
1720 Configuration/NAT


carlmeister

Technical User
Mar 1, 2002
I am trying to configure a Qwest T-1/Managed VPN setup and think I may be a little confused by this (nothing new there). I currently have the configuration shown below. Note that Qwest has given us a block of addresses to use for NAT on a different subnet than the Serial IP address. This configuration lets me traceroute from the 1720 to anywhere on the Internet. However, if I traceroute from one of the LAN PCs with a static NAT address, I see the Router and the first hop (the x.x.x.125 address). The trace seems to stop there.

I cannot traceroute TO the router from outside, but I want to get the outbound part working before I determine if that is a Qwest routing problem.

I have tried several variations on this and can't seem to create any difference other than having the LAN PC not even see the first hop after the router. At this point I am not sure if I am messing up the NAT configuration or if it is something more basic than that...

I would appreciate anyone's help.

Carl Neumann

interface Serial0
description connected to Internet
ip address x.x.x.126 255.255.255.252
ip nat outside
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
!
interface FastEthernet0
description connected to EthernetLAN
ip address 192.168.200.252 255.255.255.0
ip nat inside
speed auto
!
router rip
version 2
passive-interface Serial0
network 192.168.200.0
no auto-summary
!
ip nat pool inet_pool x.x.y.98 x.x.y.98 prefix-length 24
ip nat inside source list 1 pool inet_pool overload
ip nat inside source static 192.168.200.6 x.x.y.104
ip nat inside source static 192.168.200.5 x.x.y.103
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.125
ip route x.x.y.96 255.255.255.240 FastEthernet0
no ip http server
!
access-list 1 permit 192.168.200.0 0.0.0.255
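As an added example (not from the thread or from Cisco), here is a small Python audit that parses a config in the shape of the one posted above, lists the inside hosts exposed to the Internet by static NAT, and flags a public block routed onto an interface that carries no address in that block (the mismatch the first reply below raises). The sample config is constructed; the public-side addresses are documentation-range placeholders, not the real Qwest block.

```python
import ipaddress
import re

# Constructed sample modelled on the 1720 config posted above; the public
# side uses documentation-range placeholders, not the real Qwest block.
SAMPLE_CONFIG = """\
interface Serial0
 ip address 192.0.2.126 255.255.255.252
 ip nat outside
interface FastEthernet0
 ip address 192.168.200.252 255.255.255.0
 ip nat inside
ip nat inside source static 192.168.200.6 198.51.100.104
ip nat inside source static 192.168.200.5 198.51.100.103
ip route 0.0.0.0 0.0.0.0 192.0.2.125
ip route 198.51.100.96 255.255.255.240 FastEthernet0
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_nat(config):
    """Return (exposed, warnings): exposed maps inside-local -> inside-global for
    every static 1:1 mapping, i.e. the LAN hosts reachable from the Internet."""
    ifaces, cur, statics, routes = {}, None, [], []
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            cur = m[1]
            ifaces[cur] = []
        elif (m := ADDR_RE.match(line)) and cur:
            ifaces[cur].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := STATIC_RE.match(line):
            statics.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        elif m := ROUTE_RE.match(line):
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]))
    warnings = []
    for local, glob in statics:
        if any(glob in p for p in RFC1918):
            warnings.append(f"{glob}: inside-global address is RFC1918, not routable")
        # Longest-match route for the global address; if it points at an interface
        # whose addresses do not cover that block, report the mismatch.
        best = max((r for r in routes if glob in r[0]), key=lambda r: r[0].prefixlen, default=None)
        if best and best[1] in ifaces and not any(glob in s for s in ifaces[best[1]]):
            warnings.append(f"{glob}: routed to {best[1]}, which has no address in that subnet")
        if not any(local in s for subs in ifaces.values() for s in subs):
            warnings.append(f"{local}: inside-local host is on no interface subnet")
    return {str(l): str(g) for l, g in statics}, warnings
```

Run `audit_nat(SAMPLE_CONFIG)` to get the exposed-host map and the two warnings for the constructed sample; the same function works on any config dump containing the same four command families.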
 
Something looks very wrong here. You're trying to set up a private LAN IP to a public one, but you have a private IP on the Ethernet port. If Qwest is giving you these IPs you must set the static as a secondary IP with the correct subnet:

interface ethernet0/0
ip address 206.xxx.xxx.10 255.255.255.224 secondary
ip address 172.16.1.1 255.255.255.0
ip nat inside

Jeter@LasVegas.com
Fisher CCNA, (Routing)
UOP Student BSIT
 
Hi,
Thanks for the reply. Actually this WAS a bit screwed up, although I still don't have it working, and Qwest is struggling with it also.

We are using their managed VPN product, so we are not supposed to set up NAT at all-they supposedly do the translation for us.

I am not sure what you mean by your comment though. Don't I need to assign the address my internal network will use as their gateway as the Ethernet address of the router? I think they did add the public addresses they are managing for us as secondary on the Ethernet interface as you suggest, but it still does not work. They have escalated it up their support chain, since you can't traceroute to the public address(es) they have assigned beyond the last router outside their VPN border router.

If you have any other pointers, they would be appreciated.
Thanks again
 
The normal thing is that you can't ping any IP inside your subnet to check that the real IPs are working OK. Try to traceroute the IP of the serial interface from outside using a live demo; if it replies and gives the destination of the serial IP, the IP is working OK. The wrong thing in your configuration is that you don't use the RIP routing with a passive serial interface, because it will not know how to route the data from the Ethernet interface to the serial interface. It's better to use a static route, that is:
ip route 0.0.0.0 0.0.0.0 serial 0
Try it; the NATting and routing will work normally.
 
What address are you trying to NAT your inside users to? Your serial0 interface has a /30 link to your ISP's core router, which is odd as most use IP unnumbered these days to save on addresses, but that's beside the point!

On the inside of your router you should have the first live routable address from your assigned range. If Qwest are putting in a VPN gateway device then that should be doing NAT for your network. Your router's ethernet0 has a live address (e.g. 206.x.x.x), then the outside of the gateway has the next live address, and the inside of the gateway has your private internal range with an IP address that becomes your clients' gateway IP. The VPN/gateway device has a route out via the live address on the ethernet0 of the router, and the router has a default route 0.0.0.0 0.0.0.0 serial0.

It all looks arse about face to me!

Chris.

;-)

************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
The reason why you can't traceroute from inside with the static IPs is because they are private addresses. Qwest is probably blocking traceroute to prevent anyone from tracing back to you, to try and prevent spoofing. Remember, private addresses can be anyone and therefore cannot be traced. The 1720 has public addresses, not NAT translation, therefore it is allowed to be traced back.
 