• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 322

How do you properly add a static route for an internal host on a NATTED Cisco 2600

I have a 2611 router with 2 ethernet connections. E0 is to the Internet provider, E1 is to the internal network. There is NATTING being done between the internal and external network. E0 has a /30 subnet attached to the interface with .9 being the gateway address. A second subnet of 14 addresses is routed through the E0 interface subnet by the ISP.

PROBLEM: All is working well except it doesn't appear that I can assign a static route between an internal host address and an external address in the second subnet. I assigned a static route between the inside address and the outside address but was not able to successfully ping it. I believe I have my static route correct; I probably have set up my ip route incorrectly. Any help will be appreciated. My config is below; I have changed the external addresses to 219.

router2600#sh run
Building configuration...

Current configuration : 860 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
ip subnet-zero
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 219.xx.xx.10 255.255.255.252
 ip nat outside
 no ip mroute-cache
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.0.0
 ip nat inside
 no ip mroute-cache
 speed 100
 full-duplex
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 10.1.1.35 219.xx.xx.65
ip classless
ip route 0.0.0.0 0.0.0.0 219.xx.xx.9
ip route 219.xx.xx.64 255.255.255.240 219.xx.xx.9
ip http server
ip pim bidir-enable
!
!
access-list 1 permit 10.1.0.0 0.0.255.255
!
end

YipesNet2600#
0
1 Solution
lrmoore commented:
This is a redundant route statement:
>ip route 219.xx.xx.64 255.255.255.240 219.xx.xx.9

Since your default route points to the same gateway, that doesn't do anything. The default is all you need.

If you're trying to ping something and can't, but you can browse the web and do other stuff, it's because the ISP has locked down ICMP pings. My ISP (cable) has done the same thing recently in response to the MSBlaster and Welchia worm infestation.

0
 
ljucas (Author) commented:
I can live with the redundant route concept but not the ping. I can ping my external interface address through the ISP from an external source (using one of the public traceroute sites). If I can ping my 2600's E0 interface I should be able to ping through to my host that is assigned the static address. A traceroute to the IP address in question also gets me to the external interface of my router.

I keep thinking that somehow the reply is not getting out. Should the static address be assigned to the OUTSIDE NAT instead of the INSIDE?
0
 
lrmoore commented:
>ip nat inside source static 10.1.1.35 219.xx.xx.65

If this is what you're talking about...
Can the host go out to the web and stuff using that IP address?

I don't see any access-lists that will prevent icmp.
Check the default gateway of that host. Is it 10.1.1.1? Is the subnet mask correct? 255.255.0.0...

0
 
t1n0m3n commented:
This doesn't make any sense. How can you NAT a device to a network that is not directly connected to an interface on the router?

The only way I know of would be to "ghost" the 219.xx.xx.64 255.255.255.240 network and point it internally (i.e. use it only for NAT).
If that is the case, then you have the route backwards.  It should be something like this:
ip route 219.xx.xx.64 255.255.255.240 10.1.1.35 1

Or you could just point it at the interface (IOS takes the interface name directly, with no "interface" keyword):
ip route 219.xx.xx.64 255.255.255.240 FastEthernet0/1

The above scenario would be used if you purchased more IP space from the ISP and didn't want to readdress your outside interface.
The ISP router would have to have the 219.xx.xx.64 255.255.255.240 network pointed at 219.xx.xx.10 to make this work.
0
 
t1n0m3n commented:
So if you didn't get my above post...

where exactly is this 219.xx.xx.64 255.255.255.240 network?
0
 
ljucas (Author) commented:
The .64 address block is a second block of addresses to be used to facilitate the implementation of my firewall. It will be the public address block between the E1 interface and the firewall (eventually). Since my ISP is actually an IP Network Services provider, all connectivity to them is via a TCP/IP network connection. They are routing the .64 /28 addresses to the 209.xx.xx.8 /30 address block. This is the address block that is assigned to the E0 interface. Hope this clarifies matters a bit. Now let me complicate them again.

I am able to telnet to the internal host using the external address from an external location but I still cannot ping successfully -- very perplexing. Other than the 2611, I currently do not have anything between the external gateway and the internal host.

0
 
lrmoore commented:

Can ping outside interface.
Can telnet to natted host, but can't ping it.

Two things that will stop it:
Any firewall software on the server that won't respond to a ping?

I go back to my original statement that many ISPs are blocking ICMP. They don't block to the "transit" IP that you have on the external interface, otherwise they could not manage their own network very well.
0
 
t1n0m3n commented:
OK so, the .64 address doesn't really exist anywhere yet.

So my solution is valid.

Route the .64 box internal and use it only for NAT.

The point of routing the .64 addresses internally is to get your router to say "Hey these addresses are for me." And once they come across the outside interface, they are natted or dropped per your ACL/NAT policy.
0
 
t1n0m3n commented:
> They are routing the .64 /28 addresses to the 209.xx.xx.8 /30 address block.

I hope they are routing the .64/28 addresses to the IP address of your outside interface, because if not, you will never get this to work.
0
 
ljucas (Author) commented:
Thanks for the help.
0
 
t1n0m3n commented:
The route
ip route 219.xx.xx.64 255.255.255.240 219.xx.xx.9
should read
ip route 219.xx.xx.64 255.255.255.240 10.1.1.1
0
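What t1n0m3n's approach looks like as a complete IOS fragment, together with the check a practitioner would want before publishing an inside host this way: a static NAT entry with no access list on the outside interface exposes every port of 10.1.1.35 to the Internet, and `ip http server` is enabled on the same Internet-facing router. This is an added example, not the original poster's configuration or anything a participant in the thread wrote. The 219.xx.xx.x placeholders and interface names are taken from the page; access list 101, its contents, the Null0 route form and the use of telnet as the published service are assumptions chosen to match the thread's own test (telnet works, ping does not).

```ios
! Added example (not the thread's config). 219.xx.xx.x are the page's
! placeholders; ACL 101 and its entries are assumptions.
!
! 1. Own the routed /28 on the router itself so it never falls into the
!    default route. Null0 is the usual form when the block exists only
!    for NAT; FastEthernet0/1 (t1n0m3n's form) also works.
no ip route 219.xx.xx.64 255.255.255.240 219.xx.xx.9
ip route 219.xx.xx.64 255.255.255.240 Null0
!
! 2. Publish the inside host (unchanged from the thread).
ip nat inside source static 10.1.1.35 219.xx.xx.65
!
! 3. Limit what the Internet can reach. Inbound ACLs on an "ip nat outside"
!    interface are evaluated before the outside-to-inside translation, so
!    they match the global (219.xx.xx.65) address, not 10.1.1.35.
!    Echo is allowed on purpose so a failed ping can be blamed on the host
!    or the ISP rather than on this filter.
access-list 101 permit tcp any host 219.xx.xx.65 eq telnet
access-list 101 permit icmp any host 219.xx.xx.65 echo
access-list 101 permit icmp any host 219.xx.xx.10 echo
! Return traffic for the overloaded (PAT) inside users. The ACL is
! stateless: TCP uses "established", UDP needs explicit entries (DNS shown).
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain host 219.xx.xx.10
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny ip any any log
!
interface FastEthernet0/0
 ip access-group 101 in
!
! 4. Nothing in the thread needs the router's own web server, and it is
!    otherwise reachable from the outside.
no ip http server
```

After applying it, `show ip nat translations` while pinging 219.xx.xx.65 from outside shows whether an ICMP entry is being created at all (if it is, the echo reaches the router and is translated, and the silence is on the host, for example a host firewall, as lrmoore suggested); `show access-lists 101` shows which entries are matching and whether the final deny is logging the probe. A stateless ACL like this one is the minimum; a stateful inspection feature on the router or a real firewall behind it, which the poster says is the eventual plan, is the better long-term control.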
 
t1n0m3n commented:
Try it and let us know how it works.

0
