Routing question

spyhabs
Level 1

Hello,

At home, I bought a lab kit with routers and switches.

 

My ISP router (Hub 3000 with WiFi capability) is connected to a Cisco 2800 series g0/0 - 192.168.2.72/24. 

I connected a switch Catalyst 3750 to Cisco 2800 g0/1 - 192.168.1.1/24. 

I have multiple hosts connected to this private network.

 

For example, I installed an Apache server on 192.168.1.4.

 

My problem:

I am not able to ping 192.168.1.4 from a device connected to the 192.168.2.0 network. It's like my ISP router cannot route packets to 192.168.1.0. But I don't know how to fix this.

Can I access an internal server or host from outside?

 

Thanks. It will be great to have a clear answer.

 

Thanks

 

 


Giuseppe Larosa
Hall of Fame

Hello @spyhabs ,

 

>> I am not able to ping 192.168.1.4 from a device connected to 192.168.2.0 network. It's like my ISP router cannot route packet to 192.168.1.0. But I don't know how to fix this. 

 

Assuming that you cannot access the ISP router to change its configuration, you need to use NAT on your own C2800 router so that all addresses in 192.168.1.0/24 are translated to IP address 192.168.2.72, the one on the C2800 towards the ISP router.

 

int gi0/0
 ip nat outside

int gi0/1
 ip nat inside

access-list 11 permit 192.168.1.0 0.0.0.255

ip nat inside source list 11 interface gi0/0 overload

 

Hope to help

Giuseppe

 

Hi Giuseppe,

 

Thanks for your reply.  

 

I already set the NAT in my C2800

 

I try to ping 192.168.1.4 from my cell phone connected to 192.168.2.12 and I have a timeout.

 

C2800 configuration ====>

interface GigabitEthernet0/0
description Link to home router
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/3/0
no ip address
shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
access-list 1 permit 192.168.1.0 0.0.0.255

 

 

This is an issue about the way that NAT works. When you configure a normal address translation for dynamic translation as is shown in the config that you posted, then this enables translation for traffic originated from your inside network. Unfortunately it does not work for traffic originated from outside your network. The essence of the problem is that when your cell phone attempts to ping your device on the inside network there is currently not an entry in the translate table. To be able to ping 192.168.1.4 from 192.168.2.12 there needs to be a static NAT configured translating 192.168.1.4 into some address that the router can access.

HTH

Rick

Hi Richard,

 

So, how can I configure a static NAT? I don't see which commands to use for this :) sorry

 

Christian

    

Christian

The configuration is pretty simple

ip nat outside source static <inside_ip> <outside_ip>

The catch is that it requires a unique outside IP address. In the case of your lab it is pretty simple, just pick an IP in 192.168.2.x that is not in use. If you were really connecting to the Public Internet then it would need to be a Public IP. This is a fairly common situation when you have a server inside your network that needs to be accessible from the Public Internet.

HTH

Rick
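
Added example, not part of the original replies: a static mapping for the lab in this thread, written with IOS's `ip nat inside source static` form, which maps an inside local address (the Apache host) to an address on the outside segment. It reuses the thread's addresses, assumes 192.168.2.2 is unused on 192.168.2.0/24, and shows the all-ports mapping beside a TCP/80-only mapping that exposes just the web service.

```cisco
! Added example using the addresses from this thread.
! Assumption: 192.168.2.2 is not in use on 192.168.2.0/24.
!
! Existing dynamic PAT: a translation entry is created only when an
! inside host sends traffic out, so outside hosts cannot start a session.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
! Option A (broad): one-to-one static NAT. Every protocol and port on
! 192.168.1.4 becomes reachable from the outside segment via 192.168.2.2.
ip nat inside source static 192.168.1.4 192.168.2.2
!
! Option B (narrow): static port translation. Only TCP port 80 on
! 192.168.2.2 is forwarded to the Apache server; its other ports stay
! unexposed. Choose A or B for a given address, not both.
ip nat inside source static tcp 192.168.1.4 80 192.168.2.2 80
!
! Verify from privileged EXEC mode:
!   show ip nat translations   (the static entry is listed even with no traffic)
!   show ip nat statistics     (hit count rises when an outside host connects)
```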

Hi Richard,

 

What I did is the following command:

 

ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat outside source static 192.168.1.4 192.168.2.2 <<====================== NEW COMMAND
ip route 0.0.0.0 0.0.0.0 192.168.2.1

I can ping 192.168.2.2 from my cell phone 192.168.2.12.  

If I open a browser, and I type 192.168.2.2, I have an ERR_ADDRESS_UNREACHABLE.

 

I retried to open a browser inside the network inside 192.168.1.0.  And I have access to the web page.  

 

There's something blocked! Is it possible that the ISP router can block these packets?

 

Thanks

 

 

Christian

Glad that the static address translation does allow ping to work. The fact that ping does work but http/https does not work is interesting. Yes it is possible that the ISP router might allow ping (considered to be very low level of threat) originated from outside, but would block http/https (considered to be high level of threat) originated from outside. If this is a lab do you have access to the ISP router? Can you find out what security policies it implements?

HTH

Rick

Hi Richard,

 

I really don't know. This ISP router is a Hub 3000 from Bell and the interface menu is quite simple. No management console like a Cisco router. We cannot set the NAT table or configure the routing table. The only thing we can do is forwarding to a specific IP and port. I tried to set it to 192.168.2.2 port 80. And tried to connect to my public IP address and the connection is refused. So, I wonder if I could do this..

 

Thanks

 

 

Christian

If ping does work it demonstrates that basic IP connectivity is working. So there are not issues about routing etc. If some things, like ping, do work while other things, like http/https, do not work then it suggests that some type of security policy has been implemented. I do not have experience with Hub 3000 or any insight into its operation. So I cannot offer any advice about how to make this work.

But I will ask a couple of questions:

- If this configuration allows devices on the inside network to access the Internet (and to receive responses from the Internet) is that good enough?

- Is it important that devices in the Internet be able to originate traffic to a host address on the inside network?

HTH

Rick