bdhtechnology
asked on
Cisco 1750 NAT Problems
I just added a WIC-IDSU-T1 card (as Serial 1) to a Cisco 1750 router for a dedicated T1 line for Internet access. The router was an existing one that the customer already had a WIC-IDSU-T1 (as Serial 0) configured for a fractional T1 that connected to another site out of state (Serial 0.1) and Internet access (Serial 0.2). They are keeping the fractional T1 to connect to their out of state site but want to use the new dedicated T1 for Internet access. I set everything up and the router was working fine (I could ping everything across Serial 0 & 1 as well as Internet IP addresses) on the router. The problem is that no one could access the Internet on any PCs on the LAN. So I am guessing there is something wrong with my NAT configuration, but I am not sure.
Here is the information the ISP gave me for the new dedicated T1 line (I removed the first octet on each IP and replaced it with an *, but the numbers the * is replacing are the same on all of the addresses):
IP info
ISP Serial: *.127.134.93/30 ( 255.255.255.252 )
Customer Serial: *.127.134.94/30 ( 255.255.255.252 )
Encapsulation: CISCO-HDLC
LAN IP Block: *.125.135.176/29 ( 255.255.255.248 )
Routing Type: Static
They want to use the addresses as follows:
*.125.135.176 -> network
*.125.135.177 -> web server
*.125.135.178 -> terminal server
*.125.135.179 -> video conf. server
*.125.135.180 & *.125.135.181 -> for Internet traffic
*.125.135.182 -> router address
*.125.135.183 -> broadcast
And here is the configuration from the 1750:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname WAUKEE
!
enable secret 5 *********
enable password *******
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
!
!
!
!
interface Serial0
no ip address
encapsulation frame-relay IETF
no fair-queue
service-module t1 timeslots 1-24
!
interface Serial0.1 point-to-point
ip address 10.1.5.1 255.255.255.0
ip nat inside
frame-relay interface-dlci 16
!
interface Serial0.2 point-to-point
ip address 10.0.103.2 255.255.255.0
ip nat outside
frame-relay interface-dlci 17
!
interface Serial1
ip address *.127.134.94 255.255.255.252
ip nat outside
!
interface FastEthernet0
ip address *.125.135.182 255.255.255.248 secondary
ip address 10.1.1.1 255.255.255.0
ip nat inside
speed auto
half-duplex
!
ip nat pool internet *.125.135.180 *.125.135.181 netmask 255.255.255.248
ip nat inside source list 1 pool internet overload
ip nat inside source static tcp 10.1.1.4 80 *.125.135.177 80 extendable
ip nat inside source static tcp 10.1.1.3 3389 *.125.135.178 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 *.127.134.93
ip route 10.0.103.0 255.255.255.0 Serial0.2
ip route 10.1.2.0 255.255.255.0 10.1.5.2
no ip http server
!
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 10.1.2.0 0.0.0.255
access-list 1 permit 10.1.5.0 0.0.0.255
access-list 102 permit tcp host <some address> host *.125.135.177 eq www
!
line con 0
transport input none
line aux 0
line vty 0 4
password *********
login
!
no scheduler allocate
end
So is there something I am missing? I adapted the configuration from what they already had set up in the Cisco 1750.
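An added example, not part of the original post: a small Python check that every NAT global address in the configuration (the `internet` pool and the static translations) falls inside the ISP-assigned /29 and avoids the network, broadcast and router addresses from the address plan. Because the post masks the first octet, the documentation prefix 198.51.100.x stands in for `*.125.135.x` here; that prefix and the function names are assumptions of the example.

```python
import ipaddress
import re

# Constructed stand-in: the post masks the first octet, so the documentation
# prefix 198.51.100.x replaces "*.125.135.x"; the last octets match the post.
LAN_BLOCK = ipaddress.ip_network("198.51.100.176/29")
ROUTER_ADDR = ipaddress.ip_address("198.51.100.182")

SAMPLE_CONFIG = """\
ip nat pool internet 198.51.100.180 198.51.100.181 netmask 255.255.255.248
ip nat inside source list 1 pool internet overload
ip nat inside source static tcp 10.1.1.4 80 198.51.100.177 80 extendable
ip nat inside source static tcp 10.1.1.3 3389 198.51.100.178 3389 extendable
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)$")
STATIC_RE = re.compile(
    r"^ip nat inside source static (?:tcp|udp) \S+ \d+ (\S+) \d+")


def nat_global_addresses(config):
    """Return {address: description} for every inside-global address in use."""
    used = {}
    for line in config.splitlines():
        line = line.strip()
        if m := POOL_RE.match(line):
            first, last = (ipaddress.ip_address(a) for a in m.group(2, 3))
            for n in range(int(first), int(last) + 1):
                used[ipaddress.ip_address(n)] = f"pool {m.group(1)}"
        elif m := STATIC_RE.match(line):
            used[ipaddress.ip_address(m.group(1))] = "static translation"
    return used


def audit(config, block=LAN_BLOCK, router=ROUTER_ADDR):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for addr, what in sorted(nat_global_addresses(config).items()):
        if addr not in block:
            findings.append(f"{addr} ({what}) is outside {block}")
        elif addr in (block.network_address, block.broadcast_address):
            findings.append(f"{addr} ({what}) is the network/broadcast address")
        elif addr == router:
            findings.append(f"{addr} ({what}) collides with the router address")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "NAT global addresses fit the assigned block")
```

A clean result only shows that the router-side address plan is self-consistent; it cannot tell whether the upstream provider actually routes the block toward the customer serial address.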
ASKER
I should mention that the remote site coming in on the fractional T1 is going to be using the new dedicated T1 for Internet access as well, so I think that I still need the other access-lists, or at least for the 10.1.2.0 network as that is the network address for the remote site. The 10.1.5.0 network (used on Serial0.1) is for the connection between the two routers over the fractional T1 for the remote site. The 10.0.103.0 network (used on Serial0.2) is for the connection to the old ISP which was used for Internet access previously.
So if that is the case should I use these lines?
ip nat inside source list 1 interface serial0.1 overload
ip nat inside source list 1 interface serial0.2 overload
I wasn't sure what the secondary IP on the FastEthernet0 line was for, but it was in the old config I adapted this one from. Basically I tried just replacing all of the old IP information with the new info from the new ISP and adding the Serial1 connection.
ASKER
Well apparently the problem was with the ISP. They didn't activate the line, which apparently they need 24 hour notice to do. So I am guessing that they didn't add the routes in for the static IPs they ordered. I won't be back to work on it until Monday so I guess we will see then.
Thanks for all the help everyone.
ASKER
So the problem was that the ISP never routed the static LAN IPs, so thanks for everyone's help. I suppose since everyone's response was technically correct I'll split points between everyone.
Glad to be of help!