08-26-2015 01:14 PM - edited 03-05-2019 02:10 AM
Good afternoon, all!
I'm trying to complete a change in our infrastructure where we've added another subnet in a datacenter. I need to get routing from hosts behind the router out to the Internet. I can ping from any host to any other subnet host in our LAN. I can ping from the router to the Internet (8.8.8.8). However, I cannot ping from any host behind the router to the internet. I'm sure there's a simple fix that I just can't see from where I am.
Details:
The LAN side interface is 192.168.208.1/24. The WAN side is 192.168.156.7/24. I have EIGRP set up to redistribute from networks 192.168.5.0 and 192.168.156.0, auto-summary. There are no static routes.
I used an existing, working configuration as a template. I can ping to the Internet from both the router and from hosts behind the router.
The two configurations are shown as old.txt and new.txt - the new one is the configuration from the router that's misbehaving.
As you can see the configs are nearly identical. It's a really old firmware, but I don't need it to do much.
Thanks to all for looking!
Gregg
08-26-2015 01:27 PM
Hello
I am not sure I understand:
" I can ping from any host to any other subnet host in our LAN. I can ping from the router to the Internet (8.8.8.8). However, I cannot ping from any host behind the router to the internet"
"I can ping to the Internet from both the router and from hosts behind the router."
Can you elaborate on this, please?
res
Paul
08-26-2015 03:03 PM
Hello, Paul!
When I log in to the router console I can ping to 8.8.8.8. When I log in to any host in the network behind the router (192.168.208.0) I can't get to 8.8.8.8. I can get to any internal network or host, but not out to the Internet. A traceroute from the router looks like this:
1 192.168.156.1 0 msec 4 msec 0 msec
2 67.53.158.129 0 msec 0 msec 4 msec
3 rrcs-67-52-245-145.west.biz.rr.com (67.52.245.145) 0 msec 0 msec 0 msec
4 65.189.183.129 [MPLS: Label 5487 Exp 0] 8 msec 4 msec 8 msec
5 tge1-3-0-13.gnfdwibb01r.midwest.rr.com (65.29.44.190) 12 msec 8 msec 8 msec
6 bu-ether16.chcgildt87w-bcr00.tbone.rr.com (66.109.6.204) 12 msec 12 msec 12 msec
7 0.ae4.pr1.chi10.tbone.rr.com (66.109.1.66) 28 msec 8 msec 12 msec
8 ix-27-0.tcore2.CT8-Chicago.as6453.net (64.86.79.97) 9 msec 8 msec 8 msec
9 72.14.219.82 68 msec 64 msec 64 msec
10 209.85.255.132 8 msec
209.85.143.152 24 msec
209.85.255.26 8 msec
11 72.14.237.130 [MPLS: Label 33939 Exp 4] 20 msec
209.85.254.240 [MPLS: Label 283703 Exp 4] 16 msec
72.14.237.133 [MPLS: Label 282067 Exp 4] 20 msec
12 209.85.244.209 [MPLS: Label 664914 Exp 4] 20 msec
209.85.250.4 [MPLS: Label 389782 Exp 4] 20 msec 16 msec
13 216.239.43.217 20 msec
216.239.49.25 20 msec
72.14.233.135 20 msec
14 * * *
15 google-public-dns-a.google.com (8.8.8.8) 16 msec 16 msec 20 msec
So traffic can get from the router out to the Internet, but not from behind the router. A traceroute from a host behind the router (192.168.208.101) has this for a traceroute:
1 192.168.208.1 (192.168.208.1) 0.877 ms 0.835 ms 0.806 ms
2 192.168.156.1 (192.168.156.1) 1.380 ms 0.717 ms 0.576 ms
3 * * *
4 * * *
5 * * * and so on.
Let me know if this helps!
Thanks!
Gregg
08-26-2015 03:38 PM
All your addressing is private so something must be doing NAT on your IPs.
It looks to me as though 192.168.56.1 is perhaps meant to be doing NAT.
If so, have you set it up for the 192.168.208.x IP subnet?
By the way, not sure I understand your EIGRP configuration on either router, i.e. you have network statements such as 192.168.5.0/24 but no interfaces using that IP subnet, unless you only posted some of the configuration?
Jon
08-27-2015 08:12 AM
That is where an access-list of the approved IP addresses would come into play with the NAT overload statement.
08-27-2015 08:27 AM
I don't think this router is doing the NAT.
And we have no idea currently what type of device is doing the NAT, it may not be a router and it may not be a Cisco device.
The configuration you posted assumes the router is connected to the internet device and can use DHCP for a public IP but that isn't the case here.
Jon
08-27-2015 08:28 AM
Why NAT from one private address space to another though? I can't help but think we don't have the full picture here because there is very little in that config that looks as if it connects directly to the internet.
08-27-2015 08:40 AM
I'm getting confused now :-)
I'm not suggesting doing NAT twice.
From the traceroutes the next hop is 192.168.56.1 which is a private IP.
Both the working and non-working configurations show that IP as a next hop.
After that it is a public IP so I am assuming that 192.168.56.1 is responsible for doing the translations and my suggestion was to check that device to see if NAT had been configured to include the 192.168.208.0/24 subnet.
Jon
08-27-2015 08:44 AM
Sorry Jon - I did not read your reply correctly. I thought you were suggesting that our router in question was doing the NAT when you actually refer to the next hop.
08-27-2015 08:47 AM
No problem, I agree we don't seem to be getting the full picture here and the EIGRP configuration is misleading.
Jon
08-26-2015 04:30 PM
What interface is connected to your internet port?
You can do a simple DHCP style implementation with auto nat translation.
TO Internet port
Interface xxx
ip address dhcp client-id Interface xxx
ip nat outside
ip nat inside source list 1 interface xxx overload
ip route 0.0.0.0 0.0.0.0 dhcp
access-list 1 permit 192.168.208.0 0.0.0.255
access-list 1 permit 192.168.156.0 0.0.0.255
And then put ip nat inside on your LAN port. This will configure anything your internet provider has set as a public IP address and will NAT it to that IP address as a global address. You can talk to your internet provider and assign static IP addresses if you like that option more; I find it more reliable and easier to document, especially in a large environment.
08-27-2015 06:59 AM
From what you describe it does not look as if you are doing NAT on this particular device in question and your internet breakout is somewhere else further up the chain.
What I suspect is happening is that the firewall / router further upstream does not know how to route the return traffic back to this router. If you look at your config:
interface FastEthernet0/0
 ip address 192.168.156.7 255.255.255.0
 speed auto
 full-duplex
 no mop enabled
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.208.1 255.255.255.0
 speed auto
 full-duplex
 no mop enabled
!
router eigrp 1
 redistribute connected
 network 192.168.5.0
 network 192.168.156.0
 auto-summary
!
Your "WAN" side interface is participating in EIGRP but the LAN side is not so anything north of this router does not know about the 192.168.208.0/24 network.
Try adding "network 192.168.208.0" under router eigrp 1 process.
08-27-2015 07:02 AM
I agree the EIGRP configuration is confusing but the "redistribute connected" should advertise the 192.168.208.0/24 subnet even though it will be an EIGRP external.
Jon
08-27-2015 07:07 AM
Yes I spotted that after I posted it. He doesn't explicitly say that the subnet he is trying to get to the internet from is the 192.168.208.0/24 one (although that is my assumption).
Unless his LAN side subnet is 192.168.5.0/24 which would explain that odd entry under EIGRP 1. In which case my solution might still be the answer.
08-27-2015 07:10 AM
It is somewhat confusing :-)
Jon
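The EIGRP question debated in the replies above (which connected subnets the "router eigrp 1" stanza advertises, and how) can be checked mechanically. This is an added example, not code from any poster: `classful` and `audit` are hypothetical helper names, the sample config is retyped from the snippet quoted in the thread, and it assumes a `network` line without a wildcard mask matches the classful network.

```python
import ipaddress
import re

# Constructed sample: the interface and EIGRP lines quoted in the thread.
CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.156.7 255.255.255.0
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.208.1 255.255.255.0
!
router eigrp 1
 redistribute connected
 network 192.168.5.0
 network 192.168.156.0
 auto-summary
!
"""

def classful(addr):
    """Network matched by an EIGRP 'network' line given without a wildcard mask."""
    first = int(addr.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def audit(config):
    """Classify each connected subnet by how the EIGRP process would advertise it."""
    connected = [ipaddress.ip_interface(f"{a}/{m}").network
                 for a, m in re.findall(r"^ ip address (\S+) (\S+)$", config, re.M)]
    networks = [classful(a) for a in re.findall(r"^ network (\S+)$", config, re.M)]
    redistribute = bool(re.search(r"^ redistribute connected", config, re.M))
    report = {"internal": [], "external": [], "unadvertised": [], "unused_network": []}
    for net in connected:
        if any(net.subnet_of(n) for n in networks):
            report["internal"].append(str(net))      # matched by a network statement
        elif redistribute:
            report["external"].append(str(net))      # only via redistribute connected
        else:
            report["unadvertised"].append(str(net))  # upstream never learns this subnet
    for n in networks:
        if not any(c.subnet_of(n) for c in connected):
            report["unused_network"].append(str(n))  # statement with no interface behind it
    return report

if __name__ == "__main__": print(audit(CONFIG))
```

For the posted config this reports 192.168.208.0/24 as an EIGRP external and 192.168.5.0/24 as a network statement with no matching interface, the two oddities the replies discuss.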