mrobert2127
asked on
Setting up Cisco route without a default gateway
We are setting up a Cisco Router behind a DSL modem using DHCP Spoofing.
However, the DSL provider does not provide a Default Gateway address. They say you do not need one.
I cannot ping the external network without an IP route set.
My router is assigned an IP address of 213.123.200.50
If I make my ip route say, ip route 0.0.0.0 0.0.0.0 213.123.200.1 I can ping the outside network from within the Cisco box. If I try to ping from my computer I can see the 213.123.200.50 address but nothing past it.
I also changed the ip route to 0.0.0.0 0.0.0.0 213.123.200.49
My router is assigned an IP address of 213.123.200.50
If I make my ip route say, ip route 0.0.0.0 0.0.0.0 213.123.200.49 I can ping the outside network from within the Cisco box. If I try to ping from my computer I can see the 213.123.200.50 address but nothing past it.
My computer is set to have the default gateway as the internal IP on my Cisco box.
I have several similar routers around the US but all the ISPs have provided a default gateway. Is there a way to set this up without a default gateway?
ASKER
Still Not working.
Below is the config from the router. Of course the names have been changed to protect the innocent.
The setup is almost exactly like 3 other routers we have.
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Test_Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 aaaaaaaa
enable password aaaaaaaa
!
username username password 0 password
aaa new-model
!
!
aaa authentication login testauth local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
!
ip cef
ip inspect name mcns smtp timeout 45
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
!
crypto isakmp policy 3
authentication pre-share
group 2
crypto isakmp key password address xx.xx.xx.xx no-xauth
crypto isakmp keepalive 30 3
!
crypto isakmp client configuration group Test
key password
dns 197.1.3.102
domain test.usa
pool ippool
acl 102
!
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list testauth
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 15 ipsec-isakmp
set peer xxx.xx.xx.xx
set transform-set myset
match address 100
crypto map clientmap 100 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address dhcp
ip access-group 115 out
no ip unreachables
ip nat outside
ip route-cache flow
half-duplex
no cdp enable
crypto map clientmap
!
interface FastEthernet0
ip address 197.1.3.220 255.255.255.0
ip nat inside
ip inspect mcns in
ip route-cache flow
speed auto
half-duplex
no cdp enable
!
ip local pool ippool 10.1.254.1 10.1.254.254
ip nat inside source route-map nonat interface FastEthernet0 overload
ip nat inside source static tcp 197.1.3.56 1352 197.1.20.189 1352 extendable
ip nat inside source static tcp 197.1.3.56 25 .213.123.200.50 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 213.123.200.49
no ip http server
no ip http secure-server
!
!
!
access-list 100 permit ip 197.1.3.0 0.0.0.255 197.1.0.0 0.0.0.255
access-list 101 deny ip 197.1.3.0 0.0.0.255 10.1.254.0 0.0.0.255
access-list 101 deny ip 197.1.3.0 0.0.0.255 197.1.0.0 0.0.0.255
access-list 101 permit ip 197.1.3.0 0.0.0.255 any
access-list 102 permit ip 197.1.3.0 0.0.0.255 10.1.254.0 0.0.0.255
access-list 115 permit ip any any
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny udp any any eq 445
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 139
access-list 115 deny tcp any any eq 593
access-list 115 deny tcp any any eq 4444
access-list 115 deny tcp any any eq 4751
access-list 115 deny udp any any eq 4751
no cdp run
!
route-map nonat permit 10
match ip address 101
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password password
!
no scheduler allocate
!
end
Thanks
Mark
Do you own the 197.1.x.x block of IP addresses? or are you changing them in your posted config? These are registered addresses so you don't need to run NAT on them yet you are via the route-map. You also have registered to registered address static NAT's which is a little confusing.
ASKER
The addresses were changed in my posted config.
What did you mean by,
You also have registered to registered address static NAT's
The addresses are private right? 192.168.x.x addresses? or 10.x.x.x?
Nevermind the registered to registered address static NAT's since you changed the addresses in your config.
>ip nat inside source route-map nonat interface FastEthernet0 overload
This should be:
ip nat inside source route-map nonat interface Ethernet0 overload
You can also set your default route to point to the interface connected to your ISP if you're not sure on the next hop address.
ip route 0.0.0.0 0.0.0.0 ethernet0
ASKER
We tried the ip route to the interface. We were not able to ping anything.
I have done a traceroute and found the first hop. We entered that in the ip route. We were able to ping the external network but we still could not ping from the internal through the router. Also we had success sending external email through the NAT and into the internal email server but could not send internal to external.
Seems as though the NAT is working okay from the external interface; internal is where the problem must be.
Um, you guys are going to laff....you are missing a very basic command in the config :)
(the following is excerpted from Cisco's website)
Enabling IP Routing
IP routing is automatically enabled in the Cisco IOS software. If you choose to set up the router to bridge rather than route IP datagrams, you must disable IP routing. To re-enable IP routing if it has been disabled, use the following command in global configuration mode:
Command: Router(config)# ip routing
Purpose: Enables IP routing.
When IP routing is disabled, the router will act as an IP end host for IP packets destined for or sourced by it, whether or not bridging is enabled for those IP packets not destined for the device. To re-enable IP routing, use the ip routing command.
I have the exact same problem as well. When I check "show ip route" it says that no default gateway is defined. I know that I need a gateway to route the packet, but why doesn't the Cisco put it in automatically?
I am using a PPPoE dialer, and have "ip route 0.0.0.0 0.0.0.0 dialer 1" in my config file.
!
ip subnet-zero
no ip routing
!
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
interface Ethernet0
ip address 192.168.0.15 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
hold-queue 32 in
hold-queue 100 out
!
interface ATM0
no ip address
no ip route-cache
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxx
ppp chap password xxxx
!
ip nat inside source list 101 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
access-list 101 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
Any help or comments?
cheers
sriwi, you're even worse off. The 2nd line in your config says "no ip routing." And as to default gateways, the only time you ever get one automatically is when you get a routing update from another router (OSPF, EIGRP, RIP, etc) giving you a default route. You never want an automatic default route generated unless you are in a simple, soho kind of environment.
Folks, if you want the router to route IP packets, you must explicitly turn on IP ROUTING with the "ip routing" command.
Same applies to IPX, AppleTalk, DECnet, Vines, etcetera......
sriwi, what would you think the default gateway should be in your case? How would Cisco know this?
I've got it working after taking out the no ip routing statement; the 'show ip route' command gives a default gateway straight away.
cheers
I'm laffing....sriwi, too bad I don't get the points for it :)
I can spare some 50 points if you want, not 500, I am not that rich yet.
Cheers
LOL...I was kidding, it doesn't really matter, just glad the answers are helping....enjoy :)
Cheers and thx
ip route 0.0.0.0 0.0.0.0 ethernet0
You could do a traceroute as well to see what the next hop IP address is.
If you are able to ping from the router but not your PC, NAT may not be setup on the router.
For example:
Outside interface:
interface ethernet0
ip nat outside
Inside interface:
interface ethernet1
ip nat inside
Set up NAT access list to permit inside network:
access-list 1 permit 192.168.0.0 0.0.0.255
Set up NAT overload statement:
ip nat inside source list 1 interface ethernet0 overload
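An added example, not part of any post above: a small Python check for the two faults identified in this thread, a leftover "no ip routing" and a NAT overload statement bound to an interface that is not marked "ip nat outside". The function name audit_ios_config and the sample config are constructed for illustration.

```python
import re

NAT_ROLE = re.compile(r"ip nat (inside|outside)$", re.I)
OVERLOAD = re.compile(
    r"ip nat inside source (?:list|route-map) \S+ interface (\S+) overload$", re.I)

def audit_ios_config(text):
    """Flag the two faults from this thread in a Cisco IOS running-config."""
    findings, roles, overloads, current = [], {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "!":
            current = None                      # "!" ends an interface block
        elif line.lower().startswith("interface "):
            current = line.split(None, 1)[1].lower()
        elif line.lower() == "no ip routing":
            findings.append("no ip routing: router acts as an end host, will not forward")
        elif current and (m := NAT_ROLE.match(line)):
            roles[current] = m.group(1).lower()  # per-interface NAT role
        elif m := OVERLOAD.match(line):
            overloads.append(m.group(1).lower())
    for iface in overloads:                     # checked last, so line order is irrelevant
        role = roles.get(iface, "unmarked")
        if role != "outside":
            findings.append(f"NAT overload on {iface}, which is {role}, not 'ip nat outside'")
    return findings

# Constructed sample modelled on the configs posted in the thread.
BROKEN = """\
no ip routing
!
interface Ethernet0
 ip address dhcp
 ip nat outside
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet0 overload
access-list 1 permit 192.168.0.0 0.0.0.255
"""
# Same config with both corrections suggested in the thread applied.
FIXED = BROKEN.replace("no ip routing", "ip routing").replace(
    "interface FastEthernet0 overload", "interface Ethernet0 overload")

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, audit_ios_config(cfg) or "no findings")
```

The check strips leading whitespace, so it also works on configs pasted without indentation, as they appear in this thread.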