• Status: Solved

Router command

I am sure that there is something I am missing...  If I leave the config like it is below, I can't get out to the internet.  The router can still ping external but anyone behind the router cannot.  If I go into config mode & type in "ip nat inside source list 2 interface Ethernet0", my computer can get out to the internet. It replaces my "ip nat inside source list 2 pool Cisco1720-natpool-1 overload" entry. I cannot have both entries running at the same time. I believe that I need the second entry for my NAT pool to work correctly but the net will not work until I replace it with the first command. Does anyone know what I need to do??

Thanks!!

Current configuration : 1049 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco1720
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$5JE3$PWCi5R9IfZslLn/Ub53za0
enable password 7 06141A22475B1A0A
!
memory-size iomem 25
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip name-server 69.39.35.228
!
!
!
!
interface Ethernet0
 ip address 159.120.144.172 255.255.255.192
 ip nat outside
 ip virtual-reassembly
 half-duplex
!
interface FastEthernet0
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
!
router rip
 passive-interface Ethernet0
 network 192.168.100.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 159.120.144.190
no ip http server
ip http port 12337
!
ip nat pool Cisco1720-natpool-1 159.120.144.17 159.120.144.22 netmask 255.255.255.248
ip nat inside source list 2 pool Cisco1720-natpool-1 overload
!
access-list 2 permit 192.168.100.0 0.0.0.255
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password 7 070C205E5D0617
 login
!
end

Cisco1720#
0
8lackd0g
Asked:
 
christsis Commented:
I know this is simple but is 159.120.144.16/29 properly routed to 159.120.144.172?
0
 
BILJAX Commented:
conf t
no router rip

Also,

Your IP route is wrong, if your other information is correct.



0
 
BILJAX Commented:
0

 
8lackd0g (Author) Commented:
So I need to get rid of Router Rip? Ok.  My IP route is wrong? Are you talking about "ip route 0.0.0.0 0.0.0.0 159.120.144.190"? It is pointing at my ISP's gateway. What should it be pointing at? The 159 part of the IP is not the real one.  I changed it when I posted.

Thanks!
0
 
rshooper76 Commented:
Try getting rid of the following line
ip nat pool Cisco1720-natpool-1 159.120.144.17 159.120.144.22 netmask 255.255.255.248

and change ip nat inside source list 2 pool Cisco1720-natpool-1 overload to

ip nat inside source list 2 interface Ethernet0 overload

I find this works better than the pools.  And if you need to use the public address you can create static NATs.  Do you in fact need to use the public addresses in your internal network?

You may also want to check your default gateway like BILJAX said, but it looks ok to me, but verify it with your ISP.  Also, why do you have RIP enabled?



0
 
christsis Commented:
Umm... this is just getting out of control...

1: he said it DOES WORK if he changes to running PAT with the Ethernet0 interface. Yes, that should work fine, unless there's a specific reason he wants a pool. His question was how to make it work WITH THE POOL.

2: We don't know the network setup. That default route and gateway could be fine. Makes sense if all his stuff is working when he does the PAT setup.

3: The RIP isn't needed, but it's not going to kill anything either.

4: Back to my question, for the pool you have listed to work your ISP would need to make sure 159.120.144.16/29 is routed to his router 159.120.144.172.



0
 
8lackd0g (Author) Commented:
RIP was enabled by accident.... Long story.... The default gateway is correct. I thought you had to use NAT pools. I have 2 pools running on my other Cisco. It works flawlessly. I do need to use 4 of the public addresses in my internal network. Static NAT? You are not referring to a 1 to 1 NAT are you?

Thanks!
0
 
christsis Commented:
Nope, pools are not necessary. What that normally does is take the pool and create a 1 to 1 connection dynamically. However when you add the overload it automatically kicks over to PAT and works the same way as using the interface.

As far as the static, yes creating static mappings between the public & static IP. This could be done based on IP to IP or even done IP & port to IP & port. Really depends on what you want to do. Generally doing the port option is a little better because it only opens up the ports you want instead of the whole machine.
0
 
rburns50 Commented:
The reason your pool isn't working is that it is set outside of the subnet of the e0 interface (and probably outside the subnet given to you by your ISP). Your subnet mask of 255.255.255.192 on the e0 interface does not include the addresses in your pool. Change the pool to be included in that subnet (or change the mask on e0), and you'll probably be okay.

Or just use e0 instead of the pool, as everyone else is saying.
0
 
christsis Commented:
---RANT ON----
What is with this? All these statements are being made that something's wrong w/o knowing the network or subnet setup?

"The reason your pool isn't working is that it is set outside of the subnet of the e0 interface "
Who cares if the pool is not in the same setup. If an additional subnet was given it doesn't matter as long as it's properly routed to him.

"Your subnet mask of 255.255.255.192 on the e0 interface does not include the addresses in your pool"
Again, who cares. We don't know how the network is setup, that may be 100% correct how it's supposed to be setup.

"Change the pool to be included in that subnet (or change the mask on e0"
And another... there's no information we've been given that remotely makes even a good idea. We have no idea what the network setup is like on e0.
---/RANT OFF---
0
 
8lackd0g (Author) Commented:
This is what I have now for a config. I have a computer that is IP'd at 192.168.100.2.  It is running IIS 5 & Serv-U. If I create this NAT "ip nat inside source static 192.168.100.2 159.120.144.17", the server 192.168.100.2 cannot get on the net.  If I change its IP to .3, the net works.

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco1720
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$5JE3$PWCi5R9IfZslLn/Ub53za0
enable password 7 06141A22475B1A0A
!
memory-size iomem 25
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip name-server 69.39.35.228
!
!
!
!
interface Ethernet0
 ip address 159.120.144.172 255.255.255.192
 ip nat outside
 ip virtual-reassembly
 half-duplex
!
interface FastEthernet0
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 159.120.144.190
no ip http server
ip http port 12337
!
ip nat inside source list 2 interface Ethernet0 overload
!
access-list 2 permit 192.168.100.0 0.0.0.255
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password 7 070C205E5D0617
 login
!
end

Cisco1720#
0
 
rburns50 Commented:
No rant...if the mask on e0 is 255.255.255.192, then it stands to reason that the ISP has assigned them that block of Public addresses. Maybe not, but it's a good assumption. If that's the case, it matters A LOT what the pool is set to, as those addresses that are not in his ISP-assigned block will never get traffic routed back to them from the Internet.

Besides, the fact that using e0 as his hide address is working, tends to suggest that that address is valid on the 'net, and the others in the pool aren't.

The whole idea of these forums is to address questions. If they aren't clear, you try to surmise things and make educated guesses. If I'm wrong, no harm. But at least I'm not suggesting workarounds...try to address his original question. Take a deep breath christsis...sorry you didn't notice the mask mismatch...
0
 
christsis Commented:
Again, I'm going to point to the same issue. The 159.120.144.17 - 22 is not being routed to your router.

This is what's causing your problem. Either your ISP didn't route it properly, or you are trying to use it and it's not available.
0
 
christsis Commented:
rburns50:
There's no subnet mismatch, they're completely different subnets. Therefore they are both valid and with proper routing on the E0 side from the ISP there should be no problem.
0
 
8lackd0g (Author) Commented:
This setup with two different subnets has worked fine before. This is what my ISP has given me.  I sent in an email about 2 minutes ago to see if my ISP has any routing issues.
0
 
BILJAX Commented:
christsis, this is now the third post you have personally attacked me or my post.   THAT is not productive in helping the askers.   Please refrain from belittling fellow experts and focus on the topic at hand.   These assumptions have been made on the basis that the asker is not an expert in this area, therefore just setup a network with a basic scheme.




AC
0
 
christsis Commented:
Sorry 8lackd0g for this thread getting hijacked this way...

BILJAX, I have not directed a single thing to you or your posts. This is the only thread where I did anything of the sort and it was because everything continued to get away from the original question and problem, this included multiple posts, not only yours. That was not productive in helping this asker. I also included a proper netiquette surrounding the rant so that it may be ignored for those that didn't want to read it.

0
 
rshooper76 Commented:
I guess we are all getting away from the original issue.  Let's clarify a few things.  Has your ISP properly provisioned all of these IP Addresses to you?  Also, help us understand how your network is setup, or how you want it setup so that we don't give you bad advice.
0
 
8lackd0g (Author) Commented:
Thanks for everyone's help.  christsis was correct, my ISP emailed me last night & said that he has found a routing problem & fixed it. I did not know that if I NAT an external address that is basically dead, it causes the local machine to die also. I figured that it would still use the ip route gateway. I am splitting up the points; I upped the value. Calling the ISP is always my last resort.

Thanks everyone!
0
 
rburns50 Commented:
You are right about using the IP gateway, except that if your IP address isn't valid (i.e. your ISP isn't routing it to you anymore), the traffic will go out okay, but replies won't come back (the Internet won't know where to send the replies to, due to the missing route).
0
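
The check this thread converges on, as an added example that is not part of any poster's reply: given the posted addressing, work out which NAT global addresses sit outside the Ethernet0 subnet and therefore only work if the ISP routes them to the router, and whether the default-route next hop is on-link. The function names and the trimmed config excerpt are constructed for illustration; the addresses are the ones posted above.

```python
import ipaddress
import re

# Constructed excerpt: only the NAT-relevant lines from the configs posted in the thread.
CONFIG = """\
interface Ethernet0
 ip address 159.120.144.172 255.255.255.192
 ip nat outside
interface FastEthernet0
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 159.120.144.190
ip nat pool Cisco1720-natpool-1 159.120.144.17 159.120.144.22 netmask 255.255.255.248
ip nat inside source static 192.168.100.2 159.120.144.17
"""

def outside_interface(config):
    """Return the ip_interface of the first interface marked 'ip nat outside'."""
    for stanza in re.split(r"^(?=interface )", config, flags=re.M):
        addr = re.search(r"^ ip address (\S+) (\S+)$", stanza, re.M)
        if addr and re.search(r"^ ip nat outside$", stanza, re.M):
            return ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
    raise ValueError("no 'ip nat outside' interface with an address")

def nat_global_addresses(config):
    """Collect every inside-global address used by NAT pools and static entries."""
    addrs = set()
    for first, last in re.findall(r"^ip nat pool \S+ (\S+) (\S+) netmask \S+", config, re.M):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        addrs.update(ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1))
    for glob in re.findall(r"^ip nat inside source static \S+ (\S+)$", config, re.M):
        addrs.add(ipaddress.ip_address(glob))
    return addrs

def audit(config):
    """Report off-link NAT addresses: replies reach them only via an upstream route."""
    outside = outside_interface(config)
    hop = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", config, re.M)
    off_link = sorted(a for a in nat_global_addresses(config) if a not in outside.network)
    return {
        "outside_network": str(outside.network),
        "next_hop_on_link": bool(hop) and ipaddress.ip_address(hop.group(1)) in outside.network,
        "needs_upstream_route": [str(a) for a in off_link],
        "route_target": str(outside.ip),
    }

if __name__ == "__main__":
    for key, value in audit(CONFIG).items():
        print(f"{key}: {value}")
```

Every address listed under `needs_upstream_route` is one the ISP must route to `route_target`; the script cannot tell whether that route exists, which is why the question had to go to the ISP.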
