Trying to understand NAT & VLANs, with Cable modem to Catalyst router

bHubTel1610c
Level 1

Hello All;

I checked in with this issue a few months ago, but got off on some other subjects.  I'm a student at a local community college and I have one class, basic Cisco routers, under my belt so I am dangerous.  I'm registered for two classes in Cisco routers starting in January, so I'm trying to refresh my mind about routing, LANs, etc.

To recap, a friend gave me a 1711 Catalyst router, which is somewhat old.  But it works.  I want to try to run it behind a cable modem to the internet and hook 2 computers and game console up to the 4 port switch card  (4esw).  As I understand it, the router should be programmed for NAT, so that the internal hosts (inside) get routed  to the one connection (fastethernet 0) that connects to the cable modem.  The switch card (layer 2) connects to the router via VLAN.

If I set up a computer with a static address (192.168.1.? 255.255.255.0), I can ping from computer to switch card and from computer to the ip address that the fa0 port picks up from the cable modem via dhcp.  But I get nothing from the internet.

Here's my running-config.

    Router#show running-config
    Building configuration...

    Current configuration : 1013 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    ip subnet-zero
    !
    !
    !
    !
    ip cef
    ip ips po max-events 100
    no ftp-server write-enable
    !
    !
    !
    !
    !
    no crypto isakmp ccm
    !
    !
    !
    interface FastEthernet0
     description connection to cable modem
     ip address dhcp
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface Vlan1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface Async1
     no ip address
    !
    ip classless
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 101 interface Vlan1 overload
    !
    !
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    !
    !
    control-plane
    !
    !
    line con 0
    line 1
    line aux 0
    line vty 0 4
    !
    end

Does anyone have any ideas?

Thanks, in advance, for any help or insight you can send my way.

-Bruce


bHubTel1610c
Level 1

BTW, I do not get an ip address from the router to computers automatically.  Hence the reference to setting up a static ip address to ping back out to cable modem.

Thanks!

-Bruce

Hi bHubTel1610c,

So, LAN clients don't use DHCP ...

Can they do a traceroute to their (static) DNS ?

Cheers!

cadet alain
VIP Alumni

Hi,

This NAT config is wrong: ip nat inside source list 101 interface Vlan1 overload

It should be

    ip nat inside source list 101 interface fastethernet0 overload

If you want computers to get a DHCP address from the router you can do this:

    ip dhcp excluded-address 192.168.1.1
    ip dhcp pool mypool
     import all
     network 192.168.1.0 /24
     default-router 192.168.1.1

Regards.

Alain

Don't forget to rate helpful posts.

Hi, Cadet;

Some questions, since I'm trying to understand exactly what I'm doing.

  1. Since fastethernet 0 is hooked to cable modem, I thought the "ip nat inside....." would be for vlan connection, since it translates the inside addresses to outside.  Could you explain that a little more?
  2. The dhcp address that the router would receive from the cable modem would never include a private address like 192.168.1.1, so is it necessary to "exclude" it from the list?

I'm not doubting you (I know that I don't know very much), it's just that I'm trying to understand what's going on.

Could you clarify, please?

Thanks!

-Bruce

Hi Bruce,

no problem.

1) Indeed you are translating your private addresses from the LAN to the outside public address provided by the ISP, so your ip nat inside and ip nat outside interfaces were correct but not the NAT overload config, because you told the router to translate an inside address to an inside address. You must tell it to translate from inside to outside.

2) The excluded address is excluded from the pool you create below that will serve your clients; it has nothing to do with the ISP DHCP address your outside interface is getting.

The only link with the pool from the ISP here is the import all command, which will inherit DHCP options you didn't explicitly configure from the ISP pool, like for example a list of DNS servers.

If the ISP didn't send you this option via DHCP then you can either explicitly configure it under your pool with the dns-server x.x.x.x command, and in this case you have 2 choices:

- list the DNS servers from the ISP or any public DNS server like the one from Google (8.8.8.8)

- list your router as DNS server, but then you'll have to configure the router for proxy-dns like this:

    ip domain-lookup
    ip name-server x.x.x.x
    ip dns server

Regards.

Alain.

Don't forget to rate helpful posts.
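
The mistake explained above (a NAT overload rule that translates to an interface marked inside) can be caught mechanically before a config is loaded. The script below is an added example, not part of the original thread and not a Cisco tool; the function names and the trimmed sample config are constructed for illustration, and it assumes standard running-config indentation and full interface names.

```python
import re

# Constructed sample: only the NAT-relevant lines of the config posted in this thread.
SAMPLE = """\
interface FastEthernet0
 ip address dhcp
 ip nat outside
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 101 interface Vlan1 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

def nat_roles(config):
    """Map lower-cased interface name -> 'inside' or 'outside'."""
    roles, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line, re.I)
        if m:
            current = m.group(1).lower()
        elif raw and not raw[0].isspace():
            current = None  # any other unindented line ends the interface block
        elif current and (m := re.match(r"ip nat (inside|outside)$", line)):
            roles[current] = m.group(1)
    return roles

def audit_nat(config):
    """Return findings for every 'ip nat inside source list N interface X' rule."""
    roles = nat_roles(config)
    acls = set(re.findall(r"^access-list\s+(\d+)\s", config, re.M))
    rule = re.compile(
        r"^ip nat inside source list (\S+) interface (\S+)(?: +overload)? *$", re.M)
    findings = []
    for acl, ifname in rule.findall(config):
        role = roles.get(ifname.lower())  # names compared case-insensitively
        if role != "outside":
            findings.append(f"{ifname}: NAT rule translates to an interface marked "
                            f"{role or 'with no NAT role'}, expected 'ip nat outside'")
        if acl not in acls:
            findings.append(f"access-list {acl} used by the NAT rule is not defined")
    return findings

if __name__ == "__main__":
    for finding in audit_nat(SAMPLE):
        print(finding)
```
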

Alain;

That did the trick.  Your help has been invaluable.

Just so I understand, the overload command needed to tell the router that the addresses and packets coming from inside needed to be translated to the fa0 interface connected to the cable modem (outside), but was instead being "reflected" back to the inside, since it referenced vlan1 instead.

Also, the excluded-address was needed because the IP address of vlan1 was configured as a static address, so it wouldn't assign that address to one of the other hosts.

Once again, thanks for your help.

-Bruce

Orlando, FL.

Hi Bruce,

Yes what you are saying is correct.

Regards.

Alain.

Don't forget to rate helpful posts.