Newbie NAT, DHCP problem

olesnica2001
Level 1

Hello

I am a newbie to Cisco. I am trying to set up NAT with DHCP in our office on a Cisco 819 router. I am having a problem with DHCP not assigning an IP on vlan1. I cannot figure out what I'm doing wrong. Below is my config and debug from DHCP. Any help is greatly appreciated.

router#sh config

Using 4328 out of 262136 bytes

!

! Last configuration change at 05:56:39 UTC Mon May 13 2013 by cisco

! NVRAM config last updated at 05:57:16 UTC Mon May 13 2013 by cisco


version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname yourname

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

!

no aaa new-model

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-230656754

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-230656754

revocation-check none

rsakeypair TP-self-signed-230656754

!

!

crypto pki certificate chain TP-self-signed-230656754

certificate self-signed 01 nvram:IOS-Self-Sig#6.cer

ip source-route

ip cef

!

!

!

ip dhcp excluded-address 10.10.10.1

ip dhcp excluded-address 192.168.20.1

ip dhcp excluded-address 192.168.1.1 192.168.1.10

!

ip dhcp pool ccp-pool

import all

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

dns-server 75.75.75.75 75.75.76.76

lease 0 2

!

!

no ip domain lookup

ip domain name yourdomain.com

no ipv6 cef

!

!

multilink bundle-name authenticated

!

!

username tomek privilege 15 secret 4 R1ODRxztRdGPKo8bhaOx1rdYvIPTFzjT.JyC.9QqZZo

!

!

!

!

controller Cellular 0

!

!

!

!

!

!

!

!

interface Cellular0

no ip address

encapsulation ppp

!

interface FastEthernet0

no ip address

!

interface FastEthernet1

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface GigabitEthernet0

ip address dhcp

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface Serial0

no ip address

shutdown

clock rate 2000000

!

interface Vlan1

description $ETH_LAN$

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source list 101 interface GigabitEthernet0 overload

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0

!

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

no cdp run

!

!

!

!

!

control-plane

!

!

line con 0

login local

no modem enable

line aux 0

line 3

no exec

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

end

May 13 06:19:17.311: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up

May 13 06:19:18.311: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to up

May 13 06:19:46.347: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

May 13 06:19:46.851: DHCPD: client's VPN is .

May 13 06:19:46.851: DHCPD: No option 125

May 13 06:19:46.851: DHCPD: DHCPREQUEST received from client 0100.2511.d842.e2.

May 13 06:19:46.851: DHCPD: client has moved to a new subnet.

May 13 06:19:46.851: DHCPD: Sending DHCPNAK to client 0100.2511.d842.e2.

May 13 06:19:46.851: DHCPD: no option 125

May 13 06:19:46.851: DHCPD: broadcasting BOOTREPLY to client 0025.11d8.42e2.

May 13 06:19:46.955: DHCPD: client's VPN is .

May 13 06:19:46.955: DHCPD: No option 125

May 13 06:19:46.955: DHCPD: DHCPDISCOVER received from client 0100.2511.d842.e2 on interface Vlan1.

May 13 06:19:46.955: DHCPD: Sending DHCPOFFER to client 0100.2511.d842.e2 (192.168.1.13).

May 13 06:19:46.955: DHCPD: no option 125

May 13 06:19:46.955: DHCPD: creating ARP entry (192.168.1.13, 0025.11d8.42e2, vrf default).

May 13 06:19:46.955: DHCPD: unicasting BOOTREPLY to client 0025.11d8.42e2 (192.168.1.13).

May 13 06:19:46.959: DHCPD: client's VPN is .

May 13 06:19:46.959: DHCPD: No option 125

May 13 06:19:46.959: DHCPD: DHCPREQUEST received from client 0100.2511.d842.e2.

May 13 06:19:46.959: DHCPD: Appending system default domain

May 13 06:19:46.959: DHCPD: Using hostname 'NELSON-PC.yourdomain.com.' for dynamic update (from FQDN option)

May 13 06:19:46.959: DHCPD: Sending DHCPACK to client 0100.2511.d842.e2 (192.168.1.13).

May 13 06:19:46.959: DHCPD: no option 125

May 13 06:19:46.959: DHCPD: ARP entry exists (192.168.1.13, 0025.11d8.42e2).

May 13 06:19:46.959: DHCPD: unicasting BOOTREPLY to client 0025.11d8.42e2 (192.168.1.13).

May 13 06:19:50.147: DHCPD: client's VPN is .

May 13 06:19:50.147: DHCPD: No option 125

May 13 06:19:50.147: DHCPD: DHCPINFORM received from client 0100.2511.d842.e2 (192.168.1.13).

May 13 06:19:50.147: DHCPD: Sending DHCPACK to client 0100.2511.d842.e2 (192.168.1.13).

May 13 06:19:50.147: DHCPD: no option 125

May 13 06:19:50.147: DHCPD: broadcasting BOOTREPLY to client 0025.11d8.42e2.

3 Replies

cadet alain
VIP Alumni

Hi,

From the debug you posted, an IP address is allocated: 192.168.1.13.

You should change your static route though if you want NAT to work:

no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0

ip route 0.0.0.0 0.0.0.0 dhcp

Regards

Alain

Don't forget to rate helpful posts.
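The reading of the debug output given in the reply above can be checked mechanically. The following is an added example, not part of the original thread: it replays the server-side DHCPD messages from the posted debug and reports the lease each client ends up with. The function names `lease_state` and `client_id_to_mac` are made up for this illustration.

```python
import re

# Subset of the DHCPD debug lines posted in the question (copied, not invented).
SAMPLE = """\
May 13 06:19:46.851: DHCPD: DHCPREQUEST received from client 0100.2511.d842.e2.
May 13 06:19:46.851: DHCPD: client has moved to a new subnet.
May 13 06:19:46.851: DHCPD: Sending DHCPNAK to client 0100.2511.d842.e2.
May 13 06:19:46.955: DHCPD: DHCPDISCOVER received from client 0100.2511.d842.e2 on interface Vlan1.
May 13 06:19:46.955: DHCPD: Sending DHCPOFFER to client 0100.2511.d842.e2 (192.168.1.13).
May 13 06:19:46.959: DHCPD: DHCPREQUEST received from client 0100.2511.d842.e2.
May 13 06:19:46.959: DHCPD: Sending DHCPACK to client 0100.2511.d842.e2 (192.168.1.13).
May 13 06:19:50.147: DHCPD: DHCPINFORM received from client 0100.2511.d842.e2 (192.168.1.13).
May 13 06:19:50.147: DHCPD: Sending DHCPACK to client 0100.2511.d842.e2 (192.168.1.13).
"""

MSG = re.compile(
    r"DHCPD: (?:(?P<rx>DHCP[A-Z]+) received from|Sending (?P<tx>DHCP[A-Z]+) to)"
    r" client (?P<cid>[0-9a-f]+(?:\.[0-9a-f]+)*)(?: \((?P<ip>[\d.]+)\))?"
)

def client_id_to_mac(cid):
    """Client-id = type byte 01 (Ethernet) + MAC; return the Cisco dotted MAC."""
    raw = cid.replace(".", "")
    if len(raw) == 14 and raw.startswith("01"):
        return ".".join(raw[2:][i:i + 4] for i in range(0, 12, 4))
    return cid  # not an Ethernet client-id; keep it as logged

def lease_state(log):
    """Replay server-side DHCP messages; return events and final lease per client."""
    clients = {}
    for line in log.splitlines():
        m = MSG.search(line)
        if not m:
            continue  # e.g. "client has moved to a new subnet", BOOTREPLY lines
        c = clients.setdefault(client_id_to_mac(m["cid"]),
                               {"events": [], "last_rx": None, "bound_ip": None})
        kind = m["rx"] or m["tx"]
        c["events"].append(("<" if m["rx"] else ">") + kind)
        if m["rx"]:
            c["last_rx"] = kind
        elif kind == "DHCPNAK":
            c["bound_ip"] = None            # server refused the requested address
        elif kind == "DHCPACK" and c["last_rx"] == "DHCPREQUEST":
            c["bound_ip"] = m["ip"]         # ACK of a REQUEST means a lease was granted
    return clients

if __name__ == "__main__":
    for mac, c in lease_state(SAMPLE).items():
        print(mac, " ".join(c["events"]), "->", c["bound_ip"] or "no lease")
```

The initial DHCPNAK only rejects the address the client carried over from another subnet; the DISCOVER/OFFER/REQUEST/ACK sequence that follows is a completed lease.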

Alain

Thank you very much for the info. I made the change you suggested and it works great.

Now I am having another problem. I am running a web server and a few domains, so I created port forwarding in the Cisco router. It works great except I cannot access any of the domains from within the local network. If I am outside of my LAN I can access all domains and all forwarded ports without any problem. Is there a fix for this?

Here is my current config:

OELSNET#sh config

Using 5055 out of 262136 bytes

!

! Last configuration change at 22:44:39 UTC Mon May 13 2013

! NVRAM config last updated at 22:45:02 UTC Mon May 13 2013


version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname OELSNET

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

enable secret 4 tSbSU3Pb6mNOFHkcgKob.3Da88lZB6DHtrZGJTA1/zU

enable password 1234

!

aaa new-model

!

!

!

!

!

!

!

aaa session-id common

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-2215678432

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2215678432

revocation-check none

rsakeypair TP-self-signed-2215678432

!

!

crypto pki certificate chain TP-self-signed-2215678432

certificate self-signed 01 nvram:IOS-Self-Sig#7.cer

ip source-route

ip cef

!

!

!

ip dhcp excluded-address 10.10.10.1

ip dhcp excluded-address 192.168.20.1

ip dhcp excluded-address 192.168.1.1 192.168.1.10

!

ip dhcp pool ccp-pool

import all

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

dns-server 75.75.75.75 75.75.76.76

lease 0 2

!

!

no ip domain lookup

ip domain name comcast.net

no ipv6 cef

!

!

multilink bundle-name authenticated

!

!

!

username tomek privilege 15 secret 4 R1ODRxztRdGPKo8bhaOx1rdYvIPTFzjT.JyC.9QqZZo

!

!

!

!

controller Cellular 0

!

!

!

!

!

!

!

!

interface Cellular0

no ip address

encapsulation ppp

!

interface FastEthernet0

no ip address

!

interface FastEthernet1

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface GigabitEthernet0

ip address dhcp

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface Serial0

no ip address

shutdown

clock rate 2000000

!

interface Vlan1

description $ETH_LAN$

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source list 101 interface GigabitEthernet0 overload

ip nat inside source static tcp 192.168.1.134 80 interface GigabitEthernet0 80

ip nat inside source static tcp 192.168.1.134 25 interface GigabitEthernet0 25

ip nat inside source static tcp 192.168.1.134 53 interface GigabitEthernet0 53

ip nat inside source static tcp 192.168.1.134 22 interface GigabitEthernet0 22

ip nat inside source static tcp 192.168.1.134 21 interface GigabitEthernet0 21

ip nat inside source static tcp 192.168.1.113 81 interface GigabitEthernet0 81

ip nat inside source static tcp 192.168.1.100 8081 interface GigabitEthernet0 8081

ip nat inside source static tcp 192.168.1.134 8080 interface GigabitEthernet0 8080

ip route 0.0.0.0 0.0.0.0 dhcp

!

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 permit ip any any

no cdp run

!

!

!

!

!

!

!

control-plane

!

!

line con 0

no modem enable

line aux 0

line 3

no exec

line vty 0 4

privilege level 15

password polska112qbs

transport input ssh

!

scheduler allocate 20000 1000

end

Hi,

This is a well-known problem called NAT hairpinning. Normally it could be solved by configuring NAT NVI instead of "traditional" NAT, but I've never tried it myself:

! Switch both interfaces from inside/outside NAT to NVI
int vlan 1
 no ip nat inside
 ip nat enable
 no ip redirects
int g0
 no ip nat outside
 ip nat enable
 no ip redirects

! Remove the existing inside-source rules
no ip nat inside source list 101 interface GigabitEthernet0 overload
no ip nat inside source static tcp 192.168.1.134 80 interface GigabitEthernet0 80
no ip nat inside source static tcp 192.168.1.134 25 interface GigabitEthernet0 25
no ip nat inside source static tcp 192.168.1.134 53 interface GigabitEthernet0 53
no ip nat inside source static tcp 192.168.1.134 22 interface GigabitEthernet0 22
no ip nat inside source static tcp 192.168.1.134 21 interface GigabitEthernet0 21
no ip nat inside source static tcp 192.168.1.113 81 interface GigabitEthernet0 81
no ip nat inside source static tcp 192.168.1.100 8081 interface GigabitEthernet0 8081
no ip nat inside source static tcp 192.168.1.134 8080 interface GigabitEthernet0 8080

! Re-create them in NVI form (no "inside" keyword)
ip nat source list 101 interface GigabitEthernet0 overload
ip nat source static tcp 192.168.1.134 80 interface GigabitEthernet0 80
ip nat source static tcp 192.168.1.134 25 interface GigabitEthernet0 25
ip nat source static tcp 192.168.1.134 53 interface GigabitEthernet0 53
ip nat source static tcp 192.168.1.134 22 interface GigabitEthernet0 22
ip nat source static tcp 192.168.1.134 21 interface GigabitEthernet0 21
ip nat source static tcp 192.168.1.113 81 interface GigabitEthernet0 81
ip nat source static tcp 192.168.1.100 8081 interface GigabitEthernet0 8081
ip nat source static tcp 192.168.1.134 8080 interface GigabitEthernet0 8080

Another solution is to use split-DNS: http://en.wikipedia.org/wiki/Split-horizon_DNS

Regards

Alain

Don't forget to rate helpful posts.
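The conversion in the reply above is mechanical, so it can be generated from the running configuration instead of being typed rule by rule. The following is an added example, not part of the original thread: it reads the NAT-related lines of a config and emits the interface changes, the removals and the NVI replacements in that order. The function name `nvi_migration` is made up for this illustration, and the embedded config is an excerpt of the one posted.

```python
# Excerpt of the running-config posted above (NAT-related lines only).
CONFIG = """\
interface GigabitEthernet0
 ip address dhcp
 ip nat outside
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 101 interface GigabitEthernet0 overload
ip nat inside source static tcp 192.168.1.134 80 interface GigabitEthernet0 80
ip nat inside source static tcp 192.168.1.134 22 interface GigabitEthernet0 22
"""

def nvi_migration(config):
    """Return the IOS commands that convert inside/outside NAT to NVI."""
    iface_cmds, remove, add = [], [], []
    iface = None
    for line in config.splitlines():
        text = line.strip()
        if text.startswith("interface "):
            iface = text                      # remember the interface being parsed
        elif iface and text in ("ip nat inside", "ip nat outside"):
            # Exact match only, so global "ip nat inside source ..." rules are not caught here.
            iface_cmds += [iface, " no " + text, " ip nat enable", " no ip redirects"]
        elif text.startswith("ip nat inside source "):
            remove.append("no " + text)       # drop the traditional rule
            add.append(text.replace("ip nat inside source", "ip nat source", 1))
    return iface_cmds + remove + add

if __name__ == "__main__":
    print("\n".join(nvi_migration(CONFIG)))
```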
