mikey250

ip nat dhcp query - pc ping isp unsuccessful

hi I have setup the following and configured (nat pool) on sanjose1 and xp is allocated automatically 192.168.0.12/24

important: currently my broadband is down but below is a test first.

       isp-1 - 10.0.0.5/24 & loopback0 10.0.1.2/24
          |
    sanjose1 (ip nat pool configured here)
          |
lan-a switch - (int vlan 1, 192.168.0.2/24 set here)
         |
        xp - (autodetect: 192.168.0.12/24)

step 1.  if I add the following then question 1 is successful:

- no nat pool or access-list 2 permit 192.168.0.0 0.0.0.255
- xp - manually set to 192.168.0.21/24
- interfaces configured as usual
- Ip route 0.0.0.0 0.0.0.0 10.0.0.6
- ping 10.0.0.5 - successful
- ping 10.0.1.2 - successful

step 2.  if I add the following:

- ip nat pool added as per config on sanjose1
- ip route 42.0.0.48 255.255.255.240 10.0.0.6 - question 1 step 2 unsuccessful
- ip route 0.0.0.0 0.0.0.0 10.0.0.6 - question 1 step 2 unsuccessful
- ping 10.0.0.5 - fail
- ping 10.0.1.2 - fail

important:  xp autodetects & shows - default gateway set as 192.168.0.2 - I assume this is because the dhcp is configured via ip nat pool on the sanjose1 router and the sanjose1 int s0/0 is set as 192.168.0.1/24 - so ok as ip nat pool should automatically allocate addresses to lan-a.

question 1.  step 1 above - successful but step 2 - fail - I wish to be able to allow xp to ping isp-1, loopback0 & int s0 10.0.0.5, but it cannot ?

question 2. I think I need to configure some dhcp command on lan-a 2950 switch  ?
pri-acc-server-lan-a.TXT
sanjose1.TXT
ISP-1.TXT
Predrag Jovic

This is a very confusing setup, could you explain what exactly you are trying to achieve?
Can you please create your network topology with more details (drawing would be nice with IP addresses marked on picture)?

Your 2950 is a router in your configuration, not a switch (ip routing command, and only 4 ports are there, routing table is present). So in your current topology a lot of details are problematic, there is no problematic DHCP command, at least not from current configuration perspective.

You did configure a NAT pool, but you don't have an ip address configured on the serial interface to support your IP NAT pool, so it looks like your NAT pool is hanging in the air.
ip nat pool MIKENATPOOL 42.0.0.55 42.0.0.57 netmask 255.255.255.240
ip nat inside source list 2 pool MIKENATPOOL
!
interface Serial0/0
 description connected to ISP-1
 ip address 10.0.0.6 255.255.255.252
 ip nat outside
 clock rate 56000
 no fair-queue
Maybe I am wrong, but as much as I can remember, you need to assign one of ip addresses from pool to your outside interface.
question 1.  step 1 above - successful but step 2 - fail - I wish to be able to allow xp to ping isp-1, loopback0 & int s0 10.0.0.5, but it cannot ?
Reason - XP is attached to a router and there is nothing in router's routing table except VLAN1, so there is no way it can work without configuring router properly.
question 2. I think I need to configure some dhcp command on lan-a 2950 switch  ?
It has nothing to do with configuring DHCP.
mikey250

ASKER

hi, my pc is connected to my switch, the switch is connected to my router/sanjose1 and router/sanjose1 is connected to another router which simulates the isp-1 once live.
Not according to your attached configuration, your PC is not attached to switch.
hi thanks for taking a look....appreciated....!!!

requirement: I just want my pc to be able to ping 10.0.0.5 & 10.0.1.2 - that is it.

the below is what I have just cut & paste from those configs just as below.  I have also attached a basic topology.

hostname pri-access-server-lan-a
!
interface fastethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 10
 duplex full
!
interface fastethernet0/2
 description connected to server-a
 switchport mode access
 duplex full
 spanning-tree portfast
!
!
interface vlan1
 ip address 192.168.0.2 255.255.255.0
!
----------------------------------------------------

hostname sanjose1
!
!
interface serial0/0
 description connected to isp-1
 ip address 10.0.0.6 255.255.255.252
 ip nat outside
 clock rate 56000
 no fair-queue
!
interface ethernet1/0
description connected to pri-acc-server-lan-a
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 full-duplex
!

!
ip nat pool mikenatpool 42.0.0.55 42.0.0.57 netmask 255.255.255.240
ip nat inside source list 2 pool mikenatpool
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.5
!
!
access-list 2 permit 192.168.0.0 0.0.0.255

----------------------------------------

!
interface loopback0
 ip address 10.0.1.2 255.255.255.252
!
interface fastethernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface serial0/0
 description connected to sanjose1
 ip address 10.0.0.5 255.255.255.252
 no fair-queue
!
interface serial0/1
 no ip address
 shutdown
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 10.0.0.6
ip route 42.0.0.48 255.255.255.240 10.0.0.6
I've attached a basic topology.
ip-nat-diagram-001.jpg
CAT3550 can have ip routing command configured (CAT2500 can't have it). :)
If you want to use 3550 in L2 mode (the easiest way) is to issue
#no ip routing
on switch. You can leave it in L3 mode and leave all ports in VLAN 1 and that should also work, but in both cases you should configure PCs with ip address of int Eth 0 as default gateway.
That should solve one part of your problem - PCs should be able to ping other devices.
hi first of all, I forgot to remove 'ip routing' as I was troubleshooting.

the ip nat pool automatically allocated 192.168.0.12/24 to my pc but it was detecting 192.168.0.2/24 as the default gateway, which got me confused..

question1.  are you saying if I do 'no ip routing' this should then allow me to ping from pc to 10.0.0.5 & 10.0.1.2  ?
question1.  are you saying if I do 'no ip routing' this should then allow me to ping from pc to 10.0.0.5 & 10.0.1.2  ?
Not really. Ability to use router as your default gateway should allow you to ping those devices. Disabling ip routing is just an easy way to demonstrate it (reduce switch functionality to just L2). Eth 0 and PCs need to be in the same ip range, and eth 0 should be set as default gateway on PCs. :)
If i set manual ip on pc for eg 192.168.0.5/24 & dg: 192.168.0.1 pointing to router/sanjose1.

Then if i only use:

Ip route 0.0.0.0 0.0.0.0 10.0.0.6 - on Isp-1 router

The above allows pc on 192.168.0.0/24 to ping 10.0.0.5 & 10.0.1.2/24 so why can i ping successful here as sanjose1router also has static route pointing to also 10.0.0.5 ?

Yes pc & eth & fastethernet are in same 192.168.0.0/24 range.
ASKER CERTIFIED SOLUTION
Predrag Jovic

This solution is only available to members.
Exactly.. so why when i remove static route

Ip route 0.0.0.0 0.0.0.0 10.0.0.6 & then add

Ip route 42.0.0.8 255.255.255.240 10.0.0.6 using also ip nat pool which automatically allocates ip to pc instead of manually does it not let me ping ?

That's what i do not understand.
To understand that you need to check 2 things on routers - routing table #sh ip route and nat translations # sh IP nat translation
What is your Inside global address?
When used ip route 0.0.0.0 0.0.0.0 10.0.0.6 & manually configured pc then ip nat translations showed 192.168.0.5 for example if i remember correctly.
No, that is inside local address.
You configured nat without statically assigning a host to an IP address, and without the overload command (port address translation).
And you already have IP address on your serial port from other IP address range. That can create a lot of problems.
Issue #debug ip ICMP packet
 on both of your routers and then try ping ISP from xp host ( I guess you are not in production network)
ok global would have been then: 42.0.0.48.

I removed ip nat static for example

Ip nat inside source static 192.168.0.5 42.0.0.49 - for example but then decided on dynamic nat.

Yes correct i have not done 'overload' yet.

I will run debug tomorrow and let you know findings..
Once tested then it will be a production.
hi I've just realised through your advice why the ping from pc to 10.0.0.5 & 10.0.1.2 was not successful.

ip route 42.0.0.48 255.255.255.240 10.0.0.6 - although this is the correct public ip address pointing to my internal address, the public address does not yet exist.  so a way of confirming ping would be successful would be to add:

ip route 0.0.0.0 0.0.0.0 10.0.0.6 - this allowed the ping mentioned above to be successful

question 1.  one thing that confuses me is why my pc detects the gateway as below instead of 192.168.0.1, but even if I set: 3550 to: int vlan 1 - 192.168.0.1/24 and sanjose1/router to: 192.168.0.2/24 this does not change the pc default-gateway so although cisco ios knows of the ip addressing scheme, why does the pc detect that gateway  ?

pc
192.168.0.12 - allocated automatically via the dynamic nat pool
255.255.255.0
192.168.0.2

my 3550 that is setup as a layer 2 not layer 3 is as follows:

int fa0/1
description connected to sanjose1
switchport mode trunk - for example

int fa0/2
description connected to pc
spanning-tree portfast - for eg

int vlan
ip address 192.168.0.2 /24


sanjose1/router

int eth0
description connected to 3550 acting as a layer 2 not layer 3 switch
ip address 192.168.0.1/24

int s0/0
description connected to my isp-1 test router
ip address 10.0.0.6/24
one thing that confuses me is why my pc detects the gateway as below instead of 192.168.0.1, but even if I set: 3550 to: int vlan 1 - 192.168.0.1/24 and sanjose1/router to: 192.168.0.2/24 this does not change the pc default-gateway so although cisco ios knows of the ip addressing scheme, why does the pc detect that gateway  ?
The PC doesn't detect the IP address of the default gateway, it is configured on the DHCP server or manually assigned on the PC. So, check configuration of DHCP server.

192.168.0.12 - allocated automatically
255.255.255.0
192.168.0.2 <- also allocated via DHCP

add bpduguard to edge ports as loop prevention mechanism
int fa0/2
description connected to pc
spanning-tree portfast
spanning-tree bpduguard enable

If there will be just one VLAN there is no need for configuring trunk on link to router (access port would be fine).
int fa0/1
description connected to sanjose1
switchport mode trunk - for example

If there should be more than one VLAN and there should be no intervlan traffic then trunk would be OK, however if you would configure more than one VLAN and you need intervlan traffic then, I guess preferred configuration would be to configure Cat 3550 in L3 mode.
hi regarding 192.168.0.2/24, my sanjose1/router is configured for:

int s0/0
description connected to 3550 layer 2 & not configured as layer 3
192.168.0.1/24

when I plugged my pc into 3550 layer 2 switch, I then checked auto ip address on pc which gave:

192.168.0.12
255.255.255.0
192.168.0.2

I was expecting the (dg) above to be 192.168.0.1.................if I add the below manually:

192.168.0.12
255.255.255.0
192.168.0.1 - as expected

note:  I cannot see anything in my config that would force the pc to auto detect dg: 192.168.0.2.

note:  (i did not configure) any dhcp, except the (ip nat pool) configs which is a form of dhcp

----------------------------------------
If there will be just one vlan there is no need for configuring trunk on link to router (access port would be fine). - ok i did wonder so i left as 'trunk'... i will change back to 'switchport mode access' .

bpduguard, - yes i have left out all other spanning-tree configs as dealing specifically with nat first.

appreciated.
PC gets IP address from DHCP server if it is not manually configured.
ip nat pool MIKENATPOOL has nothing to do with assigning ip address to PC.

Anyway, you can  easily configure DHCP server on router.
hi if you look at my configs you will not see any dhcp configs.
my 3550 layer 2 is blank switch while configuring this nat connected to my sanjose1/router that only has 'ip nat pool' range in place, when configuring 'static/dynamic nat/overload' only.

i disabled and re-enabled my pc ip addressing but still the pc auto detected an ip address and there is no internet access either.
Still, if you get ip address on your network card from 192.168.0.0/24 network range it must be getting ip address from a DHCP server (or by some script that will autoconfigure network card) otherwise network card would have ip address from 169.254.0.0/16 network range.
ok.....!

& by the way I also then added a 'static server' address in nat
& then configured dhcp on sanjose1/router which detected my laptop when plugged into int fa0/3 & gave it an address.
hi predrag,  i am not sure if you can still respond to this thread which you helped me with, but after working on nat... i realised i did not save the snmp config and i have re-read through your answers and i then added the following:

snmp-server community xxxxx r0 1
ip access-list standard 1
access-list 2 permit 192.168.3.2 log


question 1.  my prtg monitoring tool will no longer detect 192.168.3.2 - have i missed something  ?

appreciated if you can!
192.168.3.2 is the only host that will be able to get snmp data according to that configuration, so monitoring tool should be installed on 192.168.3.2 or modify your ACL to permit ip address of host with PRTG installed (ip address as router sees it - if PRTG is behind nat that can be different ip address than it is configured on host itself).
In PRTG you need to configure IP address of router (again the same story about nat), maybe you will need to configure port forward on your router(s).
hi, my prtg is separate from (nat) and on another router & switch!!

i have returned back to the snmp routers because i forgot to save the config to get prtg monitoring tool to sync which was successful, but for some reason after reading through above notes and adding the below it will not sync so i think i have missed part of the config off  ?

- snmp-server community xxxxx r0 1
- ip access-list standard 1
- access-list 2 permit 192.168.3.2 log
No, that's all that needs to be configured. For testing you can remove access-list from snmp configuration and configure only
# snmp-server community xxxxx r0
That should be enough. ACL is there so no one else can get your snmp data.
hi,  well at the moment i do not want anyone else to get to my snmp data.

for some reason it has not connected and it is the same identical routers as below and all can ping vice versa successfully.... i have re-installed but same issue.

not sure why then.
Temporarily remove ACL for troubleshooting. Double check community string.
Yes i have removed acl but adjusted key chain dates to 22 dec 2015 to 23 dec 2016.

I will remove key chain tomorrow although after adjusting dates i did: debug & no authentication or mismatch issues.

Will let you know tomorrow.

Thanks for replying.
Ntp clock is correct & clock as all routers clock have auto sync'd correct time.
Key chain is used for EIGRP authentication (for routing - and ping is working, so routes are OK) and has nothing to do with snmp, so no need to remove key chain.
Ok.
After uninstall of prtg software & deleted folders & re-installed the prtg detected my routers correctly as expected.
Sound advice.  After reading your advice i realised that

- ip route 0.0.0.0 0.0.0.0 10.0.0.6 - allows pc to ping & because the below is not actually active that is the reason why the pc fails its ping.  So using the other static address stated above confirms the ping to be successful as a test until 42.0.0.48 becomes live:

Ip route 42.0.0.48 255.255.255.240 10.0.0.6
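
Added example (not part of the thread and not code from any participant): a small Python check, run over a constructed config, that reports which source addresses the ACL referenced by each SNMP community actually permits. That is the thing to verify when a monitoring host such as the PRTG machine discussed above cannot poll a router. The sample config, community placeholders and function names are assumptions made for this illustration.

```python
import re

# Constructed sample config, not taken from the thread; community strings are placeholders.
SAMPLE = """\
snmp-server community PLACEHOLDER1 RO 10
snmp-server community PLACEHOLDER2 RO 20
snmp-server community PLACEHOLDER3 RO
access-list 10 permit 192.168.3.2 log
ip access-list standard 30
 permit 192.168.3.0 0.0.0.255
"""

COMMUNITY = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (?:ro|rw))?(?: (\S+))?$", re.I)
NUMBERED = re.compile(r"^access-list (\d+) (permit|deny) (.+)$", re.I)
NAMED = re.compile(r"^ip access-list standard (\S+)$", re.I)
ENTRY = re.compile(r"^\s+(?:\d+ )?(permit|deny) (.+)$", re.I)

def parse_acls(config):
    """Return {acl_id: [(action, source), ...]} for standard ACLs in the text."""
    acls, current = {}, None
    for line in config.splitlines():
        if m := NUMBERED.match(line):
            acls.setdefault(m[1], []).append((m[2].lower(), m[3].removesuffix(" log")))
            current = None
        elif m := NAMED.match(line):
            current = m[1]
            acls.setdefault(current, [])
        elif current and (m := ENTRY.match(line)):
            acls[current].append((m[1].lower(), m[2].removesuffix(" log")))
        elif not line.startswith(" "):
            current = None  # left the named-ACL sub-mode
    return acls

def audit_snmp(config):
    """Map each community string to the sources its referenced ACL permits."""
    acls, findings = parse_acls(config), {}
    for line in config.splitlines():
        if m := COMMUNITY.match(line.strip()):
            name, acl = m[1], m[2]
            permits = [src for action, src in acls.get(acl, []) if action == "permit"]
            if acl is None:
                findings[name] = "no ACL: queries are not restricted by source address"
            elif not permits:
                findings[name] = f"ACL {acl} has no permit entries in this config"
            else:
                findings[name] = f"ACL {acl} permits: " + ", ".join(permits)
    return findings
```

Calling `audit_snmp()` on a saved running-config returns one finding per community, so a community that points at a different ACL number than the one holding the monitoring host's permit entry shows up immediately.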