mikey250
asked on
ip nat dhcp query - pc ping isp unsuccessful
hi I have setup the following and configured (nat pool) on sanjose1 and xp is allocated automatically 192.168.0.12/24
important: currently my broadband is down but below is a test first.
isp-1 - 10.0.0.5/24 & loopback0 10.0.1.2/24
|
sanjose1 (ip nat pool configured here)
|
lan-a switch - (int vlan 1, 192.168.0.2/24 set here)
|
xp - (autodetect: 192.168.0.12/24)
step 1. if I add the following then question 1 is successful:
- no nat pool or access-list 2 permit 192.168.0.0 0.0.0.255
- xp - manually set to 192.168.0.21/24
- interfaces configured as usual
- Ip route 0.0.0.0 0.0.0.0 10.0.0.6
- ping 10.0.0.5 - successful
- ping 10.0.1.2 - successful
step 2. if I add the following:
- ip nat pool added as per config on sanjose1
- ip route 42.0.0.48 255.255.255.240 10.0.0.6 - question 1 step 2 unsuccessful
- ip route 0.0.0.0 0.0.0.0 10.0.0.6 - question 1 step 2 unsuccessful
- ping 10.0.0.5 - fail
- ping 10.0.1.2 - fail
important: xp autodetects & shows - default gateway set as 192.168.0.2 - I assume this is because the dhcp is configured via ip nat pool on the sanjose1 router and the sanjose1 int s0/0 is set as 192.168.0.1/24 - so ok as ip nat pool should automatically allocate addresses to lan-a.
question 1. step 1 above - successful but step 2 - fail - I wish to be able to allow xp to ping isp-1, loopback0 & int s0 10.0.0.5, but it cannot ?
question 2. I think I need to configure some dhcp command on lan-a 2950 switch ?
pri-acc-server-lan-a.TXT
sanjose1.TXT
ISP-1.TXT
ASKER
hi, my pc is connected to my switch, the switch is connected to my router/sanjose1 and router/sanjose1 is connected to another router which simulates the isp-1 once live.
Not according to your attached configuration, your PC is not attached to switch.
ASKER
hi thanks for taking a look....appreciated....!!!
requirement: I just want my pc to be able to ping 10.0.0.5 & 10.0.1.2 - that is it.
the below is what I have just cut & paste from those configs just as below. I have also attached a basic topology.
hostname pri-access-server-lan-a
!
interface fastethernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
speed 10
duplex full
!
interface fastethernet0/2
description connected to server-a
switchport mode access
duplex full
spanning-tree portfast
!
!
interface vlan1
ip address 192.168.0.2 255.255.255.0
!
--------------------------
hostname sanjose1
!
!
interface serial0/0
description connected to isp-1
ip address 10.0.0.6 255.255.255.252
ip nat outside
clock rate 56000
no fair-queue
!
interface ethernet1/0
description connected to pri-acc-server-lan-a
ip address 192.168.0.1 255.255.255.0
ip nat inside
full-duplex
!
!
ip nat pool mikenatpool 42.0.0.55 42.0.0.57 netmask 255.255.255.240
ip nat inside source list 2 pool mikenatpool
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.5
!
!
access-list 2 permit 192.168.0.0 0.0.0.255
--------------------------
!
interface loopback0
ip address 10.0.1.2 255.255.255.252
!
interface fastethernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface serial0/0
description connected to sanjose1
ip address 10.0.0.5 255.255.255.252
no fair-queue
!
interface serial0/1
no ip address
shutdown
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 10.0.0.6
ip route 42.0.0.48 255.255.255.240 10.0.0.6
ASKER
I've attached a basic topology.
ip-nat-diagram-001.jpg
CAT3550 can have ip routing command configured (CAT2500 can't have it). :)
If you want to use the 3550 in L2 mode, the easiest way is to issue
#no ip routing
on the switch. You can leave it in L3 mode and leave all ports in VLAN 1 and that should also work, but in both cases you should configure the PCs with the IP address of int Eth 0 as the default gateway.
That should solve one part of your problem - PCs should be able to ping other devices.
ASKER
hi first of all, I forgot to remove 'ip routing' as I was troubleshooting.
the ip nat pool automatically allocated 192.168.0.12/24 to my pc but it was detecting 192.168.0.2/24 as the default gateway, which got me confused..
question1. are you saying if I do 'no ip routing' this should then allow me to ping from pc to 10.0.0.5 & 10.0.1.2 ?
question1. are you saying if I do 'no ip routing' this should then allow me to ping from pc to 10.0.0.5 & 10.0.1.2 ?
Not really. The ability to use the router as your default gateway should allow you to ping those devices. Disabling ip routing is just an easy way to demonstrate it (reduce switch functionality to just L2). Eth 0 and PCs need to be in the same ip range, and eth 0 should be set as default gateway on PCs. :)
ASKER
If i set manual ip on pc for eg 192.168.0.5/24 & dg: 192.168.0.1 pointing to router/sanjose1.
Then if i only use:
Ip route 0.0.0.0 0.0.0.0 10.0.0.6 - on Isp-1 router
The above allows pc on 192.168.0.0/24 to ping 10.0.0.5 & 10.0.1.2/24 so why can i ping successful here as sanjose1router also has static route pointing to also 10.0.0.5 ?
Yes pc & eth & fastethernet are in same 192.168.0.0/24 range.
ASKER
Exactly.. so why, when I remove the static route
Ip route 0.0.0.0 0.0.0.0 10.0.0.6 & then add
Ip route 42.0.0.8 255.255.255.240 10.0.0.6 using also ip nat pool which automatically allocates ip to pc instead of manually does it not let me ping ?
That's what I do not understand.
To understand that you need to check 2 things on routers - routing table #sh ip route and nat translations # sh IP nat translation
What is your Inside global address?
ASKER
When used ip route 0.0.0.0 0.0.0.0 10.0.0.6 & manually configured pc then ip nat translations showed 192.168.0.5 for example if i remember correctly.
No, that is inside local address.
You configured NAT without statically assigning a host to an IP address, and without the overload command (port address translation).
And you already have IP address on your serial port from other IP address range. That can create a lot of problems.
Issue #debug ip ICMP packet
on both of your routers and then try ping ISP from xp host ( I guess you are not in production network)
ASKER
ok global would have been then: 42.0.0.48.
I removed ip nat static for example
Ip nat inside source static 192.168.0.5 42.0.0.49 - for example but then decided on dynamic nat.
Yes correct i have not done 'overload' yet.
I will run debug tomorrow and let you know findings..
Once tested then it will be a production.
ASKER
hi, I've just realised through your advice why the ping from pc to 10.0.0.5 & 10.0.1.2 was not successful.
ip route 42.0.0.48 255.255.255.240 10.0.0.6 - although this is the correct public ip address pointing to my internal address, the public address does not yet exist. so a way of confirming ping would be successful would be to add:
ip route 0.0.0.0 0.0.0.0 10.0.0.6 - this allowed the ping mentioned above to be successful
question 1. one thing that confuses me is why my pc detects the gateway as below instead of 192.168.0.1, but even if I set: 3550 to: int vlan 1 - 192.168.0.1/24 and sanjose1/router to: 192.168.0.2/24 this does not change the pc default-gateway so although cisco ios knows of the ip addressing scheme, why does the pc detect that gateway ?
pc
192.168.0.12 - allocated automatically via the dynamic nat pool
255.255.255.0
192.168.0.2
my 3550 that is setup as a layer 2 not layer 3 is as follows:
int fa0/1
description connected to sanjose1
switchport mode trunk - for example
int fa0/2
description connected to pc
spanning-tree portfast - for eg
int vlan
ip address 192.168.0.2 /24
sanjose1/router
int eth0
description connected to 3550 acting as a layer 2 not layer 3 switch
ip address 192.168.0.1/24
int s0/0
description connected to my isp-1 test router
ip address 10.0.0.6/24
one thing that confuses me is why my pc detects the gateway as below instead of 192.168.0.1, but even if I set: 3550 to: int vlan 1 - 192.168.0.1/24 and sanjose1/router to: 192.168.0.2/24 this does not change the pc default-gateway so although cisco ios knows of the ip addressing scheme, why does the pc detect that gateway ?
The PC doesn't detect the IP address of the default gateway; it is configured on the DHCP server or manually assigned on the PC. So, check the configuration of the DHCP server.
192.168.0.12 - allocated automatically
255.255.255.0
192.168.0.2 <- also allocated via DHCP
add bpduguard to edge ports as loop prevention mechanism
int fa0/2
description connected to pc
spanning-tree portfast bpduguard
If there will be just one VLAN there is no need for configuring trunk on link to router (access port would be fine).
int fa0/1
description connected to sanjose1
switchport mode trunk - for example
If there should be more than one VLAN and there should be no intervlan traffic then a trunk would be OK; however, if you would configure more than one VLAN and you need intervlan traffic then, I guess, the preferred configuration would be to configure the Cat 3550 in L3 mode.
ASKER
hi regarding 192.168.0.2/24, my sanjose1/router is configured for:
int s0/0
description connected to 3550 layer 2 & not configured as layer 3
192.168.0.1/24
when I plugged my pc into 3550 layer 2 switch, I then checked auto ip address on pc which gave:
192.168.0.12
255.255.255.0
192.168.0.2
I was expecting the (dg) above to be 192.168.0.1... if I add the below manually:
192.168.0.12
255.255.255.0
192.168.0.1 - as expected
note: I cannot see anything in my config that would force the pc to auto detect dg: 192.168.0.2.
note: (i did not configure) any dhcp, except the (ip nat pool) configs which is a form of dhcp
--------------------------
If there will be just one vlan there is no need for configuring trunk on link to router (access port would be fine). - ok i did wonder so i left as 'trunk'... i will change back to 'switchport mode access' .
bpduguard, - yes i have left out all other spanning-tree configs as dealing specifically with nat first.
appreciated.
PC gets IP address from DHCP server if it is not manually configured.
ip nat pool MIKENATPOOL has nothing to do with assigning an IP address to the PC.
Anyway, you can easily configure DHCP server on router.
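Added example, not part of the thread: two points from the replies above (the dynamic NAT rule has no overload, and the NAT pool is not where the PC's 192.168.0.12 comes from) checked in Python against the posted lines. The config text is constructed from the sanjose1 and ISP-1 lines quoted earlier; the function names and result keys are this example's own.

```python
import ipaddress
import re

# Constructed from the sanjose1 and ISP-1 lines quoted earlier in the thread.
SANJOSE1 = """\
ip nat pool mikenatpool 42.0.0.55 42.0.0.57 netmask 255.255.255.240
ip nat inside source list 2 pool mikenatpool
ip route 0.0.0.0 0.0.0.0 10.0.0.5
access-list 2 permit 192.168.0.0 0.0.0.255
"""
ISP1 = """\
ip route 0.0.0.0 0.0.0.0 10.0.0.6
ip route 42.0.0.48 255.255.255.240 10.0.0.6
"""


def parse_nat(cfg):
    """Return (pool addresses, pool network, ACL number, overload flag)."""
    pool = re.search(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)", cfg, re.M)
    rule = re.search(
        r"^ip nat inside source list (\d+) pool (\S+)( overload)?\s*$", cfg, re.M)
    if not pool or not rule or pool.group(1) != rule.group(2):
        raise ValueError("no dynamic NAT rule bound to a defined pool")
    first = ipaddress.ip_address(pool.group(2))
    last = ipaddress.ip_address(pool.group(3))
    net = ipaddress.ip_network(f"{first}/{pool.group(4)}", strict=False)
    addrs = [ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)]
    return addrs, net, rule.group(1), bool(rule.group(3))


def acl_permits(cfg, acl, host):
    """True if a numbered standard ACL entry (address + wildcard form) permits host."""
    h = int(ipaddress.ip_address(host))
    for base, wild in re.findall(rf"^access-list {acl} permit (\S+) (\S+)", cfg, re.M):
        w = int(ipaddress.ip_address(wild))
        # Wildcard bits set to 1 are "don't care"; compare only the remaining bits.
        if (h & ~w) == (int(ipaddress.ip_address(base)) & ~w):
            return True
    return False


def routes_covering(cfg, net):
    """Static routes whose prefix contains the whole network, most specific first."""
    found = []
    for dst, mask, hop in re.findall(r"^ip route (\S+) (\S+) (\S+)", cfg, re.M):
        prefix = ipaddress.ip_network(f"{dst}/{mask}")
        if net.subnet_of(prefix):
            found.append((prefix, hop))
    return sorted(found, key=lambda r: r[0].prefixlen, reverse=True)


def audit(inside_cfg, upstream_cfg, host):
    addrs, net, acl, overload = parse_nat(inside_cfg)
    return {
        # Is the host's source address selected for translation by the NAT ACL?
        "host_translated": acl_permits(inside_cfg, acl, host),
        # A LAN address outside the pool network cannot have come from the pool.
        "host_in_pool_network": ipaddress.ip_address(host) in net,
        # Without overload each inside host holds one pool address at a time.
        "max_concurrent_hosts": None if overload else len(addrs),
        # Routes on the upstream router that send replies for the pool back.
        "upstream_return_routes": [
            str(p) for p, _ in routes_covering(upstream_cfg, net)],
    }


if __name__ == "__main__":
    print(audit(SANJOSE1, ISP1, "192.168.0.12"))
```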
ASKER
hi if you look at my configs you will not see any dhcp configs.
ASKER
my 3550 layer 2 is blank switch while configuring this nat connected to my sanjose1/router that only has 'ip nat pool' range in place, when configuring 'static/dynamic nat/overload' only.
I disabled and re-enabled my pc ip addressing but still the pc auto detected an ip address and there is no internet access either.
Still, if you get ip address on your network card from 192.168.0.0/24 network range it must be getting ip address from a DHCP server (or by some script that will autoconfigure network card) otherwise network card would have ip address from 169.254.0.0/16 network range.
ASKER
ok.....!
& by the way I also then added a 'static server' address in nat
& then configured dhcp on sanjose1/router which detected my laptop when plugged into int fa0/3 & gave it an address.
:)
ASKER
hi predrag, i am not sure if you can still respond to this thread which you helped me with, but after working on nat... i realised i did not save the snmp config and i have re-read through your answers and i then added the following:
snmp-server community xxxxx r0 1
ip access-list standard 1
access-list 2 permit 192.168.3.2 log
question 1. my prtg monitoring tool will no longer detect 192.168.3.2 - have i missed something ?
appreciated if you can!
192.168.3.2 is the only host that will be able to get snmp data according to that configuration, so monitoring tool should be installed on 192.168.3.2 or modify your ACL to permit ip address of host with PRTG installed (ip address as router sees it - if PRTG is behind nat that can be different ip address than it is configured on host itself).
In PRTG you need to configure IP address of router (again the same story about nat), maybe you will need to configure port forward on your router(s).
ASKER
hi, my prtg is separate from (nat) and on another router & switch!!
i have returned back to the snmp routers because i forgot to save the config to get prtg monitoring tool to sync which was successful, but for some reason after reading through above notes and adding the below it will not sync so i think i have missed part of the config off ?
- snmp-server community xxxxx r0 1
- ip access-list standard 1
- access-list 2 permit 192.168.3.2 log
No, that's all that needs to be configured. For testing you can remove access-list from snmp configuration and configure only
# snmp-server community xxxxx r0
That should be enough. ACL is there so no one else can get your snmp data.
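Added example, not part of the thread: a Python check that reports, for each `snmp-server community` line, whether it names no ACL, an ACL with no entries, or an ACL that has entries. The sample configs are constructed from the lines posted above, with a placeholder community string and the access keyword written `ro`; the function names and verdict strings are this example's own.

```python
import re

# Constructed samples modelled on the lines posted in this thread. The community
# string is a placeholder and the access keyword is written as the IOS keyword ro.
POSTED = """\
snmp-server community EXAMPLE-STRING ro 1
ip access-list standard 1
access-list 2 permit 192.168.3.2 log
"""
NO_ACL = "snmp-server community EXAMPLE-STRING ro\n"
CONSISTENT = """\
snmp-server community EXAMPLE-STRING ro 1
access-list 1 permit 192.168.3.2 log
"""


def acl_entries(cfg):
    """Map ACL id -> list of permit/deny entries, for both IOS ACL syntaxes."""
    acls, current = {}, None
    for line in cfg.splitlines():
        text = line.strip()
        m = re.match(r"access-list (\S+) ((?:permit|deny) .+)", text)
        if m:  # one-line numbered form: "access-list 2 permit ..."
            acls.setdefault(m.group(1), []).append(m.group(2))
            current = None
            continue
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", text)
        if m:  # block form: entries follow on the next lines
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        m = re.match(r"(?:\d+ )?((?:permit|deny) .+)", text)
        if m and current is not None:
            acls[current].append(m.group(1))
        else:
            current = None  # any other line ends the ACL block
    return acls


def audit_snmp(cfg):
    """Return (line number, access, verdict) per community; never the string."""
    acls = acl_entries(cfg)
    findings = []
    for n, line in enumerate(cfg.splitlines(), 1):
        m = re.match(r"snmp-server community \S+ (ro|rw)(?: (\S+))?\s*$",
                     line.strip(), re.I)
        if not m:
            continue
        acl = m.group(2)
        if acl is None:
            verdict = "no-acl"            # only the community string protects SNMP
        elif not acls.get(acl):
            verdict = f"empty-acl:{acl}"  # named ACL is undefined or has no entries
        else:
            verdict = f"ok:{acl}"
        findings.append((n, m.group(1).lower(), verdict))
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("no acl", NO_ACL), ("consistent", CONSISTENT)):
        print(name, audit_snmp(cfg))
```

In the `POSTED` sample the community names list 1 while the only permit entry sits in list 2, so the check reports `empty-acl:1`.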
ASKER
hi, well at the moment i do not want anyone else to get to my snmp data.
for some reason it has not connected and it is the same identical routers as below and all can ping vice versa successfully.... i have re-installed but same issue.
not sure why then.
Temporarily remove the ACL for troubleshooting. Double check the community string.
ASKER
Yes i have removed acl but adjusted key chain dates to 22 dec 2015 to 23 dec 2016.
I will remove key chain tomorrow although after adjusting dates i did: debug & no authentication or mismatch issues.
Will let you know tomorrow.
Thanks for replying.
ASKER
Ntp clock is correct & clock as all routers clock have auto sync'd correct time.
Key chain is used for EIGRP authentication (for routing - and ping is working, so routes are OK) and has nothing to do with SNMP, so there is no need to remove the key chain.
ASKER
Ok.
ASKER
After uninstall of prtg software & deleted folders & re-installed, the prtg detected my routers correctly as expected.
ASKER
Sound advice. After reading your advice i realised that
- ip route 0.0.0.0 0.0.0.0 10.0.0.6 - allows pc to ping & because the below is not actually active that is the reason why the pc fails its ping. So using the other static address stated above confirms the ping to be successful as a test until 42.0.0.48 becomes live:
Ip route 42.0.0.48 255.255.255.240 10.0.0.6
Can you please create your network topology with more details (drawing would be nice with IP addresses marked on picture)?
Your 2950 is a router in your configuration, not a switch (ip routing command, and only 4 ports are there, routing table is present). So in your current topology a lot of details are problematic; there is no problematic DHCP command, at least not from the current configuration's perspective.
You did configure a NAT pool, but you don't have an IP address configured on the serial interface to support your IP NAT pool, so it looks like your NAT pool is hanging in the air. Maybe I am wrong, but as much as I can remember, you need to assign one of the IP addresses from the pool to your outside interface.
Reason - XP is attached to a router and there is nothing in router's routing table except VLAN1, so there is no way it can work without configuring router properly. It has nothing to do with configuring DHCP.