01-22-2004 12:10 PM - edited 03-02-2019 01:05 PM
I have a 2621XM that I'm trying to have connect three networks. The problem is that I only have full connectivity when two of them are on the same interface with a secondary IP address.
FastEthernet 0/0 is a connection to a cable modem and is the NAT Outside
FastEthernet 0/1 is linked to another Cisco router taking us out over a T-1 managed by an outside agency 172.16.60.x via 192.168.83.1
FastEthernet 1/0-1/15 is for connections to the internal network 10.65.0.x and is the NAT Inside
When in the above configuration the router is able to ping the 172. network, but 10.65.0.x computers cannot. 10.65.0.x computers can however surf the Internet.
To get a connection to the 172 network for the inside computers I had to move the cable with the link to the other router to F1/2 and assign its IP address to VLAN10.
What would make it so that the router can get to the remote network, but the 10.65.0.x computers cannot?
Thanks
Mike
Using 2436 out of 29688 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname BellevueFire
!
boot-start-marker
boot system flash:ipbase.bin
boot-end-marker
!
enable secret 5
!
no aaa new-model
ip subnet-zero
!
!
!
ip ftp username router
ip ftp password 7 raven
no ip domain lookup
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
description WAN Connection to Cox
ip address dhcp
no ip redirects
no ip unreachables
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
description Sarpy Co
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
description Old network
switchport access vlan 10
no ip address
!
interface FastEthernet1/1
description Pager Gateway
switchport access vlan 10
no ip address
!
interface FastEthernet1/2
switchport access vlan 10
no ip address
no cdp enable
!
interface FastEthernet1/3
no ip address
shutdown
!
interface FastEthernet1/4
no ip address
shutdown
!
interface FastEthernet1/5
no ip address
shutdown
!
interface FastEthernet1/6
no ip address
shutdown
!
interface FastEthernet1/7
no ip address
shutdown
!
interface FastEthernet1/8
no ip address
shutdown
!
interface FastEthernet1/9
no ip address
shutdown
!
interface FastEthernet1/10
no ip address
shutdown
!
interface FastEthernet1/11
no ip address
shutdown
!
interface FastEthernet1/12
no ip address
shutdown
!
interface FastEthernet1/13
no ip address
shutdown
!
interface FastEthernet1/14
no ip address
shutdown
!
interface FastEthernet1/15
no ip address
shutdown
!
interface GigabitEthernet1/0
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description Internal BVFD Network
ip address 192.168.83.10 255.255.255.0 secondary
ip address 10.65.0.254 255.255.255.0
ip nat inside
!
interface Vlan15
no ip address
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 68.99.8.1 254
ip route 172.16.60.0 255.255.252.0 192.168.83.1
no ip http server
!
access-list 1 permit 10.65.0.0 0.0.0.255
access-list 10 permit 68.15.231.xxx
access-list 10 permit 68.13.159.xxx
access-list 10 permit 10.65.0.0 0.0.0.255
!
line con 0
exec-timeout 0 0
password backfire
login
line aux 0
line vty 0 4
access-class 10 in
password
login
!
exception protocol ftp
exception dump 68.15.231.xxx
!
!
end
01-22-2004 12:43 PM
It looks to me like the problem may be NAT related.
Since your 10.65.0.x addresses source from an inside interface and match access-list 1, they are being translated to the address of the Fa 0/0 interface and then sent to the next hop.
Since the 172.16.60.x router does not know of the address associated with the NAT outside address and is not on an outside interface, the ICMP packets are not returned.
The router pinging 172.16.0.x devices will work however because it should source from its FastEthernet 0/1, which will be a known network to the 172.16.60.x routers.
I would suggest a different access list for NAT
Try
access-list 101 deny 10.65.0.0 0.0.0.255 172.16.60.0 0.0.0.255
access-list 101 permit 10.65.0.0 0.0.0.255 any
then change your NAT statement to the following:
ip nat inside source list 101 interface FastEthernet0/0 overload
01-22-2004 12:54 PM
That would make it so that only data going to the Internet would be NATed right?
Sounds like a plan.
-Mike
01-22-2004 01:04 PM
Assuming that's the only other network these devices access besides the 172.16.60.0 subnet. If you needed to access other local networks, you could put deny statements in the list above the permit statement. Let me know how it goes.
-Steve
01-22-2004 01:19 PM
Question: Since the 172 network has a mask of 255.255.252.0, how do I translate that to the other direction of a mask?
01-22-2004 01:23 PM
Subtract the subnet mask from the value 255.255.255.255. This will give you the inverse mask which can be used as the wildcard mask.
In this case the value would be 0.0.3.255.
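Added example (not from the thread or from Cisco): a small Python model of how "ip nat inside source list" consumes an extended ACL like the suggested access-list 101, together with the wildcard-mask calculation from the answer above. The deny line uses the 0.0.3.255 wildcard for the /22 mentioned later in the thread rather than the 0.0.0.255 first suggested; the sample addresses are constructed.

```python
import ipaddress


def wildcard_from_mask(mask: str) -> str:
    """Cisco wildcard (inverse) mask: 255.255.255.255 minus the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """An address matches when every bit that is 0 in the wildcard equals the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits the ACL actually compares
    return (a & care) == (b & care)


# Extended ACL 101 as suggested in the thread, with the destination wildcard
# widened to the /22 (0.0.3.255) from the follow-up question.
# Entries are (action, src, src_wildcard, dst, dst_wildcard);
# "any" is represented as 0.0.0.0 with wildcard 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_101 = [
    ("deny", "10.65.0.0", "0.0.0.255", "172.16.60.0", wildcard_from_mask("255.255.252.0")),
    ("permit", "10.65.0.0", "0.0.0.255", *ANY),
]


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def translated(src: str, dst: str, acl=ACL_101) -> bool:
    """For 'ip nat inside source list', permit means the packet is translated;
    deny means it leaves untranslated (NAT exemption), it is not dropped."""
    return acl_action(acl, src, dst) == "permit"


if __name__ == "__main__":
    # Constructed sample flows: inside host to the T-1 side vs. to the Internet.
    print(wildcard_from_mask("255.255.252.0"))        # 0.0.3.255
    print(translated("10.65.0.20", "172.16.61.5"))    # False (exempt from NAT)
    print(translated("10.65.0.20", "198.51.100.7"))   # True  (NATed to Fa0/0)
```

The same model also shows why the original access-list 1 fails: with only "permit 10.65.0.0 0.0.0.255" every inside flow, including traffic for 172.16.60.0/22, is translated.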
01-30-2004 04:04 AM
Hi, does the remote router have a route for your natted address?