3845 and trouble with nat

1_1
Level 1

I recently bought a 3845 off eBay to replace my 3745.

On my 3745 I used 3x NME-16ES-1G-P for inter-VLAN routing and had the full AC + inline power setup, so I was able to power my AP via PoE without an injector (and one NM-1GE for the connection to a D3 cable modem).

Anyway, using the same version of IOS I can't seem to get NAT to work, even though the config is nearly the same.

On the 3845 I don't have a need for the NM-1GE, which was Gi 2/0, so on the 3845 Gi0/0 is the WAN interface.

Here's the ver and config:

---------------------------------------
Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 12.4(25d), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 18-Aug-10 09:04 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)

RLH-Router uptime is 35 minutes
System returned to ROM by reload at 09:40:57 central Sun Dec 8 2013
System restarted at 09:49:09 central Sun Dec 8 2013
System image file is "flash:c3845-adventerprisek9-mz.124-25d.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 3845 (revision 1.0) with 991232K/57344K bytes of memory.
Processor board ID FTX1444A0XP
5 Gigabit Ethernet interfaces
3 terminal lines
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
125440K bytes of ATA System CompactFlash (Read/Write)

---------------------------------------
!
! No configuration change since last restart
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RLH_router
!
boot-start-marker
boot system flash:c3745-adventerprisek9-mz.124-25d.bin
boot-end-marker
!
no logging buffered
!
no aaa new-model
clock timezone central -6
clock summer-time -0500 recurring
ip cef
!
!
!
!
ip domain name RLH-domain.net
ip name-server 10.0.3.5
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ipv6 unicast-routing
ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username rlh privilege 15 password 5 blabla
archive
 log config
  hidekeys
!
!
ip ftp username (leaving this out for now)
ip ftp password (leaving this out for now)
!
class-map match-all game (leaving this out for now)
 match access-group 101 (leaving this out for now)
class-map match-any Xbox360 (leaving this out for now)
 match ip dscp ef (leaving this out for now)
!
!
policy-map game (leaving this out for now)
 class game (leaving this out for now)
  set ip dscp ef (leaving this out for now)
policy-map Xbox360 (leaving this out for now)
 class Xbox360 (leaving this out for now)
  bandwidth 1024 (leaving this out for now)
!
!
!
!
!
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 bandwidth 30000
 no ip address
 ipv6 address 2001:ZZZZ:1F0E:2::2/64
 ipv6 enable
 ipv6 traffic-filter Internet in
 ipv6 ospf 1 area 0
 keepalive 10 3
 tunnel source 75.x.y.33
 tunnel destination 216.218.224.42
 tunnel mode ipv6ip
 tunnel checksum
!
interface FastEthernet0/0 (won't exist on 3845)
 no ip address
 shutdown
 speed auto
 full-duplex
!
interface FastEthernet0/1 (won't exist on 3845)
 no ip address
 shutdown
 duplex auto
 speed 100
!
interface GigabitEthernet1/0
 description Link to NME-16ES-1G-p
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 ipv6 address 2001:470:B801:FFFF::/127
 ipv6 ospf 1 area 0
!
interface GigabitEthernet2/0 (moving this config to Gi 0/0; the NM-1GE won't be needed and I plan to put an etherswitch here)
 description Link to Comcast
 bandwidth 76000
 ip address 75.x.y.35 255.255.255.248 secondary
 ip address 75.x.y.36 255.255.255.248 secondary
 ip address 75.x.y.37 255.255.255.248 secondary
 ip address 75.x.y.33 255.255.255.248
 ip access-group 110 in (holding off till all's working)
 ip nat outside
 ip virtual-reassembly
 negotiation auto
!
interface GigabitEthernet3/0
 description Link to NME-16ES-1G-p (number 3)
 ip address 10.255.255.9 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 ipv6 address 2001:470:B801:FFFF::4/127
 ipv6 ospf 1 area 0
!
interface GigabitEthernet4/0
 description Link to NME-16ES-1G-p (number 4)
 ip address 10.255.255.13 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 ipv6 address 2001:470:B801:FFFF::6/127
 ipv6 ospf 1 area 0
!
router eigrp 1
 redistribute static
 network 10.255.255.0 0.0.0.3
 network 10.255.255.4 0.0.0.3
 network 10.255.255.8 0.0.0.3
 network 10.255.255.12 0.0.0.3
 auto-summary
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.x.y.38
!
!
no ip http server
ip http port 1025
ip http authentication local
no ip http secure-server
ip nat translation timeout 2
ip nat pool RLH1 75.x.y.35 75.x.y.35 netmask 255.255.255.248
ip nat pool RLH2 75.x.y.36 75.x.y.36 netmask 255.255.255.248
ip nat pool RLH3 75.x.y.37 75.x.y.37 netmask 255.255.255.248
ip nat inside source list 1 pool RLH1 overload
ip nat inside source list 2 pool RLH2 overload
ip nat inside source list 3 pool RLH3 overload
(leaving out the static NAT translations till things are working; deleting this part so I don't have to filter it, leaving one here as an example of how I have them)
ip nat inside source static udp 10.0.3.10 27178 75.x.y.36 27178 extendable
!
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 deny   any
access-list 2 permit 10.0.3.0 0.0.0.255
access-list 2 deny   any
access-list 3 permit 10.0.4.0 0.0.0.255
access-list 3 deny   any
access-list 4 permit 10.255.255.0 0.0.0.3
access-list 4 deny   any
access-list 50 permit 10.0.0.0 0.0.0.255
access-list 50 deny   any
access-list 101 permit ip host 10.0.3.11 any
access-list 101 deny   ip any any
(holding ACL 110 till things work, so deleting it from this post)
snmp-server community (edited) RW
ipv6 route ::/0 Tunnel0
ipv6 router ospf 1
(IPv6 is working so I'm editing this part out)
!
!
!
!
ipv6 access-list Internet
!
ipv6 access-list VTY (IPv6 is working so I'm editing this part out)
 sequence 40 permit tcp 2001:470:B801::/48 any
 permit udp 2001:470:B801::/48 any
 deny ipv6 any any
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd  Keep Out
!
line con 0
 speed 19200 (not putting this line in yet)
line 33
 exec-timeout 0 0
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 97
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 129
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line aux 0
line vty 0 4
 exec-timeout 0 0
 ipv6 access-class VTY in
 login local
 telnet refuse-negotiations
line vty 5 15
 exec-timeout 0 0
 ipv6 access-class VTY in
 login local
 telnet refuse-negotiations
!
ntp clock-period 17179186
ntp master 2
ntp server 128.138.140.44
ntp server 207.200.81.113
ntp server 132.163.4.101
ntp server 132.163.4.102
ntp server 132.163.4.103
ntp server 201.155.229.129
ntp server 131.107.1.10
ntp server 69.25.96.13
ntp server 207.126.98.204
ntp server 129.6.15.29
ntp server 129.6.15.28
ntp server 216.200.93.8
ntp server 64.236.96.53
ntp server 208.184.49.9
ntp server 68.216.79.113
!
end
----------------------------------------------------------------------------------

Please help.

Accepted Solutions

Ricky,

Can you please remove the secondary IP addresses from your Gi0/0 interface, then do clear ip nat translation * and try the traceroute again? You should not need to have the secondary IP addresses configured on your interface just because you are translating into them; the router is smart enough to create ProxyARP entries on behalf of addresses in the pools. I would like to remove all parts of the configuration that may interfere with the proper straightforward operation of NAT and routing.

Thank you!

Best regards,

Peter


Hi Ricky,

Thanks for letting us know. I suspect that stuck ARP entries are behind the entire issue: after you replaced the 3745 with the 3845, the SMC kept the old ARP entries for the IP addresses in the NAT pools, breaking the connectivity. Just a guess, but that would be my first shot.

Best regards,

Peter

16 Replies

Peter Paluch
Cisco Employee

Ricky,

Your current 3745 configuration indeed does not show any signs of configuration trouble, and I see no reason why it should not work on the 3845. However, to troubleshoot the 3845 behavior, we would need to see its configuration after you transferred it from 3745. Also, the output from show ip nat translation and show ip nat statistics would be necessary to see if there is at least something happening in the NAT. Can you please provide this information?

Best regards,

Peter

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LOGIX-Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
ip domain name Domain-Logix.local
ip name-server 10.0.2.6
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ipv6 unicast-routing
ipv6 cef
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username rlh privilege 15 password 5 blabla
!
!
!
!
!
!
!
interface Loopback1 (added for testing)
 ip address 10.254.254.0 255.255.255.255
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 bandwidth 30000
 no ip address
 ipv6 address 2001:470:1F0E:2::2/64
 ipv6 enable
 ipv6 traffic-filter Internet in
 ipv6 ospf 1 area 0
 keepalive 10 3
 tunnel source 75.148.235.33
 tunnel destination 216.218.224.42
 tunnel mode ipv6ip
 tunnel checksum
!
interface GigabitEthernet0/0
 description Link to Comcast
 bandwidth 76000
 ip address 75.148.235.35 255.255.255.248 secondary
 ip address 75.148.235.36 255.255.255.248 secondary
 ip address 75.148.235.37 255.255.255.248 secondary
 ip address 75.148.235.33 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet1/0
 description Link to NME-16ES-1G-p (number 1)
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 ipv6 address 2001:470:B801:FFFF::/127
 ipv6 ospf 1 area 0
!
interface GigabitEthernet3/0
 description Link to NME-16ES-1G-p (number 3)
 ip address 10.255.255.9 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 ipv6 address 2001:470:B801:FFFF::4/127
 ipv6 ospf 1 area 0
!
interface GigabitEthernet4/0
 description Link to NME-16ES-1G-p (number 4)
 ip address 10.255.255.13 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 ipv6 address 2001:470:B801:FFFF::6/127
 ipv6 ospf 1 area 0
!
router eigrp 1
 redistribute connected
 redistribute static
 network 10.255.255.0 0.0.0.3
 network 10.255.255.4 0.0.0.3
 network 10.255.255.8 0.0.0.3
 network 10.255.255.12 0.0.0.3
 auto-summary
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.148.235.38
!
!
no ip http server
no ip http secure-server
ip nat translation timeout 2
ip nat pool RLH1 75.148.235.35 75.148.235.35 netmask 255.255.255.248
ip nat pool RLH2 75.148.235.36 75.148.235.36 netmask 255.255.255.248
ip nat pool RLH3 75.148.235.37 75.148.235.37 netmask 255.255.255.248
ip nat inside source list 1 pool RLH1 overload
ip nat inside source list 2 pool RLH2 overload
ip nat inside source list 3 pool RLH3 overload
!
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 10.255.255.0 0.0.0.255
access-list 1 deny any
access-list 2 permit 10.0.3.0 0.0.0.255
access-list 2 deny any
access-list 3 permit 10.0.4.0 0.0.0.255
access-list 3 deny any
access-list 4 permit 10.255.255.0 0.0.0.3
access-list 4 deny any
ipv6 route ::/0 Tunnel0
ipv6 router ospf 1
 log-adjacency-changes
 area 0 range 2001:470:B801:FFFF::/127
 area 0 range 2001:470:B801:FFFF::2/127
 area 0 range 2001:470:B801:FFFF::4/127
 area 0 range 2001:470:B801:FFFF::6/127
 default-information originate
 passive-interface Tunnel0
 redistribute connected
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 194
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 258
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 login local
line vty 5 15
 login local
!
scheduler allocate 20000 1000
!
end

Ricky,

Thank you for the additional data. What about the show ip nat translation and show ip nat statistics? They contain some vital data about the NAT, apart from others, whether at least some NAT translations have been created. Once again, though, the configuration appears to be correct.

I wonder - with this configuration, are you actually able to ping from your 3845 out to the internet? Can you ping the default gateway, or perhaps ping even farther? I am thinking of a remote possibility of your internet connection being tied to the MAC address of the 3745 router, preventing you from connecting the 3845 directly.

Best regards,

Peter

From the 3845 I can ping the internet, but if I source the ping from anything but the WAN interface it fails (only pasting part of the NAT translations as it's very long).

LOGIX-Router#sh ip nat t
Pro Inside global      Inside local       Outside local      Outside global
icmp 75.148.235.35:768 10.0.2.5:768       4.2.2.1:768        4.2.2.1:768
icmp 75.148.235.35:768 10.0.2.5:768       73.2.80.1:768      73.2.80.1:768
icmp 75.148.235.35:768 10.0.2.5:768       75.148.235.34:768  75.148.235.34:768
udp 75.148.235.35:1025 10.0.2.5:1025      10.254.254.1:161   10.254.254.1:161
udp 75.148.235.35:1026 10.0.2.5:1026      10.254.254.2:161   10.254.254.2:161
udp 75.148.235.35:1027 10.0.2.5:1027      10.254.254.2:161   10.254.254.2:161
udp 75.148.235.35:1028 10.0.2.5:1028      10.254.254.2:161   10.254.254.2:161
udp 75.148.235.35:1030 10.0.2.5:1030      10.254.254.6:161   10.254.254.6:161
udp 75.148.235.35:1031 10.0.2.5:1031      10.254.254.6:161   10.254.254.6:161
udp 75.148.235.35:1032 10.0.2.5:1032      10.254.254.6:161   10.254.254.6:161
udp 75.148.235.35:1033 10.0.2.5:1033      10.254.254.1:161   10.254.254.1:161
udp 75.148.235.35:1034 10.0.2.5:1034      10.254.254.1:161   10.254.254.1:161
udp 75.148.235.35:1035 10.0.2.5:1035      10.254.254.1:161   10.254.254.1:161
udp 75.148.235.35:1038 10.0.2.5:1038      10.254.254.2:161   10.254.254.2:161
udp 75.148.235.35:1039 10.0.2.5:1039      10.254.254.2:161   10.254.254.2:161
udp 75.148.235.35:1040 10.0.2.5:1040      10.254.254.2:161   10.254.254.2:161
udp 75.148.235.35:1041 10.0.2.5:1041      10.254.254.6:161   10.254.254.6:161
udp 75.148.235.35:1042 10.0.2.5:1042      10.254.254.6:161   10.254.254.6:161
udp 75.148.235.35:1045 10.0.2.5:1045      10.254.254.1:161   10.254.254.1:161
udp 75.148.235.35:1046 10.0.2.5:1046      10.254.254.1:161   10.254.254.1:161
udp 75.148.235.35:1047 10.0.2.5:1047      10.254.254.1:161   10.254.254.1:161
udp 75.148.235.35:1048 10.0.2.5:1048      10.254.254.2:161   10.254.254.2:161

Total active translations: 808 (0 static, 808 dynamic; 808 extended)
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet1/0, GigabitEthernet3/0, GigabitEthernet4/0
Hits: 12953  Misses: 18011
CEF Translated packets: 26158, CEF Punted packets: 9800
Expired translations: 21358
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool RLH1 refcount 802
 pool RLH1: netmask 255.255.255.248
        start 75.148.235.35 end 75.148.235.35
        type generic, total addresses 1, allocated 1 (100%), misses 0
[Id: 2] access-list 2 pool RLH2 refcount 6
 pool RLH2: netmask 255.255.255.248
        start 75.148.235.36 end 75.148.235.36
        type generic, total addresses 1, allocated 1 (100%), misses 355
[Id: 3] access-list 3 pool RLH3 refcount 0
 pool RLH3: netmask 255.255.255.248
        start 75.148.235.37 end 75.148.235.37
        type generic, total addresses 1, allocated 0 (0%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

Ricky,

The NAT obviously works - the entries are a clear proof.

I wonder: there seem to be a lot of entries created on behalf of the 10.0.2.5 station, with this station trying to reach 10.254.254.x on SNMP ports. Is this normal? The sequence of translation entries suggests that the station must have been very intense in generating that many requests and consuming quite a number of entries in your NAT table. That could account for some of the issues you are seeing.

My suggestion: let's verify whether the basic routing and very simple NAT works on your router. I suggest temporarily reworking one of your ACLs to allow NAT only from directly connected networks on your router (avoiding the 10.0.2.5 as that one seems to be aggressive at present), and seeing if the NAT works with this limited configuration. If it does, let's start adding the networks back.

Best regards,

Peter

Well, I can't ping the internet from behind the router, i.e. I can't ping 4.2.2.2 (Level3 anycast DNS).

10.0.2.5 is my PRTG network monitor, so I'll just stop it for now (maybe I forgot to update it when I switched from 10.254.254 to 10.255.255).

OK, after stopping my SNMP monitor here's the trans and stats:

Pro Inside global      Inside local       Outside local      Outside global
udp 75.148.235.35:55260 10.0.2.6:55260    65.61.188.4:53     65.61.188.4:53
udp 75.148.235.35:55260 10.0.2.6:55260    69.20.95.4:53      69.20.95.4:53
udp 75.148.235.35:55604 10.0.2.6:55604    216.239.32.10:53   216.239.32.10:53
udp 75.148.235.35:55604 10.0.2.6:55604    216.239.34.10:53   216.239.34.10:53
udp 75.148.235.35:56523 10.0.2.6:56523    65.61.188.4:53     65.61.188.4:53
udp 75.148.235.35:56863 10.0.2.6:56863    144.160.20.47:53   144.160.20.47:53
udp 75.148.235.35:56863 10.0.2.6:56863    144.160.112.22:53  144.160.112.22:53
udp 75.148.235.35:56863 10.0.2.6:56863    144.160.128.140:53 144.160.128.140:53
udp 75.148.235.35:56865 10.0.2.6:56865    216.239.32.10:53   216.239.32.10:53
udp 75.148.235.35:56865 10.0.2.6:56865    216.239.34.10:53   216.239.34.10:53
udp 75.148.235.35:56865 10.0.2.6:56865    216.239.36.10:53   216.239.36.10:53
udp 75.148.235.35:56865 10.0.2.6:56865    216.239.38.10:53   216.239.38.10:53
udp 75.148.235.35:57481 10.0.2.6:57481    216.239.32.10:53   216.239.32.10:53
udp 75.148.235.35:57481 10.0.2.6:57481    216.239.34.10:53   216.239.34.10:53
udp 75.148.235.35:57481 10.0.2.6:57481    216.239.36.10:53   216.239.36.10:53
udp 75.148.235.35:57481 10.0.2.6:57481    216.239.38.10:53   216.239.38.10:53
udp 75.148.235.35:57602 10.0.2.6:57602    144.160.20.47:53   144.160.20.47:53
udp 75.148.235.35:57602 10.0.2.6:57602    144.160.112.22:53  144.160.112.22:53
udp 75.148.235.35:57602 10.0.2.6:57602    144.160.128.140:53 144.160.128.140:53
udp 75.148.235.35:47639 10.0.2.9:47639    24.20.181.82:65500 24.20.181.82:65500
udp 75.148.235.35:47639 10.0.2.9:47639    31.33.116.157:17226 31.33.116.157:17226
udp 75.148.235.35:47639 10.0.2.9:47639    64.228.142.46:62873 64.228.142.46:62873
udp 75.148.235.35:47639 10.0.2.9:47639    66.212.214.157:13384 66.212.214.157:13384
udp 75.148.235.35:47639 10.0.2.9:47639    67.168.146.220:63803 67.168.146.220:63803
udp 75.148.235.35:47639 10.0.2.9:47639    67.238.11.131:58166 67.238.11.131:58166
udp 75.148.235.35:47639 10.0.2.9:47639    71.187.50.192:16513 71.187.50.192:16513
udp 75.148.235.35:47639 10.0.2.9:47639    81.102.82.146:18558 81.102.82.146:18558
udp 75.148.235.35:47639 10.0.2.9:47639    82.244.229.91:52981 82.244.229.91:52981
udp 75.148.235.35:47639 10.0.2.9:47639    83.226.168.88:50639 83.226.168.88:50639
udp 75.148.235.35:47639 10.0.2.9:47639    92.113.81.237:43177 92.113.81.237:43177
udp 75.148.235.35:47639 10.0.2.9:47639    94.71.145.119:58425 94.71.145.119:58425
udp 75.148.235.35:47639 10.0.2.9:47639    95.77.241.16:41628 95.77.241.16:41628
udp 75.148.235.35:47639 10.0.2.9:47639    98.215.229.197:18805 98.215.229.197:18805

Total active translations: 36 (0 static, 36 dynamic; 36 extended)
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet1/0, GigabitEthernet3/0, GigabitEthernet4/0
Hits: 17152  Misses: 23343
CEF Translated packets: 33864, CEF Punted packets: 13485
Expired translations: 28772
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool RLH1 refcount 35
 pool RLH1: netmask 255.255.255.248
        start 75.148.235.35 end 75.148.235.35
        type generic, total addresses 1, allocated 1 (100%), misses 0
[Id: 2] access-list 2 pool RLH2 refcount 1
 pool RLH2: netmask 255.255.255.248
        start 75.148.235.36 end 75.148.235.36
        type generic, total addresses 1, allocated 1 (100%), misses 470
[Id: 3] access-list 3 pool RLH3 refcount 0
 pool RLH3: netmask 255.255.255.248
        start 75.148.235.37 end 75.148.235.37
        type generic, total addresses 1, allocated 0 (0%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

OK, I'll also stop the app on 2.9.

Ricky,

Even if your 10.0.2.5 is your PRTG monitor, there seems to be an issue in routing: why would the packets to 10.254.254.x be routed out to the public internet? It does not make sense.

You say you cannot ping the internet from behind the router. What would traceroute say? Where does the traceroute stop?

Best regards,

Peter
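Peter's two observations above (one inside host consuming most of the NAT table, and translations being created for private destinations that should never have reached the NAT outside interface) are the kind of thing worth checking mechanically when a `show ip nat translations` paste is hundreds of lines long. The following Python script is an added example, not code from this thread or from Cisco: it parses a pasted translation table, rejoins entries that the terminal wrapped onto two lines (as happened in the pastes above), counts translations per inside host, and flags entries whose outside destination is RFC 1918 space, which points to a missing or stale internal route. The sample paste is constructed from a handful of the entries in this thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a trimmed "show ip nat translations" paste in the shape
# seen in this thread, including the terminal wrapping a long entry onto a
# second line and the pager repeating the column header.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 75.148.235.35:768 10.0.2.5:768       4.2.2.1:768        4.2.2.1:768
udp 75.148.235.35:1025 10.0.2.5:1025      10.254.254.1:161   10.254.254.1:161
udp 75.148.235.35:1026 10.0.2.5:1026      10.254.254.2:161   10.254.254.2:161
udp 75.148.235.35:1030 10.0.2.5:1030      10.254.254.6:161   10.254.254.6:161
udp 75.148.235.35:55260 10.0.2.6:55260    65.61.188.4:53     65.61.188.4:53
udp 75.148.235.35:47639 10.0.2.9:47639    24.20.181.82:65500 24.20.181.82:65500
udp 75.148.235.35:47639 10.0.2.9:47639    31.33.116.157:17226 31.33.116.157:1722
6
Pro Inside global      Inside local       Outside local      Outside global
udp 75.148.235.35:47639 10.0.2.9:47639    66.212.214.157:13384 66.212.214.157:13
384
Total active translations: 8 (0 static, 8 dynamic; 8 extended)
"""

# "address:port" as printed by IOS; for icmp the "port" field is the ICMP id.
ENDPOINT = re.compile(r"^(\S+):(\d+)$")


def unwrap(text):
    """Rejoin wrapped entries and drop repeated pager headers.

    A line consisting only of digits is the tail of the previous entry's
    last port number, cut by the terminal width; glue it back on.
    """
    rows = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.isdigit() and rows:
            rows[-1] += line
            continue
        if line.startswith("Pro "):
            continue
        rows.append(line)
    return rows


def parse_translations(text):
    """Return one dict per translation entry (protocol, four endpoints, ports)."""
    entries = []
    for row in unwrap(text):
        parts = row.split()
        if len(parts) != 5:
            continue  # trailer lines such as "Total active translations: ..."
        proto, ig, il, ol, og = parts
        entry = {"proto": proto}
        fields = (("inside_global", ig), ("inside_local", il),
                  ("outside_local", ol), ("outside_global", og))
        for name, field in fields:
            m = ENDPOINT.match(field)
            if not m:
                break
            entry[name] = m.group(1)
            entry[name + "_port"] = int(m.group(2))
        else:
            entries.append(entry)
    return entries


def top_talkers(entries, n=3):
    """Inside hosts holding the most translations, most first."""
    return Counter(e["inside_local"] for e in entries).most_common(n)


def private_leaks(entries):
    """Entries whose outside destination is RFC 1918 space.

    Such traffic should have been routed internally; seeing it in the NAT
    table means it fell through to the default route instead.
    """
    return [e for e in entries
            if ipaddress.ip_address(e["outside_global"]).is_private]


def report(text, n=3):
    entries = parse_translations(text)
    return {
        "total": len(entries),
        "top_talkers": top_talkers(entries, n),
        "private_destinations": sorted({e["outside_global"]
                                        for e in private_leaks(entries)}),
    }


if __name__ == "__main__":
    print(report(SAMPLE))
```

Feeding a full paste through `report()` gives the per-host counts Peter read off by eye, and any non-empty `private_destinations` list is the routing problem he spotted (here the 10.254.254.x monitor targets), independent of whether the NAT itself is healthy.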

Well, 10.254.254.1 used to be an IP of my router, and as 10.254.254.x is an unknown net it would send it to the gateway of last resort (guess I never updated it to point to 10.255.255.1 instead).

From a computer I can ping:

10.0.2.1 (etherswitch VLAN interface)

10.255.255.2 (etherswitch VLAN interface pointing to the router)

10.255.255.1 (router interface pointing to the etherswitch)

10.254.254.0 (router loopback interface, proving that it's routing)

but not 75.148.235.38 (ISP gateway pointing to me).

Here's the tracert:

  1     1 ms     2 ms     2 ms  rlh-ethsw.rlh-domain.net [10.0.2.1]
  2    <1 ms    <1 ms    <1 ms  10.255.255.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.

Ricky,

Can you please remove the secondary IP addresses from your Gi0/0 interface, then do clear ip nat translation * and try the traceroute again? You should not need to have the secondary IP addresses configured on your interface just because you are translating into them; the router is smart enough to create ProxyARP entries on behalf of addresses in the pools. I would like to remove all parts of the configuration that may interfere with the proper straightforward operation of NAT and routing.

Thank you!

Best regards,

Peter

OK, removed the secondaries but still can't ping from a computer.

For testing I've now shut down Gi 1/0, 3/0 and 4/0, changed ACL 1 to include Loopback1, and added ip nat inside on the loopback.

I issued the following list of commands:

int gi 1/0
 shut
int gi 3/0
 shut
int gi 4/0
 shut
exit
no access-list 1
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 10.254.254.0 0.0.0.255
access-list 1 deny   any
int loopback1
 ip nat in

So this should prevent any more NAT translations other than what should occur for a ping sourced from the loopback:

LOGIX-Router#ping 4.2.2.2 source lo 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.254.254.0
.....
Success rate is 0 percent (0/5)
LOGIX-Router#sh ip nat t
Pro Inside global      Inside local       Outside local      Outside global
icmp 75.148.235.35:2   10.254.254.0:2     4.2.2.2:2          4.2.2.2:2

Oh man, am I mad at Comcast now.

After hours of troubleshooting the router I just power cycled the cable modem (SMC D3 acting as a pure router) and now it works.

Seems like it didn't want to reply to my new router for anything but the .33 till I power cycled it.