Solved

How do you properly add a static route for an internal host on a NATTED Cisco 2600

Posted on 2003-10-27
Last Modified: 2010-04-17
I have a 2611 router with 2 Ethernet connections. E0 is to the Internet provider, E1 is to the internal network. There is NATting being done between the internal and external network. E0 has a /30 subnet attached to the interface with .9 being the gateway address. A second subnet of 14 addresses is routed through the E0 interface subnet by the ISP.

PROBLEM: All is working well except it doesn't appear that I can assign a static route between an internal host address and an external address in the second subnet. I assigned a static route between the inside address and the outside address but was not able to successfully ping it. I believe I have my static route correct; I probably have set up my ip route incorrectly. Any help will be appreciated. My config is below. I have changed the external addresses to 219.

router2600#sh run
Building configuration...

Current configuration : 860 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
ip subnet-zero
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 219.xx.xx.10 255.255.255.252
 ip nat outside
 no ip mroute-cache
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.0.0
 ip nat inside
 no ip mroute-cache
 speed 100
 full-duplex
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 10.1.1.35 219.xx.xx.65
ip classless
ip route 0.0.0.0 0.0.0.0 219.xx.xx.9
ip route 219.xx.xx.64 255.255.255.240 219.xx.xx.9
ip http server
ip pim bidir-enable
!
!
access-list 1 permit 10.1.0.0 0.0.255.255
!
end

YipesNet2600#
Question by:ljucas

12 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 9629566
this is a redundant route statement
>ip route 219.xx.xx.64 255.255.255.240 219.xx.xx.9

Since your default route points to the same gateway, that doesn't do anything. The default is all you need.

If you're trying to ping something and can't, but you can browse the web and do other stuff, it's because the ISP has locked down ICMP pings. My ISP (cable) has done the same thing recently in response to the MSBlaster and Welchia worm infestation..

 

Author Comment

by:ljucas
ID: 9629675
I can live with the redundant route concept but not the ping. I can ping my external interface address through the ISP from an external source (using one of the public traceroute sites). If I can ping my 2600 E0 interface I should be able to ping through to my host that is assigned the static address. A traceroute to the IP address in question also gets me to the external interface of my router.

I keep thinking that somehow the reply is not getting out. Should the static address be assigned to the OUTSIDE NAT instead of the INSIDE?
 
LVL 79

Expert Comment

by:lrmoore
ID: 9629757
>ip nat inside source static 10.1.1.35 219.xx.xx.65

If this is what you're talking about...
Can the host go out to the web and stuff using that IP address?

I don't see any access-lists that will prevent icmp.
Check the default gateway of that host. Is it 10.1.1.1? Is the subnet mask correct? 255.255.0.0...

 
LVL 3

Expert Comment

by:t1n0m3n
ID: 9630978
This doesn't make any sense. How can you NAT a device to a network that is not directly connected to an interface on the router?

The only way I know of would be to "ghost" the 219.xx.xx.64 255.255.255.240 network and point it internally (i.e. use it only for NAT).
If that is the case, then you have the route backwards.  It should be something like this:
ip route 219.xx.xx.64 255.255.255.240 10.1.1.35 1

Or you could just point it to the interface:
ip route 219.xx.xx.64 255.255.255.240 FastEthernet0/1

The above scenario would be used if you purchased more IP space from the ISP and didn't want to readdress your outside interface.
The ISP router would have to have the 219.xx.xx.64 255.255.255.240 network pointed at 219.xx.xx.10 to make this work.
 
LVL 3

Expert Comment

by:t1n0m3n
ID: 9630984
So if you didn't get my above post.....

where exactly is this 219.xx.xx.64 255.255.255.240 network?
 

Author Comment

by:ljucas
ID: 9633435
The .64 address block is a second block of addresses to be used to facilitate the implementation of my firewall. It will be the public address block between the E1 interface and the firewall (eventually). Since my ISP is actually an IP Network Services provider, all connectivity to them is via a TCP/IP network connection. They are routing the .64 /28 addresses to the 209.xx.xx.8 /30 address block. This is the address block that is assigned to the E0 interface. Hope this clarifies matters a bit. Now let me complicate them again.

I am able to telnet to the internal host using the external address from an external location but I still cannot ping successfully -- very perplexing. Other than the 2611, I currently do not have anything between the external gateway and the internal host.

 
LVL 79

Expert Comment

by:lrmoore
ID: 9633471

Can ping outside interface.
Can telnet to natted host, but can't ping it.

Two things that will stop it:
Any firewall software on the server that won't respond to a ping?

I go back to my original statement that many ISPs are blocking ICMP. They don't block to the "transit" IP that you have on the external interface, otherwise they could not manage their own network very well..
 
LVL 3

Accepted Solution

by: t1n0m3n (earned 250 total points)
ID: 9633601
OK so, the .64 address doesn't really exist anywhere yet.

So my solution is valid.

Route the .64 box internal and use it only for NAT.

The point of routing the .64 addresses internally is to get your router to say "Hey these addresses are for me." And once they come across the outside interface, they are natted or dropped per your ACL/NAT policy.
 
LVL 3

Expert Comment

by:t1n0m3n
ID: 9633612
They are routing the .64 /28 addresses to the 209.xx.xx.8 /30 address block.
------------------------------------------------------------

I hope they are routing the .64/28 addresses to the IP address of your outside interface....because if not, you will never get this to work.
 

Author Comment

by:ljucas
ID: 9633620
Thanks for the help.
 
LVL 3

Expert Comment

by:t1n0m3n
ID: 9633633
The route
ip route 219.xx.xx.64 255.255.255.240 219.xx.xx.9
should read
ip route 219.xx.xx.64 255.255.255.240 10.1.1.1
 
LVL 3

Expert Comment

by:t1n0m3n
ID: 9633636
Try it and let us know how it works.
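Putting the accepted solution together, here is an added example of the relevant part of the 2611's configuration with the /28 owned by the router instead of routed back toward the ISP. This is not a config from the thread or from the asker; the addresses are the same 219.xx.xx.x placeholders as the question and the xx octets still have to be filled in. One deliberate difference from the thread: the block is routed to Null0 rather than to the 10.1.1.1 next hop t1n0m3n gives. Both make the router treat the block as its own, but Null0 also discards packets for addresses in the /28 that have no NAT entry, instead of letting them bounce between the two routers.

```cisco
! Added example, not the configuration posted in the question.
! 219.xx.xx.x are the question's placeholders; fill in the real octets.
!
service password-encryption
!
interface FastEthernet0/0
 description Uplink to ISP (219.xx.xx.8/30, ISP gateway is .9)
 ip address 219.xx.xx.10 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description Inside LAN
 ip address 10.1.1.1 255.255.0.0
 ip nat inside
!
! Ordinary inside hosts share the outside interface address (PAT).
access-list 1 permit 10.1.0.0 0.0.255.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! One-to-one static mapping from the routed /28. For packets arriving on
! the nat outside interface, IOS translates the destination before the
! routing lookup, so a packet for .65 is rewritten to 10.1.1.35 and then
! routed out FastEthernet0/1.
ip nat inside source static 10.1.1.35 219.xx.xx.65
!
! Default route toward the ISP.
ip route 0.0.0.0 0.0.0.0 219.xx.xx.9
!
! Own the /28 locally. The original config pointed this route at
! 219.xx.xx.9, which duplicates the default and, because the ISP routes
! the /28 back to .10, would send an untranslated packet for an unused
! address (say .70) back and forth until its TTL expires. With Null0
! such packets are dropped here; addresses with a NAT entry are
! translated before this route is ever consulted.
ip route 219.xx.xx.64 255.255.255.240 Null0
!
! The posted config had the HTTP server enabled with no access
! restriction on an Internet-facing router; turn it off unless needed.
no ip http server
```

After applying this, check that the translation exists with `show ip nat translations` (the static entry for 10.1.1.35 / 219.xx.xx.65 should be listed even with no traffic) and that `show ip route 219.xx.xx.70` resolves to Null0. If telnet to .65 still works but ping does not, the NAT and routing on the 2611 are doing their job; `debug ip icmp` on the router shows whether the echo request is arriving and whether the host's reply is leaving, which separates a host firewall from ISP ICMP filtering, the two causes lrmoore raises in the thread.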