Another Shot

msauvola
Level 1

No replies last time.

With the following config I can ping both to and from hosts on the Office LAN to and from the Outside Network, but not out to the ISP.

Traffic moves fine from Office LAN through NAT to and from ISP.

But from Outside Network I can only ping all router interfaces, and hosts on the Office Network. Can't get out to the ISP.

What is missing or mis-configured?

(First two octets of Public Addresses not actual)

***************

version 12.1
hostname XXXX
!
ip subnet-zero
no ip domain-lookup
!
!
interface Ethernet0/0
 description connected to Office LAN
 ip address 192.168.12.1 255.255.255.0
 ip broadcast-address 192.168.12.255
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no keepalive
interface Ethernet0/1
 description connected to ISP
 ip address 116.16.28.34 255.255.255.240
 ip broadcast-address 116.16.28.47
 ip directed-broadcast
 no ip proxy-arp
 ip nat outside
!
!
interface Ethernet1/0
 description Outside Network
 ip address 116.16.29.65 255.255.255.240
 ip broadcast-address 116.16.29.78
 ip directed-broadcast
 no ip proxy-arp
 ip nat outside
!
ip nat translation timeout 60
ip nat pool Customers 116.16.28.39 116.16.28.40 netmask 255.255.255.240
ip nat pool Office 116.16.28.41 116.16.28.41 netmask 255.255.255.240
ip nat inside source list 101 pool Customers overload
ip nat inside source list 102 pool Office overload
ip nat inside source static 192.168.12.12 116.16.28.44
ip nat inside source static 192.168.2.10 116.16.28.46
ip nat inside source static 192.168.12.11 116.16.28.45
ip classless
ip route 0.0.0.0 0.0.0.0 116.16.28.33
ip route 192.168.2.0 255.255.255.0 Serial0/0.1
ip route 192.168.5.0 255.255.255.0 Serial0/0.2
no ip http server
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 1034
access-list 101 deny tcp any any eq 3127
access-list 101 permit tcp any any
access-list 102 deny tcp any any eq 137
access-list 102 deny tcp any any eq 445
access-list 102 deny tcp any any eq 1034
access-list 102 deny tcp any any eq 3127
access-list 102 permit tcp any any
end

Thanks,

Mike

7 Replies

burleyman
Level 8

Still very new to NAT config but I did note one thing real quick......

ip broadcast-address 116.16.29.78 should be.... ip broadcast-address 116.16.29.79

I will look at the rest later.

Mike

smif101
Level 4

Well, one thing I noticed is that on your outside network you have it set up for a broadcast-address of .78 when it should be .79. Actually, what I would do is not even have those commands entered; the router will know what the broadcast address is because of the subnet mask you have set up. I actually don't understand your NAT pool of customers and office if you are just going to overload both of them. You can just make a pool with .39 as the address, all of the users will use. Plus get rid of access-list 102 because it is exactly the same. Here is the config I would use. Also, I don't really understand the access-list you have set up; that should be used to say which IP address will be allowed to be NAT'ed. Plus I would also get rid of the ip nat outside on the e1/0 interface.

interface Ethernet0/0
 description connected to Office LAN
 ip address 192.168.12.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no keepalive
interface Ethernet0/1
 description connected to ISP
 ip address 116.16.28.34 255.255.255.240
 ip directed-broadcast
 no ip proxy-arp
 ip nat outside
!
interface Ethernet1/0
 description Outside Network
 ip address 116.16.29.65 255.255.255.240
 ip directed-broadcast
 no ip proxy-arp
!
ip nat translation timeout 60
ip nat inside source static 192.168.12.12 116.16.28.44
ip nat inside source static 192.168.2.10 116.16.28.46
ip nat inside source static 192.168.12.11 116.16.28.45
ip classless
ip route 0.0.0.0 0.0.0.0 116.16.28.33
ip route 192.168.2.0 255.255.255.0 Serial0/0.1
ip route 192.168.5.0 255.255.255.0 Serial0/0.2
ip nat pool office 116.16.28.39 116.16.28.39 netmask 255.255.255.240
ip nat inside source list 101 pool office overload
access-list 101 permit 192.168.12.0 0.0.0.255

I don't know where the .78 came from. Must have been when I edited public addresses. It really was .79 in the router.

So I took it out, along with ip nat outside, so now it is just:

interface Ethernet1/0
 description Outside Network
 ip address 116.16.29.65 255.255.255.240
 ip directed-broadcast
 no ip proxy-arp

Still doesn't work.

The pool/access list thing was to separate (in my mind, anyway) things between our office LAN of 10 PCs and the other (240 PCs on 31 different subnets/T-1s coming through our router for internet access). I didn't give you the *entire* config 'cause it's so long, and I was too lazy to edit the whole thing for public viewing.

That wouldn't have anything to do with my problem anyway, would it?

Thanks for your help so far,

Mike

you can just attach the config and we can look at it that way.

Here it is then.

The whole thing straight out of the router except I've replaced sensitive info with XXXs and bolded (is that a word?) network numbers on e0/1 and e1/0.

Thanks,

Mike

Whoops - forgot attachment.

Here it is.

I don't think the ISP knows how to reach the IP address range xxx.xxx.29.65 which belongs to the outside network. This interface isn't participating in NAT and you should be able to ping the address xxx.xxx.28.33. Try pinging the ISP with the source address of your outside network. If that doesn't work, call up your ISP and ensure that they know how to reach your outside network; I will assume that route doesn't point to your network and it is getting black holed.
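
The two points raised in the replies (a broadcast address that does not match the /28 mask, and the Outside Network subnet leaving untranslated so the ISP needs a route back to it), checked with a short Python script. This is an added example, not part of any post in the thread; the sample config is constructed from lines in the original post, the function names are hypothetical, and it assumes only interfaces marked ip nat inside have their source addresses translated.

```python
import ipaddress
import re

# Constructed sample: lines from the original post, kept as posted (.78 included).
CONFIG = """\
interface Ethernet0/0
 ip address 192.168.12.1 255.255.255.0
 ip nat inside
interface Ethernet0/1
 ip address 116.16.28.34 255.255.255.240
 ip broadcast-address 116.16.28.47
 ip nat outside
interface Ethernet1/0
 ip address 116.16.29.65 255.255.255.240
 ip broadcast-address 116.16.29.78
 ip nat outside
ip route 0.0.0.0 0.0.0.0 116.16.28.33
"""

def parse(text):
    """Return ({ifname: {"net", "bcast", "nat"}}, default-route next hop or None)."""
    ifaces, cur, gw = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"net": None, "bcast": None, "nat": None})
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            gw = ipaddress.ip_address(m[1])
        elif cur and (m := re.match(r"\s+ip address (\S+) (\S+)", line)):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif cur and (m := re.match(r"\s+ip broadcast-address (\S+)", line)):
            cur["bcast"] = ipaddress.ip_address(m[1])
        elif cur and (m := re.match(r"\s+ip nat (inside|outside)", line)):
            cur["nat"] = m[1]
    return ifaces, gw

def broadcast_mismatches(ifaces):
    """{ifname: (configured, implied by mask)} for interfaces where the two differ."""
    return {n: (str(i["bcast"]), str(i["net"].broadcast_address))
            for n, i in ifaces.items()
            if i["net"] and i["bcast"] and i["bcast"] != i["net"].broadcast_address}

def untranslated_subnets(ifaces, gw):
    """Connected subnets that reach the ISP with their own source address."""
    return [str(i["net"]) for i in ifaces.values() if i["net"]
            and i["nat"] != "inside" and (gw is None or gw not in i["net"])]

if __name__ == "__main__":
    ifaces, gw = parse(CONFIG)
    print(broadcast_mismatches(ifaces), untranslated_subnets(ifaces, gw))
```

Sources translated from the Office LAN land in the ISP-facing /28 (the pool and static addresses are all in 116.16.28.32/28), which is why that traffic returns without any extra route upstream, while 116.16.29.64/28 depends on one.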
