Simple routing to the Internet

Gregg Hughes
Level 1

Good afternoon, all!

I'm trying to complete a change in our infrastructure where we've added another subnet in a datacenter.  I need to get routing from hosts behind the router out to the Internet.  I can ping from any host to any other subnet host in our LAN.  I can ping from the router to the Internet (8.8.8.8).  However, I cannot ping from any host behind the router to the internet.  I'm sure there's a simple fix that I just can't see from where I am.

Details:

  The LAN side interface is 192.168.208.1/24.  The WAN side is 192.168.156.7/24.  I have EIGRP set up to redistribute from networks 192.168.5.0 and 192.168.156.0, auto-summary.  There are no static routes.

I used an existing, working configuration as a template.  I can ping to the Internet from both the router and from hosts behind the router.  

The two configurations are shown as old.txt and new.txt - the new one is the configuration from the router that's misbehaving.

As you can see the configs are nearly identical.  It's a really old firmware, but I don't need it to do much.

 

Thanks to all for looking!

 

Gregg

 

16 Replies

Hello

I am not sure I understand:

" I can ping from any host to any other subnet host in our LAN.  I can ping from the router to the Internet (8.8.8.8).  However, I cannot ping from any host behind the router to the internet"


"I can ping to the Internet from both the router and from hosts behind the router."

Can you elaborate on this please.
 

Paul



Hello, Paul!

When I log to the router console I can ping to 8.8.8.8.  When I log to any host in the network behind the router (192.168.208.0) I can't get to 8.8.8.8.  I can get to any internal network or host, but not out to the Internet. A traceroute from the router looks like this:

  1 192.168.156.1 0 msec 4 msec 0 msec
  2 67.53.158.129 0 msec 0 msec 4 msec
  3 rrcs-67-52-245-145.west.biz.rr.com (67.52.245.145) 0 msec 0 msec 0 msec
  4 65.189.183.129 [MPLS: Label 5487 Exp 0] 8 msec 4 msec 8 msec
  5 tge1-3-0-13.gnfdwibb01r.midwest.rr.com (65.29.44.190) 12 msec 8 msec 8 msec
  6 bu-ether16.chcgildt87w-bcr00.tbone.rr.com (66.109.6.204) 12 msec 12 msec 12 msec
  7 0.ae4.pr1.chi10.tbone.rr.com (66.109.1.66) 28 msec 8 msec 12 msec
  8 ix-27-0.tcore2.CT8-Chicago.as6453.net (64.86.79.97) 9 msec 8 msec 8 msec
  9 72.14.219.82 68 msec 64 msec 64 msec
 10 209.85.255.132 8 msec
      209.85.143.152 24 msec
      209.85.255.26 8 msec
 11 72.14.237.130 [MPLS: Label 33939 Exp 4] 20 msec
      209.85.254.240 [MPLS: Label 283703 Exp 4] 16 msec
      72.14.237.133 [MPLS: Label 282067 Exp 4] 20 msec
 12 209.85.244.209 [MPLS: Label 664914 Exp 4] 20 msec
      209.85.250.4 [MPLS: Label 389782 Exp 4] 20 msec 16 msec
 13 216.239.43.217 20 msec
      216.239.49.25 20 msec
      72.14.233.135 20 msec
 14  *  *  *
 15 google-public-dns-a.google.com (8.8.8.8) 16 msec 16 msec 20 msec

 

So traffic can get from the router out to the Internet, but not from behind the router.  A traceroute from a host behind the router (192.168.208.101) has this for a traceroute:

 1  192.168.208.1 (192.168.208.1)  0.877 ms  0.835 ms  0.806 ms
 2  192.168.156.1 (192.168.156.1)  1.380 ms  0.717 ms  0.576 ms
 3  * * *
 4  * * *
 5  * * * and so on.

 

Let me know if this helps!

Thanks!

 

Gregg

 

 

All your addressing is private so something must be doing NAT on your IPs.

It looks to me as though 192.168.56.1 is perhaps meant to be doing NAT.

If so, have you set it up for the 192.168.208.x IP subnet?

By the way, not sure I understand your EIGRP configuration on either router, i.e. you have network statements such as 192.168.5.0/24 but no interfaces using that IP subnet, unless you only posted some of the configuration?

Jon

That is where an access-list of the approved IP addresses would come into play with the NAT overload statement.

I don't think this router is doing the NAT.

And we have no idea currently what type of device is doing the NAT, it may not be a router and it may not be a Cisco device.

The configuration you posted assumes the router is connected to the internet device and can use DHCP for a public IP but that isn't the case here.

Jon

Why NAT from one private address space to another though? I can't help but think we don't have the full picture here because there is very little in that config that looks as if connects directly to the internet.

I'm getting confused now :-)

I'm not suggesting doing NAT twice.

From the traceroutes the next hop is 192.168.56.1 which is a private IP.

The working and non-working configurations both show that IP as a next hop.

After that it is a public IP so I am assuming that 192.168.56.1 is responsible for doing the translations and my suggestion was to check that device to see if NAT had been configured to include the 192.168.208.0/24 subnet.

Jon

Sorry Jon - I did not read your reply correctly. I thought you were suggesting that our router in question was doing the NAT when you actually refer to the next hop.

No problem, I agree we don't seem to be getting the full picture here and the EIGRP configuration is misleading.

Jon

What interface is connected to your internet port?

You can do a simple DHCP style implementation with auto nat translation.

 

 

! To Internet port
Interface xxx
 ip address dhcp client-id Interface xxx
 ip nat outside
!
ip nat inside source list 1 interface xxx overload
!
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 1 permit 192.168.208.0 0.0.0.255
access-list 1 permit 192.168.156.0 0.0.0.255

 

Then put ip nat inside on your LAN port; this will configure anything your internet provider has set as a public IP address and will NAT it to that IP address as a global address. You can talk to your internet provider and assign static IP addresses if you like that option more; I find it more reliable and easier to document, especially in a large environment.

mfurnival
Level 4

From what you describe it does not look as if you are doing NAT on this particular device in question and your internet breakout is somewhere else further up the chain.

What I suspect is happening is that the firewall / router further upstream does not know how to route the return traffic back to this router. If you look at your config:

 

interface FastEthernet0/0
 ip address 192.168.156.7 255.255.255.0
 speed auto
 full-duplex
 no mop enabled
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.208.1 255.255.255.0
 speed auto
 full-duplex
 no mop enabled
!
router eigrp 1
 redistribute connected
 network 192.168.5.0
 network 192.168.156.0
 auto-summary
!

 

Your "WAN" side interface is participating in EIGRP but the LAN side is not so anything north of this router does not know about the 192.168.208.0/24 network.

Try adding "network 192.168.208.0" under router eigrp 1 process.

 

I agree the EIGRP configuration is confusing but the "redistribute connected" should advertise the 192.168.208.0/24 subnet even though it will be an EIGRP external.

Jon
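
The distinction raised in the two posts above, a connected subnet matched by a network statement versus one picked up only by "redistribute connected", can be checked mechanically. This is an added example, not part of the original thread: the function names covered and eigrp_advertisement are hypothetical, and it assumes a single routing process, contiguous wildcard masks, and no shut-down interfaces carrying addresses.

```python
import ipaddress

# Constructed sample: the relevant lines of the configuration quoted in the thread.
CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.156.7 255.255.255.0
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.208.1 255.255.255.0
!
router eigrp 1
 redistribute connected
 network 192.168.5.0
 network 192.168.156.0
 auto-summary
!
"""

def covered(words):
    """Network matched by 'network <addr> [wildcard]'; classful if no wildcard."""
    if len(words) == 3:
        mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(words[2])) ^ 0xFFFFFFFF)
        return ipaddress.ip_network(f"{words[1]}/{mask}", strict=False)
    first = int(words[1].split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{words[1]}/{prefix}", strict=False)

def eigrp_advertisement(config):
    """Return {connected subnet: 'internal' | 'external' | 'not advertised'}."""
    connected, networks, redistribute, section = [], [], False, ""
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):
            section = words[0] if words else ""  # 'interface', 'router' or '!'
        elif section == "interface" and words[:2] == ["ip", "address"] and len(words) == 4:
            connected.append(ipaddress.ip_interface(f"{words[2]}/{words[3]}"))
        elif section == "router" and words[:1] == ["network"]:
            networks.append(covered(words))
        elif section == "router" and words[:2] == ["redistribute", "connected"]:
            redistribute = True
    fallback = "external" if redistribute else "not advertised"
    return {str(i.network): "internal" if any(i.ip in n for n in networks) else fallback
            for i in connected}

print(eigrp_advertisement(CONFIG))
```

For the quoted configuration, 192.168.208.0/24 comes out as an EIGRP external route rather than unadvertised, which is why the upstream device's handling of that subnet (routing and NAT) is the next thing to check.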

Yes I spotted that after I posted it. He doesn't explicitly say that the subnet he is trying to get to the internet from is the 192.168.208.0/24 one (although that is my assumption).

Unless his LAN side subnet is 192.168.5.0/24 which would explain that odd entry under EIGRP 1. In which case my solution might still be the answer.

It is somewhat confusing :-)

Jon