Cannot get LAN access to Internet via Cisco 1921 Router

gtchenson
Level 1

Good day to all. I'm having a bit of trouble. I have a Cisco 1921 router from our ISP. It has two GigabitEthernet interfaces on-board and a GE 4-port switch expansion card. In the past, I would set GE0/0 to the public IP and GE0/1 to 192.168.1.254, but the ISP says that GE0/0 has to have an IP for end-to-end with them and that GE0/1 is what identifies the router on their network. So basically, I need to configure the router so that my clients on the LAN can see it as the default gateway using the IP 192.168.1.254, and I need to figure out how to NAT this thing with both interfaces used this way. I tried to assign an SVI using .1.254 to one of the switch ports on the 1921 (they can't go Layer 3; 'no switchport' doesn't work), but I still couldn't get traffic to route despite finally being able to ping the router at 192.168.1.254. The SVI has since been erased. Any and all help would be appreciated, as I'm new to Cisco and this routing scenario is very confusing. Below is the running config:

*Mar  4 16:25:19.159: %SYS-5-CONFIG_I: Configured from console by consolerun
Building configuration...

Current configuration : 5912 bytes
!
! Last configuration change at 16:25:19 UTC Wed Mar 4 2015
version 15.3
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Mxxxxxx1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
no ip source-route
!
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip cef
no ipv6 source-route
ipv6 unicast-routing
ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FTX18478091
!
!
username PXXXX_PXXXX_IXX_GXXXXXX_CX_R1_1921 nopassword
!
redundancy
!
!
!
policy-map SHAPER
 class class-default
  shape average 10000000
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address xxx.xxx.147.162 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mfib forwarding input
 no ip mfib cef input
 no ip mfib cef output
 load-interval 30
 duplex full
 speed 100
 ipv6 address xxxx:xxxx:xxx:xxxx::xxxx:xxxx/64
 ipv6 enable
 ipv6 nd ra suppress
 no ipv6 redirects
 no ipv6 unreachables
 no ipv6 mfib forwarding input
 no ipv6 mfib cef input
 no ipv6 mfib cef output
 ipv6 traffic-filter MIS-Inbound in
 no cdp enable
 service-policy output SHAPER
!
interface GigabitEthernet0/1
 ip address xx.xxx.74.65 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mfib forwarding input
 no ip mfib cef input
 no ip mfib cef output
 load-interval 30
 duplex auto
 speed auto
 ipv6 address xxxx:xxxx:xxxx:xxxx::x/56
 ipv6 enable
 ipv6 nd ra suppress
 no ipv6 redirects
 no ipv6 unreachables
 no ipv6 mfib forwarding input
 no ipv6 mfib cef input
 no ipv6 mfib cef output
 no cdp enable
!
interface GigabitEthernet0/0/0
 no ip address
!
interface GigabitEthernet0/0/1
 no ip address
!
interface GigabitEthernet0/0/2
 no ip address
!
interface GigabitEthernet0/0/3
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan10
 no ip address
!
interface Vlan20
 no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip default-network 0.0.0.0
ip route 0.0.0.0 0.0.0.0 xx.xxx.147.161
ip route 192.168.1.0 255.255.255.0 xxx.xxx.74.66
!
no cdp run
ipv6 route ::/0 2001:1890:C00:644E::EE10:116C
!
!
access-list 101 deny   ip host 0.0.0.0 any log
access-list 101 permit icmp 135.89.154.144 0.0.0.15 any
access-list 101 permit icmp 135.89.152.48 0.0.0.15 any
access-list 101 permit icmp 12.38.168.0 0.0.0.15 any
access-list 101 permit icmp any any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any
access-list 101 deny   ip 240.0.0.0 15.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip any any
!
ipv6 access-list MIS-Inbound
 remark Deny loopback address
 deny ipv6 host ::1 any
 remark Deny IPv4-mapped addresses (obsolete)
 deny ipv6 ::FFFF:0.0.0.0/96 any
 remark Deny IPv4-compatible addresses
 deny ipv6 ::/96 any
 remark Deny auto tunneled packets
 remark Deny Unique-Local packets
 deny ipv6 FC00::/7 any
 remark Deny RH0 packets
 deny ipv6 any any routing-type 0 log
 remark Deny multicast packets
 deny ipv6 FF00::/8 any
 remark Deny Customer addresses from Internet
 deny ipv6 FD00:1111:2222:3300::/56 any log
 remark permit everything else
 permit ipv6 any any
!
control-plane
!
!
line con 0
 session-timeout 30
 exec-timeout 30 0
 password 7 
 login
line aux 0
 session-timeout 30
 exec-timeout 30 0
 password 7 
 login
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 session-timeout 30
 exec-timeout 30 0
 password 7 
 login
 transport input all
!
scheduler allocate 20000 1000
ntp server 192.43.244.18
!
end

Mxxxxxx1#

Below is the routing:

show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is xxx.xxx.147.161 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via xxx.xxx.147.161
      xxx.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C        xxx.xxx.147.160/30 is directly connected, GigabitEthernet0/0
L        xxx.xxx.147.162/32 is directly connected, GigabitEthernet0/0
C        xxx.xxx.74.64/29 is directly connected, GigabitEthernet0/1
L        xxx.xxx.74.65/32 is directly connected, GigabitEthernet0/1
S     192.168.1.0/24 [1/0] via xxx.xxx.74.66

Thanks again for any help.

Accepted Solution

Jon Marshall
Hall of Fame

I have no idea what the ISP is talking about.

I understand the gi0/0 part as that connects you to the ISP.

But the other IP subnet should not need to be assigned to an interface on your router.

The ISP should simply have a route on their router for that subnet pointing to the x.x.147.162 IP address.

Then you can just use those IPs as you want ie. for NAT.

I also don't understand what gi0/1 is connected to ?

Jon

Me neither. GE0/1 is just given a public IP for some reason, not sure why. For some insight, this router is an AT&T MIS router (it's a new managed service they provide) on their new enterprise fiber service (so new their own support team doesn't know about it), so it's basically managed by them and this is the configuration that was delivered to us. I'm going to try backing the config up to a file and assigning GE0/1 to 1.254 with NAT enabled and see how far I get. I wanted to see if I was missing something obvious though.

If you use gi0/1 for the private IPs it should work fine.

I really can't see the point of their configuration.

In effect you would need to then use public IPs for your clients if you connected your switch to gi0/1 and you don't have enough IPs for that.

I would talk to them and see what the idea is behind it because I think they have just got it wrong.

Jon

So I've gone ahead and tried to set up NATing using GE0/1 and I still can't ping outside IPs. The IP I'm using is Google DNS. I get the feeling I'm very close and that I'm missing one basic thing. Here's the config:

Building configuration...

Current configuration : 6083 bytes
!
! Last configuration change at 18:15:14 UTC Wed Mar 4 2015
version 15.3
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Mxxxxxx1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
no ip source-route
!
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip cef
no ipv6 source-route
ipv6 unicast-routing
ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FTX18478091
!
!
username 

redundancy
!
!
!
policy-map SHAPER
 class class-default
  shape average 10000000
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address xxx.xxx.147.162 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mfib forwarding input
 no ip mfib cef input
 no ip mfib cef output
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
 ipv6 address 2001:1890:C00:644E::1110:116C/64
 ipv6 enable
 ipv6 nd ra suppress
 no ipv6 redirects
 no ipv6 unreachables
 no ipv6 mfib forwarding input
 no ipv6 mfib cef input
 no ipv6 mfib cef output
 ipv6 traffic-filter MIS-Inbound in
 no cdp enable
 service-policy output SHAPER
!
interface GigabitEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mfib forwarding input
 no ip mfib cef input
 no ip mfib cef output
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 ipv6 address FD00:1111:2222:3333::1/56
 ipv6 enable
 ipv6 nd ra suppress
 no ipv6 redirects
 no ipv6 unreachables
 no ipv6 mfib forwarding input
 no ipv6 mfib cef input
 no ipv6 mfib cef output
 no cdp enable
!
interface GigabitEthernet0/0/0
 no ip address
!
interface GigabitEthernet0/0/1
 no ip address
!
interface GigabitEthernet0/0/2
 no ip address
!
interface GigabitEthernet0/0/3
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan10
 no ip address
!
interface Vlan20
 no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source static 192.168.1.254 xxx.xxx.147.162
ip default-network 0.0.0.0
ip route 0.0.0.0 0.0.0.0 xxx.xxx.147.161
ip route 192.168.1.0 255.255.255.0 xxx.xxx.147.161
!
no cdp run
ipv6 route ::/0 2001:1890:C00:644E::EE10:116C
!
!
access-list 101 deny   ip host 0.0.0.0 any log
access-list 101 permit icmp 135.89.154.144 0.0.0.15 any
access-list 101 permit icmp 135.89.152.48 0.0.0.15 any
access-list 101 permit icmp 12.38.168.0 0.0.0.15 any
access-list 101 permit icmp any any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any
access-list 101 deny   ip 240.0.0.0 15.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip any any
!
ipv6 access-list MIS-Inbound
 remark Deny loopback address
 deny ipv6 host ::1 any
 remark Deny IPv4-mapped addresses (obsolete)
 deny ipv6 ::FFFF:0.0.0.0/96 any
 remark Deny IPv4-compatible addresses
 deny ipv6 ::/96 any
 remark Deny auto tunneled packets
 remark Deny Unique-Local packets
 deny ipv6 FC00::/7 any
 remark Deny RH0 packets
 deny ipv6 any any routing-type 0 log
 remark Deny multicast packets
 deny ipv6 FF00::/8 any
 remark Deny Customer addresses from Internet
 deny ipv6 FD00:1111:2222:3300::/56 any log
 remark permit everything else
 permit ipv6 any any
!
control-plane
!
!
line con 0
 session-timeout 30
 exec-timeout 30 0
 password 7 
 login
line aux 0
 session-timeout 30
 exec-timeout 30 0
 password 7 
 login
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 session-timeout 30
 exec-timeout 30 0
 password 7 
 login
 transport input all
!
scheduler allocate 20000 1000
ntp server 192.43.244.18
!
end

 

Below is the IP routing:

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is xxx.xxx.147.161 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via xxx.xxx.147.161
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        xxx.xxx.147.160/30 is directly connected, GigabitEthernet0/0
L        xxx.xxx.147.162/32 is directly connected, GigabitEthernet0/0
S     192.168.1.0/24 [1/0] via xxx.xxx.147.161

Okay few things -

1) you don't need "ip nat enable" under the interfaces

2) not sure what the "ip nat source static .." is doing. If this is to give inside hosts access then you can remove it.

3) not sure what acl 101 is doing as it isn't applied anywhere. So i would just remove it but if you do need it then change the acl number in the following example for NAT.

So -

no access-list 101 <-- if you want to keep this acl then just use a different acl number in the two statements below.

access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface gi0/0 overload

Jon
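Pulling Jon's three points together, here is what the corrected NAT section of this 1921 looks like. This is an added example, not part of the thread and not the configuration AT&T delivered; it keeps the thread's redacted xxx.xxx addresses, and the inside host 192.168.1.10 it publishes is constructed. It follows Jon's first answer in treating the routed xxx.xxx.74.64/29 as a block of public addresses to use for NAT rather than as an interface address, so it assumes the ISP routes that /29 to xxx.xxx.147.162. One caveat on point 3: ACL 101 is an anti-spoofing (bogon and RFC 1918) ingress filter, and the only reason it does nothing is that it is never applied to an interface. Applying it inbound on Gi0/0 is more useful than deleting it, which is why the example uses a named ACL for the NAT match instead of reusing number 101.

```cisco
! Added example (not from the thread): legacy inside/outside NAT on the 1921.
! Addresses keep the thread's xxx.xxx redaction; 192.168.1.10 is a constructed
! inside host. Assumes, per Jon, that the ISP routes xxx.xxx.74.64/29 to the
! Gi0/0 address xxx.xxx.147.162.
!
! 1) Interfaces. "ip nat enable" is NVI-style NAT and must not be mixed with
!    "ip nat inside/outside" on the same router; this example uses the latter.
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.254 255.255.255.0
 no ip nat enable
 ip nat inside
!
interface GigabitEthernet0/0
 description AT&T MIS WAN
 no ip nat enable
 ip nat outside
 ip access-group 101 in
!
! 2) Remove the static mapping of the gateway itself onto the outside address,
!    and the static route for a subnet that is already connected on Gi0/1.
no ip nat inside source static 192.168.1.254 xxx.xxx.147.162
no ip route 192.168.1.0 255.255.255.0 xxx.xxx.147.161
!
! 3) Match list for translation. A named ACL leaves ACL 101 free for ingress use.
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
!
! 4) PAT every inside host behind the Gi0/0 address (Jon's "overload" line).
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! 5) Optional: publish one service on an address from the routed /29.
!    Outside-to-inside NAT runs before the routing lookup, so the translated
!    packet is delivered to the LAN host; only the listed port is translated.
ip nat inside source static tcp 192.168.1.10 443 xxx.xxx.74.66 443
!
! 6) Packets to the /29 that match no translation would otherwise follow the
!    default route back to the ISP and loop until TTL expiry; discard them here.
ip route xxx.xxx.74.64 255.255.255.248 Null0
```

To confirm it is working, generate some traffic from a LAN host and check `show ip nat translations` for entries with the Gi0/0 address as the inside global, and `show ip nat statistics`, which lists the inside and outside interfaces and the dynamic mapping along with hit and miss counters; `show ip access-lists 101` shows whether the ingress filter is matching anything. Note that ACL 101 permits ICMP from anywhere before its private-range denies, so it does not stop spoofed pings. Unrelated to the NAT question but visible in the posted config: `line vty 0 4` has `transport input all` with only a line password, so once Gi0/0 is live the router accepts Telnet logins from the ISP side; restricting it to `transport input ssh` and an `access-class` is worth doing before the firewall work mentioned later in the thread.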

Alright, I've made the changes and will provide an update later tonight or tomorrow. If all else fails, we might be getting a Layer 3 switch, which should allow me to use the ISP's configuration.

 

On a side note, looks like it's about time for me to start studying for the CCNA; Net+ isn't cutting it anymore.

Not sure how a L3 switch will help to be honest.

The issue is you have a default route pointing to the x.x.147.161 IP which makes sense.

But even if you assign the other subnet to physical interface I'm not sure how you are going to be using them ie. you may as well not have them.

I would have thought the ISP could manage the device with the existing x.x.147.162 IP but apparently not.

Anyway hope the tests go alright and if you do decide to do CCNA hope it goes well :-)

Jon

According to AT&T, the AT&T WAN Router IP is x.x.147.161 and the Customer Router IP is x.x.147.162, but the confusion didn't start until they remoted in and set ge0/1 to a public ip. It was originally 10.10.10.1, the default. They made a static route for the 192 block, but I couldn't see how I would ever connect to it without another device in the mix that I could use as a default gateway on the NAT since the port I would have used was already assigned.

Pretty much have to get CCNA now, no more web GUIs or Netgear EZmode now. Thanks much.

Everything worked out and is up and running. I think I just let AT&T mind screw me and it caused me more trouble than it should have. NAT is working fine and I'm in the process of adding the firewall and setting up an ACL for web server traffic and Exchange. Thanks much for all of your help, Jon.