03-06-2015 03:19 PM - edited 03-05-2019 12:58 AM
04-23-2015 07:20 PM
E7_SIP#sh ip access-list
Standard IP access list 1
10 permit 10.7.0.0, wildcard bits 0.0.255.255 (3 matches)
Extended IP access list INGRESS
10 permit ip host 10.7.0.2 any log-input
20 permit ip any host 10.7.0.2 log-input
30 permit ip any any
E7_SIP#
interface GigabitEthernet0/1
ip address 10.7.0.1 255.255.0.0
ip access-group INGRESS in
ip nat inside
ip virtual-reassembly
no ip route-cache cef
duplex auto
speed auto
media-type rj45
no negotiation auto
I will not be able to test the ping from the router again until tomorrow. I will provide log info as soon as I can. Thank you!
04-24-2015 10:03 AM
I verified the access-list last night and still could not get from the inside LAN to anywhere beyond the router.
This morning I once again logged into the router and verified I could ping from the "inside" interface to anywhere beyond the router and it worked: ping 8.8.8.8 source g0/1.
I also pinged from the "outside" interface to a host on the "inside" LAN: ping 10.7.0.2 source g0/2. This was a suggestion from another thread and I had not tried it yet. It worked.
My next step was to log in to the host on the inside LAN and verify ifconfig and run a traceroute to a host outside the router. To my amazement it worked. I traced from 10.7.0.2 all the way to www.ibm.com without fail. I have been able to successfully traceroute anywhere else ever since. My NAT translation table looks good now too.
E7_SIP#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
udp 66.117.96.80:123 10.7.0.2:123 129.6.15.30:123 129.6.15.30:123
udp 66.117.96.80:123 10.7.0.2:123 132.163.4.101:123 132.163.4.101:123
udp 66.117.96.80:123 10.7.0.2:123 152.2.133.55:123 152.2.133.55:123
udp 66.117.96.80:123 10.7.0.2:123 198.60.22.240:123 198.60.22.240:123
tcp 66.117.96.80:36788 10.7.0.2:36788 184.51.115.9:80 184.51.115.9:80
Is it possible that running the outside to inside ping forced the 7301 to finally learn that it was supposed to be doing PAT? I have also removed the extended access list from the inside interface and it is still working.
Not sure what to do if it fails again.
Thanks,
Kevin
04-24-2015 02:54 PM
It's possible - what type of switch is between the router and Linux?
If it's a direct connection then I have no idea what to check.. maybe the Linux host, but unlikely.
I am glad it's working. It's hard to find what was not working now.
04-24-2015 05:47 PM
Hmmm... Cheap Netgear switch that I grabbed off my shelf for testing. Maybe doing the ping to the inside LAN forced it to do some sort of ARP resolution? Wouldn't think it was a Linux problem because the other host I was using was Win 7. Either way I'm glad it's running and I thank you very much for your time and guidance. Kevin
04-23-2015 06:46 AM
I just assumed you were having the same problem.
Step by step..
Let's check if NAT is working.
use - sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 66.117.96.80:1 10.7.0.1:1 8.8.8.8 8.8.8.8
and you should get something like this when you ping from router and source from Inside interface.
Next ping from a host connected to inside network and check again..
use - sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 66.117.96.80:1 10.7.0.1:1 8.8.8.8 8.8.8.8
icmp 66.117.96.80:2 10.7.0.10:2 8.8.8.8 8.8.8.8 ---> do we have NAT/PAT?
if we have NAT but ping is still not working.. we are looking at routing and PAT translation is working
if there is no line for inside host - then we can work on Translation issue.
Things to check if there is no NAT..
Is packet hitting the inside interface. (use extended ACL and log)
on LAN inside in
and we should see the packet in and out.. and post logs.
ip access-list extended INGRESS
permit ip host 10.7.0.10 any log-input
permit ip any host 10.7.0.10 log-input
permit ip any any
when you add the ACL - do a ping and check NAT again.
Has it started working?
We may need to change the ACL to an extended ACL for PAT. Does the code support extended ACLs?
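The step-by-step check above (and the translation table Kevin posted on 04-24) comes down to one question: does the inside host appear in "sh ip nat translations", and is one inside global address being shared by several inside locals (PAT)? The script below is an added example, not anything from this thread or from Cisco; it parses pasted "show ip nat translations" output and answers that question so the triage decision (NAT problem vs. routing problem) does not depend on eyeballing the table. The sample output is constructed from the lines posted in the thread; the function names are my own.

```python
"""Triage helper for 'show ip nat translations' output (added example).

Answers the two questions raised in the thread: does a given inside host
have a translation, and is the router doing PAT (one inside global address
shared by more than one inside local address)?
"""
from collections import defaultdict

# Constructed sample, modelled on the translation tables posted in the thread.
SAMPLE = """\
Pro Inside global       Inside local        Outside local       Outside global
icmp 66.117.96.80:1     10.7.0.1:1          8.8.8.8             8.8.8.8
icmp 66.117.96.80:2     10.7.0.10:2         8.8.8.8             8.8.8.8
udp  66.117.96.80:123   10.7.0.2:123        129.6.15.30:123     129.6.15.30:123
tcp  66.117.96.80:36788 10.7.0.2:36788      184.51.115.9:80     184.51.115.9:80
"""


def split_addr(field):
    """'10.7.0.2:123' -> ('10.7.0.2', 123); a bare address -> (addr, None)."""
    if ":" in field:
        addr, port = field.rsplit(":", 1)
        return addr, int(port)
    return field, None


def parse_translations(text):
    """Return one dict per translation row; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        entries.append({
            "proto": proto,
            "inside_global": split_addr(ig),
            "inside_local": split_addr(il),
            "outside_local": split_addr(ol),
            "outside_global": split_addr(og),
        })
    return entries


def inside_hosts_translated(entries):
    """Set of inside-local addresses that currently have a translation."""
    return {e["inside_local"][0] for e in entries}


def is_pat(entries):
    """PAT/overload: one inside global address serves more than one inside local address."""
    locals_per_global = defaultdict(set)
    for e in entries:
        locals_per_global[e["inside_global"][0]].add(e["inside_local"][0])
    return any(len(hosts) > 1 for hosts in locals_per_global.values())


def diagnose(text, inside_host):
    """Map the table to the next troubleshooting step suggested in the thread."""
    entries = parse_translations(text)
    if inside_host not in inside_hosts_translated(entries):
        return "no translation for %s: work on the NAT/PAT configuration" % inside_host
    if is_pat(entries):
        return "PAT is translating %s: if ping still fails, look at routing" % inside_host
    return "translation exists for %s but no address sharing seen: check the overload statement" % inside_host


if __name__ == "__main__":
    for host in ("10.7.0.10", "10.7.0.99"):
        print(diagnose(SAMPLE, host))
```

Paste the router output into SAMPLE (or read it from a file) and call diagnose() with the inside host you pinged from; a host missing from the table means the packet never got translated, which is the case the extended ACL with log-input is meant to confirm.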
03-06-2015 05:46 PM
Can you please post the full config of your router as I think we may be missing some key information?
03-06-2015 04:19 PM
Your NAT config looks a bit weird if you're only using one global address.
Try this:
interface GigabitEthernet0/0
ip nat inside
interface GigabitEthernet0/1
ip nat outside
access-list 1 permit 10.149.4.0 0.0.0.255
ip nat inside source list 1 interface Gi0/1 overload
03-06-2015 05:07 PM
I agree.
It should have been those four lines.
I need to use 10/8 but yes
I tried that..
03-16-2015 03:49 PM
Sorry folks..
Found out that on a router when going from G0/0 to G0/1 the packet is switched (CEF) and not 'routed'.. when testing to confirm traffic we added an ACL and NAT started to work. We took the ACL off G0/0 and NAT stopped working.
We had to disable route-cache cef
<<<<< no ip route-cache cef >>>>>
interface GigabitEthernet0/0
ip address 10.149.4.146 255.255.255.252
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
no ip route-cache cef
load-interval 30
duplex full
speed 100
end
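Several posts in this thread boil down to whether the four-line overload setup is actually consistent: an inside and an outside interface, an access-list that covers the inside LAN (Kevin's "I need to use 10/8" remark), and an "ip nat inside source list ... interface ... overload" statement pointing at the outside interface. The checker below is an added example written for this thread, not Cisco tooling; it parses a pasted running-config fragment and reports those mismatches. Both sample configs are constructed from the addresses in the thread (the outside mask and the /30 are my assumptions), and it only reports whether "no ip route-cache cef" is present on NAT interfaces, since the thread found that to matter on this platform.

```python
"""Consistency check for a minimal 'ip nat inside source list ... overload' setup (added example)."""
import ipaddress
import re

# Constructed config fragments based on the thread; masks on the outside side are assumed.
GOOD_CONFIG = """
interface GigabitEthernet0/1
 ip address 10.7.0.1 255.255.0.0
 ip nat inside
 no ip route-cache cef
interface GigabitEthernet0/2
 ip address 66.117.96.80 255.255.255.240
 ip nat outside
access-list 1 permit 10.7.0.0 0.0.255.255
ip nat inside source list 1 interface Gi0/2 overload
"""

BAD_CONFIG = """
interface GigabitEthernet0/1
 ip address 10.7.0.1 255.255.0.0
 ip nat inside
interface GigabitEthernet0/2
 ip address 66.117.96.80 255.255.255.240
 ip nat outside
access-list 1 permit 10.149.4.0 0.0.0.255
ip nat inside source list 1 interface Gi0/2
"""


def canon(name):
    """'GigabitEthernet0/1' and 'Gi0/1' both become 'gi0/1' so references match."""
    m = re.match(r"([A-Za-z]+)(\S*)$", name)
    return (m.group(1)[:2] + m.group(2)).lower() if m else name.lower()


def parse_config(text):
    """Collect interfaces (address, nat role, CEF flag), standard ACLs and NAT rules."""
    ifaces, acls, rules, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = canon(line.split(None, 1)[1])
            ifaces[current] = {"address": None, "nat": None, "cef_disabled": False}
            continue
        m = re.match(r"access-list (\S+) permit (\S+) (\S+)$", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            current = None
            continue
        m = re.match(r"ip nat inside source list (\S+) interface (\S+)( overload)?$", line)
        if m:
            rules.append({"list": m.group(1), "interface": canon(m.group(2)), "overload": bool(m.group(3))})
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            ifaces[current]["address"] = ipaddress.ip_interface("%s/%s" % (m.group(1), m.group(2)))
        elif line in ("ip nat inside", "ip nat outside"):
            ifaces[current]["nat"] = line.split()[-1]
        elif line == "no ip route-cache cef":
            ifaces[current]["cef_disabled"] = True
    return ifaces, acls, rules


def acl_networks(entries):
    """Turn 'address wildcard' pairs into networks; non-contiguous wildcards are skipped."""
    nets = []
    for addr, wildcard in entries:
        try:
            nets.append(ipaddress.ip_network("%s/%s" % (addr, wildcard)))
        except ValueError:
            pass
    return nets


def check_nat(text):
    """Return a list of findings; an empty list means the four-line setup is consistent."""
    ifaces, acls, rules = parse_config(text)
    findings = []
    inside = [n for n, i in ifaces.items() if i["nat"] == "inside"]
    outside = [n for n, i in ifaces.items() if i["nat"] == "outside"]
    if not inside:
        findings.append("no interface marked 'ip nat inside'")
    if not outside:
        findings.append("no interface marked 'ip nat outside'")
    if not rules:
        findings.append("no 'ip nat inside source list ... interface ...' statement")
    for r in rules:
        if not r["overload"]:
            findings.append("list %s: missing 'overload', needed to share one global address" % r["list"])
        if r["interface"] not in outside:
            findings.append("list %s: %s is not marked 'ip nat outside'" % (r["list"], r["interface"]))
        nets = acl_networks(acls.get(r["list"], []))
        if not nets:
            findings.append("list %s: access-list missing or not expressible as prefixes" % r["list"])
        for n in inside:
            addr = ifaces[n]["address"]
            if addr and not any(addr.network.subnet_of(net) for net in nets):
                findings.append("list %s does not cover inside network %s on %s" % (r["list"], addr.network, n))
    return findings


def cef_status(text):
    """Which NAT interfaces have 'no ip route-cache cef' (the workaround used in the thread)."""
    ifaces, _, _ = parse_config(text)
    return {n: i["cef_disabled"] for n, i in ifaces.items() if i["nat"]}
```

Running check_nat() on the second fragment reports the missing overload keyword and that access-list 1 (10.149.4.0/24) does not cover the 10.7.0.0/16 inside LAN, which is exactly the kind of mismatch that leaves the inside host absent from the translation table.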