Can't get to internet from behind router 2

aneelley

Technical User
Apr 24, 2010
63
US
I have a Windows 2003 server connected to a Cisco 3500XL switch and then the switch is connected to a Cisco 2621 router and then the router is connected to my corporate network.
FastEthernet 0/0 is connected to the corporate network.
FastEthernet 0/1 is connected to the private network where my Windows 2003 server resides.
I am using the network 192.168.220.0 255.255.255.0 for the inside and FE0/0 is fetching a DHCP address.
The inside IP addresses are as follows:
192.168.220.1 - router
192.168.220.2 - switch
192.168.220.3 - Windows server
I am using 8.8.8.8 for the nameserver (Google's free DNS address).
From the router console, I can ping 8.8.8.8 and the 220.1,220.2 and 220.3 addresses just fine as well as ping google.com and it looks up and pings just fine.
The problem I am having is this:
When I am on the Windows server, I try to ping google.com and it will look up the IP just fine but it will not ping. It times out. Also, do I need to be using "ip classless"?

Here is my router configuration:
oasis#sh run
Building configuration...

Current configuration : 872 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname oasis
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip http server
ip http secure-server
ip classless
!
ip dns server
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
!
!
end
 
You are actually not NATting.

router#conf t
router(config)#ip nat inside source list NAT interface FastEthernet0/0 overload
router(config)#ip access-list extended NAT
router(config-ext-nacl)#permit ip 192.168.220.0 0.0.0.255 any
router(config-ext-nacl)#exit


CCNP
 
Ok, now I can't RDP from a PC on my desk to the Windows 2003 server (192.168.200.3). If I take out the two statements you provided, RDP works fine. I have a static route set on the PC as follows:

Network Destination  Netmask        Gateway       Interface     Metric
192.168.220.0        255.255.255.0  10.61.33.150  10.61.33.193  2

Where 10.61.33.150 is the DHCP address of the f0/0 interface of the router and 10.61.33.193 is the address of the PC I am trying to connect from.
 
Here is the new running configuration:

oasis#sh run
Building configuration...

Current configuration : 1006 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname oasis
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip http server
ip http secure-server
ip classless
!
ip dns server
!
!
ip access-list extended NAT
permit ip 192.168.220.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
!
!
end

oasis#
 
ip route 0.0.0.0 0.0.0.0 fa 0/0
ip nat inside source static tcp 192.168.220.3 3389 interface fa0/0 3389

CCNP
 
I thought this might help also:

oasis#sh ip nat translations
Pro  Inside global      Inside local        Outside local      Outside global
tcp  10.61.33.150:3409  192.168.220.3:3409  10.61.34.52:9084   10.61.34.52:9084
tcp  10.61.33.150:3410  192.168.220.3:3410  10.61.34.52:9084   10.61.34.52:9084
tcp  10.61.33.150:5     192.168.220.3:80    10.61.33.193:2904  10.61.33.193:2904
tcp  10.61.33.150:6     192.168.220.3:80    10.61.33.218:3481  10.61.33.218:3481
oasis#
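
Why the routed RDP session stopped working once the overload rule was added can be read from the table above: the NAT access list matches any destination, so the server's replies to directly routed clients are also port-translated and leave with the router's address instead of 192.168.220.3. The following is an added example, not part of the original thread; the function names, the port heuristic and the 10.0.0.0/8 corporate range used in the exemption ACL are assumptions.

```python
import ipaddress

# Rows copied from the `sh ip nat translations` output posted above.
NAT_TABLE = """\
tcp 10.61.33.150:3409 192.168.220.3:3409 10.61.34.52:9084 10.61.34.52:9084
tcp 10.61.33.150:3410 192.168.220.3:3410 10.61.34.52:9084 10.61.34.52:9084
tcp 10.61.33.150:5 192.168.220.3:80 10.61.33.193:2904 10.61.33.193:2904
tcp 10.61.33.150:6 192.168.220.3:80 10.61.33.218:3481 10.61.33.218:3481
"""

def translated_replies(table):
    """Entries where PAT rewrote the source of a server's reply.

    Heuristic (assumption): an inside-local port below 1024 facing an
    outside port of 1024 or higher means the inside host is the server.
    """
    hits = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _, inside_global, inside_local, outside_local, _ = fields
        server_port = int(inside_local.rsplit(":", 1)[1])
        client_ip, client_port = outside_local.rsplit(":", 1)
        if server_port < 1024 <= int(client_port):
            hits.append((client_ip, inside_local, inside_global))
    return hits

def nat_applies(src, dst, acl):
    """First-match ACL evaluation with implicit deny, as IOS does for NAT."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False

# ACL from the thread: permit ip 192.168.220.0 0.0.0.255 any
THREAD_ACL = [("permit", "192.168.220.0/24", "0.0.0.0/0")]
# Hypothetical exemption, assuming the corporate side is 10.0.0.0/8:
#   deny   ip 192.168.220.0 0.0.0.255 10.0.0.0 0.255.255.255
#   permit ip 192.168.220.0 0.0.0.255 any
EXEMPT_ACL = [("deny", "192.168.220.0/24", "10.0.0.0/8")] + THREAD_ACL

if __name__ == "__main__":
    for client, local, glob in translated_replies(NAT_TABLE):
        print(f"{client} connected to {local} but the reply leaves as {glob}")
    for name, acl in (("thread", THREAD_ACL), ("exempt", EXEMPT_ACL)):
        print(name, nat_applies("192.168.220.3", "10.61.33.193", acl),
              nat_applies("192.168.220.3", "8.8.8.8", acl))
```

With the exemption entry in place, traffic between the lab subnet and the corporate range is routed untranslated while everything else is still overloaded onto FastEthernet0/0.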
 
You can remove the static route from the server since the router will handle that with the default route I provided.


CCNP
 
Ok, now I can't ping google.com from the router and RDP still isn't working from my desk PC to the 192.168.200.3 Windows server.

oasis#ping google.com
Translating "google.com"...domain server (8.8.8.8) (10.99.245.16) (10.64.2.88)
% Unrecognized host or address, or protocol not running.

oasis#

Here is the new router configuration:

Current configuration : 1129 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname oasis
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.220.3 3389 interface FastEthernet0/0 3389
ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip dns server
!
!
ip access-list extended NAT
permit ip 192.168.220.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
!
!
end

oasis#
 
I even bumped up the metric to 10 on the PC on my desk:
Active Routes:
Network Destination  Netmask        Gateway       Interface     Metric
192.168.220.0        255.255.255.0  10.61.33.150  10.61.33.193  10
 
Let me also draw a quick diagram:

<my pc>-<company network>-<router>-<switch>-<windows server>
 
Is it 192.168.220 or .200? You keep changing it. Whatever it is, adjust the access list for that.
Then add:
ip domain-lookup

CCNP
 
I stand corrected. It is 192.168.220.3 for the Windows server.
 
Still can't ping google.com from the router. The Windows server pings fine. I still can't RDP from my desk to my Windows server:

oasis#ping google.com
Translating "google.com"...domain server (8.8.8.8) (10.99.245.16) (10.64.2.88)
% Unrecognized host or address, or protocol not running.

oasis#ping 192.168.220.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.220.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
oasis#


Here is the latest config:

oasis#sh run
Building configuration...

Current configuration : 1129 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname oasis
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.220.3 3389 interface FastEthernet0/0 3389
ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip dns server
!
!
ip access-list extended NAT
permit ip 192.168.220.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
!
!
end

oasis#
 
Can you ping from the server to your machine? If so, then RDP to the external IP of the router.

CCNP
 
Well, that works, but I am going to have more than one Windows server I need to RDP to on the private network so always going to the router's external IP and getting forwarded to just a certain Windows server won't work for this.

My end goal is to have a Windows 2003 VMware vCenter Server on the 192.168.220.3, an ESX 3.5 server on the 192.168.220.4, and a couple of other Windows servers and maybe an HP StorageWorks. I basically want everything on a private network and my coworkers and I will just add the static route to our PCs and get to the private network from there, if that makes sense.
 
Well then, your best bet is to add a static route to your main gateway (the router your computer talks to for internet) and point it to the router that we are configuring now. Then basically remove everything we just did, except the static route.

So your computer >> default gateway >> redirect to 2nd gateway

CCNP
 
Ack, yeah unfortunately they would probably frown on that. Ok, so basically there isn't a way to accomplish this without having to modify the company's router settings? All I want is to have a couple of coworkers and myself be able to access some servers but the servers need to be on their own private network. This will be our troubleshooting lab.
 
Also, if I RDP to the router's outside address and get to the 192.168.220.3 Windows server, that works but I still can't ping google.com from the Windows server:

C:\>ping google.com
Ping request could not find host google.com. Please check the name and try again.

C:\>
 
Can you spare more of those 10. addresses? That way we can do 1-to-1 NAT.


CCNP
 