Can't get to internet from behind router 2

Status
Not open for further replies.

aneelley

Technical User
Apr 24, 2010
63
US
I have a Windows 2003 server connected to a Cisco 3500XL switch and then the switch is connected to a Cisco 2621 router and then the router is connected to my corporate network.
FastEthernet 0/0 is connected to the corporate network.
FastEthernet 0/1 is connected to the private network where my Windows 2003 server resides.
I am using the network 192.168.220.0 255.255.255.0 for the inside and FE0/0 is fetching a DHCP address.
The inside IP addresses are as follows:
192.168.220.1 - router
192.168.220.2 - switch
192.168.220.3 - Windows server
I am using 8.8.8.8 for the nameserver (Google's free DNS address).
From the router console, I can ping 8.8.8.8 and the 220.1,220.2 and 220.3 addresses just fine as well as ping google.com and it looks up and pings just fine.
The problem I am having is this:
When I am on the Windows server, I try to ping google.com and it will look up the IP just fine but it will not ping. It times out. Also, do I need to be using "ip classless"?

Here is my router configuration:
oasis#sh run
Building configuration...

Current configuration : 872 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname oasis
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip http server
ip http secure-server
ip classless
!
ip dns server
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
!
!
end
 
Probably. I can request some company static addresses if that would help?
 
yep then we assign those as secondary addresses on int fa0/0
and map each server to those ip address.

CCNP
 
Ok, here is a list of devices:

1 router
1 switch
5 servers

I think I'll just request 7 static IP addresses and turn the router's fa0/0 into static from dhcp.
 
Ok, I have now obtained the following IP addresses and need some help backing out the other changes and then making the new configuration based on static IP addresses. Here are the new static IP addresses (I have masked part of them for security reasons):

Name: hostxx01.xx.xx.com
Address: 10.61.32.58

Name: hostxx02.xx.xx.com
Address: 10.61.32.39

Name: hostxx03.xx.xx.com
Address: 10.61.32.52

Name: hostxx04.xx.xx.com
Address: 10.61.32.55

Name: hostxx05.xx.xx.com
Address: 10.61.32.68

Name: hostxx06.xx.xx.com
Address: 10.61.32.78

Name: hostxx07.xx.xx.com
Address: 10.61.32.81

Netmask: 255.255.255.252

Current config of the router is as follows:

oasis#sh run
Building configuration...

Current configuration : 1129 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname oasis
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.220.3 3389 interface FastEthernet0/0 3389
ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip dns server
!
!
ip access-list extended NAT
permit ip 192.168.220.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
!
!
end

oasis#
 
If your outside interface is connected to the corporate network, and it is a private IP address, you cannot NAT in that device. The edge device is what needs to NAT/PAT, as well as statically NAT ("port forward"). Please describe your topology, including the internet.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Topology is as follows:
<corporate network>-<Cisco router>-<Cisco switch>-<5 hosts>

I was getting the router IP via DHCP and then just assigning a 192.168.220.0 network inside the router but when speaking to ISPKing the other night, he advised to just get static IP addresses and do it that way.

Does that make sense?
 
My goal is to have all of the hosts on their own private network that we can get to by just adding a static route on our desktops.
 
For what it's worth, this is the switch configuration:

desert#sh run
Building configuration...

Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname desert
!
enable secret 5 $1$S0FR$fdMSYuFlHLEQqkHSLSGGe0
!
!
!
!
!
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface FastEthernet0/27
!
interface FastEthernet0/28
!
interface FastEthernet0/29
!
interface FastEthernet0/30
!
interface FastEthernet0/31
!
interface FastEthernet0/32
!
interface FastEthernet0/33
!
interface FastEthernet0/34
!
interface FastEthernet0/35
!
interface FastEthernet0/36
!
interface FastEthernet0/37
!
interface FastEthernet0/38
!
interface FastEthernet0/39
!
interface FastEthernet0/40
!
interface FastEthernet0/41
!
interface FastEthernet0/42
!
interface FastEthernet0/43
!
interface FastEthernet0/44
!
interface FastEthernet0/45
!
interface FastEthernet0/46
!
interface FastEthernet0/47
!
interface FastEthernet0/48
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface VLAN1
ip address 192.168.220.2 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
ip default-gateway 192.168.220.1
snmp-server engineID local 0000000902000004C147F700
snmp-server community private RW
snmp-server community public RO
!
line con 0
transport input none
stopbits 1
line vty 0 4
password password
login
line vty 5 15
login
!
end
 
I was going to upgrade the IOS to the latest and there are many to choose from. Which one should I get?

TELCO FEATURE SET
c2600-telco-mz.123-26.bin
Release Date: 18/Mar/2008

Size: 10694.03 KB (10950680 bytes)
Minimum Memory: DRAM:48 MB Flash:16 MB

ENTERPRISE BASIC
c2600-j1s3-mz.123-26.bin
Release Date: 18/Mar/2008

Size: 15708.87 KB (16085876 bytes)
Minimum Memory: DRAM:64 MB Flash:16 MB

IP/H323
c2600-ix-mz.123-26.bin
Release Date: 18/Mar/2008

Size: 8601.74 KB (8808180 bytes)
Minimum Memory: DRAM:48 MB Flash:16 MB

IP PLUS BASIC W/O HD ANALOG/AIM ATM/VOICE
c2600-is5-mz.123-26.bin
Release Date: 18/Mar/2008

Size: 15150.63 KB (15514236 bytes)
Minimum Memory: DRAM:64 MB Flash:16 MB

IP PLUS BASIC W/O SWITCHING
c2600-is4-mz.123-26.bin
Release Date: 18/Mar/2008

Size: 15857.36 KB (16237928 bytes)
Minimum Memory: DRAM:64 MB Flash:16 MB

IP/H323 PLUS BASIC
c2600-is3x-mz.123-26.bin
Release Date: 18/Mar/2008

Size: 14686.16 KB (15038624 bytes)
Minimum Memory: DRAM:64 MB Flash:16 MB

IP PLUS
c2600-is-mz.123-26.bin
Release Date: 18/Mar/2008

Size: 17646.56 KB (18070068 bytes)
Minimum Memory: DRAM:64 MB Flash:32 MB

IP/FW/IDS
c2600-io3-mz.123-26.bin
Release Date: 18/Mar/2008

Size: 7908.33 KB (8098120 bytes)
Minimum Memory: DRAM:32 MB Flash:16 MB

IP/FW/IDS PLUS IPSEC 3DES BASIC
c2600-ik9o3s3-mz.123-26.bin
Release Date: 18/Mar/2008

Size: 15706.82 KB (16083780 bytes)
Minimum Memory: DRAM:64 MB Flash:16 MB

IP
c2600-i-mz.123-26.bin
Release Date: 18/Mar/2008

Size: 7572.84 KB (7754580 bytes)
Minimum Memory: DRAM:32 MB Flash:8 MB

REMOTE ACCESS SERVER
c2600-c-mz.123-26.bin
Release Date: 18/Mar/2008

Size: 7306.58 KB (7481936 bytes)
Minimum Memory: DRAM:32 MB Flash:8 MB

IP/IPX/AT/FW/IDS PLUS BASIC
c2600-bino3s3-mz.123-26.bin
Release Date: 18/Mar/2008

Size: 15087.29 KB (15449376 bytes)
Minimum Memory: DRAM:64 MB Flash:16 MB

IP/IPX/APPLETALK
c2600-bin-mz.123-26.bin
Release Date: 18/Mar/2008

Size: 8072.02 KB (8265744 bytes)
Minimum Memory: DRAM:32 MB Flash:16 MB

 
Ok, I ripped out all the changes and got back to basics. This is almost working but there is just a little something that is missing and I am wondering if it is an ip helper-address maybe? Here is the current config:

Current configuration : 872 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname oasis
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip http server
ip http secure-server
ip classless
!
ip dns server
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
!
!
end


Topology is as follows:

<corporate network>-<router>-<switch>-<5 hosts>

I have f0/0 going to the corporate network.
I have f0/1 going to the private network.
I am using 8.8.8.8 for DNS.

I am at my desktop and I have a serial cable going from it to the router's console port. I can ping google.com just fine:

oasis#ping google.com
Translating "google.com"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.85.225.103, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/48/48 ms
oasis#

I currently only have one host connected to the private network which I gave it IP address 192.168.220.3. I can RDP to it from my desktop (it is a Windows 2003 server). The problem is that the Windows server can't ping google.com:

C:\>ping google.com

Pinging google.com [209.85.225.106] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 209.85.225.106:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

Here is the Windows server ipconfig/all output:

C:\>ipconfig/all

Windows IP Configuration

Host Name . . . . . . . . . . . . : vmwvcsdp
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Network Co
nnection
Physical Address. . . . . . . . . : 00-11-25-19-C2-AC
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.220.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.220.1
DNS Servers . . . . . . . . . . . : 192.168.220.1

Ethernet adapter Local Area Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Network Co
nnection #2
Physical Address. . . . . . . . . : 00-11-25-19-C2-AD

C:\>

The IPs are configured as follows:

fa0/0 - DHCP
fa0/1 - 192.168.220.1

192.168.220.2 - 3500XL switch.
192.168.220.3 - Windows server.

I have a static route set up on my desktop so I can get over to the private network as follows:

Network Address Netmask Gateway Address Metric
192.168.220.0 255.255.255.0 10.61.33.150 10

The 10.61.33.150 is the DHCP address of f0/0 on the router.

Hope all of this helps as I have been working on it for days.
 
Here is another question....since I have static IP addresses, should I just rip out the router and just put everything on the switch and give it a static IP? I am just wondering why I need the router, I guess. Originally, I wanted to have everything on its own private network, but maybe it just won't work that way? I am at my wits' end with this and feel like I am going in circles.
 
To be able to use your router as a proxy dns server you need the following commands on the router in global config mode;

ip domain-lookup
ip domain-name YOURLAB.COM (optional)

However, the lab is not isolated from the rest of your corporate network this way.
 
ispKing mentioned this:

"yep then we assign those as secondary addresses on int fa0/0
and map each server to those ip address. "

That is what I need to know how to do based on my static IP addresses I provided earlier.

Here is the current config:

Current configuration : 1006 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname oasis
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip http server
ip http secure-server
ip classless
!
ip dns server
!
!
ip access-list extended NAT
permit ip 192.168.220.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
!
!
end


If I connect a monitor, keyboard, and mouse to the Windows server, I can get to the internet and ping internet addresses just fine. What is not working now is being able to RDP from my desktop to the server and also bring up the VMware Vsphere client from my desktop to the Windows server.

 
oasis#conf t
oasis(config)#int fa0/0 (your router outside interface)
oasis(config-if)#ip add 10.61.32.AA netmask -this is your primary outside interface ip address.
oasis(config-if)# ip add 10.66.32.BB netmask secondary -this is your 1st secondary outside interface ip address.
Repeat the last command until you have enough IPs for your RDP hosts in your lab. Then follow the instructions in ISP's second post above but change the statement to reflect each server you want to RDP to.
 
Ok this is odd. Why is it complaining about the netmask on some of the IP addresses?

oasis(config)#int f0/0
oasis(config-if)#ip add 10.61.32.58 255.255.255.252
oasis(config-if)#ip add 10.61.32.39 255.255.255.252
Bad mask /30 for address 10.61.32.39
oasis(config-if)#ip add 10.61.32.52 255.255.255.252
Bad mask /30 for address 10.61.32.52
oasis(config-if)#ip add 10.61.32.55 255.255.255.252
Bad mask /30 for address 10.61.32.55
oasis(config-if)#ip add 10.61.32.68 255.255.255.252
Bad mask /30 for address 10.61.32.68
oasis(config-if)#ip add 10.61.32.78 255.255.255.252
oasis(config-if)#ip add 10.61.32.81 255.255.255.252
oasis(config-if)#

 
you have to add secondary to the end of each ip address statement, after the first primary


on the addresses that it is complaining on, it is because the address you typed in is the network address. add +1 to each number. so 10.61.32.68 is actually 10.61.32.69

then you need to add static nat to each of those ip addresses to match to each server.

Thus if server one is ip 192.168.220.50 your statement is

ip nat inside source static tcp 192.168.220.50 3389 10.61.32.69 3389

and so on

as for dns, just use 4.2.2.2

CCNP
 
"on the addresses that it is complaining on , it is because the address you typed in is the network address. add +1 to each number. so 10.61.32.68 is actually is 10.61.32.69"

That is only for the even numbered addresses. For the odd numbered addresses it complains about, he must SUBTRACT by one, as the odd number would be the broadcast. Come on, "Mr. King"...jeez...

I will read this post tomorrow and correct everyone's mistakes and come up with a final good working solution... :)

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
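The "Bad mask /30" errors discussed above can be reproduced offline. This is an added example, not part of any post in the thread: it classifies each of the seven posted addresses under 255.255.255.252 and also computes the smallest single subnet in which all seven would be usable hosts. That computed subnet is arithmetic only, not a statement of what the network team actually assigned; the function names are made up for this example.

```python
import ipaddress

# Addresses and mask exactly as posted in the thread.
ASSIGNED = ["10.61.32.58", "10.61.32.39", "10.61.32.52", "10.61.32.55",
            "10.61.32.68", "10.61.32.78", "10.61.32.81"]
MASK = "255.255.255.252"


def classify(addr, mask=MASK):
    """Return (role, subnet): role is 'network', 'broadcast' or 'host'."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    net = iface.network
    if iface.ip == net.network_address:
        role = "network"
    elif iface.ip == net.broadcast_address:
        role = "broadcast"
    else:
        role = "host"
    return role, net


def rejected(addrs=ASSIGNED, mask=MASK):
    """Addresses that cannot be an interface address under this mask."""
    return [a for a in addrs if classify(a, mask)[0] != "host"]


def distinct_subnets(addrs=ASSIGNED, mask=MASK):
    """Subnets the addresses fall into; more than one means they do not
    share a segment under this mask."""
    return sorted({classify(a, mask)[1] for a in addrs})


def smallest_common_subnet(addrs=ASSIGNED):
    """Smallest single subnet in which every address is a usable host."""
    ips = [ipaddress.ip_address(a) for a in addrs]
    for prefix in range(30, 0, -1):
        net = ipaddress.ip_network(f"{ips[0]}/{prefix}", strict=False)
        edges = (net.network_address, net.broadcast_address)
        if all(ip in net and ip not in edges for ip in ips):
            return net
    return None


if __name__ == "__main__":
    for a in ASSIGNED:
        role, net = classify(a)
        print(f"{a:<12} {role:<9} in {net}")
    print("rejected under /30:", rejected())
    print("distinct /30 subnets:", len(distinct_subnets()))
    print("smallest common subnet:", smallest_common_subnet())
```

The four addresses it reports as rejected are the same four the router refused, and the seven addresses spread across six different /30 subnets, which is worth raising when confirming the real mask and gateway with the network team.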
 
So then...the network guys assigned me the wrong IP addresses for that netmask? I don't want to start stepping on somebody else's IP addresses.
 
I apologize. I wasn't really looking/ iPhone screen so small..
and no they assigned you the network. but confirm with them what IP is yours and what IP is your gateway's.

btw. my solution is the ONLY solution. But burts you may clarify it if you like ;)

CCNP
 