
Can't get to internet from behind router 2


aneelley

Technical User
Apr 24, 2010
I have a Windows 2003 server connected to a Cisco 3500XL switch and then the switch is connected to a Cisco 2621 router and then the router is connected to my corporate network.
FastEthernet 0/0 is connected to the corporate network.
FastEthernet 0/1 is connected to the private network where my Windows 2003 server resides.
I am using the network 192.168.220.0 255.255.255.0 for the inside and FE0/0 is fetching a DHCP address.
The inside IP addresses are as follows:
192.168.220.1 - router
192.168.220.2 - switch
192.168.220.3 - Windows server
I am using 8.8.8.8 for the nameserver (Google's free DNS address).
From the router console, I can ping 8.8.8.8 and the 220.1, 220.2 and 220.3 addresses just fine, as well as ping google.com; it looks up and pings just fine.
The problem I am having is this:
When I am on the Windows server, I try to ping google.com and it will look up the IP just fine, but it will not ping. It times out. Also, do I need to be using "ip classless"?

Here is my router configuration:
oasis#sh run
Building configuration...

Current configuration : 872 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname oasis
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip http server
ip http secure-server
ip classless
!
ip dns server
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
end
 
With a /30 mask, the network addresses start at .0 and go every 4, so .4, .8, .12, .16, .20, etc.

nw=network address, ua=usable addresses, ba=broadcast address

oasis(config-if)#ip add 10.61.32.58 255.255.255.252
nw=.56 ua=.57, .58 ba=.59

oasis(config-if)#ip add 10.61.32.39 255.255.255.252
nw=.36 ua=.37, .38 ba=.39

oasis(config-if)#ip add 10.61.32.52 255.255.255.252
nw=.52 ua=.53, .54 ba=.55

You get the point...so on and so on, do the math, literally... :)

You need to describe the corporate network better than that. Like this...

Internet---then what?---then what?---then what?

I need to see the first device that has a public IP address on it. All inside private RFC1918 addresses have to be NATted in the edge device. If your corporate edge device is natting the inside addresses, we need to find out what is being natted on the inside. For example, if they are natting the entire 10.61.0.0/16 subnet, then you VLSM that into further subnets...so you need to ask your network "team" that knows subnetting like the back of their hands (LOL!!! HAHAHAHAHA!!!!!!!! I CRACK ME UP!!!!...anyway...*AHEM*..ok, back to normal, whatever that is...)---to

1. Give you a range of addresses, contiguous, say with a 255.255.255.240 mask, which will allow for 12 servers, within the already NATted range

2. Add whatever addresses you give your servers, like 172.31.1.0/24, 192.168.221.0/24, whatever---add that subnet to the NAT pool for the edge router that goes out to the Innernets

then, which you need to do anyway, get rid of ALL NAT statements in the router, no ip nat out on fa0/0, no ip nat in on fa0/1, and the ip nat inside source list blabla int fa0/0 over statement. Your router cannot NAT if the corporate edge already is! Well, you can, but not for what you are trying to accomplish.

*******OR************

Get rid of the router and just add all the servers into the 10.61.x.x subnet, which is what you don't want to do. Adding secondary addresses to the fa0/1 interface makes no sense whatsoever---just add ONE to the inside interface (fa0/1) and the servers get the rest.

/
tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
I'll let you re-read the thread first. I asked for 7 static IP addresses and that is what they assigned me and listed 255.255.255.252 as the netmask. They didn't mention any gateway. They just asked me where I was and what floor and asked for me to make up a host name for each IP requested. Then they gave me 7 of them and that one netmask.
 
Hmm, after reading burts' reply I am thinking I should just rip out the router and just go with the 3500XL switch and plug everything into that and be done with it. What do you guys think? The heck with all this routing stuff if I have static IP addresses, right? I mean, as long as I don't set up a DHCP server on one of the lab boxes the carpet lab should be ok.
 
Yeah burts, he wants a second RFC1918 behind his already private network; there is no harm in double NATting. I agree that a contiguous block would be best, but /30 will work as well. There are more ways to do this, but this is what seems to me the easiest.

So he wants his VMs on a separate network. Now, as I said, if they will not add a route to their main gateway, as an ICMP redirect, they will need a 1-to-1 NAT, unless they make permanent static routes on their machines accessing this subnet.

CCNP
 
"Then they gave me 7 of them and that one netmask."

Then they are retarded, no question.

Your second private subnet can be a part of the already subnetted 10 dot nw, like what they were trying to give you. Can you not ask them for a contiguous block? The /30 will not work with those addresses, and I explained why...well, like 2 of them fall within the usable range...

Why can they not add your subnet, 192 dot nw, to the NATted acl in the edge router? Are they that stupid?

 
It seems your IT dept doesn't understand your requirement.
Can you go back and ask for 8 IP addresses from the same subnet as your DHCP range of addresses? They can either reserve them in the DHCP scope or exclude them from the DHCP range. Once you have the 8 IP addresses, assign them to your router. Say you were given 10.61.32.11 to 10.61.32.18 and subnet mask 255.255.255.0.
You will assign the IPs as follows:
oasis(config)#int f0/0
oasis(config-if)#description connected to CorporateNetwork
oasis(config-if)#ip add 10.61.32.11 255.255.255.0
oasis(config-if)#ip add 10.61.32.12 255.255.255.0 secondary
oasis(config-if)#ip add 10.61.32.13 255.255.255.0 secondary
oasis(config-if)#ip add 10.61.32.14 255.255.255.0 secondary
oasis(config-if)#ip add 10.61.32.15 255.255.255.0 secondary
oasis(config-if)#ip add 10.61.32.16 255.255.255.0 secondary
oasis(config-if)#ip add 10.61.32.17 255.255.255.0 secondary
oasis(config-if)#ip add 10.61.32.18 255.255.255.0 secondary
oasis(config-if)#ip nat outside
oasis(config-if)#no shut
Once you have all the above configured, we can then create the NAT rules. That way, when you want to RDP to server1 in your lab you would RDP to e.g. 10.61.32.12 from your corporate LAN, for server2 RDP to 10.61.32.13....
 
So there are a couple of things going on for this and I need to be honest about it. Our regular tech department, where we have equipment to assist us, gets played with by students a LOT. As a result, when we try to use it, it's never in good shape and we have to blow configurations away and reload them, etc. This is a very time consuming process. In an attempt to eliminate this, I wanted an environment of my own, so I bought the servers with my own money and built one. One that my coworkers and I can share and know exactly what state the environment is in at all times. I just have to be careful about putting this on the network, and the business gets real antsy about putting routers and switches on the network. I have heard stories about people taking down the network by putting a DHCP server on it. So I have to be a bit "obscure" when asking for a crapload of IP addresses. Luckily, they haven't asked what they are for. That is why I can't go ask them to modify other routers in the business and I have to work with what I've got. I hope you guys can understand that. And by putting this on my own private network, I am hoping to keep everything contained, etc.

About the same subnet IP's...I doubt they will provide those. I can ask though.
 
I found a nice network calculator and plugged all the IP addresses they gave me into it. Man, you are right...those guys are retards:

10.61.32.58 would work.
10.61.32.39 would NOT work because it is a broadcast address.
10.61.32.52 would NOT work because it is the address of the network.
10.61.32.55 would NOT work because it is a broadcast address.
10.61.32.68 would NOT work because it is the address of the network.
10.61.32.78 would work.
10.61.32.81 would work.

Whiskey Tango Foxtrot, over?
 
In any event, depending on where you want to advertise or reach these servers from, you have different NAT requirements. While using the 10.x.x.x address space may enable you to reach the servers internally, you would not be able to reach those from an external network, as you would need private addressing for that. You can do conditional NAT using route maps such that if the source address is internal, such as your PC at the location, the servers get NATed to one address or not NATed at all, and if the source is from an outside network then the NAT does occur. If you want to be able to reach these from an external network, i.e. not an intranet, you need public addressing for each server; an overload for the public addressing will not work unless you can map the port address translations. If you can do that, you would need to access the servers using the port as well as the IP address. I have never tried that and don't really know offhand if it is a supported solution or not.

It is the drawback of using PAT which is what you are really using with overload.

 
I just heard back from the network team. They informed me that the netmask should be 255.255.252.0. That looks better. So knowing that, I'll try to get the secondary addresses added today.
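The /30 arithmetic burtsbees walked through earlier and the network-calculator check a few posts up, carried out in code as an added example (it is not from any poster in the thread): it classifies each of the seven assigned addresses as network, usable or broadcast, first under the 255.255.255.252 mask originally quoted and then under the 255.255.252.0 mask just supplied.

```python
"""Network / usable / broadcast check for the addresses in the thread.

Added example, not from the thread itself. It applies the rule from burtsbees'
post to the seven addresses the network team handed out, first under the /30
mask they quoted and then under the /22 mask they later corrected it to.
"""
# Addresses and masks exactly as they appear in the thread.
ASSIGNED = ["10.61.32.58", "10.61.32.39", "10.61.32.52", "10.61.32.55",
            "10.61.32.68", "10.61.32.78", "10.61.32.81"]
MASK_QUOTED = "255.255.255.252"    # /30, the mask first given
MASK_CORRECTED = "255.255.252.0"   # /22, the mask given later


def to_int(dotted):
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def classify(addr, mask):
    """Return nw/ua/ba for addr under mask, plus which of them addr is.
    network = addr AND mask; broadcast = network OR (NOT mask); usable
    addresses lie strictly between them, so a /31 or /32 has none.
    """
    a, m = to_int(addr), to_int(mask)
    network = a & m
    broadcast = network | (~m & 0xFFFFFFFF)
    hosts = range(network + 1, broadcast)          # empty for /31 and /32
    role = "network" if a == network else "broadcast" if a == broadcast else "usable"
    return {"address": addr, "network": to_dotted(network),
            "first_usable": to_dotted(hosts[0]) if hosts else None,
            "last_usable": to_dotted(hosts[-1]) if hosts else None,
            "broadcast": to_dotted(broadcast), "role": role}


def usable_under(mask, addrs=ASSIGNED):
    """Addresses a host could actually be configured with under the given mask."""
    return [a for a in addrs if classify(a, mask)["role"] == "usable"]


if __name__ == "__main__":
    for mask in (MASK_QUOTED, MASK_CORRECTED):
        print("mask %s: usable %s" % (mask, ", ".join(usable_under(mask))))
```

Under the /30 mask only .58, .78 and .81 are host addresses, matching the calculator output above; under the /22 mask all seven sit inside 10.61.32.0/22 and are usable.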
 
Ok, here is the latest configuration. I need help with the NAT rules if you don't mind.

Current configuration : 1366 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname oasis
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address 10.61.32.39 255.255.252.0 secondary
ip address 10.61.32.52 255.255.252.0 secondary
ip address 10.61.32.55 255.255.252.0 secondary
ip address 10.61.32.68 255.255.252.0 secondary
ip address 10.61.32.78 255.255.252.0 secondary
ip address 10.61.32.81 255.255.252.0 secondary
ip address 10.61.32.58 255.255.252.0
ip nat outside
shutdown
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip dns server
!
!
ip access-list extended NAT
permit ip 192.168.220.0 0.0.0.255 any
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
end
 
First do no shut on int fa0/0

Then if server1 has ip address 192.168.220.3 then to rdp to it you will need the command below in global config mode.

ip nat inside source static tcp 192.168.220.3 3389 10.61.32.39 3389

Then server2 (192.168.220.4)

ip nat inside source static tcp 192.168.220.4 3389 10.61.32.52 3389

and the list goes on.
 
Makes sense. Is there a way to just allow all ports to each IP address?
 
Also, which IP address do I use for the Windows server? 192.168.220.3? And do I point it to the router's inside IP 192.168.220.1 for the default gateway and the DNS?
 
For some reason, I now cannot ping 8.8.8.8 or google.com from the router:

oasis#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
oasis#

oasis#ping google.com
Translating "google.com"...domain server (8.8.8.8)
% Unrecognized host or address, or protocol not running.

oasis#

 
ip nat inside source static 192.168.220.3 10.61.32.39

or

ip nat outside source static 10.61.32.39 192.168.220.3

depending on source point for the translation.
 
Here is the new configuration:

Current configuration : 1435 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname oasis
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address 10.61.32.39 255.255.252.0 secondary
ip address 10.61.32.52 255.255.252.0 secondary
ip address 10.61.32.55 255.255.252.0 secondary
ip address 10.61.32.68 255.255.252.0 secondary
ip address 10.61.32.78 255.255.252.0 secondary
ip address 10.61.32.81 255.255.252.0 secondary
ip address 10.61.32.58 255.255.252.0
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.220.3 3389 10.61.32.52 3389 extendable
ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip dns server
!
!
ip access-list extended NAT
permit ip 192.168.220.0 0.0.0.255 any
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
end
 
Windows server IP config:

ip : 192.168.220.2
sm : 255.255.255.0
gw : 192.168.220.1
dns: 8.8.8.8

You won't be able to ping 8.8.8.8 from the router or even your servers until your router knows the IP address of your internet router. What default gateway were you given with the bunch of addresses you got from your tech guys? That is what you need to use in place of fa0/0 in the statement below.

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
 
Wow...this will NOT work! I explained why, about NAT, etc. Caspiansails (Narnia reference?) is exactly right, just as I said before. You need to add your private LAN addresses to the NAT acl in the edge internet router, PERIOD! Or this will NOT WORK!!!

Do NOT NAT in your ROUTER!!!

 