Solved

Problem with ip address pool routing

Posted on 2006-10-22
808 Views
Last Modified: 2008-01-09
Hello !!

I have one very weird problem that I don't understand. Below I will use example IP addresses for my scenario.
My ISP has assigned me ONE static WAN IP address: 83.261.45.11 and gateway: 83.261.45.1

Then after a couple of days I called my ISP again and asked for 2 more IP addresses which are in the same subnet.
Not in the same subnet as the first IP I got, but those other 2 IP addresses will be in the same subnet as each other.

So I then got these IP addresses: 213.156.45.113 - 114
Then when I got the email from the ISP, this is what they told me:

"now we have routed the new subnet on to your IP 83.261.45.11 (my first static IP I got); the new subnet is:

Subnet: 213.156.45.112
Broadcast: 213.156.45.115
Subnet mask: 255.255.255.252
Hosts: 213.156.45.113 - 213.156.45.114

Also they told me that THIS SUBNET IS ROUTED TO MY FIRST IP 83.261.45.11.

And then I configured my Cisco 2600 series router in this way:
I NAT-ed the WAN IP 213.156.45.113 on to an internal server which hosts a DNS server.
Then I created the access list and opened port 53, both UDP and TCP.
After I did this I scanned this IP 213.156.45.113 from outside and I got the message that there is a service on port 53,
so this is OK; this means that port 53 is open and there is a DNS server.

BUT IT WILL NOT WORK! I tried to run "cmd" "telnet" open 213.156.45.113 53 and I could not connect.
Below is my config:
_______________________________________________________________________________________

 interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 83.261.45.11 255.255.255.192
 ip access-group ACL_CBAC in
 ip nat outside
 ip inspect cbac_in_to_out out
 crypto map clientmap

ip nat pool outbound 213.156.45.112 213.156.45.115 netmask 255.255.255.252
ip nat inside source route-map RM_NAT pool outbound overload

ip access-list extended ACL_NAT
  permit ip 172.16.0.0 0.0.0.255 any
  permit ip 10.0.0.0 0.0.0.255 any

route-map RM_NAT permit 20
 match ip address ACL_NAT

ip nat inside source static tcp 10.0.0.7 53 213.156.45.113 53 extendable

ip access-list extended ACL_CBAC
  permit udp any eq 53 any
  permit tcp any eq 53 any
  permit tcp any any eq 53
  permit udp any any eq 53

ip cef
ip inspect udp idle-time 15
ip inspect dns-timeout 7
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect name cbac_in_to_out cuseeme timeout 3600
ip inspect name cbac_in_to_out ftp timeout 3600
ip inspect name cbac_in_to_out h323 timeout 3600
ip inspect name cbac_in_to_out netshow timeout 3600
ip inspect name cbac_in_to_out rcmd timeout 3600
ip inspect name cbac_in_to_out realaudio timeout 3600
ip inspect name cbac_in_to_out rtsp timeout 3600
ip inspect name cbac_in_to_out smtp timeout 3600
ip inspect name cbac_in_to_out sqlnet timeout 3600
ip inspect name cbac_in_to_out streamworks timeout 3600
ip inspect name cbac_in_to_out tcp timeout 3600
ip inspect name cbac_in_to_out tftp timeout 30
ip inspect name cbac_in_to_out udp timeout 15
ip inspect name cbac_in_to_out vdolive timeout 3600
ip inspect name cbac_in_to_out fragment maximum 256 timeout 1
ip audit po max-events 100
____________________________________________________________________

So I am not able to use the DNS server, it will not work, so I think the problem may be:

the IP 213.156.45.113 does not have its own DIRECT gateway, which my first IP address has.
IP address: 83.261.45.11
gateway: 83.261.45.1

BUT WHEN I CHANGE THE NAT, for example if I NAT from IP 83.261.45.11, WHICH is assigned to an interface, then it WORKS.

So in every case, NAT with an IP address that is assigned to a router interface and which has its direct gateway works fine.
BUT if I NAT from addresses from the POOL then the DNS will not work.

Any idea what the problem is??

Best regards
Steve_I
Question by:Steve_I
29 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 400 total points
ID: 17784923
>ip nat pool outbound 213.156.45.112 213.156.45.115 netmask 255.255.255.252
You cannot use .112 or .115 in the pool

no ip nat pool outbound 213.156.45.112 213.156.45.115 netmask 255.255.255.252
>interface loopback 0
  ip address 213.156.45.114 255.255.255.252
ip nat inside source route-map RM_NAT interface loopback0 overload
ip nat inside source static udp 10.0.0.7 53 213.156.45.113 53 extendable  <== DNS is UDP, not TCP



0
 

Author Comment

by:Steve_I
ID: 17784979
THANK YOU for the reply!!!

Sorry, my mistake, I told you wrong!!!!

I have not used 112 and 115 in the pool; of course this is the network and broadcast!
My mistake, on the router it is configured like this:

ip nat pool outbound 213.156.45.113 213.156.45.114 netmask 255.255.255.252 THIS IS ON THE ROUTER !

So I need the interface loopback 0 with IP 114??
But what if I will use the IP .114 too?? Or if I had more than 2 hosts, 113 and 114?? What in this case??

And I need to remove THE
no ip nat pool outbound 213.156.45.112 213.156.45.115 netmask 255.255.255.252

AND NOT USE THE POOL at all?? Just put the IP addresses on the interfaces??

Best regards
Steve_I

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17785015
Just options....

Option 1 - should be OK. You don't *need* the loopback interface
 >ip nat pool outbound 213.156.45.113 213.156.45.114 netmask 255.255.255.252
 >ip nat inside source route-map RM_NAT pool outbound overload

Option 2 - works, too. I think it's just cleaner to use the interface
 >interface loopback 0
 >ip address 213.156.45.114 255.255.255.252
 >ip nat inside source route-map RM_NAT interface loopback0 overload

Yes, you can still use both .114 and .113 to port-forward, even with one of them assigned to the loopback i.e.
ip nat inside source static udp 10.0.0.7 53 213.156.45.113 53 extendable
ip nat inside source static tcp 10.0.0.7 80 213.156.45.114 80 extendable
ip nat inside source static tcp 10.0.0.24 80 213.156.45.113 80 extendable
ip nat inside source static tcp 10.0.0.24 443 213.156.45.113 443 extendable
     
 

0
 

Author Comment

by:Steve_I
ID: 17785036
OK, so as I understand you, it may work better if ONE of the IP addresses from the POOL is assigned to a loopback interface?? And then just NAT in the same way??

But option one WILL NOT WORK in my case?? Why??

Option 1 - should be OK. You don't *need* the loopback interface
 >ip nat pool outbound 213.156.45.113 213.156.45.114 netmask 255.255.255.252
 >ip nat inside source route-map RM_NAT pool outbound overload

I use this option now, which does not work.

What is a LOOPBACK interface and why is this used at all?? I always use int fa0/0.30 or whatever as a sub-interface.

Steve_I
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17785674
Just different techniques to accomplish the same thing. A loopback is an interface that will never be down and you can use it for any number of different things.
Unless I can see your complete config, it's really difficult to know why what you have does not work.
0
 

Author Comment

by:Steve_I
ID: 17785723
OK, I understand. So here below is my complete config AS IT IS RIGHT NOW and THIS is NOT working; I don't know where the problem is:

In the config below I used option 1 as you told me, without a loopback interface
_________________________________________________________________

Current configuration : 5971 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret REMOVED
!
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 10.0.0.1 10.0.0.5
ip dhcp excluded-address 172.16.0.1 172.16.0.5
!
ip dhcp pool VLAN10_pool
   network 10.0.0.0 255.255.255.0
   domain-name vlan10.com
   dns-server IP_REMOVED
   default-router 10.0.0.2
   lease infinite
!
ip dhcp pool vlan20_pool
   network 172.16.0.0 255.255.255.0
   domain-name vlan20.com
   dns-server IP_REMOVED
   default-router 172.16.0.2
   lease infinite
!
ip cef
ip inspect udp idle-time 15
ip inspect dns-timeout 7
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect name cbac_in_to_out cuseeme timeout 3600
ip inspect name cbac_in_to_out ftp timeout 3600
ip inspect name cbac_in_to_out h323 timeout 3600
ip inspect name cbac_in_to_out netshow timeout 3600
ip inspect name cbac_in_to_out rcmd timeout 3600
ip inspect name cbac_in_to_out realaudio timeout 3600
ip inspect name cbac_in_to_out rtsp timeout 3600
ip inspect name cbac_in_to_out smtp timeout 3600
ip inspect name cbac_in_to_out sqlnet timeout 3600
ip inspect name cbac_in_to_out streamworks timeout 3600
ip inspect name cbac_in_to_out tcp timeout 3600
ip inspect name cbac_in_to_out tftp timeout 30
ip inspect name cbac_in_to_out udp timeout 15
ip inspect name cbac_in_to_out vdolive timeout 3600
ip inspect name cbac_in_to_out fragment maximum 256 timeout 1
ip audit po max-events 100
!
!
!
!
!        
!
!
!
!
!
!
!
username REMOVED password REMOVED
!
!
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key cisco123
 dns 10.0.0.8
 domain lan.com
 pool ippool
 acl ACL_CRYPTO_VPN_CLIENTS
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 172.16.0.2 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 83.261.45.11 255.255.255.192
 ip access-group ACL_CBAC in
 ip nat outside
 ip inspect cbac_in_to_out out
 crypto map clientmap
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/1
 no ip address
 shutdown
!
ip local pool ippool 192.168.0.1 192.168.0.100
ip nat pool outbound 213.156.45.113 213.156.45.114 netmask 255.255.255.252
ip nat inside source route-map RM_NAT pool outbound overload
ip nat inside source static tcp 10.0.0.7 80 213.156.45.113 80 extendable
ip nat inside source static tcp 10.0.0.7 25 213.156.45.113 25 extendable
ip nat inside source static tcp 10.0.0.7 110 213.156.45.113 110 extendable
ip nat inside source static tcp 10.0.0.7 21 213.156.45.113 21 extendable
ip nat inside source static tcp 10.0.0.7 53 213.156.45.113 53 extendable

no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.30 83.261.45.1
!
!
!
ip access-list extended ACL_CBAC
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit tcp any any eq www
 permit tcp any any eq domain
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any any eq ftp
 permit tcp any any eq 7612
 permit tcp any any eq 7615
 permit tcp any any eq 443
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any eq 5060 any
 permit udp any eq 16300 any
 permit udp any eq 16700 any
 permit tcp any any eq 5060
 permit tcp any any eq 16300
 permit tcp any any eq 16700
 permit udp any eq 5063 any
 permit tcp any any eq 5063
 permit udp any any eq domain
 permit udp any eq domain any
 permit tcp any eq domain any
ip access-list extended ACL_CRYPTO_VPN_CLIENTS
 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended ACL_NAT
 deny   ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
!
route-map RM_NAT permit 20
 match ip address ACL_NAT
!
!        
radius-server host 10.0.0.8 auth-port 1812 acct-port 1813 key cisco123
!
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
____________________________________________________________

The DNS is not working, the email is not working too. BUT when I configure it:

NAT from IP 83.261.45.11 to the internal server, THEN it works. This IP 83.261.45.11 is assigned on the sub-interface 0/0.30
I don't understand what the problem is.

I hope you have an answer.

Thank You again !!!
Best regards
Steve_I

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17787835
What kind of switch are you connected to that gives you the 3 vlans?
Suggest removing the acl and the inspect from the fast 0/0.30 while troubleshooting.
I would put the inspect on Fast0/0.10 and 0/0.20 "in"
If that doesn't work, talk to the ISP and make sure they have the routing enabled properly.
0
 

Author Comment

by:Steve_I
ID: 17788022
I am connected via a Cisco Catalyst Switch 2950. On the switch I have configured VLAN10 and VLAN20. VLAN30 is only one port and the cable from this port is connected to a MODEM/BRIDGE. So there are no PCs on this VLAN, JUST one port, number 22 on the switch, and this is DIRECTLY connected to a bridge.

So the sub-interface fa0/0.30 on the 2600 router is the OUTSIDE INTERFACE (NAT OUTSIDE).
So I think it would be wrong to remove the ACL and INSPECT because I tried once before and I was not able to access the internet if I removed the INSPECT or ACL. I got posts from more users on the forum that ACL and INSPECT should be assigned to the "IP NAT OUTSIDE" interface. The inspect will then allow some stuff back in when the users are surfing, so I think it is not a good idea to remove it.

And on these 2 VLANs 10 and 20 I think there is no need for an ACL or inspect, because as long as I don't have an ACL or inspect there, ALL traffic is permitted.
The ISP told me that those IP addresses ARE routed on your static IP, as I wrote in the first post.

Hmm, very weird, isn't it?

Best regards
Steve_I
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17788212
>So I think it would be wrong to remove ACL and INSPECT
I disagree with you. In order to properly troubleshoot the issue, if you remove both then we can narrow down the issue. If it works, then it's a problem with the acls, if not then it's a problem with the ISP. I know that you said they said they are routing. I'm suggesting that you contact them and have an engineer make sure the routing is correct on their end.
 
0
 

Author Comment

by:Steve_I
ID: 17788219
Well dude, as You say I will try to do so and I will let You know.

Thank You for suggestions and helping !!
Best regards
Steve_I
0
 

Author Comment

by:Steve_I
ID: 17789072
But what do you think about trying option 2 before I contact the ISP or remove the ACL and inspect??

Option 2 - works, too. I think it's just cleaner to use the interface
 >interface loopback 0
 >ip address 213.156.45.114 255.255.255.252
 >ip nat inside source route-map RM_NAT interface loopback0 overload

Steve_I

0
 

Author Comment

by:Steve_I
ID: 17789080
Is it then possible to create one more loopback interface and then I can put the 114 IP on the other?? If yes, any examples?

interface loopback 0  (and/or) 2, 3??

Steve_I
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17792524
If I thought that trying option 2 was a better solution before removing the acls/inspect I would have suggested it.
Step 1: remove ip inspect. What changes? what breaks?
Step 2: remove acl from interface. Any change?
Step 3: With acl and inspect removed, add a static nat:
  ip nat inside static 10.10.10.9 213.156.45.113
Assuming that 10.10.10.9 is a live host - Now can the ISP ping this public IP address? If not, they have a routing problem.
If yes, then it's not the ISP.

Due to the subnet mask being used, there is no value in adding another loopback interface for the other address. It's covered in the mask of loopback 0

0
 

Author Comment

by:Steve_I
ID: 17793755
Well, first of all I tried again using the same configuration, BUT JUST the IIS web server too this time.

ip nat inside source static udp 10.0.0.7 53 213.156.45.113 53 extendable
ip nat inside source static udp 10.0.0.7 80 213.156.45.113 80 extendable

Then I scanned the open ports from outside of my network, and the port scanning software reported that there is a service operating on ports 80 and 53. So, so far so good. Then I tried to open a web page on IP http://213.156.45.113/index.html and this works; I am able to open the web page and download files from the web server http://213.156.45.113/somefile.exe. And when I run a ping for the IP 213.156.45.113 I GOT the response; of course I ran the ping command outside of my network (from another PC on the internet).


Then I did as you told me. I removed the ACLs/inspect, then I was not able to communicate with the internet at all. So in this case I was not able to test anything, even when I added ip nat inside static 10.10.10.9 213.156.45.113


So I think as long as the web server works, there is no need to contact my ISP.
What I think the problem may be is some traffic that must go out from the DNS and that traffic does not, hmm, I don't know how to explain.
The problem for DNS is that it uses the IP address WHICH does not have its own gateway but uses the gateway of my primary IP address which is assigned to an interface, 83.261.45.11 with gateway 83.261.45.1.

Is it normal, if you ask the ISP for one subnet, that they give you ONE primary IP and then route the subnet on to that IP address??

Steve_I
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17794866
If the web server works, then dns should also work.
Yes, it is perfectly normal for an ISP to assign you one IP address and route another subnet to you through that IP.
0
 

Author Comment

by:Steve_I
ID: 17794988
Hmm, very weird things...
Also remember when you told me that DNS uses UDP and not TCP in the NAT command??
I configured the NAT that way and then I created the access list which permits the 53 UDP port.

Then when I scanned my network NO ports were open for DNS (53)
So then I created one more NAT command which defines the TCP port too, then I added the permit TCP in the ACL too.

Then when I scanned the network again I got that there is a service running on port 53. BUT no matter what, the DNS will not work :(
While the WEB works fine. Is it maybe something special with Windows DNS? Because I read about DNS ports and IANA says that DNS uses both TCP and UDP ports. Can this problem have something to do with that??
I don't know what to say..

Steve_I
0
 

Author Comment

by:Steve_I
ID: 17795002
Hmm, in the config above the command:


ip inspect name cbac_in_to_out udp timeout 15

could this be a problem if the DNS has another timeout??

Steve_I
0
 

Author Comment

by:Steve_I
ID: 17795055
My ISP told me that if I want, they can do it another way for me:

They said that it is possible for them to just give me 2 static IP addresses, BUT not route them as a SUBNET but route them AS ONE AND ONE IP.
So then each IP must be set on one interface; for example, now I have:

IP:   83.261.45.11    so I have this IP on the sub-interface fa0/0.30
GW: 83.261.45.1
SB: 255.255.255.192

So they routed these IP addresses 213.156.45.113 and 213.156.45.114 AS A SUBNET! So they are then used in the pool.
________________________________________________________________________________________________

But now they told me that it is possible to do it this way too:
ROUTE ONE AND ONE IP:

IP:   83.261.45.11      so again this IP will remain on the interface where it is now, fa0/0.30
GW: 83.261.45.1
SB: 255.255.255.192

IP:   83.261.45.12     so I need to set this IP on another interface, example fa0/0.31
GW: 83.261.45.1
SB: 255.255.255.192

IP:   83.261.45.13    so I need to set this IP on another interface, example fa0/0.32
GW: 83.261.45.1
SB: 255.255.255.192

BUT!!  I told them that this will not work, because when I try to set IP 83.261.45.12 on the interface fa0/0.31
then I will receive the error message from the router which will tell me "this ip overlaps with ip 83.261.45.0 on the interface 0/0.30".

And in this case where I have the same gateway for all IP addresses, I am lucky for that only, because otherwise I would get a new problem for the definition of the gateway: ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.30 83.261.45.1, but this command will work in my case because I have the same gateway.


Any suggestions?? Should I tell my ISP to route one and one IP to me??
Steve_I

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17795275
The timeout should not affect the dns.
Even when your scan shows a service listening on port 53, your DNS server will not respond to anyone outside the network?
When you say "the DNS will not work" - what do you mean. Can you browse the internet from that server? Is DNS setup with forwarders to ISP or root hints?
TCP is rarely used for DNS and typically only for zone transfers. If you're not a secondary DNS server to another primary, then you don't do zone xfers anyway.


0
 

Author Comment

by:Steve_I
ID: 17795392
I have my own DNS server on my network, and my friend has another (secondary DNS).
So everything I configure on mine is replicated on his.

Well, OK, forget now the TCP and UDP ports. MY DNS WORKS, because when I scan the network, I get the message "there is service operating on port 53". BUT when I configure my IP on the DNS which my friend has, and then I try to transfer from master, NO WAY.
This only works if I NAT from my primary static IP address, but if I use one of the IP addresses that are in the pool and NAT to my DNS server then it will not work; he is not able to TRANSFER FROM MASTER DNS.

So actually the port to DNS is OPENED successfully, the scanner showed me that. But anyway he cannot transfer from my primary DNS server.
Therefore I have opened both TCP and UDP ports. My computer on the LAN uses my DNS to surf the internet, but of course it works to surf; my DNS has an internal IP address and is on the same LAN as the other PCs.

Steve_I
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17795446
Perhaps your friend's DNS server is set up only to do zone xfers with your primary static IP and needs to add your new IP address to his server as an authorized secondary.
0
 

Author Comment

by:Steve_I
ID: 17795492
I reconfigured it, he uses the new IP address, the address from the pool 213.156.45.113. He can open the WEB server from this IP, ping and get a response, scan it and see that ports 80 and 53 are open, BUT no way for zone transfer; it will not work.

And my server is configured to allow zone transfer to any server.

Steve_I
0
 

Author Comment

by:Steve_I
ID: 17826824
Hello again lrmoore!

Well, I found something in the CCNP book. Take a look at this.

Unsupported Traffic Types
NAT does not support some traffic types, including the following:

Routing table updates

DNS zone transfers  This may be my problem, because I noticed that zone transfer will not work when I NAT the traffic from my IP address in the WAN pool addresses on to my internal DNS server.

Talk

BOOTP and DHCP

Ntalk

Simple Network Management Protocol (SNMP)

NetShow

So I think this may be an answer?

Best regards
Steve_I
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17826891
Well . . . I still don't think that's the problem. We do zone xfers to natted dns servers all the time..

>ip nat inside source static tcp 10.0.0.7 53 213.156.45.113 53 extendable

What I don't see in your config is another static nat for UDP/53
Try adding this.
 ip nat inside source static udp 10.0.0.7 53 213.156.45.113 53 extendable

0
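As an added example (my code, not the thread's or lrmoore's), a small Python linter for the two NAT points raised in this thread: the accepted answer's rule that a pool must not include the network or broadcast address of its netmask, and the missing UDP/53 static entry noted in the comment above. The sample lines are copied from the poster's config; the function and message names are my own.

```python
"""Lint Cisco IOS NAT lines for two mistakes discussed in the thread."""
import ipaddress
import re

# Constructed sample: the NAT lines as originally posted (the /30 the ISP routed).
SAMPLE_CONFIG = """\
ip nat pool outbound 213.156.45.112 213.156.45.115 netmask 255.255.255.252
ip nat inside source route-map RM_NAT pool outbound overload
ip nat inside source static tcp 10.0.0.7 80 213.156.45.113 80 extendable
ip nat inside source static tcp 10.0.0.7 53 213.156.45.113 53 extendable
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)"
)


def check_pool(line):
    """Flag a pool whose start or end is the network or broadcast address."""
    m = POOL_RE.match(line)
    if not m:
        return []
    name, start, end, mask = m.groups()
    # ipaddress accepts a dotted netmask after the slash; strict=False keeps host bits.
    net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    findings = []
    for ip in (start, end):
        addr = ipaddress.ip_address(ip)
        if addr == net.network_address:
            findings.append(f"pool {name}: {ip} is the network address of {net}")
        elif addr == net.broadcast_address:
            findings.append(f"pool {name}: {ip} is the broadcast address of {net}")
    return findings


def check_dns_statics(lines):
    """Flag port-53 forwards that exist for only one of tcp/udp."""
    protos = {}  # (global_ip, global_port, local_ip) -> set of protocols seen
    for line in lines:
        m = STATIC_RE.match(line)
        if not m:
            continue
        proto, local_ip, local_port, global_ip, global_port = m.groups()
        if global_port != "53":
            continue
        protos.setdefault((global_ip, global_port, local_ip), set()).add(proto)
    findings = []
    for (global_ip, port, local_ip), seen in sorted(protos.items()):
        for missing in sorted({"tcp", "udp"} - seen):
            findings.append(
                f"static nat {global_ip}:{port} -> {local_ip}: {missing}/53 missing"
            )
    return findings


def lint_nat_config(text):
    """Return all findings for a block of IOS NAT configuration."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    for line in lines:
        findings.extend(check_pool(line))
    findings.extend(check_dns_statics(lines))
    return findings


if __name__ == "__main__":
    for finding in lint_nat_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the corrected pool line (`213.156.45.113 213.156.45.114`) and with both tcp and udp 53 forwards present, the linter returns no findings.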
 

Author Comment

by:Steve_I
ID: 17826972
Yes, I have added the NAT command for UDP too.
But it still will not work.

I think there is no way to fix this problem, so since I know that my DNS is working
WHEN I NAT FROM A STATIC IP that is assigned to an interface, then I will ask my ISP to:

Give me 2 new static IP addresses that are not in the same subnet and range.
Example below:

ip : 213.134.156.24 I will use this IP for DNS and I will put this IP on fa0/0.30
sb: 255.255.255.192
gw: 213.134.156.1

ip nat inside source static tcp 10.0.0.7 53  213.134.156.24 53 extendable
ip nat inside source static udp 10.0.0.7 53  213.134.156.24 53 extendable

ip route 10.0.0.0 0.0.0.255 FastEthernet0/0.30 213.134.156.1
____________________________________________________________________________

ip: 212.45.67.23     I will use this IP for other servers fa0/0.31
sb: 255.255.255.0
gw: 212.45.67.1

ip route 172.16.0.0 0.0.0.255 FastEthernet0/0.31 212.45.67.1

____________________________________________________________________________

Can the config above work fine if I have IP addresses from different ranges??
Both IP addresses are routed one and one, not as a subnet, so both are assigned on their own interface.
My DNS will work if there is NAT from an IP address that is assigned on the interface BUT NOT if that
address is in the WAN address pool. There is a problem maybe because the IP which is routed through the
primary IP does not have its own gateway; it uses the same as the primary IP, because that IP is routed
to the primary IP.

I think this is the only solution in my case. It is totally impossible to find out the problem
why DNS will not work with an IP from the WAN pool which is routed through the primary IP address.

Best regards
Steve_I

      
0
 

Author Comment

by:Steve_I
ID: 17829111
Well, now I found out the following too:

The router I have, the DNS cannot work on it when I use the NAT.
I use a Cisco 2600 series (2620) with software version: Version 12.3(20), RELEASE SOFTWARE (fc2)

I noticed even if I set the external IP address on the router's interface and NAT it to the internal DNS server, IT WILL NOT WORK. I just don't understand. So I think this is not just the case when using the IP address from the WAN pool.

Any suggestions? My ISP did it 100% correctly.
I just don't understand.

Should I maybe update to the next version?? Can you suggest? I need firewall inspection in the software.
Maybe the new version has fixed this problem, I don't know. There is something but I don't know what.
Best regards
Steve_I
0
 

Author Comment

by:Steve_I
ID: 17837505
Hi again lrmoore,

I DID IT!!!!!!!!!!!!!!!!!!!!!!

I found the problem and I fixed it. I upgraded the RAM on my 2600 series router from 96 MB to 128, so I could install the latest Cisco IOS software that requires 128 MB of RAM. So I was right about the DNS when I wrote above that DNS is not fully supported by older Cisco IOS software.

Once I did the Cisco IOS update from 12.3.20 GD to 12.4.10(a) LD the DNS began to work just fine.

So in my case the DNS had problems on version 12.3.20 GD, but it works just fine as it should on the latest version
I use now, 12.4.10(a).

This is what I found out, so I would let you and others on the forum know about this issue.

PS: This new Cisco IOS solved the problem for VPN too. You remember that I could only access the internal servers and PCs if they are members of the Domain Controller, and not when I use the IP addresses?? THIS IS ALSO FIXED with this latest version.
I could only access the internal servers and PCs with their name and when they are members of the DC, but not using the plain IP address \\server_ip


Thank you for all the help!!!!
Best regards
Steve_I
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17837965
Whew, that was a lot of work.
Thanks for the update.
 - Cheers!
0
 

Author Comment

by:Steve_I
ID: 17838318
You are welcome, the only way to learn is to share with others. All of us have different experiences and there is always someone who get an idea how to fix the problem. I got help many times from EE forum, so I will share everything with other users of the EE.

Best regards
Steve_I
0
