03-13-2008 07:46 AM - edited 03-03-2019 09:07 PM
Hello everyone,
Thank you for looking at this post. I have a bit of an issue that I cannot figure out.
I am attempting to setup a NAT configuration for an Internet provider but something is going on. I have changed the IPs below so they are not those for the actual provider.
FA0/0 is set to ip nat inside and Mult1 is set to ip nat outside (three T1's multilinked together).
I have setup the FA0/0 with a secondary address of 192.168.5.1/24.
The range for NAT is 1.1.1.248 - 254 with a /30 subnet. I have tried both with an overload configuration and without an overload.
When I do a sh ip nat trans on the router, I can see where a user 192.168.5.2 is translated to the first IP - 1.1.1.248. However, the user is not able to get to the Internet. They can ping actual IP addresses but anything requiring a DNS lookup doesn't appear to be working.
The DNS server is working, however. The user does an nslookup and gets to their DNS server and can do lookups.
Here is some more information:
The provider has two Class C ranges:
1.1.1.0/24
2.1.1.0/24
FA0/0 is set with the following IPs:
2.1.1.1/24
1.1.1.1/24 secondary
192.168.5.1/24 secondary
192.168.6.1/24 secondary
IP access list 1 is set to permit 192.168.5.0 0.0.0.255
DNS servers are 2.1.1.3 and 2.1.1.4
When the user sets their IP to 192.168.5.2, they can ping anything in the 2.1.1.0/24 and 1.1.1.0/24 range without any problem - as well as the 192.168.5.0/24 range.
The provider has current users setup with static IPs in the 1.1.1.0/24 network range up until the NAT pool as listed above. There are also static IP users in the 2.1.1.0/24 network.
NAT settings:
timeout 300
tcp-timeout 300
finrst-timeout 300
dns-timeout 300
I am completely at a loss as to what is going on because I have looked through several other NAT resources to no avail. The user can ping and trace route to IP addresses on the Internet - but not DNS-based although DNS lookups are working without any problem.
Thank you!
Brian S.
03-13-2008 11:09 AM
Brian:
It would be nice to see the actual configs. However, I did notice one thing. If you want your NAT pool to span 1.1.1.248 - .254, the subnet mask you should be using is /29, not /30.
I am wondering if this one user has a browser configuration that uses a proxy server or a configuration script that is overriding the manual settings. Yes, he is successful when he tries to access Internet addresses from a DOS screen (nslookup), but when doing so with the browser, it seems to be failing. I would like to see another user get on the network and run some tests with him.
Have you tried telnetting to an Internet address on port 80 to see if the connection goes through?
example: PC DOS PROMPT> telnet 69.147.114.210 80
This is what I can think of so far. I hope this can help you.
Victor
03-13-2008 12:21 PM
Thank you for the reply, Victor.
Yes, it was my mistake with the subnet mask. I was one off and it is 29 bits; 255.255.255.248 is the mask.
The NAT pool is 1.1.1.249 - 254 as well.
So you do believe that the config is setup correctly then. Here is a copy of the config - with pertinent information changed.
hostname
!
enable secret 5
!
ip subnet-zero
!
!
ip name-server 2.1.1.3
!
!
!
!
interface Multilink1
ip address 2.112.69.166 255.255.255.252
ip nat outside
no cdp enable
ppp multilink
no ppp multilink fragmentation
multilink-group 1
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0 secondary
ip address 192.168.32.1 255.255.255.0 secondary
ip address 192.168.33.1 255.255.255.0 secondary
ip address 192.168.34.1 255.255.255.0 secondary
ip address 192.168.35.1 255.255.255.0 secondary
ip address 192.168.36.1 255.255.255.0 secondary
ip address 192.168.37.1 255.255.255.0 secondary
ip address 192.168.38.1 255.255.255.0 secondary
ip address 192.168.39.1 255.255.255.0 secondary
ip address 192.168.40.1 255.255.255.0 secondary
ip address 192.168.41.1 255.255.255.0 secondary
ip address 192.168.42.1 255.255.255.0 secondary
ip address 192.168.43.1 255.255.255.0 secondary
ip address 192.168.44.1 255.255.255.0 secondary
ip address 192.168.45.1 255.255.255.0 secondary
ip address 192.168.46.1 255.255.255.0 secondary
ip address 2.1.1.1 255.255.255.0
ip nat inside
speed 100
full-duplex
!
interface Serial0/0
no ip address
encapsulation ppp
no fair-queue
service-module t1 timeslots 1-24
ppp multilink
multilink-group 1
!
interface Serial0/1
no ip address
encapsulation ppp
no fair-queue
service-module t1 timeslots 1-24
ppp multilink
multilink-group 1
!
interface Serial1/0
no ip address
encapsulation ppp
no fair-queue
service-module t1 timeslots 1-24
ppp multilink
multilink-group 1
!
ip nat translation timeout 300
ip nat translation tcp-timeout 300
ip nat translation finrst-timeout 300
ip nat translation dns-timeout 300
ip nat pool private 1.1.1.249 1.1.1.254 netmask 255.255.255.248
ip nat inside source list 1 pool private
ip classless
ip route 0.0.0.0 0.0.0.0 2.112.69.165
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.32.0 0.0.31.255
banner login ^C
Unauthorized access is prohibited by law
For assistance, contact
!
line con 0
password 7
login
line aux 0
line vty 0 4
password 7
login
!
!
end
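Added example, not code from the original posts: a few offline checks for the two configuration points discussed in this thread, the netmask a pool spanning .248-.254 needs (Victor's /29 remark) and which inside addresses the posted access-list 1 will actually send through the pool. The addresses are the already-altered ones from the posted config; the wildcard-mask arithmetic is standard Cisco ACL semantics, and the capacity note assumes the `ip nat inside source list 1 pool private` line stays without `overload`, as posted.

```python
"""Offline sanity checks for the NAT pool and inside ACL quoted in the thread.

Added example, not from the original posts. Standard library only; the
addresses are the (already altered) ones from the posted config.
"""
import ipaddress


def pool_fits_netmask(first: str, last: str, netmask: str) -> bool:
    """True when first..last are usable host addresses of a single subnet
    under netmask (strictly between the network and broadcast address).

    This is the arithmetic behind the /29 remark: .248-.254 cannot be covered
    by a /30, and .248 itself is the /29 network address, so the usable pool
    under 255.255.255.248 is .249-.254.
    """
    net = ipaddress.ip_network(f"{first}/{netmask}", strict=False)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lo <= hi and net.network_address < lo and hi < net.broadcast_address


def pool_capacity(first: str, last: str) -> int:
    """Number of inside-global addresses in the pool.

    Without `overload` on the translation line, each inside host holds one
    pool address while it has active translations, so this is also the
    number of inside hosts that can be translated at the same time.
    """
    return int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1


def wildcard_matches(acl_addr: str, wildcard: str, addr: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.ip_address(acl_addr))
    x = int(ipaddress.ip_address(addr))
    return (a ^ x) & care == 0


def wildcard_range(acl_addr: str, wildcard: str):
    """Lowest and highest address an ACL entry matches (contiguous wildcard)."""
    a = int(ipaddress.ip_address(acl_addr))
    w = int(ipaddress.ip_address(wildcard))
    low = ipaddress.ip_address(a & ~w & 0xFFFFFFFF)
    high = ipaddress.ip_address(a | w)
    return str(low), str(high)


def check_nat_config(first, last, netmask, acl_addr, wildcard, inside_hosts):
    """Run all checks for one pool / ACL pair and return a report dict."""
    return {
        "pool_ok": pool_fits_netmask(first, last, netmask),
        "pool_capacity": pool_capacity(first, last),
        "acl_range": wildcard_range(acl_addr, wildcard),
        "translated": {h: wildcard_matches(acl_addr, wildcard, h) for h in inside_hosts},
    }


if __name__ == "__main__":
    # Values from the posted config:
    #   access-list 1 permit 192.168.32.0 0.0.31.255
    #   ip nat pool private 1.1.1.249 1.1.1.254 netmask 255.255.255.248
    for mask in ("255.255.255.252", "255.255.255.248"):
        print(mask,
              "248-254 fits:", pool_fits_netmask("1.1.1.248", "1.1.1.254", mask),
              "249-254 fits:", pool_fits_netmask("1.1.1.249", "1.1.1.254", mask))
    report = check_nat_config("1.1.1.249", "1.1.1.254", "255.255.255.248",
                              "192.168.32.0", "0.0.31.255",
                              ["192.168.32.10", "192.168.46.1", "192.168.5.2"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as-is to see that only the /29 mask accepts .249-.254, that the pool holds six addresses (so at most six inside hosts at once without `overload`), and that the posted ACL covers 192.168.32.0 through 192.168.63.255, which is where every secondary address on FastEthernet0/0 lives.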
03-13-2008 05:30 PM
Brian:
I'm not catching anything wrong with your config.
Did you ever check the things I suggested you check in my first post?
Browser settings...other users...etc....?
Victor
03-13-2008 05:33 PM
Thank you for taking time to troubleshoot this, Victor.
After all this time, the problem was discovered.
The owner had blocks on his DNS server to only allow those two Class C ranges to do DNS lookups. After adding the new range for the private IPs, he was able to connect and have no problems at all.
Apparently when they had a private IP and were doing DNS lookups, the DNS server was returning the top-level servers such as a-z.gltd...
Brian S.
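Added example, not code from the original thread: a stdlib-only Python check that tells a real recursive answer apart from the two things a DNS server hands out when its recursion ACL does not cover the client's (translated) source address, a REFUSED response or an empty answer with the root/TLD name servers in the authority section, which is the symptom the last post describes. The server behaviour described in the docstring is the common resolver behaviour, not something taken from the provider's server; the sample messages are constructed here, and `query_udp` is only there for a live test from a host in the NAT range.

```python
"""Tell a recursive DNS answer from a refusal or a referral, offline.

Added example, not part of the original thread. Standard library only.
A resolver that will not recurse for a client typically clears the RA
(recursion available) flag and returns either RCODE 5 (REFUSED) or an empty
answer section with root/TLD NS records in the authority section, which is
what the thread reports for clients coming from the new NAT pool. The
messages below are constructed here, not captured from a real network.
"""
import socket
import struct

QR, RD, RA = 1 << 15, 1 << 8, 1 << 7          # header flag bits (RFC 1035 4.1.1)
RCODE_NAME = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels; "." is the root."""
    labels = [label for label in name.strip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A query (RD=1), the kind nslookup sends."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def build_response(qname, rcode=0, ra=True, answers=(), authority=(), txid=0x1234):
    """Constructed response: answers are IPv4 strings, authority are NS hostnames
    delegated from the root (what a non-recursing server hands back)."""
    flags = QR | RD | (RA if ra else 0) | (rcode & 0xF)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for ip in answers:                                     # A RR, TTL 300
        msg += encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    for ns in authority:                                   # NS RR owned by "."
        rdata = encode_name(ns)
        msg += encode_name(".") + struct.pack("!HHIH", 2, 1, 86400, len(rdata)) + rdata
    return msg


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header: flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(msg: bytes) -> str:
    """answer / referral / refused / other rcode / empty, from the header alone."""
    if len(msg) < 12:
        return "truncated"
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] != 0:
        return RCODE_NAME.get(h["rcode"], f"rcode{h['rcode']}").lower()
    if h["ancount"] > 0:
        return "answer"
    if h["nscount"] > 0 and not h["ra"]:
        return "referral"          # server would not recurse; it delegated upward
    return "empty"


def query_udp(server: str, qname: str, timeout: float = 3.0) -> bytes:
    """Live check against a real server (not exercised by the offline samples)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        return s.recv(4096)


# Constructed samples: what an allowed and a denied client might see.
SAMPLES = {
    "client in allowed range": build_response("www.example.com", answers=["192.0.2.10"]),
    "NAT client, referral to roots": build_response(
        "www.example.com", ra=False,
        authority=["a.root-servers.net", "b.root-servers.net"]),
    "NAT client, refused": build_response("www.example.com", rcode=5, ra=False),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        h = parse_header(msg)
        print(f"{label:32} RA={int(h['ra'])} rcode={RCODE_NAME.get(h['rcode'])} "
              f"an={h['ancount']} ns={h['nscount']} -> {classify(msg)}")
```

To reproduce the thread's test, call `classify(query_udp("<dns server>", "www.example.com"))` once from a host whose source address the server's ACL already allows and once from a host that is translated into the NAT pool; a clean pool address should move the verdict from "referral" or "refused" to "answer" only after the pool range is added to the server's recursion ACL.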
03-13-2008 06:40 PM
You're welcome, Brian
Glad you got it beat.
victor