Cisco 2600 v11.3 Dynamic NAT How to?

Posted on 2008-11-07
Last Modified: 2012-05-05
I have ver 11.3 software in a Cisco 2611.
I am trying to use it to do NAT. I found this here:
.....
//I assume you have interface e0 with valid ip address
Router(config)#int e0
Router(config-if)#ip nat inside   //this is to your trusted network - LAN
//I assume you have interface s0 with valid ip address
Router(config-if)#int s0
Router(config-if)#ip nat out       //this is to untrusted network - WAN
Router(config-if)#exit
//Here we go - static addresses for your servers. I assume you want people to find them
//without calling you every time you make changes in your network
Router(config)#ip nat inside source static 192.xxx.xxx.xxx 207.xxx.xxx.xxx  //Webserver
Router(config)#ip nat inside source static 192.xxx.xxx.xxx 207.xxx.xxx.xxx  //Email
Router(config)#ip nat inside source static 192.xxx.xxx.xxx 207.xxx.xxx.xxx  //DNS
Now if you want your workstation to have static IP, it is totally fine. (Use above statements for it)
But in case you want ~4000 (theoretically) workstations to use single public ip address, you might consider using PAT translations:
Router(config)#access-list 1 permit 192.xxx.xxx.xxx 0.0.0.255
Router(config)#ip nat inside source list 1 interface serial 0 overload
Just specify the right pool, excluding your statically assigned IP addresses.
Hope this helps
....

But I get stuck at the part "IP NAT INSIDE SOURCE STATIC..."; it flags the word "static" as being invalid. I suspect it may be because of the firmware version.

I also use DHCP inside the LAN, so how would this set of commands dynamically NAT? Is that possible?
I am a total newbie but very tenacious so please be gentle.
0
Question by:Salad-Dodger
40 Comments
 
LVL 23

Expert Comment

by:that1guy15
ID: 22907094
Type IP NAT INSIDE SOURCE ? and what are the options?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22907141
Can you upgrade?

For dynamic NAT, you don't need to use the "ip nat inside source static" command.

Create the access-list specifying your inside/LAN subnets.

access-list 1 permit 192.xxx.xxx.xxx 0.0.0.255

Then use the "ip nat inside source list 1 interface <wan interface> overload" command for dynamic NAT.

Make sure you have defined "ip nat inside" on the LAN interface and "ip nat outside" on the "wan interface".

Hopefully these commands are available in 11.3.
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22907717
that1guy
response is:
 list  Specify access list describing local addresses

Jfred
I would be happy to upgrade if it's not too terribly expensive, but I have tried to get the "How to" and "where do I buy" from Cisco and the hoops they ran me through were maddening. I couldn't get a straight answer anywhere, always forwarded around, so I gave up. It should be easier.

I have an existing access list and when I tried to add it this is what I get:
Router(config)#ip nat inside source 103
                                                        ^
% Invalid input detected at '^' marker.

What is the proper syntax? How will the NAT work from an ACL?
I will DHCP from an inside Win2k server, so what addresses do I put in the ACL? Can I use a different ACL from the one that exists now?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22907738
Yes, put the DHCP addresses in the ACL.  If 103 already has those IP addresses, you can use it.  You forgot the "list" keyword:

ip nat inside source list 103 interface <wan interface> overload

<wan interface> is your Internet facing interface on the router connected to your ISP (the interface with "ip nat outside" applied).
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22907818
Creating the ACL:

Router(config)#access-list 104 permit 192.168.125.1 0.0.0.255
                                                                 ^
% Invalid input detected at '^' marker.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22907850
Should be:

Router(config)#access-list 104 permit ip 192.168.125.0 0.0.0.255 any
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22907946
this is what I have now, how does it look? What can be removed/changed?:

ip subnet-zero
no ip source-route
ip nat inside source list 104 interface Serial0/0 overload
ip name-server 216.xx.xx.27 (our local LAN DNS server)
ip multicast-routing
ip dvmrp route-limit 7000
clock timezone PST -8
clock summer-time PDT recurring
!
!
interface Ethernet0/0
 description connection to LAN
 ip address 216.xxx.xx.xx 255.255.255.0 (this routers IP)
 ip nat inside
 ip pim dense-mode
 no ip mroute-cache
!
interface Serial0/0
 description PB-CKT#
 no ip address
 ip access-group 103 in
 ip nat outside
 encapsulation frame-relay IETF
 no ip mroute-cache
 ntp disable
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description Connection to SBC
 ip address 207.xxx.xxx.xx 255.255.255.252
 ip access-group 103 in
 no ip mroute-cache
 ntp disable
 frame-relay interface-dlci 16
!
interface Ethernet0/1 (these were earlier attempts I need to delete (I think)
 ip address 192.168.100.2 255.255.255.0
 no ip mroute-cache
 shutdown
!
interface Ethernet0/1.1
 description Attempt at VLAN for 192 segment
!
router rip
 version 2
 passive-interface Serial0/0.1
 network 216.xxx.xx.0 (currently our local Lan IP scheme, trying to change that)
 no auto-summary
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22908029
Okay, you need to reference the serial subinterface in you NAT config:

conf t
no ip nat inside source list 104 interface Serial0/0 overload
ip nat inside source list 104 interface Serial0/0.1 overload

int s0/0.1
ip nat outside

Does the router have a default route?

ip route 0.0.0.0 0.0.0.0 207.xxx.xxx.xx or
ip route 0.0.0.0 0.0.0.0 s0/0.1

It needs one if not.

Can you also post a "show access-list 103"?
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22908176
I think this is what you want.
Note that we used to host our own DNS for the websites and Exchange Server that we hosted. We don't do any of that anymore, but we have retained the T1 line and the static IPs (216.x.x.x).

ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 192.168.100.0 255.255.255.0 216.xxx.xx.20
ip route 206.xxxx.xx.0 255.255.255.224 216.xxx.xx.20

logging buffered 4096 debugging
logging trap debugging
logging 216.xxx.xx.xx
access-list 103 permit icmp 207.214.68.0 0.0.1.255 any
access-list 103 permit udp 207.214.68.0 0.0.1.255 any
access-list 103 permit icmp 151.164.62.0 0.0.0.255 any
access-list 103 permit udp 151.164.62.0 0.0.0.255 any
access-list 103 permit icmp 64.164.104.0 0.0.0.255 any
access-list 103 permit udp 64.164.104.0 0.0.0.255 any
access-list 103 permit icmp 206.13.1.0 0.0.0.255 any
access-list 103 permit udp 206.13.1.0 0.0.0.255 any
access-list 103 permit icmp 66.65.188.0 0.0.0.255 any
access-list 103 permit tcp any 206.xxx.xx.0 0.0.0.255 eq domain
access-list 103 permit udp any 206.xxx.xx.0 0.0.0.255 eq domain
access-list 103 permit tcp any host 192.168.100.225 eq domain (probably not needed)?
access-list 103 permit ip any host 216.xxx.xxx.20
access-list 103 permit tcp any host 216.xxx.xx.20
access-list 103 permit udp any host 216.xxx.xx.20
access-list 103 permit icmp any host 216.xxx.xx.20
access-list 103 permit tcp any host 216.xxx.xx.27 eq www
access-list 103 permit tcp any host 216.xxx.xx.27 eq smtp
access-list 103 permit tcp any host 216.xxx.xx.27 eq pop3
access-list 103 permit tcp any host 216.xxx.xx.27 eq 143
access-list 103 permit tcp any host 216.xxx.xx.27 eq 993
access-list 103 permit tcp any host 216.xxx.xx.27 eq domain
access-list 103 permit udp any host 216.xxx.xx.27 eq domain
access-list 103 permit udp any host 216.xxx.xx.27 gt 1023
access-list 103 permit tcp any host 216.xxx.xx.27 eq 1755
access-list 103 permit tcp any host 216.xxx.xx.27 eq nntp
access-list 103 permit tcp any host 216.xxx.xx.27 eq 3389
access-list 103 permit udp any host 216.xxx.xx.27 eq 3389
access-list 103 permit tcp any host 216.xxx.xx.27 eq ftp
access-list 103 permit tcp any host 216.xxx.xx.25 eq domain
access-list 103 permit udp any host 216.xxx.xx.25 eq domain
access-list 103 permit tcp any host 216.xxx.xx.25 eq 1755
access-list 103 permit udp any host 216.xxx.xx.25 gt 1023
access-list 103 permit udp any host 216.xxx.xx.222 eq domain
access-list 103 permit tcp any host 216.xxx.xx.222 eq domain
access-list 103 permit udp any host 216.xxx.xx.253 eq domain
access-list 103 permit tcp any host 216.xxx.xx.253 eq domain
access-list 103 permit tcp any host 216.xxx.xx.17 eq www
access-list 103 permit tcp any host 216.xxx.xx.17 eq 37777
access-list 103 permit tcp any any eq 1723
access-list 103 permit gre any any
access-list 103 permit tcp any any established
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any timestamp-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any mask-reply
access-list 103 deny   tcp any any log
access-list 103 deny   udp any any log
access-list 103 deny   ip any any log
access-list 104 permit ip 192.168.100.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22908201
That looks good.  Make sure the 216.xxx.xx.20 device isn't NAT'ing the 192.168.100.0/24 traffic.  Is it working?
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22908248
That device was a TZ190 firewall from SonicWall that I just couldn't make work. Hours with tech support only resulted in their saying that my router at .19 was blocking the device from working properly. Today in a fit I removed the SonicWall, plugged in a Linksys WRT54G I had sitting here, configured it at .20 and it worked right away. Not a single hiccup! So at this moment it is doing the NAT, but I am expecting that if I now plug around it, directly to the Ethernet switch connected to the Cisco's Ethernet port, I will get the same effect from the Cisco but I will be seen as a .19 IP to the outside world. Is that right?
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22908279
And sadly, no it's not working yet... no resolution of names
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22908280
Yeah, you can plug the switch directly into the Ethernet0/1 interface.  You need the following config on it:

interface Ethernet0/1
ip nat inside
ip add 192.168.100.x 255.255.255.0
no shut

Where 192.168.100.x is the IP address of the 192.168.100.0/24's default gateway.  You can specify a different IP on the 192.168.100.0/24 subnet but you will need to change the 192.168.100.0/24 hosts default gateway to the cisco e0/1 IP address.  The 192.168.100.0/24 hosts will appear to the Internet as the IP address of the serial0/0.1 interface (this can be changed).
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22908312
You need to add DNS return traffic for resolution to access-list 103:

access-list 103 permit udp any eq 53 any

With 11.3, you probably need to remove the entire list and then paste it back in for proper ordering.  Will cause a brief interruption in traffic:

no access-list 103
access-list 103 permit icmp 207.214.68.0 0.0.1.255 any
access-list 103 permit udp 207.214.68.0 0.0.1.255 any
access-list 103 permit icmp 151.164.62.0 0.0.0.255 any
access-list 103 permit udp 151.164.62.0 0.0.0.255 any
access-list 103 permit icmp 64.164.104.0 0.0.0.255 any
access-list 103 permit udp 64.164.104.0 0.0.0.255 any
access-list 103 permit icmp 206.13.1.0 0.0.0.255 any
access-list 103 permit udp 206.13.1.0 0.0.0.255 any
access-list 103 permit icmp 66.65.188.0 0.0.0.255 any
access-list 103 permit tcp any 206.xxx.xx.0 0.0.0.255 eq domain
access-list 103 permit udp any 206.xxx.xx.0 0.0.0.255 eq domain
access-list 103 permit tcp any host 192.168.100.225 eq domain (probably not needed)?
access-list 103 permit ip any host 216.xxx.xxx.20
access-list 103 permit tcp any host 216.xxx.xx.20
access-list 103 permit udp any host 216.xxx.xx.20
access-list 103 permit icmp any host 216.xxx.xx.20
access-list 103 permit tcp any host 216.xxx.xx.27 eq www
access-list 103 permit tcp any host 216.xxx.xx.27 eq smtp
access-list 103 permit tcp any host 216.xxx.xx.27 eq pop3
access-list 103 permit tcp any host 216.xxx.xx.27 eq 143
access-list 103 permit tcp any host 216.xxx.xx.27 eq 993
access-list 103 permit tcp any host 216.xxx.xx.27 eq domain
access-list 103 permit udp any host 216.xxx.xx.27 eq domain
access-list 103 permit udp any host 216.xxx.xx.27 gt 1023
access-list 103 permit tcp any host 216.xxx.xx.27 eq 1755
access-list 103 permit tcp any host 216.xxx.xx.27 eq nntp
access-list 103 permit tcp any host 216.xxx.xx.27 eq 3389
access-list 103 permit udp any host 216.xxx.xx.27 eq 3389
access-list 103 permit tcp any host 216.xxx.xx.27 eq ftp
access-list 103 permit tcp any host 216.xxx.xx.25 eq domain
access-list 103 permit udp any host 216.xxx.xx.25 eq domain
access-list 103 permit tcp any host 216.xxx.xx.25 eq 1755
access-list 103 permit udp any host 216.xxx.xx.25 gt 1023
access-list 103 permit udp any host 216.xxx.xx.222 eq domain
access-list 103 permit tcp any host 216.xxx.xx.222 eq domain
access-list 103 permit udp any host 216.xxx.xx.253 eq domain
access-list 103 permit tcp any host 216.xxx.xx.253 eq domain
access-list 103 permit tcp any host 216.xxx.xx.17 eq www
access-list 103 permit tcp any host 216.xxx.xx.17 eq 37777
access-list 103 permit tcp any any eq 1723
access-list 103 permit gre any any
access-list 103 permit udp any eq 53 any
access-list 103 permit tcp any any established
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any timestamp-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any mask-reply
access-list 103 deny   tcp any any log
access-list 103 deny   udp any any log
access-list 103 deny   ip any any log
0
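Why the extra `permit udp any eq 53 any` line matters: access-list 103 is applied inbound on the WAN interface, entries are tried in order with first match winning, and a stateless list has no memory of the DNS query that went out, so the UDP reply from the resolver fell through to `deny udp any any log`. The Python below is an added example, not code from this thread or from Cisco: a small evaluator for the ACL syntax used here, run against the tail of access-list 103 (the redacted host-specific lines are left out) before and after the DNS permit is inserted. The addresses 192.0.2.94 (standing in for the redacted serial0/0.1 address), 203.0.113.53 and 198.51.100.80 are constructed documentation addresses.

```python
import ipaddress
from dataclasses import dataclass

# Cisco port keywords used in the thread's ACL -> numeric port
PORT_NAMES = {"domain": 53, "www": 80, "smtp": 25, "pop3": 110, "ftp": 21, "nntp": 119}


@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp", "gre"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK or RST bit set: what the "established" keyword tests
    icmp_type: str = ""   # e.g. "echo-reply"


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (matcher, next index)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if tok == "host":
        a = ipaddress.ip_address(tokens[i + 1])
        return (lambda ip: ip == a), i + 2
    base = int(ipaddress.ip_address(tok))
    # wildcard bits set to 0 are the bits that must match
    care = ~int(ipaddress.ip_address(tokens[i + 1])) & 0xFFFFFFFF
    return (lambda ip: (int(ip) & care) == (base & care)), i + 2


def _portcheck(tokens, i):
    """Parse optional 'eq|gt|lt PORT' at tokens[i]; return (matcher, next index)."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt"):
        n = _port(tokens[i + 1])
        f = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[tokens[i]]
        return f, i + 2
    return (lambda p: True), i


class ACE:
    """One access-list entry in the classic numbered-ACL syntax."""
    def __init__(self, line):
        t = line.split()
        if t[:1] == ["access-list"]:
            t = t[2:]                      # drop "access-list 103"
        self.action, self.proto = t[0], t[1]
        self.src, i = _addr(t, 2)
        self.sport, i = _portcheck(t, i)
        self.dst, i = _addr(t, i)
        self.dport, i = _portcheck(t, i)
        rest = set(t[i:])
        self.established = "established" in rest
        self.icmp_types = rest - {"established", "log"}   # e.g. {"echo-reply"}

    def matches(self, pkt):
        if self.proto not in ("ip", pkt.proto):
            return False
        if not (self.src(ipaddress.ip_address(pkt.src)) and self.dst(ipaddress.ip_address(pkt.dst))):
            return False
        if not (self.sport(pkt.sport) and self.dport(pkt.dport)):
            return False
        if self.established and not pkt.ack:
            return False
        if self.icmp_types and pkt.icmp_type not in self.icmp_types:
            return False
        return True


def evaluate(acl_text, pkt):
    """First matching entry decides; an ACL always ends in an implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = ACE(line)
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Constructed sample: the tail of the thread's access-list 103 (redacted host lines omitted)
ACL_BEFORE = """
access-list 103 permit tcp any any eq 1723
access-list 103 permit gre any any
access-list 103 permit tcp any any established
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 deny   tcp any any log
access-list 103 deny   udp any any log
access-list 103 deny   ip any any log
"""
# Same list with the DNS-reply permit inserted ahead of the deny lines, as the thread does
ACL_AFTER = ACL_BEFORE.replace(
    "access-list 103 permit tcp any any established",
    "access-list 103 permit udp any eq 53 any\naccess-list 103 permit tcp any any established")

# Constructed inbound flows arriving at the WAN interface (192.0.2.94 = router's public side)
FLOWS = {
    "dns_reply": Packet("udp", "203.0.113.53", "192.0.2.94", sport=53, dport=40123),
    "http_reply": Packet("tcp", "198.51.100.80", "192.0.2.94", sport=80, dport=40124, ack=True),
    "inbound_syn": Packet("tcp", "198.51.100.80", "192.0.2.94", sport=44000, dport=80),
    "ping_reply": Packet("icmp", "198.51.100.80", "192.0.2.94", icmp_type="echo-reply"),
    "udp_sport53_to_161": Packet("udp", "203.0.113.7", "192.0.2.94", sport=53, dport=161),
}


def demo():
    """Map flow name -> (verdict before the DNS permit, verdict after it)."""
    return {name: (evaluate(ACL_BEFORE, p), evaluate(ACL_AFTER, p)) for name, p in FLOWS.items()}


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name:20s} before={before:7s} after={after}")
```

The last flow in `demo()` shows the cost of the fix: the permit admits any UDP datagram with source port 53 to any destination port, not only answers to queries this site sent, which is the breadth a stateless ACL forces when the router cannot track the outbound query.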
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22908434
OK thats working... (wow, you are a genius!) now I am showing up to the outside world at the 207.x.x.x IP address... I thought that was one assigned to me by my ISP rather than one I had control over, i.e. owned by virtue of my Class C from the T1.  
I browse to the GRC site that checks for ports open and I am completely stealthed. Interesting.

But the 2 other machines on that same switch can't browse at all.
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22908447
might have jumped the gun, none are browsing new sites, just cached data.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22908464
You can leave it as the 207.x.x.x address or you can assign one of the 216.xxx.xx.x addresses to a NAT pool and hide the 192.168.100.0/24 hosts behind that if you want.  So one machine in the 192.168.100.0/24 subnet works but the other 2 don't?  Is their default gateway the ethernet0/1 interface on the Cisco?
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22908594
If that IP is OK I'll leave it alone. At some point I'll want a VPN from home,  but not today.

I spoke too soon, none will browse to a new site; Google's IP was cached so it would search, but no new sites could be browsed. I would guess because DNS couldn't be resolved.
Could it be an access list issue?
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22908726
I have placed the Linksys back into position and the machines work through that. I have an appt so I'll return to this tonight. Thank you for your help thus far. If you think of anything else. Please let me know.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22909990
Can you post a "show run" from the router.  I would use one of your 216 addresses for the NAT:

conf t
ip nat pool natpool 216.x.x.100 216.x.x.100 netmask 255.255.255.0
ip nat inside source list 104 pool natpool overload

Where 216.x.x.100 is a free IP address in the 216.x.x.x subnet.

Are you using 216.x.x.27 for the 192.168.100.0/24 hosts DNS server?  Does it have a route back to the 192.168.100.0/24 subnet?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22910084
Forgot, you need to remove this command:

no ip nat inside source list 104 interface Serial0/0 overload

Also, remove this route:

no ip route 192.168.100.0 255.255.255.0 216.xxx.xx.20
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22910329
I am heading back there right now to get this info for you.
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22910717
"nat pool" not working out so well, doesn't like that "pool":
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip nat pool natpool 216.xxx.xx.1 216.xxx.xx.1 netmask 255.255.255.0
                         ^
% Invalid input detected at '^' marker.

Router(config)#ip natpool 216.xxx.xx.1 216.xxx.xx.1 netmask 255.255.255.0
                        ^
% Invalid input detected at '^' marker.

Router(config)#ip nat pool 216.xxx.xx.1 216.xxx.xx.1 netmask 255.255.255.0
                         ^
% Invalid input detected at '^' marker.

Router(config)#
---------------
Router(config)#ip nat ?
  inside       Inside address translation
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration
Router(config)#ip natpool ?
% Unrecognized command
--------------------
-----heres the show run:-------------------------------------------------------
Router#show run
Building configuration...

Current configuration:
!
! Last configuration change at 06:00:43 PST Fri Nov 7 2008
! NVRAM config last updated at 23:36:45 PST Thu Nov 6 2008
!
version 11.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Router
!
enable secret 5
enable password 7
!
ip subnet-zero
no ip source-route
ip name-server 216.xxx.xx.27
ip multicast-routing
ip dvmrp route-limit 7000
clock timezone PST -8
clock summer-time PDT recurring
!
!
!
interface Ethernet0/0 -----> routers IP
 description Connected to Lan
 ip address 216.xxx.xx.19 255.255.255.0
 ip nat inside
 ip pim dense-mode
 no ip mroute-cache
!
interface Serial0/0
 description PB-CKT# -----> T1 Interface
 no ip address
 ip access-group 103 in
 ip nat outside
 encapsulation frame-relay IETF
 no ip mroute-cache
 ntp disable
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description Connection to SBC
 ip address 207.xxx.xxx.94 255.255.255.252
 ip access-group 103 in
 ip nat outside
 no ip mroute-cache
 ntp disable
 frame-relay interface-dlci 16
!
interface Ethernet0/1
 ip address 192.168.123.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
!
interface Ethernet0/1.1
 description Attempt at VLAN for 192 segment
!
router rip
 version 2
 passive-interface Serial0/0.1
 network 216.xxx.xx.0
 no auto-summary
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 206.xxx.xx.0 255.255.255.224 216.xxx.xx.20
!
logging buffered 4096 debugging
logging trap debugging
logging 216.xxx.xx.27
access-list 103 permit udp any eq domain any
access-list 103 permit icmp 207.xxx.xx.0 0.0.1.255 any
access-list 103 permit udp 207.xx.xx.0 0.0.1.255 any
access-list 103 permit icmp 151.xxx.xx.0 0.0.0.255 any
access-list 103 permit udp 151.xx.xx.0 0.0.0.255 any
access-list 103 permit icmp 64.xx.xx.0 0.0.0.255 any
access-list 103 permit udp 64.xx.xx.0 0.0.0.255 any
access-list 103 permit icmp 206.xx.x.0 0.0.0.255 any
access-list 103 permit udp 206.xx.x.0 0.0.0.255 any
access-list 103 permit icmp 66.xx.xxx.0 0.0.0.255 any
access-list 103 permit tcp any 206.xxx.xx.0 0.0.0.255 eq domain
access-list 103 permit udp any 206.xxx.xx.0 0.0.0.255 eq domain
access-list 103 permit tcp any host 192.168.123.225 eq domain
access-list 103 permit ip any host 216.xxx.xx.20
access-list 103 permit tcp any host 216.xxx.xx.20
access-list 103 permit udp any host 216.xxx.xx.20
access-list 103 permit icmp any host 216.xxx.xx.20
access-list 103 permit tcp any host 216.xxx.xx.27 eq www
access-list 103 permit tcp any host 216.xxx.xx.27 eq smtp
access-list 103 permit tcp any host 216.xxx.xx.27 eq pop3
access-list 103 permit tcp any host 216.xxx.xx.27 eq 143
access-list 103 permit tcp any host 216.xxx.xx.27 eq 993
access-list 103 permit tcp any host 216.xxx.xx.27 eq domain
access-list 103 permit udp any host 216.xxx.xx.27 eq domain
access-list 103 permit udp any host 216.xxx.xx.27 gt 1023
access-list 103 permit tcp any host 216.xxx.xx.27 eq 1755
access-list 103 permit tcp any host 216.xxx.xx.27 eq nntp
access-list 103 permit tcp any host 216.xxx.xx.27 eq 3389
access-list 103 permit udp any host 216.xxx.xx.27 eq 3389
access-list 103 permit tcp any host 216.xxx.xx.27 eq ftp
access-list 103 permit tcp any host 216.xxx.xx.25 eq domain
access-list 103 permit udp any host 216.xxx.xx.25 eq domain
access-list 103 permit tcp any host 216.xxx.xx.25 eq 1755
access-list 103 permit udp any host 216.xxx.xx.25 gt 1023
access-list 103 permit udp any host 216.xxx.xx.222 eq domain
access-list 103 permit tcp any host 216.xxx.xx.222 eq domain
access-list 103 permit udp any host 216.xxx.xx.253 eq domain
access-list 103 permit tcp any host 216.xxx.xx.253 eq domain
access-list 103 permit tcp any host 216.xxx.xx.17 eq www
access-list 103 permit tcp any host 216.xxx.xx.17 eq 37777
access-list 103 permit tcp any any eq 1723
access-list 103 permit gre any any
access-list 103 permit tcp any any established
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any timestamp-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any mask-reply
access-list 103 deny   tcp any any log
access-list 103 deny   udp any any log
access-list 103 deny   ip any any log
access-list 104 permit ip 192.168.123.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
snmp-server community public RO
snmp-server location my location
snmp-server contact My Location, xxx-xxx-xxxx
!
line con 0
 exec-timeout 0 0
 password 7
 login
line aux 0
line vty 0 4
 password 7
 login
!
ntp server 128.9.2.129
ntp server 216.xxx.xx.27
ntp server 132.249.16.1
ntp server 204.74.68.55
no scheduler allocate
end
Router#

I'm not pretending to know what a lot of that is for, but some I do. The first few on the access list are from our T1 provider for monitoring our line.
Many of the 216 addresses are leftovers and can be culled once I (you :-) ) make this work.
If new firmware would help, just tell me how to get it and I'll make that happen.
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22910758
"Are you using 216.x.x.27 for the 192.168.100.0/24 hosts DNS server?  Does it have a route back to the 192.168.100.0/24 subnet?"

The 216.x.x.27 address is the forwarding DNS server for the existing, and still functional, LAN (~40 PCs) where all the PCs are on public IPs in that range. Having them that way surely is a bad idea and this change is to get them off the public IP range. But they must continue to function while I work this out. Then the only 216.x.x.x address left will be the router, and perhaps a VPN or another machine in the future.

Using this second port on the back of this router for this should allow two separate segments, one public and one private; whichever one you plug into is what you get. At least in my mind it works like that. You can straighten me out if need be.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22912245
Okay, the config looks good.  Forget about the NAT pool, no big deal.

Let's do some tests:

From a 192.168.123.x host, please post an "ipconfig /all".

Then, from a command prompt on the 192.168.123.x host, try each of these:

ping 192.168.123.1
ping 216.x.x.27
ping www.google.com
ping 74.125.95.104
telnet 74.125.95.104 80
telnet www.google.com 80
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22926227
Hmm, last post isn't showing up,
Sorry for the delay, Took a mental health day. I will be back at it in about 4 hours. I'll post back then.
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22927426
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\salad>ipconfig /all
Windows IP Configuration
   Host Name . . . . . . . . . . . . : fred
   Primary Dns Suffix  . . . . . . . : My.Domain
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : My.Domain

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : My.Domain
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-1D-09-Ff-8c-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.123.201
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.123.1
   DNS Servers . . . . . . . . . . . : 192.168.123.225
                                       192.168.123.226
   Primary WINS Server . . . . . . . : 192.168.123.225

C:\Documents and Settings\salad>ping 192.168.123.1
Pinging 192.168.123.1 with 32 bytes of data:
Reply from 192.168.123.1: bytes=32 time=5ms TTL=255
Reply from 192.168.123.1: bytes=32 time=4ms TTL=255
Reply from 192.168.123.1: bytes=32 time=3ms TTL=255
Reply from 192.168.123.1: bytes=32 time=3ms TTL=255
  Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

C:\Documents and Settings\salad>ping 216.x.x.27
Pinging 216.x.x.27 with 32 bytes of data:
Reply from 216.x.x.27: bytes=32 time=8ms TTL=127
Reply from 216.x.x.27: bytes=32 time=5ms TTL=127
Reply from 216.x.x.27: bytes=32 time=5ms TTL=127
Reply from 216.x.x.27: bytes=32 time=4ms TTL=127
   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


C:\Documents and Settings\salad>ping www.google.com
Ping request could not find host www.google.com. Please check the name and try again.

C:\Documents and Settings\salad>ping 74.125.95.104
Pinging 74.125.95.104 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
   Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\salad>telnet 74.125.95.104 80
Connecting To 74.125.95.104...Could not open connection to the host, on port 80:
 Connect failed

C:\Documents and Settings\salad>telnet www.google.com 80
Connecting To www.google.com...Could not open connection to the host, on port 80
: Connect failed
C:\Documents and Settings\salad>

My feeble brain is telling me DNS isn't getting through.
You did notice I am using 2 access lists, right? 103 and 104. I don't know if that's OK; can it use both of the lists like this? 104 has this 192 segment attached to it. 103 does not.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22930064
Access-list 103 is allowing the return traffic and 104 is specific to the NAT rule so the access-lists are good.  DNS isn't resolving that is for sure.  So, 192.168.123.225 and 192.168.123.226 have a forwarder setup for 216.x.x.27?

I didn't even notice that your NAT statement is missing from your running-config now.  Add this:

conf t
ip nat inside source list 104 interface Serial0/0.1 overload
end
wr mem

Try the tests again...
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22930389
192.168.123.225 and .226 are not pointing to 216.x.x.27, they are pointing to my ISP's and OPENDNS servers.  216.x.x.27 is what the current LAN uses and it points to the same DNS servers.

This machine (.27) and all others in the 216 segment will not be involved with the 192 segment. At best 216 will be in a DMZ type of arrangement, whereas 192 will be protected.

That IP Nat line sure looks familiar, not sure what happened to it, but I'll put that back in there this evening.

I have usually used just "wr" to write to eeprom. Is "wr mem" a different command or just another way to do the same thing?

You have also never suggested that I update the IOS. Is it simply not worth doing at all or just not needed here?

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22930572
Understood on the DNS setup.  "wr mem" and "wr" are the same command so that works fine.  Without the NAT line, you aren't getting out to the Internet, period, so we'll see if that takes care of it.  Not sure where in the troubleshooting process it was removed.

Updating the IOS would be nice but isn't absolutely necessary to get this to work.  Obviously there is cost involved and to be honest, you would be better off replacing the 2611 (if it isn't a 2611XM) with a 2800 series.
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22941831
You are a Genius.  The two machines work just like they should, everything out a single 207.x.x.x IP. The "Shields Up" test shows no exposed ports. Life is Good! I assume that I can put 40 other machines on this connection with the same results?

Is there any reason I shouldn't use the 207.x.x.x IP for this? I know you said I could change it but if there is no real reason to I won't.
I am only familiar with the 216.x.x.x IP which was what we hosted our web and email servers on and I'm not clear on where that 207 IP came from? The reverse DNS has our name in the prefix so it must be ours but I wonder why I haven't seen it before.

interface Ethernet0/0 -----> routers IP
 description Connected to Lan
 ip address 216.xxx.xx.19 255.255.255.0
 ip nat inside
 ip pim dense-mode
 no ip mroute-cache
!
interface Serial0/0.1 point-to-point
 description Connection to SBC
 ip address 207.xxx.xxx.94 255.255.255.252
 ip access-group 103 in
 ip nat outside
 no ip mroute-cache
 ntp disable
 frame-relay interface-dlci 16

And let me just add that I can't thank you enough!
I wish I could award more points!
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 22942286
Excellent, glad to hear!

The 207.x.x.x IP is free to use and should be 207.xxx.xxx.94 (the serial0/0.1 interface IP).  Typically you get a /30 subnet from your ISP which in this case is the 207.x.x.x IP which is used for the WAN interface connection between you and your ISP.  Your ISP then routes you a subnet or block of addresses to be used for inbound connections/servers etc...(the 206.x.x.x subnet).  There is no issue using the 207.x.x.x IP.  If you want to use the 216.xxx.xx.19 address instead you can simply change the NAT statement to reference the Ethernet0/0 interface instead of the Serial0/0.1 interface, i.e.

conf t
no ip nat inside source list 104 interface Serial0/0.1 overload
ip nat inside source list 104 interface Ethernet0/0 overload

And yes, you can put 40 other hosts on the 192.168.123.x subnet and experience the same results.
0
 
LVL 1

Author Closing Comment

by:Salad-Dodger
ID: 31514469
I have to say it again, I can't thank you enough for your help. I wish I could give you something besides just points. You have certainly earned it.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22942424
I accept personal checks.  Just Kidding! :-)

You're welcome by the way.
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22942430
Thank you, Thank You, Thank You! You are indeed a Genius!... The Man... 'Da Bomb!

I'll probably be back when I try to configure a VPN through this ;-) But that will be a couple days!
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 22942456
Just tell me where to send it!
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22942511
Nah, I do this for free.  Thanks is enough.
0
 
LVL 1

Author Comment

by:Salad-Dodger
ID: 23533839
Are you still around? I could use more help with a VPN.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23536999
Yes, sir.  I can help, send me the link to the question if you have one open already and I'll take a look at it.
0
