02-25-2007 09:30 AM - edited 03-03-2019 03:55 PM
I am trying to configure a new router for a new internet connection. I was given the following information from the ISP:
Connected point to point ip:
X.X.1.28/30
Default gateway:
X.X.1.29/30
Routed network IP:
X.X.3.224/28
Now, using the above info I was able to configure the router so that I can access the internet, however nothing from the outside can see the router. I cannot ping the X.X.1.30 address, I cannot access any of the X.X.3.224/28 addresses.... nothing.
Here is a scrubbed config:
!This is the running config of the router: 192.168.254.2
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
!
!
no ip bootp server
ip name-server X.X.0.22
ip name-server X.X.1.2
ip ssh time-out 60
ip ssh authentication-retries 2
!
multilink bundle-name authenticated
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_LAN$$FW_INSIDE$
ip address 192.168.254.2 255.255.255.0 secondary
ip address X.X.3.241 255.255.255.240
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $FW_OUTSIDE$$ES_WAN$
ip address X.X.1.30 255.255.255.252
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
ip route 0.0.0.0 0.0.0.0 X.X.1.29
ip route X.X.3.240 255.255.255.240 X.X.3.254
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/1 overload
!
logging trap debugging
access-list 1 permit any
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Any help would be greatly appreciated!!!
02-25-2007 05:09 PM
Jim
I have looked at the config that you posted and I see a couple of things that might be issues. I am not clear why you have assigned your provider address space on the inside interface with additional secondary address space:
ip address 192.168.254.2 255.255.255.0 secondary
ip address X.X.3.241 255.255.255.240
If the issue is that you have more than 14 devices on the inside interface then I would expect that you would use the provider assigned addresses as a NAT pool and translate the private/inside addresses into the provider assigned addresses.
I also believe that it is an issue that the access list for address translation does a permit any:
access-list 1 permit any
This means that devices on the inside interface that are configured in the provider assigned address space of:
X.X.3.240
will be translated into the address space on the outside interface:
ip nat inside source list 1 interface FastEthernet0/1 overload
I am also having difficulty in understanding the logic of this static route:
ip route X.X.3.240 255.255.255.240 X.X.3.254
Why in the world are you attempting to route the provider assigned address space to an address within that subnet (when that subnet is being translated to something else on the outbound interface)?
Perhaps you can clarify these points?
HTH
Rick
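The two points raised in the reply above (the "permit any" NAT list catching the provider-assigned subnet, and the static route into a connected subnet) can be checked mechanically. This is an added example, not part of the original thread: the audit function is hypothetical, and the sample config is constructed from the posted lines with the scrubbed X.X octets replaced by documentation addresses.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: relevant lines of the posted config, with the scrubbed
# "X.X" octets replaced by documentation addresses (an assumption).
SAMPLE = """\
interface FastEthernet0/0
 ip address 192.168.254.2 255.255.255.0 secondary
 ip address 203.0.113.241 255.255.255.240
 ip nat inside
interface FastEthernet0/1
 ip address 198.51.100.30 255.255.255.252
 ip nat outside
ip route 0.0.0.0 0.0.0.0 198.51.100.29
ip route 203.0.113.240 255.255.255.240 203.0.113.254
ip nat inside source list 1 interface FastEthernet0/1 overload
access-list 1 permit any
"""

def audit(config):
    """Flag the two issues raised in the reply above; returns a list of findings."""
    nets, nat_inside, acls, nat_lists, routes, cur = {}, set(), {}, [], [], None
    for line in config.splitlines():
        w = line.split()
        if not w or w[0].startswith("!"):
            continue
        if w[0] == "interface":
            cur = w[1]
        elif w[:2] == ["ip", "address"] and cur:
            nets.setdefault(cur, []).append(ipaddress.ip_interface(f"{w[2]}/{w[3]}").network)
        elif w == ["ip", "nat", "inside"]:
            nat_inside.add(cur)
        elif w[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_lists.append(w[5])
        elif w[0] == "access-list":
            acls.setdefault(w[1], []).append(w[2:])
        elif w[:2] == ["ip", "route"]:  # assumes the next hop is given as an IP address
            routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False), ipaddress.ip_address(w[4])))
    findings = []
    for acl in nat_lists:
        if ["permit", "any"] not in acls.get(acl, []):
            continue
        for intf in sorted(nat_inside):
            for net in nets.get(intf, []):
                if not any(net.subnet_of(r) for r in RFC1918):  # public block behind NAT
                    findings.append(f"NAT list {acl} 'permit any' also translates public subnet {net} on {intf}")
    connected = {n for ns in nets.values() for n in ns}
    for dest, hop in routes:
        if dest in connected and hop in dest:
            findings.append(f"static route {dest} via {hop} points into a directly connected subnet")
    return findings
```

Narrowing the NAT list to the private range only (for example permit 192.168.254.0 0.0.0.255) and dropping the static route for the connected subnet clears both findings.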
02-25-2007 06:17 PM
You don't have the following;
!
ip subnet-zero
!
ip classless
Why do you have this in your FastEthernet0/0?
!
ip address X.X.3.241 255.255.255.240
Doesn't sound logical from what your ISP is providing you.
Let us know about your NAT plan, because I think you can't turn on ip cef if you are going to use NAT overload.