04-02-2014 11:33 AM - edited 03-07-2019 06:58 PM
I have a somewhat older 1712 I picked up, understanding that it should do what I am looking for.
I have a 5 IP block from my provider that I need to map out 1:1. The way I understand this is to first assign the interfaces their IP address, then create the static NAT maps using:
ip nat inside source static (source ip) (destination ip)
I then set a default route 0.0.0.0 0.0.0.0 75.140.236.209 (my gateway) and set the default-gateway command as well.
When all is said and done, I can only reach the internet with ONE IP address.
I have tried many different things, assigning all the necessary IPs to the interface (as secondary IPs), assigning them to a VLAN and translating to/from the VLAN, or even simply swapping the interfaces used so that the 4-port WIC holds the external connection and the locals sit on the integrated FE.
At this point I am at a loss, any help will be appreciated.
I am including all the logs - the system info, running config, ip route, ip nat table, and ping results. As this is fairly long, I hope you all don't mind if I simply attach it as a document.
04-02-2014 11:50 AM
Your config looks okay.
A couple of things -
1) your routing table shows the vlan subnet as 168.10.0.0/24 ?
2) can you remove the ip default-gateway ... command as you don't need it.
Can you then "clear ip nat translations *"
and then try and connect only from 192.168.100.3 and post the results ie. did it work and also the NAT translation table.
Jon
04-02-2014 12:12 PM
This is an error resulting from the console line speed being set too high... at 115k I get occasional errors in what it reports - that is one of those errors I didn't catch.
The actual table looks like this:
Gateway of last resort is 75.140.236.209 to network 0.0.0.0
C 192.168.100.0/24 is directly connected, Vlan1
75.0.0.0/29 is subnetted, 1 subnets
C 75.140.236.208 is directly connected, FastEthernet 0
S 0.0.0.0/0 [1/0] via 75.140.236.209
Will clear the translations, and report back shortly.
EDIT: Here it is:
Router#sho ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 75.140.236.210 192.168.100.2 --- ---
icmp 75.140.236.211:1 192.168.100.3:1 75.140.236.209:1 75.140.236.209:1
udp 75.140.236.211:60442 192.168.100.3:60442 8.8.8.8:53 8.8.8.8:53
--- 75.140.236.211 192.168.100.3 --- ---
--- 75.140.236.212 192.168.100.4 --- ---
--- 75.140.236.213 192.168.100.5 --- ---
--- 75.140.236.214 192.168.100.6 --- ---
SECOND EDIT:
To clarify, no, it could not ping through, either to the gateway, or out to the DNS.
04-02-2014 12:12 PM
In the output of "sh ver"
I see
Configuration register is 0x3922
Can you change it 0x2102, save and reboot the router?
HTH
04-02-2014 12:33 PM
I gave it the command change-register 0x2102, then saved and reloaded - it started back up in 0x3922...
EDIT: Trying again using Rommon to make the change.
EDIT 2: Yep - that did it! Got it to 0x2102. Sadly, no change in behavior - only console line speed.
04-02-2014 12:15 PM
So the translations are being built correctly but presumably the connectivity is not working ?
What is the 75.140.236.209 device ?
Jon
04-02-2014 12:18 PM
That is the gateway provided by the ISP.
04-02-2014 12:28 PM
Like I say, there does not appear to be anything wrong with your config.
It could be an issue with the ISP device ie. wrong subnet mask on the interface connecting to your router.
The range the ISP assigned to you, was it with a 255.255.255.248 subnet mask ?
Jon
04-02-2014 12:30 PM
Yes, and I did call and confirm that as well. I have also confirmed that all addresses are working correctly when directly connected.
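Since the thread has now confirmed both the static translation table and the 255.255.255.248 (/29) mask, the two can be checked against each other. The script below is an added example, not code from the thread: it parses the static rows of the "show ip nat translations" output posted above and verifies that every inside-global address is a usable host in the ISP's /29 (not the network address, the broadcast address, or the ISP gateway) and that no global address is mapped to two different inside hosts. The block, gateway and table are the ones quoted in the thread; everything else is the example's own.

```python
"""Sanity-check 1:1 static NAT mappings against the ISP-assigned /29.

Added example (not from the thread). The block, gateway and static rows
are the values posted in the thread; the parsing and checks are mine.
"""
import ipaddress

ISP_BLOCK = ipaddress.ip_network("75.140.236.208/29")
ISP_GATEWAY = ipaddress.ip_address("75.140.236.209")

# Static ("---" protocol) rows from the thread's "show ip nat translations".
NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 75.140.236.210     192.168.100.2      ---                ---
--- 75.140.236.211     192.168.100.3      ---                ---
--- 75.140.236.212     192.168.100.4      ---                ---
--- 75.140.236.213     192.168.100.5      ---                ---
--- 75.140.236.214     192.168.100.6      ---                ---
"""


def static_mappings(text):
    """Return [(inside_global, inside_local), ...] for the static rows.

    Dynamic rows (icmp/udp/tcp) carry ":port" suffixes and are skipped here
    because only the static entries define the 1:1 map.
    """
    pairs = []
    for line in text.splitlines()[1:]:          # skip the column header
        cols = line.split()
        if len(cols) >= 3 and cols[0] == "---":
            inside_global = ipaddress.ip_address(cols[1])
            inside_local = ipaddress.ip_address(cols[2])
            pairs.append((inside_global, inside_local))
    return pairs


def check_mappings(text, block=ISP_BLOCK, gateway=ISP_GATEWAY):
    """Return a list of problem strings; an empty list means the map is sane."""
    problems = []
    seen = {}                                   # inside_global -> inside_local
    for g, l in static_mappings(text):
        if g not in block:
            problems.append(f"{g} is outside {block}")
        elif g in (block.network_address, block.broadcast_address):
            problems.append(f"{g} is the network or broadcast address of {block}")
        elif g == gateway:
            problems.append(f"{g} is the ISP gateway and cannot be NATed to")
        if g in seen and seen[g] != l:
            problems.append(f"{g} is mapped to both {seen[g]} and {l}")
        seen[g] = l
    return problems


def usable_globals(block=ISP_BLOCK, gateway=ISP_GATEWAY):
    """Addresses in the block that may legitimately appear as inside-globals."""
    return [a for a in block.hosts() if a != gateway]


if __name__ == "__main__":
    print("problems:", check_mappings(NAT_TABLE) or "none")
    print("usable globals:", [str(a) for a in usable_globals()])
```

With the table as posted, check_mappings returns no problems and usable_globals lists exactly the five addresses .210 through .214, which matches the "5 IP block" the ISP handed out; a mapping onto .209 or .215 would be flagged.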
04-02-2014 12:47 PM
Can you -
access-list 101 permit ip host 75.140.236.211 any
access-list 101 permit ip any any
access-list 102 permit ip any host 75.140.236.211
access-list 102 permit ip any any
int fa0
ip access-group 101 out
ip access-group 102 in
then try to connect again and then see what hits you get on the acls.
Jon
04-02-2014 01:03 PM
Ok, applied the list - no change in status.
Can still ping local network, and not the gateway or remote network.
04-02-2014 01:06 PM
Sorry, it wasn't to see if it would work, it was to see what is happening to the traffic.
So if you do a "sh ip access-list 101" and see hits it means the traffic left your router.
If you do the same for acl 102 and there are no hits it means no traffic is returning.
If this is the case probably time to have another conversation with your ISP.
If you see no hits on acl 101 then there is an issue with your router.
Jon
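Jon's procedure above reduces to comparing two counters: hits on the host-specific line of the outbound ACL prove the translated traffic left the router, and zero hits on the host-specific line of the inbound ACL prove nothing came back. The script below is an added example, not something posted in the thread: it parses "show ip access-lists" output in the IOS format (a constructed sample, with counters chosen to mirror what is reported later in the thread) and returns "router", "upstream" or "ok". The ACL numbers and the host address are the ones used in the thread; function names and the sample text are the example's own.

```python
"""Locate where traffic is failing from the hit counters of the two
diagnostic ACLs (101 applied outbound, 102 applied inbound on the WAN
interface). Added example; the sample output is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed "show ip access-lists" output in IOS format. IOS prints
# "(N matches)" only when the counter is non-zero; the inbound ACL
# therefore shows no counters at all, as the thread reports.
SAMPLE_SHOW_IP_ACCESS_LISTS = """\
Extended IP access list 101
    10 permit ip host 75.140.236.211 any (137 matches)
    20 permit ip any any (12 matches)
Extended IP access list 102
    10 permit ip any host 75.140.236.211
    20 permit ip any any
"""

_LIST_RE = re.compile(r"^(?:Extended|Standard) IP access list (\S+)\s*$")
_ENTRY_RE = re.compile(r"^\s+(\d+)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")


def parse_acl_counters(text: str) -> Dict[str, List[Tuple[int, str, int]]]:
    """Return {acl_name: [(sequence, rule_text, matches), ...]}."""
    acls: Dict[str, List[Tuple[int, str, int]]] = {}
    current = None
    for line in text.splitlines():
        m = _LIST_RE.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if current is None:
            continue
        m = _ENTRY_RE.match(line)
        if m:
            seq, rule, matches = m.groups()
            acls[current].append((int(seq), rule.strip(), int(matches or 0)))
    return acls


def host_line_hits(entries: List[Tuple[int, str, int]], host: str) -> int:
    """Sum the counters of the entries that name the host of interest."""
    return sum(n for _, rule, n in entries if f"host {host}" in rule)


def locate_failure(text: str, host: str, out_acl: str = "101",
                   in_acl: str = "102") -> str:
    """'router' if nothing left, 'upstream' if nothing returned, else 'ok'."""
    acls = parse_acl_counters(text)
    out_hits = host_line_hits(acls.get(out_acl, []), host)
    in_hits = host_line_hits(acls.get(in_acl, []), host)
    if out_hits == 0:
        return "router"      # translated traffic never left the WAN interface
    if in_hits == 0:
        return "upstream"    # it left, nothing came back: ISP side of the link
    return "ok"


if __name__ == "__main__":
    print(locate_failure(SAMPLE_SHOW_IP_ACCESS_LISTS, "75.140.236.211"))
```

Run "clear ip access-list counters" before the test so that stale hits from earlier attempts do not count, and compare the host-specific line rather than the permit-any line, which also picks up the router's own traffic.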
04-02-2014 01:34 PM
Ok, there are several matches on the outgoing interface, but none on the incoming interface.
But my question here is, what are we learning from this that we did not already know? So far as I can tell, the router is the issue, not their equipment.
The address gets translated, but never forwarded so far as I can tell.
I will set up a PC shortly to mimic the router (with the same IPs on the main interface) and see what happens there.
EDIT: I'll be damned - you are correct. I am not sure what their equipment is doing, but my PC responds exactly as it should.
04-02-2014 01:34 PM
Ok, there are several matches on the outgoing interface, but none on the incoming interface.
Can you be specific as to exactly what you see ie. are you saying in acl 101 you see hits for the first line, the one with the host IP address as the source ?
If so are you also saying for acl 102 you do not see any hits in the first line ?
If so, what we have learnt is that your router is working as far as I can see.
We already know it is doing the NAT from the translation tables, and now we know the router is also forwarding the traffic to the ISP device.
We don't know where the traffic is failing, but we know traffic isn't getting back to your router.
If the acls are not showing what I described above, can you clarify?
Jon
04-02-2014 01:52 PM
Ok, it doesn't show any details, just the number of hits - and yes, zero hits on the return interface, with 100+ on the outgoing interface.
I did manage to prove the router is working though - by using a PC with the gateway address and testing connectivity to it using all the addresses in use (210-214). I am troubleshooting the gateway now.
I appreciate your help!