
static Nat help

ibrasoul
Level 1

Hello guys, I just need some help configuring static NAT on my Cisco router. Some configuration is already done on the router. When I try to add my server using the command "ip nat inside source static x.x.x.x x.x.x.x", my server still cannot access the internet. Need some help, guys. The underlined IP is the one that I added, but it fails to get internet.

Here is my running config

license udi pid CISCO2921/K9 sn FCZ160970

!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description LINK TO AIRTEL
 bandwidth 100000
 ip address 172.16.100.2 255.255.255.240
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LINK TO CYBEROAM-A
 ip address 172.16.0.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description LINK TO CYBEROAM-B
 ip address 172.16.0.5 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0/1/0
 ip address 41.75.211.214 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 redistribute rip subnets
 network 172.16.0.84 0.0.0.3 area 1
 network 172.16.100.0 0.0.0.15 area 1
!
router rip
 version 2
 redistribute ospf 1 metric 4
 passive-interface GigabitEthernet0/0
 network 172.16.0.0
 no auto-summary
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list AVS_INTERNET interface FastEthernet0/1/0 overload
ip nat inside source static 172.16.2.19 41.75.211.210
ip nat inside source static 172.16.2.22 41.75.211.211
ip nat inside source static 172.16.2.15 41.75.211.212
ip nat inside source static 172.16.3.28 41.75.211.214
ip route 0.0.0.0 0.0.0.0 41.75.211.209
!
ip access-list extended AVS_INTERNET
 deny   ip host 172.16.2.10 172.16.0.0 0.0.255.255
 permit ip host 172.16.2.10 any
!
logging 172.16.4.20
!
no cdp run
!
 


dukenuk96
Level 3

A bit offtopic maybe.. but you have this command on interfaces:

ip virtual-reassembly in

are you sure you need it?

then you have:

ip nat inside source list AVS_INTERNET interface FastEthernet0/1/0 overload

ip access-list extended AVS_INTERNET
 deny   ip host 172.16.2.10 172.16.0.0 0.0.255.255
 permit ip host 172.16.2.10 any

strange construction.. what do you expect from this?

And you said "my server still cannot access internet" - if the task is just to let the server access the internet and the server does not publish any external services (web, mail, etc..) then overload is enough - it is not a good practice to allow all port ranges to be translated to your internal servers.

Also, please show the IP configuration of the server plus a traceroute. And tell me: are other hosts in your network able to access the Internet?
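
An added example (not part of the thread and not Cisco tooling): a Python check over the NAT lines of the config posted above. It reports the concern raised in this reply, static rules that translate every port, and also whether each global address is the router's own outside address or lies outside its subnet. The function name and finding labels are made up for illustration, and only the plain and tcp/udp forms of the static command are handled.

```python
import ipaddress

# Constructed sample: the NAT-relevant lines of the running config posted above.
CONFIG = """\
interface FastEthernet0/1/0
 ip address 41.75.211.214 255.255.255.248
 ip nat outside
!
ip nat inside source list AVS_INTERNET interface FastEthernet0/1/0 overload
ip nat inside source static 172.16.2.19 41.75.211.210
ip nat inside source static 172.16.2.22 41.75.211.211
ip nat inside source static 172.16.2.15 41.75.211.212
ip nat inside source static 172.16.3.28 41.75.211.214
"""

def audit_static_nat(config):
    """Return {(inside_local, inside_global): [finding, ...]} per static rule."""
    addrs, outside, rules, iface = {}, set(), [], None
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):  # a top-level line ends any interface block
            iface = words[1] if words[:1] == ["interface"] and len(words) > 1 else None
        if words[:5] == ["ip", "nat", "inside", "source", "static"]:
            rules.append(words[5:])
        elif iface and words[:2] == ["ip", "address"] and len(words) >= 4:
            addrs.setdefault(iface, []).append(
                ipaddress.ip_interface(f"{words[2]}/{words[3]}"))
        elif iface and words == ["ip", "nat", "outside"]:
            outside.add(iface)
    out_addrs = [a for name in outside for a in addrs.get(name, [])]
    report = {}
    for args in rules:
        port_rule = args[0] in ("tcp", "udp")
        local, glob = (args[1], args[3]) if port_rule else (args[0], args[1])
        g = ipaddress.ip_address(glob)
        findings = []
        if not port_rule:
            findings.append("all-ports")          # every port on the global IP maps to the host
        if any(g == a.ip for a in out_addrs):
            findings.append("interface-address")  # global IP is the router's own outside address
        if not any(g in a.network for a in out_addrs):
            findings.append("off-subnet")         # not inside any outside interface subnet
        report[(local, glob)] = findings
    return report

if __name__ == "__main__":
    for pair, findings in audit_static_nat(CONFIG).items():
        print(pair, findings)
```

On the posted config all four static rules are reported as all-ports, and 172.16.3.28 is additionally mapped to 41.75.211.214, the address configured on FastEthernet0/1/0 and used by the overload rule.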


ibrasoul
Level 1

This host has an IP of 172.16.2.19; it can access the internet and it is in the same subnet as 172.16.2.22.

Below is the trace route result from this host

tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  172.16.2.1
  2     1 ms    <1 ms    <1 ms  172.16.0.5
  3     7 ms     5 ms     5 ms  41.75.211.209
  4     7 ms     7 ms     7 ms  10.87.2.90
  5     6 ms     7 ms     7 ms  10.87.2.122

 

This is ipconfig result for 172.16.2.19

Windows IP Configuration

   Host Name . . . . . . . . . . . . : BI-SERVER
   Primary Dns Suffix  . . . . . . . : labnet.or.tz
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : labnet.or.tz

Ethernet adapter Local Area Connection 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #2
   Physical Address. . . . . . . . . : 00-15-5D-0F-04-04
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Emulated)
   Physical Address. . . . . . . . . : 00-15-5D-0F-04-02
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-0F-04-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.16.2.19(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   Default Gateway . . . . . . . . . : 172.16.2.1
   DNS Servers . . . . . . . . . . . : 172.16.4.15
                                       41.75.208.65
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{E8A224B3-8AAE-4A10-9D6E-E847DA39A963}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{73D37043-1CFB-48D8-A91C-8B4F0E19F41A}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{FEF6AD18-2DB7-4F62-B6FE-F22792C58EB6}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Note: 172.16.2.19 and 172.16.2.22 are both virtual machines that are in 172.16.2.20

 

Good, show the same for 172.16.2.22


C:\Users\administrator.LABNET>tracert 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.16.2.1
  2     *        *        *     Request timed out.
  3     *        *

 

C:\Users\administrator.LABNET>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : FALCON
   Primary Dns Suffix  . . . . . . . : labnet.or.tz
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : labnet.or.tz

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-0F-04-08
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.16.2.22(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   Default Gateway . . . . . . . . . : 172.16.2.1
   DNS Servers . . . . . . . . . . . : 172.16.4.15
                                       41.75.208.65
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{A7CB4C95-5D07-44C0-9983-EC48CA6B67FA}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Interesting... let's do some diagnostics on your router, show the following commands output from your router:

ping 8.8.8.8 source 41.75.211.211

traceroute 8.8.8.8 source 41.75.211.211

(maybe you will need to add secondary address 41.75.211.211 to FastEthernet0/1/0)

sh ip nat translations (while ping -t 8.8.8.8 from your problem host)

Then remove secondary address from router and try there:

ping 41.75.211.211

sh ip arp

please see the following results after doing what you suggested

 

DC-WAN-ISR2921#ping 8.8.8.8 source 41.75.211.211
% Invalid source address- IP address not on any of our up interfaces

DC-WAN-ISR2921#traceroute 8.8.8.8 source 41.75.211.211
% Invalid source address- IP address not on any of our up interfaces

 

sh ip nat translations (41.75.211.211 added as a secondary ip in fastethernet0/1/0)

udp 41.75.211.212:61799 172.16.2.15:61799 41.75.208.65:53    41.75.208.65:53
udp 41.75.211.212:63031 172.16.2.15:63031 41.75.208.65:53    41.75.208.65:53
--- 41.75.211.212      172.16.2.15        ---                ---
tcp 41.75.211.210:1234 172.16.2.19:1234   62.149.142.15:80   62.149.142.15:80
udp 41.75.211.210:5093 172.16.2.19:5093   167.114.210.233:46959 167.114.210.233:46959
tcp 41.75.211.210:63966 172.16.2.19:63966 52.74.15.80:80     52.74.15.80:80
--- 41.75.211.210      172.16.2.19        ---                ---
udp 41.75.211.211:5093 172.16.2.22:5093   167.114.210.233:46959 167.114.210.233:46959
udp 41.75.211.211:12476 172.16.2.22:12476 1.9.47.18:52617    1.9.47.18:52617
udp 41.75.211.211:12476 172.16.2.22:12476 86.163.137.102:52323 86.163.137.102:52323
--- 41.75.211.211      172.16.2.22        ---                ---

tcp 41.75.211.214:1234 172.16.3.28:1234   62.149.142.15:80   62.149.142.15:80
icmp 41.75.211.214:3686 172.16.3.28:3686  123.126.126.107:3686 123.126.126.107:3686
udp 41.75.211.214:5093 172.16.3.28:5093   167.114.210.233:46959 167.114.210.233:46959
udp 41.75.211.214:50181 172.16.3.28:50181 27.106.62.222:11174 27.106.62.222:11174
--- 41.75.211.214      172.16.3.28        ---                ---

 

sh ip arp results
DC-WAN-ISR2921#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  41.75.211.209           0   0019.e287.8021  ARPA   FastEthernet0/1/0
Internet  41.75.211.210           -   7cad.743e.257a  ARPA   FastEthernet0/1/0
Internet  41.75.211.211           -   7cad.743e.257a  ARPA   FastEthernet0/1/0
Internet  41.75.211.212           -   7cad.743e.257a  ARPA   FastEthernet0/1/0
Internet  41.75.211.214           -   7cad.743e.257a  ARPA   FastEthernet0/1/0
Internet  172.16.0.1              -   442b.0321.c2e1  ARPA   GigabitEthernet0/1
Internet  172.16.0.2              0   0002.b642.7db3  ARPA   GigabitEthernet0/1
Internet  172.16.0.5              -   442b.0321.c2e2  ARPA   GigabitEthernet0/2
Internet  172.16.0.6              0   0002.b642.7db2  ARPA   GigabitEthernet0/2
Internet  172.16.100.1            4   0019.e286.8000  ARPA   GigabitEthernet0/0
Internet  172.16.100.2            -   442b.0321.c2e0  ARPA   GigabitEthernet0/0
Internet  172.16.100.3           99   f0f7.55d4.bb41  ARPA   GigabitEthernet0/0
Internet  172.16.100.4            0   Incomplete      ARPA
Internet  172.16.100.5          168   f0f7.55d4.9e21  ARPA   GigabitEthernet0/0
Internet  172.16.100.6          110   f0f7.55d4.b681  ARPA   GigabitEthernet0/0
Internet  172.16.100.7          150   f0f7.55d4.b981  ARPA   GigabitEthernet0/0
Internet  172.16.100.8          165   f0f7.55b3.a881  ARPA   GigabitEthernet0/0
Internet  172.16.100.9          133   f0f7.55d4.b841  ARPA   GigabitEthernet0/0
Internet  172.16.100.10          35   f0f7.55d4.bb81  ARPA   GigabitEthernet0/0

 

You missed a few key things I asked to do.. well.. would you like to make live tshoot using some app? You can write to my skype:andrey66_87

So the problem was on an intermediate device that acts as a firewall and router, between the host and the ISR router. After reconfiguring that device everything works fine.

Good luck, and have a good day!
