cisco 2600 v11.3 Dynamic nat How to?

I have ver 11.3 software in a Cisco 2611.
I am trying to use it to do NAT. I found this here:
.....
//I assume you have interface e0 with valid ip address
Router(config)#int e0
Router(config-if)#ip nat inside   //this is to your trusted network - LAN
//I assume you have interface s0 with valid ip address
Router(config-if)#int s0
Router(config-if)#ip nat out       //this is to untrusted network - WAN
Router(config-if)#exit
//Here we go - static addresses for your servers. I assume you want people to find them
//without calling you every time you make changes in your network
Router(config)#ip nat inside source static 192.xxx.xxx.xxx 207.xxx.xxx.xxx  //Webserver
Router(config)#ip nat inside source static 192.xxx.xxx.xxx 207.xxx.xxx.xxx  //Email
Router(config)#ip nat inside source static 192.xxx.xxx.xxx 207.xxx.xxx.xxx  //DNS
Now if you want your workstation to have static IP, it is totally fine. (Use above statements for it)
But in case you want ~4000 (theoretically) workstations to use single public ip address, you might consider using PAT translations:
Router(config)#access-list 1 permit 192.xxx.xxx.xxx 0.0.0.255
Router(config)#ip nat inside source list 1 interface serial 0 overload
Just specify the right pool, excluding your statically assigned IP addresses.
Hope this helps
....

But I get stuck at the part "IP NAT INSIDE SOURCE STATIC..."; it flags the word "static" as being invalid. I suspect it may be because of the firmware version.

I also use DHCP inside the LAN, so how would this set of commands dynamically NAT? Is that possible?
I am a total newbie but very tenacious so please be gentle.
Salad-DodgerInstrumentationAsked:
that1guy15Commented:
Type IP NAT INSIDE SOURCE ? and what are the options?
0
JFrederick29Commented:
Can you upgrade?

For dynamic NAT, you don't need to use the "ip nat inside source static" command.

Create the access-list specifying your inside/LAN subnets.

access-list 1 permit 192.xxx.xxx.xxx 0.0.0.255

Then use the "ip nat inside source list 1 interface <wan interface> overload" command for dynamic NAT.

Make sure you have defined "ip nat inside" on the LAN interface and "ip nat outside" on the "wan interface".

Hopefully these commands are available in 11.3.
0
Salad-DodgerInstrumentationAuthor Commented:
that1guy
response is:
 list  Specify access list describing local addresses

Jfred
I would be happy to upgrade if it's not too terribly expensive, but I have tried to get the "how to" and "where do I buy" from Cisco and the hoops they run me through were maddening. I couldn't get a straight answer anywhere, always forwarded around, so I gave up. It should be easier.

I have an existing access list and when I tried to add it this is what I get:
Router(config)#ip nat inside source 103
                                                        ^
% Invalid input detected at '^' marker.

What is the proper syntax? How will the NAT work from an ACL?
I will DHCP from an inside Win2k server, so what addresses do I put in the ACL? Can I use a different ACL from the one that exists now?
0
JFrederick29Commented:
Yes, put the DHCP addresses in the ACL.  If 103 already has those IP addresses, you can use it.  You forgot the "list" keyword:

ip nat inside source list 103 interface <wan interface> overload

<wan interface> is your Internet facing interface on the router connected to your ISP (the interface with "ip nat outside" applied).
0
Salad-DodgerInstrumentationAuthor Commented:
Creating the ACL:

Router(config)#access-list 104 permit 192.168.125.1 0.0.0.255
                                                                 ^
% Invalid input detected at '^' marker.
0
JFrederick29Commented:
Should be:

Router(config)#access-list 104 permit ip 192.168.125.0 0.0.0.255 any
0
Salad-DodgerInstrumentationAuthor Commented:
This is what I have now, how does it look? What can be removed/changed?

ip subnet-zero
no ip source-route
ip nat inside source list 104 interface Serial0/0 overload
ip name-server 216.xx.xx.27 (our local LAN DNS server)
ip multicast-routing
ip dvmrp route-limit 7000
clock timezone PST -8
clock summer-time PDT recurring
!
!
interface Ethernet0/0
 description connection to LAN
 ip address 216.xxx.xx.xx 255.255.255.0 (this routers IP)
 ip nat inside
 ip pim dense-mode
 no ip mroute-cache
!
interface Serial0/0
 description PB-CKT#
 no ip address
 ip access-group 103 in
 ip nat outside
 encapsulation frame-relay IETF
 no ip mroute-cache
 ntp disable
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description Connection to SBC
 ip address 207.xxx.xxx.xx 255.255.255.252
 ip access-group 103 in
 no ip mroute-cache
 ntp disable
 frame-relay interface-dlci 16
!
interface Ethernet0/1 (these were earlier attempts I need to delete (I think))
 ip address 192.168.100.2 255.255.255.0
 no ip mroute-cache
 shutdown
!
interface Ethernet0/1.1
 description Attempt at VLAN for 192 segment
!
router rip
 version 2
 passive-interface Serial0/0.1
 network 216.xxx.xx.0 (currently our local Lan IP scheme, trying to change that)
 no auto-summary
0
JFrederick29Commented:
Okay, you need to reference the serial subinterface in your NAT config:

conf t
no ip nat inside source list 104 interface Serial0/0 overload
ip nat inside source list 104 interface Serial0/0.1 overload

int s0/0.1
ip nat outside

Does the router have a default route?

ip route 0.0.0.0 0.0.0.0 207.xxx.xxx.xx or
ip route 0.0.0.0 0.0.0.0 s0/0.1

It needs one if not.

Can you also post a "show access-list 103"?
0
Salad-DodgerInstrumentationAuthor Commented:
I think this is what you want.
Note that we used to host our own DNS for the websites and Exchange Server that we hosted. We don't do any of that anymore but we have retained the T1 line and the static IPs (216.x.x.x).

ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 192.168.100.0 255.255.255.0 216.xxx.xx.20
ip route 206.xxxx.xx.0 255.255.255.224 216.xxx.xx.20

logging buffered 4096 debugging
logging trap debugging
logging 216.xxx.xx.xx
access-list 103 permit icmp 207.214.68.0 0.0.1.255 any
access-list 103 permit udp 207.214.68.0 0.0.1.255 any
access-list 103 permit icmp 151.164.62.0 0.0.0.255 any
access-list 103 permit udp 151.164.62.0 0.0.0.255 any
access-list 103 permit icmp 64.164.104.0 0.0.0.255 any
access-list 103 permit udp 64.164.104.0 0.0.0.255 any
access-list 103 permit icmp 206.13.1.0 0.0.0.255 any
access-list 103 permit udp 206.13.1.0 0.0.0.255 any
access-list 103 permit icmp 66.65.188.0 0.0.0.255 any
access-list 103 permit tcp any 206.xxx.xx.0 0.0.0.255 eq domain
access-list 103 permit udp any 206.xxx.xx.0 0.0.0.255 eq domain
access-list 103 permit tcp any host 192.168.100.225 eq domain (probably not needed)?
access-list 103 permit ip any host 216.xxx.xxx.20
access-list 103 permit tcp any host 216.xxx.xx.20
access-list 103 permit udp any host 216.xxx.xx.20
access-list 103 permit icmp any host 216.xxx.xx.20
access-list 103 permit tcp any host 216.xxx.xx.27 eq www
access-list 103 permit tcp any host 216.xxx.xx.27 eq smtp
access-list 103 permit tcp any host 216.xxx.xx.27 eq pop3
access-list 103 permit tcp any host 216.xxx.xx.27 eq 143
access-list 103 permit tcp any host 216.xxx.xx.27 eq 993
access-list 103 permit tcp any host 216.xxx.xx.27 eq domain
access-list 103 permit udp any host 216.xxx.xx.27 eq domain
access-list 103 permit udp any host 216.xxx.xx.27 gt 1023
access-list 103 permit tcp any host 216.xxx.xx.27 eq 1755
access-list 103 permit tcp any host 216.xxx.xx.27 eq nntp
access-list 103 permit tcp any host 216.xxx.xx.27 eq 3389
access-list 103 permit udp any host 216.xxx.xx.27 eq 3389
access-list 103 permit tcp any host 216.xxx.xx.27 eq ftp
access-list 103 permit tcp any host 216.xxx.xx.25 eq domain
access-list 103 permit udp any host 216.xxx.xx.25 eq domain
access-list 103 permit tcp any host 216.xxx.xx.25 eq 1755
access-list 103 permit udp any host 216.xxx.xx.25 gt 1023
access-list 103 permit udp any host 216.xxx.xx.222 eq domain
access-list 103 permit tcp any host 216.xxx.xx.222 eq domain
access-list 103 permit udp any host 216.xxx.xx.253 eq domain
access-list 103 permit tcp any host 216.xxx.xx.253 eq domain
access-list 103 permit tcp any host 216.xxx.xx.17 eq www
access-list 103 permit tcp any host 216.xxx.xx.17 eq 37777
access-list 103 permit tcp any any eq 1723
access-list 103 permit gre any any
access-list 103 permit tcp any any established
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any timestamp-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any mask-reply
access-list 103 deny   tcp any any log
access-list 103 deny   udp any any log
access-list 103 deny   ip any any log
access-list 104 permit ip 192.168.100.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
0
JFrederick29Commented:
That looks good.  Make sure the 216.xxx.xx.20 device isn't NAT'ing the 192.168.100.0/24 traffic.  Is it working?
0
Salad-DodgerInstrumentationAuthor Commented:
That device was a TZ190 Firewall from SonicWall that I just couldn't make work. Hours with tech support only resulted in their saying that my router at .19 was blocking the device from working properly. Today in a fit I removed the SonicWall, plugged in a Linksys WRT54G I had sitting here, configured it at .20 and it worked right away. Not a single hiccup! So at this moment it is doing the NAT, but I am expecting that if I now plug around it, directly to the Ethernet switch connected to the Cisco's Ethernet, I will get the same effect from the Cisco but I will be seen as a .19 IP to the outside world. Is that right?
0
Salad-DodgerInstrumentationAuthor Commented:
And sadly, no it's not working yet... no resolution of names
0
JFrederick29Commented:
Yeah, you can plug the switch directly into the Ethernet0/1 interface.  You need the following config on it:

interface Ethernet0/1
ip nat inside
ip add 192.168.100.x 255.255.255.0
no shut

Where 192.168.100.x is the IP address of the 192.168.100.0/24's default gateway.  You can specify a different IP on the 192.168.100.0/24 subnet but you will need to change the 192.168.100.0/24 hosts default gateway to the cisco e0/1 IP address.  The 192.168.100.0/24 hosts will appear to the Internet as the IP address of the serial0/0.1 interface (this can be changed).
0
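The overload translation JFrederick29 describes, as an added example that is not part of the thread: a small Python model of "ip nat inside source list 104 interface Serial0/0.1 overload". It shows which sources list 104 selects, how two inside hosts share the one outside address, how the translation table lets replies back in, that an unsolicited inbound packet finds no entry, and (as the thread finds later) that with no "ip nat inside source" line nothing is translated at all. The addresses are constructed stand-ins from the TEST-NET ranges, and port handling is simplified.

```python
"""Model of Cisco interface-overload NAT (PAT).

Added example, not from the thread. Addresses are constructed stand-ins."""
import ipaddress


class PatRouter:
    def __init__(self, outside_ip, acl_nets):
        self.outside_ip = outside_ip                    # the Serial0/0.1 address
        # 'ip nat inside source list 104 ...': list 104 permits 192.168.123.0/24
        self.acl_nets = [ipaddress.ip_network(n) for n in acl_nets]
        self.inside_to_out = {}   # (proto, inside_ip, inside_port) -> outside_port
        self.out_to_inside = {}   # (proto, outside_port) -> (inside_ip, inside_port)
        self.next_free = 1024

    def _allocate_port(self, proto, wanted):
        # Simplified: keep the original source port while it is still free on
        # the outside address, otherwise hand out the next free one.
        if (proto, wanted) not in self.out_to_inside:
            return wanted
        while (proto, self.next_free) in self.out_to_inside:
            self.next_free += 1
        port = self.next_free
        self.next_free += 1
        return port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet entering on an 'ip nat inside' interface and leaving via the
        'ip nat outside' interface. Returns (src_ip, src_port, translated)."""
        if not any(ipaddress.ip_address(src_ip) in n for n in self.acl_nets):
            # Not selected by the list: routed untranslated. A private source
            # leaves as-is and no reply can ever be routed back to it.
            return src_ip, src_port, False
        key = (proto, src_ip, src_port)
        if key not in self.inside_to_out:
            port = self._allocate_port(proto, src_port)
            self.inside_to_out[key] = port
            self.out_to_inside[(proto, port)] = (src_ip, src_port)
        return self.outside_ip, self.inside_to_out[key], True

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving on the outside interface. Returns the inside
        (ip, port) it is forwarded to, or None when no translation exists
        (it is then traffic for the router itself and meets the inbound ACL)."""
        if dst_ip != self.outside_ip:
            return None
        return self.out_to_inside.get((proto, dst_port))


WAN_IP = '198.51.100.94'   # stand-in for the 207.x.x.x Serial0/0.1 address
RESOLVER = '192.0.2.53'    # stand-in for the ISP's DNS server


def demo():
    rtr = PatRouter(WAN_IP, ['192.168.123.0/24'])
    # Two inside hosts query DNS from the same source port.
    a = rtr.outbound('udp', '192.168.123.201', 1025, RESOLVER, 53)
    b = rtr.outbound('udp', '192.168.123.202', 1025, RESOLVER, 53)
    # Replies from the resolver are mapped back through the table.
    back_a = rtr.inbound('udp', RESOLVER, 53, WAN_IP, a[1])
    back_b = rtr.inbound('udp', RESOLVER, 53, WAN_IP, b[1])
    # A host on the public segment is not in list 104: left untranslated.
    c = rtr.outbound('tcp', '203.0.113.40', 40000, '192.0.2.80', 80)
    # An unsolicited inbound packet (the "Shields Up" style probe): no entry.
    probe = rtr.inbound('tcp', '192.0.2.99', 40001, WAN_IP, 3389)
    return a, b, back_a, back_b, c, probe


def without_nat_statement():
    """No 'ip nat inside source' line at all: nothing gets translated."""
    return PatRouter(WAN_IP, []).outbound('udp', '192.168.123.201', 1025,
                                          RESOLVER, 53)


if __name__ == '__main__':
    for step in demo():
        print(step)
    print(without_nat_statement())
```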
JFrederick29Commented:
You need to add DNS return traffic for resolution to access-list 103:

access-list 103 permit udp any eq 53 any

With 11.3, you probably need to remove the entire list and then paste it back in for proper ordering.  Will cause a brief interruption in traffic:

no access-list 103
access-list 103 permit icmp 207.214.68.0 0.0.1.255 any
access-list 103 permit udp 207.214.68.0 0.0.1.255 any
access-list 103 permit icmp 151.164.62.0 0.0.0.255 any
access-list 103 permit udp 151.164.62.0 0.0.0.255 any
access-list 103 permit icmp 64.164.104.0 0.0.0.255 any
access-list 103 permit udp 64.164.104.0 0.0.0.255 any
access-list 103 permit icmp 206.13.1.0 0.0.0.255 any
access-list 103 permit udp 206.13.1.0 0.0.0.255 any
access-list 103 permit icmp 66.65.188.0 0.0.0.255 any
access-list 103 permit tcp any 206.xxx.xx.0 0.0.0.255 eq domain
access-list 103 permit udp any 206.xxx.xx.0 0.0.0.255 eq domain
access-list 103 permit tcp any host 192.168.100.225 eq domain (probably not needed)?
access-list 103 permit ip any host 216.xxx.xxx.20
access-list 103 permit tcp any host 216.xxx.xx.20
access-list 103 permit udp any host 216.xxx.xx.20
access-list 103 permit icmp any host 216.xxx.xx.20
access-list 103 permit tcp any host 216.xxx.xx.27 eq www
access-list 103 permit tcp any host 216.xxx.xx.27 eq smtp
access-list 103 permit tcp any host 216.xxx.xx.27 eq pop3
access-list 103 permit tcp any host 216.xxx.xx.27 eq 143
access-list 103 permit tcp any host 216.xxx.xx.27 eq 993
access-list 103 permit tcp any host 216.xxx.xx.27 eq domain
access-list 103 permit udp any host 216.xxx.xx.27 eq domain
access-list 103 permit udp any host 216.xxx.xx.27 gt 1023
access-list 103 permit tcp any host 216.xxx.xx.27 eq 1755
access-list 103 permit tcp any host 216.xxx.xx.27 eq nntp
access-list 103 permit tcp any host 216.xxx.xx.27 eq 3389
access-list 103 permit udp any host 216.xxx.xx.27 eq 3389
access-list 103 permit tcp any host 216.xxx.xx.27 eq ftp
access-list 103 permit tcp any host 216.xxx.xx.25 eq domain
access-list 103 permit udp any host 216.xxx.xx.25 eq domain
access-list 103 permit tcp any host 216.xxx.xx.25 eq 1755
access-list 103 permit udp any host 216.xxx.xx.25 gt 1023
access-list 103 permit udp any host 216.xxx.xx.222 eq domain
access-list 103 permit tcp any host 216.xxx.xx.222 eq domain
access-list 103 permit udp any host 216.xxx.xx.253 eq domain
access-list 103 permit tcp any host 216.xxx.xx.253 eq domain
access-list 103 permit tcp any host 216.xxx.xx.17 eq www
access-list 103 permit tcp any host 216.xxx.xx.17 eq 37777
access-list 103 permit tcp any any eq 1723
access-list 103 permit gre any any
access-list 103 permit udp any eq 53 any
access-list 103 permit tcp any any established
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any timestamp-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any mask-reply
access-list 103 deny   tcp any any log
access-list 103 deny   udp any any log
access-list 103 deny   ip any any log
0
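Why the "permit udp any eq 53 any" line fixes name resolution, as an added example that is not part of the thread: a Python first-match evaluator for a Cisco extended ACL, run over a cut-down version of access-list 103 as it sits inbound on the WAN side. It shows the DNS reply being dropped by "deny udp any any log" before the line is added, that "established" only covers TCP replies, and how a wildcard mask such as 0.0.1.255 matches. Addresses are constructed stand-ins from the TEST-NET ranges.

```python
"""First-match evaluation of a Cisco numbered extended ACL.

Added example, not from the thread. Addresses are constructed stand-ins."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {'www': 80, 'domain': 53, 'smtp': 25, 'pop3': 110, 'ftp': 21}
Packet = namedtuple('Packet', 'proto src dst sport dport tcp_flags icmp_type',
                    defaults=(0, 0, frozenset(), ''))


def _addr_spec(t, i):
    # Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at t[i].
    if t[i] == 'any':
        return ('any', None), i + 1
    if t[i] == 'host':
        return ('host', t[i + 1]), i + 2
    return ('net', (t[i], t[i + 1])), i + 2


def _port_spec(t, i):
    # Consume an optional 'eq|gt|lt|neq <port>' at t[i].
    if i < len(t) and t[i] in ('eq', 'gt', 'lt', 'neq'):
        return (t[i], PORT_NAMES.get(t[i + 1]) or int(t[i + 1])), i + 2
    return None, i


def parse_rule(line):
    t = line.split()
    rule = {'text': line, 'action': t[2], 'proto': t[3]}
    i = 4
    rule['src'], i = _addr_spec(t, i)
    rule['sport'], i = _port_spec(t, i)
    rule['dst'], i = _addr_spec(t, i)
    rule['dport'], i = _port_spec(t, i)
    rest = set(t[i:])
    rule['established'] = 'established' in rest
    icmp = rest - {'established', 'log'}
    rule['icmp_type'] = icmp.pop() if icmp else ''   # e.g. 'echo-reply'
    return rule


def _match_addr(spec, addr):
    kind, val = spec
    if kind == 'any':
        return True
    if kind == 'host':
        return addr == val
    net, wild = (int(ipaddress.IPv4Address(x)) for x in val)
    a = int(ipaddress.IPv4Address(addr))
    # Wildcard bit 1 = don't care: compare only the bits the wildcard leaves 0.
    return ((net ^ a) & (0xFFFFFFFF ^ wild)) == 0


def _match_port(spec, port):
    if spec is None:
        return True
    op, val = spec
    return {'eq': port == val, 'gt': port > val,
            'lt': port < val, 'neq': port != val}[op]


def matches(rule, pkt):
    if rule['proto'] != 'ip' and rule['proto'] != pkt.proto:
        return False
    if not (_match_addr(rule['src'], pkt.src) and _match_addr(rule['dst'], pkt.dst)):
        return False
    if not (_match_port(rule['sport'], pkt.sport) and _match_port(rule['dport'], pkt.dport)):
        return False
    if rule['established'] and not (pkt.tcp_flags & {'ACK', 'RST'}):
        return False   # 'established' = ACK or RST set, i.e. not a fresh SYN
    return not rule['icmp_type'] or rule['icmp_type'] == pkt.icmp_type


def evaluate(acl, pkt):
    """First matching line wins; every ACL ends with an implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule['action'], rule['text']
    return 'deny', 'implicit deny'


ACL_103 = [parse_rule(l) for l in """
access-list 103 permit icmp 198.18.0.0 0.0.1.255 any
access-list 103 permit tcp any host 203.0.113.27 eq www
access-list 103 permit udp any eq 53 any
access-list 103 permit tcp any any established
access-list 103 permit icmp any any echo-reply
access-list 103 deny   tcp any any log
access-list 103 deny   udp any any log
access-list 103 deny   ip any any log
""".strip().splitlines()]
# The list as it stood before the DNS-reply line was added.
ACL_103_BEFORE = [r for r in ACL_103 if 'eq 53' not in r['text']]
WAN_IP = '198.51.100.94'   # stand-in for the Serial0/0.1 address


def dns_reply(acl):
    """Reply from an upstream resolver to the PAT'd source port of an inside host."""
    return evaluate(acl, Packet('udp', '192.0.2.53', WAN_IP, 53, 1027))
```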
Salad-DodgerInstrumentationAuthor Commented:
OK thats working... (wow, you are a genius!) now I am showing up to the outside world at the 207.x.x.x IP address... I thought that was one assigned to me by my ISP rather than one I had control over, i.e. owned by virtue of my Class C from the T1.  
I browse to the GRC site that checks for ports open and I am completely stealthed. Interesting.

But the 2 other machines on that same switch can't browse at all.
0
Salad-DodgerInstrumentationAuthor Commented:
Might have jumped the gun, none are browsing new sites, just cached data.
0
JFrederick29Commented:
You can leave it as the 207.x.x.x address or you can assign one of the 216.xxx.xx.x addresses to a NAT pool and hide the 192.168.100.0/24 hosts behind that if you want.  So one machine in the 192.168.100.0/24 subnet works but the other 2 don't?  Is their default gateway the ethernet0/1 interface on the Cisco?
0
Salad-DodgerInstrumentationAuthor Commented:
If that IP is OK I'll leave it alone. At some point I'll want a VPN from home,  but not today.

I spoke too soon, none will browse to a new site. Google's IP was cached so it would search, but no new sites could be browsed. I would guess because DNS couldn't be resolved.
Could it be an access list issue?
0
Salad-DodgerInstrumentationAuthor Commented:
I have placed the Linksys back into position and the machines work through that. I have an appt so I'll return to this tonight. Thank you for your help thus far. If you think of anything else. Please let me know.
0
JFrederick29Commented:
Can you post a "show run" from the router.  I would use one of your 216 addresses for the NAT:

conf t
ip nat pool natpool 216.x.x.100 216.x.x.100 netmask 255.255.255.0
ip nat inside source list 104 pool natpool overload

Where 216.x.x.100 is a free IP address in the 216.x.x.x subnet.

Are you using 216.x.x.27 for the 192.168.100.0/24 hosts DNS server?  Does it have a route back to the 192.168.100.0/24 subnet?
0
JFrederick29Commented:
Forgot, you need to remove this command:

no ip nat inside source list 104 interface Serial0/0 overload

Also, remove this route:

no ip route 192.168.100.0 255.255.255.0 216.xxx.xx.20
0
Salad-DodgerInstrumentationAuthor Commented:
I am heading back there right now to get this info for you.
0
Salad-DodgerInstrumentationAuthor Commented:
"nat pool" not working out so well, doesn't like that "pool":
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip nat pool natpool 216.xxx.xx.1 216.xxx.xx.1 netmask 255.255.255.0
                         ^
% Invalid input detected at '^' marker.

Router(config)#ip natpool 216.xxx.xx.1 216.xxx.xx.1 netmask 255.255.255.0
                        ^
% Invalid input detected at '^' marker.

Router(config)#ip nat pool 216.xxx.xx.1 216.xxx.xx.1 netmask 255.255.255.0
                         ^
% Invalid input detected at '^' marker.

Router(config)#
---------------
Router(config)#ip nat ?
  inside       Inside address translation
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration
Router(config)#ip natpool ?
% Unrecognized command
--------------------
-----heres the show run:-------------------------------------------------------
Router#show run
Building configuration...

Current configuration:
!
! Last configuration change at 06:00:43 PST Fri Nov 7 2008
! NVRAM config last updated at 23:36:45 PST Thu Nov 6 2008
!
version 11.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Router
!
enable secret 5
enable password 7
!
ip subnet-zero
no ip source-route
ip name-server 216.xxx.xx.27
ip multicast-routing
ip dvmrp route-limit 7000
clock timezone PST -8
clock summer-time PDT recurring
!
!
!
interface Ethernet0/0 -----> routers IP
 description Connected to Lan
 ip address 216.xxx.xx.19 255.255.255.0
 ip nat inside
 ip pim dense-mode
 no ip mroute-cache
!
interface Serial0/0
 description PB-CKT# -----> T1 Interface
 no ip address
 ip access-group 103 in
 ip nat outside
 encapsulation frame-relay IETF
 no ip mroute-cache
 ntp disable
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description Connection to SBC
 ip address 207.xxx.xxx.94 255.255.255.252
 ip access-group 103 in
 ip nat outside
 no ip mroute-cache
 ntp disable
 frame-relay interface-dlci 16
!
interface Ethernet0/1
 ip address 192.168.123.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
!
interface Ethernet0/1.1
 description Attempt at VLAN for 192 segment
!
router rip
 version 2
 passive-interface Serial0/0.1
 network 216.xxx.xx.0
 no auto-summary
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 206.xxx.xx.0 255.255.255.224 216.xxx.xx.20
!
logging buffered 4096 debugging
logging trap debugging
logging 216.xxx.xx.27
access-list 103 permit udp any eq domain any
access-list 103 permit icmp 207.xxx.xx.0 0.0.1.255 any
access-list 103 permit udp 207.xx.xx.0 0.0.1.255 any
access-list 103 permit icmp 151.xxx.xx.0 0.0.0.255 any
access-list 103 permit udp 151.xx.xx.0 0.0.0.255 any
access-list 103 permit icmp 64.xx.xx.0 0.0.0.255 any
access-list 103 permit udp 64.xx.xx.0 0.0.0.255 any
access-list 103 permit icmp 206.xx.x.0 0.0.0.255 any
access-list 103 permit udp 206.xx.x.0 0.0.0.255 any
access-list 103 permit icmp 66.xx.xxx.0 0.0.0.255 any
access-list 103 permit tcp any 206.xxx.xx.0 0.0.0.255 eq domain
access-list 103 permit udp any 206.xxx.xx.0 0.0.0.255 eq domain
access-list 103 permit tcp any host 192.168.123.225 eq domain
access-list 103 permit ip any host 216.xxx.xx.20
access-list 103 permit tcp any host 216.xxx.xx.20
access-list 103 permit udp any host 216.xxx.xx.20
access-list 103 permit icmp any host 216.xxx.xx.20
access-list 103 permit tcp any host 216.xxx.xx.27 eq www
access-list 103 permit tcp any host 216.xxx.xx.27 eq smtp
access-list 103 permit tcp any host 216.xxx.xx.27 eq pop3
access-list 103 permit tcp any host 216.xxx.xx.27 eq 143
access-list 103 permit tcp any host 216.xxx.xx.27 eq 993
access-list 103 permit tcp any host 216.xxx.xx.27 eq domain
access-list 103 permit udp any host 216.xxx.xx.27 eq domain
access-list 103 permit udp any host 216.xxx.xx.27 gt 1023
access-list 103 permit tcp any host 216.xxx.xx.27 eq 1755
access-list 103 permit tcp any host 216.xxx.xx.27 eq nntp
access-list 103 permit tcp any host 216.xxx.xx.27 eq 3389
access-list 103 permit udp any host 216.xxx.xx.27 eq 3389
access-list 103 permit tcp any host 216.xxx.xx.27 eq ftp
access-list 103 permit tcp any host 216.xxx.xx.25 eq domain
access-list 103 permit udp any host 216.xxx.xx.25 eq domain
access-list 103 permit tcp any host 216.xxx.xx.25 eq 1755
access-list 103 permit udp any host 216.xxx.xx.25 gt 1023
access-list 103 permit udp any host 216.xxx.xx.222 eq domain
access-list 103 permit tcp any host 216.xxx.xx.222 eq domain
access-list 103 permit udp any host 216.xxx.xx.253 eq domain
access-list 103 permit tcp any host 216.xxx.xx.253 eq domain
access-list 103 permit tcp any host 216.xxx.xx.17 eq www
access-list 103 permit tcp any host 216.xxx.xx.17 eq 37777
access-list 103 permit tcp any any eq 1723
access-list 103 permit gre any any
access-list 103 permit tcp any any established
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any timestamp-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any mask-reply
access-list 103 deny   tcp any any log
access-list 103 deny   udp any any log
access-list 103 deny   ip any any log
access-list 104 permit ip 192.168.123.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
snmp-server community public RO
snmp-server location my location
snmp-server contact My Location, xxx-xxx-xxxx
!
line con 0
 exec-timeout 0 0
 password 7
 login
line aux 0
line vty 0 4
 password 7
 login
!
ntp server 128.9.2.129
ntp server 216.xxx.xx.27
ntp server 132.249.16.1
ntp server 204.74.68.55
no scheduler allocate
end
Router#

I'm not pretending to know what a lot of that is for, but some I do. The first few on the access list are from our T1 provider for monitoring our line.
Many of the 216 addresses are leftovers and can be culled once I (you :-) ) make this work.
If new firmware would help, just tell me how to get it and I'll make that happen.
0
Salad-DodgerInstrumentationAuthor Commented:
"Are you using 216.x.x.27 for the 192.168.100.0/24 hosts DNS server?  Does it have a route back to the 192.168.100.0/24 subnet?"

The 216.x.x.27 address is the forwarding DNS server for the existing, and still functional, LAN (~40 PCs) where all the PCs are on public IPs in that range.  Having them that way surely is a bad idea and this change is to get them off the public IP range. But they must continue to function while I work this out.  Then the only 216.x.x.x address left will be the router, and perhaps a VPN or another machine in the future.

Using this second port on the back of this router for this should allow two separate segments, one public and one private; whichever one you plug into is what you get. At least in my mind it works like that. You can straighten me out if need be.
0
JFrederick29Commented:
Okay, the config looks good.  Forget about the NAT pool, no big deal.

Let's do some tests:

From a 192.168.123.x host, please post an "ipconfig /all".

Then, from a command prompt on the 192.168.123.x host, try each of these:

ping 192.168.123.1
ping 216.x.x.27
ping www.google.com
ping 74.125.95.104
telnet 74.125.95.104 80
telnet www.google.com 80
0
Salad-DodgerInstrumentationAuthor Commented:
Hmm, last post isn't showing up,
Sorry for the delay, Took a mental health day. I will be back at it in about 4 hours. I'll post back then.
0
Salad-DodgerInstrumentationAuthor Commented:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\salad>ipconfig /all
Windows IP Configuration
   Host Name . . . . . . . . . . . . : fred
   Primary Dns Suffix  . . . . . . . : My.Domain
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : My.Domain

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : My.Domain
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-1D-09-Ff-8c-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.123.201
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.123.1
   DNS Servers . . . . . . . . . . . : 192.168.123.225
                                       192.168.123.226
   Primary WINS Server . . . . . . . : 192.168.123.225

C:\Documents and Settings\salad>ping 192.168.123.1
Pinging 192.168.123.1 with 32 bytes of data:
Reply from 192.168.123.1: bytes=32 time=5ms TTL=255
Reply from 192.168.123.1: bytes=32 time=4ms TTL=255
Reply from 192.168.123.1: bytes=32 time=3ms TTL=255
Reply from 192.168.123.1: bytes=32 time=3ms TTL=255
  Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

C:\Documents and Settings\salad>ping 216.x.x.27
Pinging 216.x.x.27 with 32 bytes of data:
Reply from 216.x.x.27: bytes=32 time=8ms TTL=127
Reply from 216.x.x.27: bytes=32 time=5ms TTL=127
Reply from 216.x.x.27: bytes=32 time=5ms TTL=127
Reply from 216.x.x.27: bytes=32 time=4ms TTL=127
   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


C:\Documents and Settings\salad>ping www.google.com
Ping request could not find host www.google.com. Please check the name and try again.

C:\Documents and Settings\salad>ping 74.125.95.104
Pinging 74.125.95.104 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
   Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\salad>telnet 74.125.95.104 80
Connecting To 74.125.95.104...Could not open connection to the host, on port 80:
 Connect failed

C:\Documents and Settings\salad>telnet www.google.com 80
Connecting To www.google.com...Could not open connection to the host, on port 80
: Connect failed
C:\Documents and Settings\salad>

My feeble brain is telling me DNS isn't getting through.
You did notice I am using 2 access lists, right? 103 and 104. I don't know if that's OK; can it use both of the lists like this? 104 has this 192 segment attached to it. 103 does not.
0
JFrederick29Commented:
Access-list 103 is allowing the return traffic and 104 is specific to the NAT rule so the access-lists are good.  DNS isn't resolving that is for sure.  So, 192.168.123.225 and 192.168.123.226 have a forwarder setup for 216.x.x.27?

I didn't even notice that your NAT statement is missing from your running-config now.  Add this:

conf t
ip nat inside source list 104 interface Serial0/0.1 overload
end
wr mem

Try the tests again...
0
Salad-DodgerInstrumentationAuthor Commented:
192.168.123.225 and .226 are not pointing to 216.x.x.27, they are pointing to my ISP's and OPENDNS servers.  216.x.x.27 is what the current LAN uses and it points to the same DNS servers.

This machine (.27) and all others in the 216 segment will not be involved with the 192 segment. At best 216 will be in a DMZ type of arrangement whereas 192 will be protected.

That IP Nat line sure looks familiar, not sure what happened to it, but I'll put that back in there this evening.

I have usually used just "wr" to write to eeprom. Is "wr mem" a different command or just another way to do the same thing?

You have also never suggested that I update the IOS. Is it simply not worth doing at all or just not needed here?

0
JFrederick29Commented:
Understood on the DNS setup.  "wr mem" and "wr" are the same command so that works fine.  Without the NAT line, you aren't getting out to the Internet, period, so we'll see if that takes care of it.  Not sure where in the troubleshooting process it was removed.

Updating the IOS would be nice but isn't absolutely necessary to get this to work.  Obviously there is cost involved and to be honest, you would be better off replacing the 2611 (if it isn't a 2611XM) with a 2800 series.
0
Salad-DodgerInstrumentationAuthor Commented:
You are a Genius.  The two machines work just like they should, everything out a single 207.x.x.x IP. The "Shields Up" test shows no exposed ports. Life is Good! I assume that I can put 40 other machines on this connection with the same results?

Is there any reason I shouldn't use the 207.x.x.x IP for this? I know you said I could change it but if there is no real reason to I won't.
I am only familiar with the 216.x.x.x IP which was what we hosted our web and email servers on and I'm not clear on where that 207 IP came from? The reverse DNS has our name in the prefix so it must be ours but I wonder why I haven't seen it before.

interface Ethernet0/0 -----> routers IP
 description Connected to Lan
 ip address 216.xxx.xx.19 255.255.255.0
 ip nat inside
 ip pim dense-mode
 no ip mroute-cache
!
interface Serial0/0.1 point-to-point
 description Connection to SBC
 ip address 207.xxx.xxx.94 255.255.255.252
 ip access-group 103 in
 ip nat outside
 no ip mroute-cache
 ntp disable
 frame-relay interface-dlci 16

And let me just add that I can't thank you enough!
I wish I could award more points!
0
JFrederick29Commented:
Excellent, glad to hear!

The 207.x.x.x IP is free to use and should be 207.xxx.xxx.94 (the serial0/0.1 interface IP).  Typically you get a /30 subnet from your ISP, which in this case is the 207.x.x.x IP, which is used for the WAN interface connection between you and your ISP.  Your ISP then routes you a subnet or block of addresses to be used for inbound connections/servers etc. (the 206.x.x.x subnet).  There is no issue using the 207.x.x.x IP.  If you want to use the 216.xxx.xx.19 address instead you can simply change the NAT statement to reference the Ethernet0/0 interface instead of the Serial0/0.1 interface, i.e.

conf t
no ip nat inside source list 104 interface Serial0/0.1 overload
ip nat inside source list 104 interface Ethernet0/0 overload

And yes, you can put 40 other hosts on the 192.168.123.x subnet and experience the same results.
0
Salad-DodgerInstrumentationAuthor Commented:
I have to say it again, I can't thank you enough for your help. I wish I could give you something besides just points. You have certainly earned it.
0
JFrederick29Commented:
I accept personal checks.  Just Kidding! :-)

You're welcome by the way.
0
Salad-DodgerInstrumentationAuthor Commented:
Thank you, Thank You, Thank You! You are indeed a Genius!... The Man... 'Da Bomb!

I'll probably be back when I try to configure a VPN through this ;-) But that will be a couple days!
0
Salad-DodgerInstrumentationAuthor Commented:
Just tell me where to send it!
0
JFrederick29Commented:
Nah, I do this for free.  Thanks is enough.
0
Salad-DodgerInstrumentationAuthor Commented:
Are you still around? I could use more help with a VPN.
0
JFrederick29Commented:
Yes, sir.  I can help, send me the link to the question if you have one open already and I'll take a look at it.
0