ljucas asked:
How do you properly add a static route for an internal host on a NATTED Cisco 2600

I have a 2611 router with 2 Ethernet connections. E0 is to the Internet provider, E1 is to the internal network. NATing is being done between the internal and external network. E0 has a /30 subnet attached to the interface with .9 being the gateway address. A second subnet of 14 addresses is routed through the E0 interface subnet by the ISP.

PROBLEM: All is working well except that it doesn't appear that I can assign a static route between an internal host address and an external address in the second subnet. I assigned a static route between the inside address and the outside address but was not able to successfully ping it. I believe I have my static route correct; I probably have set up my ip route incorrectly. Any help will be appreciated. My config is below; I have changed the external addresses to 219.

router2600#sh run
Building configuration...

Current configuration : 860 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
ip subnet-zero
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 219.xx.xx.10 255.255.255.252
 ip nat outside
 no ip mroute-cache
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.0.0
 ip nat inside
 no ip mroute-cache
 speed 100
 full-duplex
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 10.1.1.35 219.xx.xx.65
ip classless
ip route 0.0.0.0 0.0.0.0 219.xx.xx.9
ip route 219.xx.xx.64 255.255.255.240 219.xx.xx.9
ip http server
ip pim bidir-enable
!
!
access-list 1 permit 10.1.0.0 0.0.255.255
!
end

YipesNet2600#
Les Moore

This is a redundant route statement:
>ip route 219.xx.xx.64 255.255.255.240 219.xx.xx.9

Since your default route points to the same gateway, that doesn't do anything. The default is all you need.

If you're trying to ping something and can't, but you can browse the web and do other stuff, it's because the ISP has locked down ICMP pings. My ISP (cable) has done the same thing recently in response to the MSBlaster and Welchia worm infestation.

ljucas (asker)

I can live with the redundant route concept but not the ping. I can ping my external interface address through the ISP from an external source (using one of the public traceroute sites). If I can ping my 2600's E0 interface I should be able to ping through to my host that is assigned the static address. A traceroute to the IP address in question also gets me to the external interface of my router.

I keep thinking that somehow the reply is not getting out. Should the static address be assigned to the OUTSIDE NAT instead of the INSIDE?
>ip nat inside source static 10.1.1.35 219.xx.xx.65

If this is what you're talking about...
Can the host go out to the web and stuff using that IP address?

I don't see any access-lists that will prevent icmp.
Check the default gateway of that host. Is it 10.1.1.1? Is the subnet mask correct? 255.255.0.0...

This doesn't make any sense.  How can you nat a device to a network that is not directly connected to an interface on the router?

The only way I know of would be to "ghost" the 219.xx.xx.64 255.255.255.240 network and point it internally (i.e. use it only for NAT).
If that is the case, then you have the route backwards. It should be something like this:
ip route 219.xx.xx.64 255.255.255.240 10.1.1.35 1

Or you could just point it at the interface (IOS takes the interface name directly, with no "interface" keyword):
ip route 219.xx.xx.64 255.255.255.240 FastEthernet0/1

The above scenario would be used if you purchased more IP space from the ISP and didn't want to readdress your outside interface.
The ISP router would have to have the 219.xx.xx.64 255.255.255.240 network pointed at 219.xx.xx.10 to make this work.
So if you didn't get my above post...

where exactly is this 219.xx.xx.64 255.255.255.240 network?
ljucas (asker)

The .64 address block is a second block of addresses to be used to facilitate the implementation of my firewall. It will be the public address block between the E1 interface and the firewall (eventually). Since my ISP is actually an IP Network Services provider, all connectivity to them is via a TCP/IP network connection. They are routing the .64 /28 addresses to the 209.xx.xx.8 /30 address block. This is the address block that is assigned to the E0 interface. Hope this clarifies matters a bit. Now let me complicate them again.

I am able to telnet to the internal host using the external address from an external location, but I still cannot ping successfully -- very perplexing. Other than the 2611, I currently do not have anything between the external gateway and the internal host.


Can ping outside interface.
Can telnet to natted host, but can't ping it.

Two things that will stop it:
Any firewall software on the server that won't respond to a ping?

I go back to my original statement that many ISPs are blocking ICMP. They don't block to the "transit" IP that you have on the external interface, otherwise they could not manage their own network very well.
ASKER CERTIFIED SOLUTION
t1n0m3n

>They are routing the .64 /28 addresses to the 209.xx.xx.8 /30 address block.

I hope they are routing the .64/28 addresses to the IP address of your outside interface, because if not, you will never get this to work.
ljucas (asker)

Thanks for the help.
The route
ip route 219.xx.xx.64 255.255.255.240 219.xx.xx.9
should read
ip route 219.xx.xx.64 255.255.255.240 10.1.1.1
Try it and let us know how it works.
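The thread turns on two things: which way the 219.xx.xx.64/28 route should point, and why telnet to the static-NAT host works while ping does not. The following is an added illustrative model, not the poster's configuration, not IOS code and not a router simulator, of the order in which Cisco IOS applies NAT and routing: for packets entering the NAT-outside interface the global-to-local translation happens before the route lookup, and for packets entering the NAT-inside interface the route lookup happens first and the local-to-global translation afterwards. The addresses are the ones in the posted config, with 219.0.0.x standing in for the masked 219.xx.xx.x octets, and 203.0.113.5 is a constructed outside host.

```python
"""Illustrative model of the Cisco IOS NAT order of operations.

Added example for this thread; not the poster's config and not IOS code.
Addresses follow the posted config, with 219.0.0.x standing in for the
masked 219.xx.xx.x octets.

Inside -> outside : route lookup first, then translate (local -> global).
Outside -> inside : translate (global -> local) first, then route lookup.
"""
import ipaddress

# Connected interfaces, as in the posted config
INTERFACES = {
    "FastEthernet0/0": {"network": ipaddress.ip_network("219.0.0.8/30"),
                        "address": ipaddress.ip_address("219.0.0.10"),
                        "nat": "outside"},
    "FastEthernet0/1": {"network": ipaddress.ip_network("10.1.0.0/16"),
                        "address": ipaddress.ip_address("10.1.1.1"),
                        "nat": "inside"},
}

# "ip route" entries from the posted config: (prefix, next hop)
STATIC_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("219.0.0.9")),
    (ipaddress.ip_network("219.0.0.64/28"), ipaddress.ip_address("219.0.0.9")),
]

# ip nat inside source static 10.1.1.35 219.xx.xx.65
STATIC_NAT = {ipaddress.ip_address("10.1.1.35"): ipaddress.ip_address("219.0.0.65")}
GLOBAL_TO_LOCAL = {g: l for l, g in STATIC_NAT.items()}
# access-list 1 permit 10.1.0.0 0.0.255.255; overload uses Fa0/0's own address
INSIDE_ACL = ipaddress.ip_network("10.1.0.0/16")


def connected_interface(addr):
    """Name of the interface whose subnet contains addr, or None."""
    for name, intf in INTERFACES.items():
        if addr in intf["network"]:
            return name
    return None


def lookup(dst):
    """Longest-prefix match over connected subnets and static routes.

    Returns (matched prefix as str, egress interface) or (None, None).
    A static route's egress is the interface its next hop is connected to.
    """
    dst = ipaddress.ip_address(dst)
    candidates = [(intf["network"], name) for name, intf in INTERFACES.items()
                  if dst in intf["network"]]
    for prefix, next_hop in STATIC_ROUTES:
        egress = connected_interface(next_hop)
        if dst in prefix and egress is not None:
            candidates.append((prefix, egress))
    if not candidates:
        return None, None
    prefix, egress = max(candidates, key=lambda c: c[0].prefixlen)
    return str(prefix), egress


def forward(ingress, src, dst):
    """Apply NAT and routing in the order IOS uses for the ingress interface.

    Returns the packet as it leaves the router and the route that was used.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if INTERFACES[ingress]["nat"] == "outside":
        # Outside -> inside: the global destination is translated before the
        # route lookup, so the lookup runs on the inside (local) address.
        dst = GLOBAL_TO_LOCAL.get(dst, dst)
        prefix, egress = lookup(dst)
    else:
        # Inside -> outside: route first; translate the source only if the
        # packet actually leaves through a NAT-outside interface.
        prefix, egress = lookup(dst)
        if egress is not None and INTERFACES[egress]["nat"] == "outside":
            if src in STATIC_NAT:
                src = STATIC_NAT[src]
            elif src in INSIDE_ACL:          # overload onto the interface address
                src = INTERFACES[egress]["address"]
    return {"src": str(src), "dst": str(dst), "route": prefix, "egress": egress}


if __name__ == "__main__":
    # Inbound telnet or ICMP from the Internet to the static global address
    print(forward("FastEthernet0/0", "203.0.113.5", "219.0.0.65"))
    # The inside host's reply
    print(forward("FastEthernet0/1", "10.1.1.35", "203.0.113.5"))
    # An unused address in the /28: nothing translates it, so the posted /28
    # route hands it straight back to the ISP gateway that just delivered it
    print(forward("FastEthernet0/0", "203.0.113.5", "219.0.0.66"))
```

With the posted config, an inbound packet for 219.0.0.65 is rewritten to 10.1.1.35 before the route lookup, so it matches the connected 10.1.0.0/16 and goes out FastEthernet0/1; the reply from 10.1.1.35 takes the default route and is rewritten back to .65 on the way out. The 219.xx.xx.64/28 route is therefore never consulted for the translated host, which is consistent with telnet working and puts a failed ping somewhere other than that route (the host's own firewall or ICMP filtering upstream, as raised in the thread). Where the route does matter is for addresses in the /28 that have no static entry: pointed at 219.xx.xx.9 while the ISP points the same /28 at 219.xx.xx.10, those packets bounce between the two routers until their TTL expires, which is why pointing the /28 inward rather than back at the ISP is the cleaner choice.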