The attachment has been edited.  Thanks.
 

Hi,

I have two hosts on the private LAN, 10.7.0.2 and 10.7.0.50.  Both can ping each other and they can ping 10.7.0.1.  They cannot ping the WAN interface of the router or anywhere beyond that.

Kevin

I agree with John that there are no obvious issues in the config that you posted. I have two questions for you.

1) I am sure that your 7301 can ping the hosts on the LAN when using the normal source address but can the 7301 ping the hosts if it uses the WAN interface as the source? I suspect that it can not and that leads to my second question.

2) can you check and see if the hosts have their default gateway set as 10.7.0.1?

HTH

Rick

Hi Rick,

Thank you for your response.  I verified the host on the internal LAN as a gateway address of 10.7.0.1.  Here are my results from different pings:

E7_SIP#ping 8.8.8.8     

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms

E7_SIP#ping 8.8.8.8 source g0/1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.7.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms

E7_SIP#ping 8.8.8.8 source g0/2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 66.11x.xx.xx
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms

E7_SIP#ping 10.7.0.1 source g0/2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.7.0.1, timeout is 2 seconds:
Packet sent with a source address of 66.11x.xx.xx
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

hi,

could you post a brief network diagram/topology and a tracert 8.8.8.8 output from a machine on your LAN?

also, is the 7301 on a live network? maybe you could schedule a quick downtime, copy the config from your 7301 to a spare router and see if the same problem gets replicated.

7301pat.pdf posted.  Sorry for the simple diagram.  Hope it helps.

Thanks

hi,

are you running any dynamic routing protocol on your 7604?

does the 7604 have a route to your 10.7.0.0/16?

could you try adding this on your 7604 and test again?

ip route 10.7.0.0 255.255.0.0 66.11x.xx.80

No dynamic routing on my 7604 and I did not build a route to 10.7.0.0 on the 7604 because it should never see any of those addresses, correct?  I would think it would only see 66.11x.xx.80 and the associated port but I will give it a try if you think it will help.

Thanks,

Everything I read indicates that I have the PAT config correct.  I guess I have to lean toward a routing problem at this point?  Looking at my routing table I see something I do not understand:

E7_SIP#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 66.11x.xx.1 to network 0.0.0.0

     66.0.0.0/24 is subnetted, 1 subnets
C       66.11x.xx.0 is directly connected, GigabitEthernet0/2
     10.0.0.0/16 is subnetted, 1 subnets
C       10.7.0.0 is directly connected, GigabitEthernet0/1
S*   0.0.0.0/0 [1/0] via 66.11x.xx.1
E7_SIP#

Is the text in red above correct?  Shouldn't it say 66.0.0.0/8 and not /24?  Shouldn't it also say it's variably subnetted?

Thanks.

Kevin

The configuration of the interface Gig0/2 has a mask of 255.255.255.0. And this router knows of only one subnet in that network. So the entry in the routing table showing a /24 is exactly the expected behavior. And as far as the router is concerned it is not variable subnetted, there is only one subnet that the router knows about for that network. So the sunbathing is consistent and not variable.

I suspect that you are correct that you are dealing with some kind of routing problem. You gave us quite a few ping results but not results of the pings that I asked for. I asked you to try to ping 10.7.0.2 and 10.7.0.50 using Gig0/2 as the source. Would you please do those pings and post the results.

HTH

Rick

Kevin

Would you post the output of ipconfig from the host at 10.7.0.2 (and perhaps from 10.7.0.50 also)? And perhaps also the output of route print.

HTH

Rick

OK.  Now I'm thoroughly confused.  The only thing I have done this morning is to log in to the router and run a ping from the "outside" source to an IP on the "inside" LAN.  "ping 10.7.0.2 source g0/2"  Then, as you suggested, I was logging in to the host on the inside LAN to look at ifconfig and run a traceroute to the outside and see where it was getting stopped.

To my amazement the traceroute ran from 10.7.0.2 to www.ibm.com without fail.  First time that I have been able to get beyond the router.  I have been able to go anywhere else ever since.  "sho ip nat trans" looks good too:

E7_SIP#sh ip nat trans
Pro Inside global         Inside local          Outside local         Outside global
udp 66.1x.xx.80:123      10.7.0.2:123          129.6.15.30:123       129.6.15.30:123
udp 66.11x.xx.80:123      10.7.0.2:123          132.163.4.101:123     132.163.4.101:123
udp 66.11x.xx.80:123      10.7.0.2:123          152.2.133.55:123      152.2.133.55:123
udp 66.11x.xx.80:123      10.7.0.2:123          198.60.22.240:123     198.60.22.240:123
tcp 66.11x.xx.80:36788    10.7.0.2:36788        184.51.115.9:80       184.51.115.9:80
E7_SIP#

Is it possible that my ping from outside source to inside host forced the 7301 to finally "learn" that it was supposed to do PAT?  If not, I have no idea what made it work and what to do if it stops working...

Thanks,

Kevin