04-11-2005 10:41 AM - edited 03-02-2019 10:25 PM
No replies last time.
With the following config I can ping both to and from hosts on the Office LAN to and from the Outside Network, but not out to the ISP.
Traffic moves fine from Office LAN through NAT to and from ISP.
But from Outside Network I can only ping all router interfaces, and hosts on the Office Network. Can't get out to the ISP.
What is missing or mis-configured?
(First two octets of Public Addresses not actual)
***************
version 12.1
hostname XXXX
!
ip subnet-zero
no ip domain-lookup
!
!
interface Ethernet0/0
description connected to Office LAN
ip address 192.168.12.1 255.255.255.0
ip broadcast-address 192.168.12.255
no ip proxy-arp
ip nat inside
ip route-cache flow
no keepalive
interface Ethernet0/1
description connected to ISP
ip address 116.16.28.34 255.255.255.240
ip broadcast-address 116.16.28.47
ip directed-broadcast
no ip proxy-arp
ip nat outside
!
!
interface Ethernet1/0
description Outside Network
ip address 116.16.29.65 255.255.255.240
ip broadcast-address 116.16.29.78
ip directed-broadcast
no ip proxy-arp
ip nat outside
!
ip nat translation timeout 60
ip nat pool Customers 116.16.28.39 116.16.28.40 netmask 255.255.255.240
ip nat pool Office 116.16.28.41 116.16.28.41 netmask 255.255.255.240
ip nat inside source list 101 pool Customers overload
ip nat inside source list 102 pool Office overload
ip nat inside source static 192.168.12.12 116.16.28.44
ip nat inside source static 192.168.2.10 116.16.28.46
ip nat inside source static 192.168.12.11 116.16.28.45
ip classless
ip route 0.0.0.0 0.0.0.0 116.16.28.33
ip route 192.168.2.0 255.255.255.0 Serial0/0.1
ip route 192.168.5.0 255.255.255.0 Serial0/0.2
no ip http server
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 1034
access-list 101 deny tcp any any eq 3127
access-list 101 permit tcp any any
access-list 102 deny tcp any any eq 137
access-list 102 deny tcp any any eq 445
access-list 102 deny tcp any any eq 1034
access-list 102 deny tcp any any eq 3127
access-list 102 permit tcp any any
end
Thanks,
Mike
04-11-2005 11:55 AM
Still very new to NAT config but I did note one thing real quick......
ip broadcast-address 116.16.29.78 should be ip broadcast-address 116.16.29.79
I will look at the rest later.
Mike
04-11-2005 12:03 PM
Well, one thing I noticed is that on your outside network you have it set up for a broadcast-address of .78 when it should be .79. Actually, what I would do is not even have those commands entered; the router will know what the broadcast address is because of the subnet mask you have set up. I actually don't understand your NAT pool of customers and office if you are just going to overload both of them. You can just make a pool with .39 as the address all of the users will use. Plus get rid of access-list 102 because it is exactly the same. Here is the config I would use. Also, I don't really understand the access-list you have set up; that should be used to say which IP address will be allowed to be NAT'ed. Plus I would also get rid of the ip nat outside on the e1/0 interface.
interface Ethernet0/0
description connected to Office LAN
ip address 192.168.12.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip route-cache flow
no keepalive
interface Ethernet0/1
description connected to ISP
ip address 116.16.28.34 255.255.255.240
ip directed-broadcast
no ip proxy-arp
ip nat outside
!
interface Ethernet1/0
description Outside Network
ip address 116.16.29.65 255.255.255.240
ip directed-broadcast
no ip proxy-arp
!
ip nat translation timeout 60
ip nat inside source static 192.168.12.12 116.16.28.44
ip nat inside source static 192.168.2.10 116.16.28.46
ip nat inside source static 192.168.12.11 116.16.28.45
ip classless
ip route 0.0.0.0 0.0.0.0 116.16.28.33
ip route 192.168.2.0 255.255.255.0 Serial0/0.1
ip route 192.168.5.0 255.255.255.0 Serial0/0.2
ip nat pool office 116.16.28.39 116.16.28.39 netmask 255.255.255.240
ip nat inside source list 101 pool office overload
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
04-11-2005 01:56 PM
I don't know where the .78 came from. Must have been when I edited public addresses. It really was .79 in the router.
So I took it out, along with ip nat outside, so now it is just:
interface Ethernet1/0
description Outside Network
ip address 116.16.29.65 255.255.255.240
ip directed-broadcast
no ip proxy-arp
Still doesn't work.
The pool/access list thing was to separate (in my mind, anyway) things between our office LAN of 10 PCs and the other (240 PCs on 31 different subnets/T-1s coming through our router for internet access). I didn't give you the *entire* config 'cause it's so long, and I was too lazy to edit the whole thing for public viewing.
That wouldn't have anything to do with my problem anyway, would it?
Thanks for your help so far,
Mike
04-12-2005 05:28 AM
You can just attach the config and we can look at it that way.
04-12-2005 06:26 AM
Here it is then.
The whole thing straight out of the router, except I've replaced sensitive info with XXXs and bolded (is that a word?) network numbers on e0/1 and e1/0.
Thanks,
Mike
04-12-2005 06:29 AM
04-12-2005 08:28 AM
I don't think the ISP knows how to reach the IP address range xxx.xxx.29.65, which belongs to the outside network. This interface isn't participating in NAT and you should be able to ping the address xxx.xxx.28.33. Try pinging the ISP with the source address of your outside network. If that doesn't work, call up your ISP and ensure that they know how to reach your outside network; I will assume that route doesn't point to your network and it is getting black holed.
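The two checks raised in this thread (the broadcast address the mask implies, and which connected subnets reach the ISP untranslated and therefore need a return route on the ISP side), as an added example that is not part of any poster's reply. The function names are hypothetical, the sample is trimmed from the config as first posted, and the model assumes every host behind an `ip nat inside` interface is translated into the uplink subnet.

```python
import ipaddress
import re

# Constructed sample: interface lines trimmed from the config as first posted.
CONFIG = """\
interface Ethernet0/0
 ip address 192.168.12.1 255.255.255.0
 ip broadcast-address 192.168.12.255
 ip nat inside
interface Ethernet0/1
 ip address 116.16.28.34 255.255.255.240
 ip broadcast-address 116.16.28.47
 ip nat outside
interface Ethernet1/0
 ip address 116.16.29.65 255.255.255.240
 ip broadcast-address 116.16.29.78
 ip nat outside
"""

def parse_interfaces(text):
    """Return {name: {"net": network, "bcast": address or None, "nat": role or None}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"net": None, "bcast": None, "nat": None})
        elif cur is None:
            continue
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            cur["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif m := re.match(r"ip broadcast-address (\S+)$", line):
            cur["bcast"] = ipaddress.ip_address(m.group(1))
        elif m := re.match(r"ip nat (inside|outside)$", line):  # not "ip nat inside source ..."
            cur["nat"] = m.group(1)
    return ifaces

def broadcast_mismatches(ifaces):
    """Map interface -> (configured, implied by mask) where the two differ."""
    return {n: (i["bcast"], i["net"].broadcast_address) for n, i in ifaces.items()
            if i["net"] and i["bcast"] and i["bcast"] != i["net"].broadcast_address}

def needs_upstream_route(ifaces, uplink):
    """Subnets whose hosts leave the uplink with their own source address
    (interface is not 'ip nat inside') and are not on the uplink's own link."""
    link = ifaces[uplink]["net"]
    return [i["net"] for n, i in ifaces.items()
            if n != uplink and i["net"] and i["nat"] != "inside"
            and not i["net"].subnet_of(link)]
```

Any subnet returned by `needs_upstream_route` is one the upstream router must have a route for; the script cannot see the ISP's routing table, so that still has to be confirmed with the ISP.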