reg dynamic nat config

Hi,
This is my dynamic NAT configuration. I can't figure out the mistake, as my telnet is working fine whereas the browser isn't working. Please reply as soon as possible; any help regarding this matter would be appreciated.

interface Ethernet0
 ip address <ip address> 255.255.255.0
 ip nat outside
!
interface Serial0
 ip address <ip address> 255.0.0.0
 ip nat inside
 no fair-queue
!
interface Serial1
 no ip address
!
ip nat pool dyn <pool> prefix-length 26
ip nat inside source list 3 pool dyn
ip classless
ip route 0.0.0.0 0.0.0.0 <gateway router id>
ip route a.b.d.c 255.255.0.0 <gateway router id>
no ip http server
!
access-list 3 permit a.b.c.d 0.0.255.255
snmp-server community public RO
line con 0
line aux 0
 transport input all
line vty 0 4
 password xxxxxxxx
 login
!
end
radhikatsAsked:
pedrowCommented:
A couple of things:

1) usually the serial link is the outside, so:
int s0
ip nat outside

int e0
ip nat inside

2) Are you doing 1-1 NAT, or are you doing PAT (i.e. a couple of routables for the whole office)?
If so, you should use this:

ip nat inside source list 3 pool dyn overload

I'm not sure what this is:
ip route a.b.d.c 255.255.0.0 <gateway router id>
unless this a.b.c.d network is on a different router.

and a pet peeve of mine:

if you don't use snmp, get rid of this:
snmp-server community public RO
if you do, change the community string to something other than public and add an access list that restricts what hosts can walk your router, like this:

snmp-server community g@dz00k$ RO 10
access-list 10 permit 172.16.0.0 0.0.0.255 (an internal lan or your snmp monitoring collectors - hpov et al.)

Same thing for your line vty 0 4

line vty 0 4
access-class 10 in

:)

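As an added illustration of the points pedrow raises (example code written for this page, not anything from the thread or from Cisco), the following Python script reads an IOS-style configuration and flags what a reviewer would check: a serial interface marked ip nat inside while the Ethernet is outside, a dynamic pool used without overload, a NAT source list that names an undefined access-list, an SNMP community that is public or has no access-list, vty lines without an access-class, and a 255.0.0.0 mask on a serial link. The addresses are RFC 5737 documentation ranges standing in for the redacted ones (an assumption), and the "hardened" copy is the posted config with the suggestions applied, so the linter reports nothing for it.

```python
import re
from typing import Dict, List

# Constructed copy of the posted configuration. The poster redacted the
# addresses, so RFC 5737 documentation ranges stand in for them (assumption).
POSTED_CONFIG = """\
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
interface Serial0
 ip address 198.51.100.1 255.0.0.0
 ip nat inside
ip nat pool dyn 203.0.113.1 203.0.113.62 prefix-length 26
ip nat inside source list 3 pool dyn
access-list 3 permit 192.0.2.0 0.0.255.255
snmp-server community public RO
line vty 0 4
 login
end
"""

# The same router with pedrow's suggestions applied: interfaces swapped,
# overload for PAT, non-default SNMP community behind an ACL, vty access-class.
HARDENED_CONFIG = """\
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
interface Serial0
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
ip nat pool dyn 203.0.113.1 203.0.113.62 prefix-length 26
ip nat inside source list 3 pool dyn overload
access-list 3 permit 192.0.2.0 0.0.0.255
access-list 10 permit 192.0.2.0 0.0.0.255
snmp-server community g@dz00k$ RO 10
line vty 0 4
 access-class 10 in
 login
end
"""

def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under their 'interface'/'line' parent; global commands go under ''."""
    blocks: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" "):
            blocks.setdefault(current, []).append(line)
        elif line.startswith(("interface ", "line ")):
            current = line
            blocks.setdefault(current, [])
        else:
            current = ""
            blocks[""].append(line)
    return blocks

def lint_nat_config(config: str) -> List[str]:
    """Return readable findings for the NAT and management issues raised in the thread."""
    blocks = parse_blocks(config)
    top = blocks[""]
    findings: List[str] = []
    for name, cmds in blocks.items():
        if not name.startswith("interface "):
            continue
        role = next((c.split()[-1] for c in cmds if c.startswith("ip nat ")), None)
        if name.startswith("interface Serial") and role == "inside":
            findings.append(f"{name}: WAN link marked 'ip nat inside'; the serial side is normally outside")
        if name.startswith("interface Ethernet") and role == "outside":
            findings.append(f"{name}: LAN marked 'ip nat outside'; the Ethernet side is normally inside")
        mask = next((c.split()[3] for c in cmds if c.startswith("ip address ")), None)
        if name.startswith("interface Serial") and mask == "255.0.0.0":
            findings.append(f"{name}: class A mask 255.0.0.0 on a serial link is unusual; verify it")
    acls = {c.split()[1] for c in top if c.startswith("access-list ")}
    for c in top:
        m = re.match(r"ip nat inside source list (\S+) pool (\S+)(.*)$", c)
        if m:
            acl, pool, rest = m.groups()
            if acl not in acls:
                findings.append(f"NAT source list {acl} refers to an access-list that is not defined")
            if "overload" not in rest:
                findings.append(f"pool {pool}: no 'overload', so this is one-to-one dynamic NAT (pool can run out)")
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?$", c)
        if m:
            community, mode, acl = m.groups()
            if community.lower() in ("public", "private"):
                findings.append(f"snmp-server: well-known community '{community}' with {mode} access")
            if acl is None:
                findings.append(f"snmp-server: community '{community}' is not restricted by an access-list")
    for name, cmds in blocks.items():
        if name.startswith("line vty") and not any(c.startswith("access-class ") for c in cmds):
            findings.append(f"{name}: no 'access-class ... in', so any reachable host may try to log in")
    return findings
```

Running lint_nat_config(POSTED_CONFIG) yields seven findings (the two reversed interface roles, the serial mask, the missing overload, the two SNMP points and the open vty lines); the hardened copy yields none. The overload finding is informational when one-to-one NAT is really intended, which is why the script reports rather than rewrites.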
radhikatsAuthor Commented:
Hi there,
Thanks a lot for replying. I am using 1-1 dynamic NAT.
The a.b.d.c is the range of the mapped inside global addresses. Apart from the SNMP server, do you think there is any other problem as to why the browser shouldn't work?
Thanks once again.
Awaiting your reply.
pedrowCommented:
Not sure why telnet would work and not http.

the snmp thing really was a tangential comment, more related to security of your environment than anything.

So, when you say telnet works and http doesn't, are you talking about from hosts on your internal lan(E0) going to servers outside your serial interface?

Did changing the ip nat outside/ip nat inside change anything?

What happens right after you try doing this and you do a
router> sh ip nat tra
and
router> sh ip nat sta

?
do you see the translations?

Another thing to try using to troubleshoot traffic is netflow.

on the inside and outside interfaces try this:

int e0
ip route-cache flow

int s0
ip route-cache flow

and after you do this, you can see outgoing and returning traffic by source/dest and protocols/ports. This is a great way to find things.

after this is done and you try using your browser, be on the router and issue the command:

router> sh ip cache flow

note: port numbers are in hex
protocols are in hex as well, so 06=tcp 11=tcp

So, you're looking for returning http traffic :)
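To show what the netflow check above buys you, here is an added Python example (written for this page, not from the thread or from Cisco) that parses the flow table of "show ip cache flow", decodes the hex Pr/SrcP/DstP columns (06 is TCP, 11 is 0x11 = 17 = UDP, 0050 is port 80), and answers the question pedrow is asking: do outbound port 80 flows leave on the serial interface, and do replies come back? The output is a constructed sample laid out like the IOS table; the interface names Et0/Se0 and the inside-global address 203.0.113.5 seen on the serial link are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# IP protocol numbers as they appear in the Pr column (hex on the router,
# decoded to decimal here): 0x01 = ICMP, 0x06 = TCP, 0x11 = 17 = UDP.
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class Flow:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    pkts: int


# Constructed sample laid out like the flow table of "show ip cache flow";
# it is not output from the poster's router. 192.0.2.10 is the inside-local
# client; 203.0.113.5 is assumed to be its inside-global address as seen on
# the serial link (an assumption about where the cache samples relative to NAT).
SAMPLE_OUTPUT = """\
IP packet size distribution (16 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .250 .125 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0           192.0.2.10      Se0           198.6.1.2       11 0C2A 0035     1
Se0           198.6.1.2       Et0           203.0.113.5     11 0035 0C2A     1
Et0           192.0.2.10      Se0           198.133.219.25  06 0D40 0017     3
Se0           198.133.219.25  Et0           203.0.113.5     06 0017 0D40     2
Et0           192.0.2.10      Se0           198.133.219.25  06 0D3F 0050     5
Se0           198.133.219.25  Et0           203.0.113.5     06 0050 0D3F     4
"""

FLOW_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)


def parse_cache_flow(text: str) -> List[Flow]:
    """Pick the flow rows out of the command output, skipping the header and
    the packet-size histogram, and decode the hex protocol and port fields."""
    flows: List[Flow] = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        sif, sip, dif, dip, pr, sp, dp, pkts = m.groups()
        flows.append(Flow(sif, sip, dif, dip, int(pr, 16), int(sp, 16), int(dp, 16), int(pkts)))
    return flows


def describe(flow: Flow) -> str:
    """Render one flow in the decimal form people actually think in."""
    name = PROTOCOLS.get(flow.proto, str(flow.proto))
    return (f"{name} {flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port} "
            f"({flow.src_if} -> {flow.dst_if}, {flow.pkts} pkts)")


def http_flows(flows: List[Flow], inside_if: str, outside_if: str) -> Tuple[List[Flow], List[Flow]]:
    """Split TCP/80 flows into outbound requests (inside -> outside, dst port 80)
    and returning replies (outside -> inside, src port 80)."""
    outbound = [f for f in flows if f.proto == 6 and f.dst_port == 80
                and f.src_if == inside_if and f.dst_if == outside_if]
    returning = [f for f in flows if f.proto == 6 and f.src_port == 80
                 and f.src_if == outside_if and f.dst_if == inside_if]
    return outbound, returning


def diagnose_http(text: str, inside_if: str = "Et0", outside_if: str = "Se0") -> str:
    """The question the netflow check answers: does port 80 leave the router,
    and does anything on port 80 come back?"""
    outbound, returning = http_flows(parse_cache_flow(text), inside_if, outside_if)
    if not outbound:
        return "no outbound HTTP on the inside interface: look at the client or the NAT access-list"
    if not returning:
        return "outbound HTTP seen but no port 80 replies: look upstream or at the translation"
    return "HTTP flows in both directions: the router is passing port 80"
```

In the sample the telnet (port 0x0017 = 23) and DNS (0x0035 = 53) exchanges are answered and so is the HTTP request, so diagnose_http reports both directions; drop the Se0 rows and it reports the "no replies" case, which is the symptom the thread is chasing.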

radhikatsAuthor Commented:
I haven't tried interchanging the ip nat inside/outside.

I don't think it will make much of a difference actually, but I had better try it out once.

Well, I am talking about hosts on my internal LAN going out to servers connected outside.

Whenever I give the command sh ip nat trans, I can see only the inside local and inside global translations, whereas I cannot see the outside local and outside global translations. I don't know why this is happening.

What does this ip route-cache flow do? What is it for and how does it help in configuring NAT?
lrmooreCommented:
Are you sure you have the subnet masks correct on both the Ethernet and the Serial interfaces? Don't see many serial links with Class A masks..

Please confirm for us that the Serial link is the 'outside' interface and the Ethernet link is the 'inside' interface.

Properly defining inside/outside will absolutely make a difference.

After you make the changes, save the config and either reboot the router, or clear ip nat trans

radhikatsAuthor Commented:
Yes, the subnet masks on the Ethernet and serial ports are fine.
About interchanging the inside/outside: well, I actually configured the same router for overloading in the beginning with the same inside for serial and outside for Ethernet and it worked, so I thought that it would work even for dynamic in the same way. Isn't it?
But now that you have said it makes a difference, I'll certainly change it and see.
lrmooreCommented:
Is this related to your other question?

http://www.experts-exchange.com/Hardware/Routers/Q_20522535.html

Did you get the help you needed on that one? You never replied to anyone.
pedrowCommented:
configuring netflow on your router allows you to get a better look into the traffic that goes into and out of your network.


You can use netflow data in determining whether or not you see outbound or return traffic.

It can be used for many things, but mostly I use it for troubleshooting.

radhikatsAuthor Commented:
Hi there,
We have tried all that you have suggested. We have changed the access-list and the source list, interchanged the interfaces et al., but there is no difference. The browser is not opening.
One question: can we see the type of packet and the outside global and outside local addresses in the translation table? We are not able to view this.
Thanks again. Waiting for your reply.
Bye.
lrmooreCommented:
>....the browser is not opening....
Are you using a proper DNS server ip address? Can you ping any Internet IP addresses?
try pinging 198.6.1.2
Can you ping by FQDN?
try ping www.cisco.com

Can you traceroute?
radhikatsAuthor Commented:
Yes, I have tried pinging and it is working absolutely fine, and as I had mentioned earlier even my telnet is working properly.
What is FQDN?
Yes, the DNS server's IP address is absolutely right.
Can't just figure out what's wrong.
lrmooreCommented:
Can you open a DOS prompt, and type:
C:\>nslookup www.cisco.com
Server:  cache01.ns.uu.net
Address:  198.6.1.2

Non-authoritative answer:
Name:    www.cisco.com
Address:  198.133.219.25

If ping is working, then we have ruled out a routing issue and a NAT issue. What we have left is a name-resolution issue or something blocking port 80. The results of the above test will tell us even more.

Just to make sure we're on the same page:
You have a client machine on the inside network trying to get to an external web page like www.cisco.com, and not trying to browse a server that lives on your LAN from the outside?

Do you have any other access lists? Can you post your COMPLETE config?

radhikatsAuthor Commented:
Yes, that's exactly what my problem is. I have a client machine on the inside network trying to get an external web page.
I guess, as you said, something's blocking port 80.
I'll try what you recommended and let you know.
lrmooreCommented:
radhikats,
No comment has been added lately (104 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Award points to lrmoore

Please leave any comments here within 7 days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Thanks,

lrmoore
EE Cleanup Volunteer
---------------------
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers,
please post comments here where a Moderator will see it.