reg dynamic nat config

couple things:

1) usually the serial link is the outside, so:
int s0
ip nat outside

int e0
ip nat inside

2) are you doing 1-1 nat? or are you doing PAT(i.e. a couple of routables for the whole office?)
if so, you should use this:

ip nat inside source list 3 pool dyn overload

I'm not sure what this is:
ip route a.b.d.c 255.255.0.0 <gateway router id>
unless this a.b.c.d network is on a different router.

and a pet peeve of mine:

if you don't use snmp, get rid of this:
snmp-server community public RO
if you do, change the community string to something other than public and add an access list that restricts what hosts can walk your router, like this:

snmp-server community g@dz00k$ RO 10
access-list 10 permit 172.16.0.0 0.0.0.255 (an internal lan or your snmp monitoring collectors - hpov et al.)

Same thing for your line vty 0 4

line vty 0 4
access-class 10 in

:)

hi there..
thanx a lot for replying..i am using 1-1 dynamic NAT..
The a.b.d.c is the range of the mapped inside global addresses..apart from the snmp server do u think there is any other problem as to why the browser shudn't work.
Thanx once again..
Awaiting ur reply..

not sure why telnet would work and not http.

the snmp thing really was a tangential comment, more related to security of your environment than anything.

So, when you say telnet works and http doesn't, are you talking about from hosts on your internal lan(E0) going to servers outside your serial interface?

Did changing the ip nat outside/ip nat inside change anything?

What happens right after you try doing this and you do a
router> sh ip nat tra
and
router> sh ip nat sta

?
do you see the translations?

Another thing to try using to troubleshoot traffic is netflow.

on the inside and outside interfaces try this:

int e0
ip route-cache flow

int s0
ip route-cache flow

and after you do this, you can see outgoing and returning traffic by source/dest and protocols/ports. This is a great way to find things.

after this is done and you try using your browser, be on the router and issue the command:

router> sh ip cache flow

note: port numbers are in hex
protocols are in hex as well, so 06=tcp 11=tcp

So, you're looking for returning http traffic :)

i ven't tried interchanging the ip nat inside outside....

i don't think it will make much of a difference actually..but i better try it out once...


well...i am talking abt hosts of my internal LAN going out to servers connected outside...

whenever i give the command sh ip nat trans..i can see only the inside local and inside global translations whereas i cannot see the outside local and outside global translations...dunno why this is happening...

what does this ip route cache flow do ? what is it for and how does it help in configuring NAT?

Are you sure you have the subnet masks correct on both the Ethernet and the Serial interfaces? Don't see many serial links with Class A masks..

Please confirm for us that the Serial link is the 'outside' interface and the Ethernet link is the 'inside' interface.

Properly defining inside/outside will absolutely make a difference.

After you make the changes, save the config and either reboot the router, or clear ip nat trans

yes ..the subnet masks on the ethernet ans serial ports are fine..
abt interchanging the inside/outside...well..i actually configured the same router for overloading in the beginning with the same inside for serial and outside for ethernet and it worked...so i thot that it wud work even for dynamic in the same way...isn't it?
but now that u ve said it makes a difference..i'll certainly change it and see...

Is this related to your other question?

https://www.experts-exchange.com/questions/20522535/configuring-dynamic-NAT.html

Did you get the help you needed on that one? You never replied to anyone.

configuring netflow on your router allows you to get a better look into the traffic that goes into and out of your network.


You can use netflow data in determining whether or not you see outbound or return traffic.

It can be used for many things, but mostly I use it for troubleshooting.

hi there...
we have tried all that u have suggested.....we have changed the access-list and the source list,interchanged the interfaces et all....but there is not difference....the browser is not opening....
one question.....can we see the type of packet and the outside global and outside local addresses in the translation table??we are not able to view this....
thanx again..waiting for ur reply.
bye.

>....the browser is not opening....
Are you using a proper DNS server ip address? Can you ping any Internet IP addresses?
try pinging 198.6.1.2
Can you ping by FQDN?
try ping www.cisco.com

Can you traceroute?

yes..i ve tried piniging and it is working absoluely fine...and as i had mentioned earlier even my telnet is working properly..
wat is FQDN?
yes the DNS server's ip address is absolutely right...
can't just figure out wutz wrong...

yes thats exactly wat my problem is...i ve a client machine on the inside netwrok trying to get an external web page ....
i guess as u said somethin'blocking port 80....
i'll try wat u recommended and let u know...

radhikats,
No comment has been added lately (104 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Award points to lrmoore

Please leave any comments here within 7 days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Thanks,

lrmoore
EE Cleanup Volunteer
---------------------
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers,
please post comments here where a Moderator will see it.