offers a single IP for outside, and to use it to access devices in the lab you may need:
check this out
https://www.youtube.com/watch?v=PcntWwiSk5Q
https://www.youtube.com/watch?v=7CJR2l8VXM0

and no need to post the same thing twice!

Kitkat0981
Posts: 32
Joined: Wed Oct 28, 2020 9:43 pm

Re: new GCP pro node - cannot browse to website

Post by Kitkat0981 » Sun Mar 21, 2021 9:37 pm

That’s not what I’m looking for. I’m looking for outbound eve lab devices out to internet. If I connect a Cisco router to the NAT cloud, it can ping the internet, but if I connect another device behind the router, it cannot ping internet even though the router is doing NAT on its outside interface.

Uldis (UD)
Posts: 5067
Joined: Wed Mar 15, 2017 4:44 pm
Location: London

Re: new GCP pro node - cannot browse to website

Post by Uldis (UD) » Sun Mar 21, 2021 9:42 pm

:)
Then you simply did not configure NAT properly on your router!!!
This lab, for example, is using a single router for internet for all the lab devices.
The lab below is using exactly the NAT cloud... ISP-R router cfg

ip host fmc.eve.lab 10.101.1.101
ip host www.eve.lab 20.1.1.10
ip host dmz.eve.lab 20.1.1.10
ip host intranet.eve.lab 172.16.201.100
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
interface Loopback0
 no shutdown
 ip address 20.1.1.20 255.255.255.255
!
interface Loopback100
 no shutdown
 description DNS Server IP for eve.lab
 ip address 10.3.3.3 255.255.255.255
!
interface Ethernet0/0
 no shutdown
 description NAT Cloud Internet
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
!
interface Ethernet0/1
 no shutdown
 no ip address
 duplex auto
!
interface Ethernet0/1.173
 no shutdown
 description Internet1
 encapsulation dot1Q 173
 ip address 173.16.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/1.174
 no shutdown
 description Internet2
 encapsulation dot1Q 174
 ip address 174.16.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/2
 no shutdown
 no ip address
 duplex auto
!
interface Ethernet0/2.101
 no shutdown
 description Management internet
 encapsulation dot1Q 101
 ip address 10.101.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/2.102
 no shutdown
 description HQ Internet
 encapsulation dot1Q 102
 ip address 20.1.1.14 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/3
 no shutdown
 no ip address
 shutdown
 duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list inet interface Ethernet0/0 overload
!
ip access-list standard inet
 permit 10.3.3.3
 permit 20.1.1.0 0.0.0.15
 permit 10.101.1.0 0.0.0.255
 permit 173.16.1.0 0.0.0.255
 permit 174.16.1.0 0.0.0.255
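A static check of the NAT overload prerequisites discussed in this thread (an interface marked `ip nat outside`, an overload rule, and an ACL that permits each `ip nat inside` subnet), added here as an example; it is not part of any post and not EVE-NG code. The names `check_nat_overload`, `R1_POSTED` and `R1_BROKEN` are hypothetical, and only standard ACLs with `permit` entries and contiguous wildcards are handled.

```python
import ipaddress, re

MASK = r"(?: (\d+\.\d+\.\d+\.\d+))?"  # optional wildcard after the address

def _net(addr, wildcard):
    # A Cisco wildcard parses as a host mask; a bare address is a /32 host entry.
    return ipaddress.ip_network("0.0.0.0/0" if addr == "any" else f"{addr}/{wildcard or 32}")

def check_nat_overload(config):
    """Return the problems that would stop inside hosts from being translated."""
    iface = acl = None
    nets, roles, acls, rules = {}, {}, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            iface, acl = m[1], None
        elif m := re.match(r"ip access-list standard (\S+)", line):
            iface, acl = None, m[1]
            acls.setdefault(acl, [])
        elif m := re.match(r"access-list (\d+) permit (\S+)" + MASK, line):
            acls.setdefault(m[1], []).append(_net(m[2], m[3]))
        elif acl and (m := re.match(r"permit (\S+)" + MASK, line)):
            acls[acl].append(_net(m[1], m[2]))
        elif iface and (m := re.match(r"ip address (\d\S*) (\d\S*)", line)):
            nets[iface] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif iface and (m := re.match(r"ip nat (inside|outside)$", line)):
            roles[iface] = m[1]
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+) overload", line):
            rules.append((m[1], m[2]))
    problems = [] if rules else ["no 'ip nat inside source list ... overload' rule"]
    for acl_name, out_if in rules:
        if roles.get(out_if) != "outside":
            problems.append(f"{out_if} is not 'ip nat outside'")
        for name, role in roles.items():
            if role == "inside" and name in nets and not any(
                    nets[name].subnet_of(p) for p in acls.get(acl_name, [])):
                problems.append(f"{name} {nets[name]} not permitted by ACL {acl_name}")
    return problems

# R1 as posted in the thread, trimmed to the NAT-relevant lines.
R1_POSTED = """interface Ethernet0/0
 ip address dhcp
 ip nat outside
interface Ethernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface Ethernet0/0 overload
access-list 1 permit 10.0.0.0 0.0.0.255 log"""
R1_BROKEN = R1_POSTED.replace("permit 10.0.0.0", "permit 10.0.1.0")  # constructed bad ACL
print(check_nat_overload(R1_POSTED), check_nat_overload(R1_BROKEN))
```

The check is static: it reads only the configuration text and does not look at `show ip nat translations` or at the host's own routing.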

Kitkat0981
Posts: 32
Joined: Wed Oct 28, 2020 9:43 pm

Re: new GCP pro node - cannot browse to website

Post by Kitkat0981 » Mon Mar 22, 2021 11:16 am

I redid the router config this morning, and now it works.... no idea what was wrong...

Thanks Uldis.
