Can't get to internet from behind router 2

Status
Not open for further replies.

aneelley

Technical User
Apr 24, 2010
63
US
I have a Windows 2003 server connected to a Cisco 3500XL switch and then the switch is connected to a Cisco 2621 router and then the router is connected to my corporate network.
FastEthernet 0/0 is connected to the corporate network.
FastEthernet 0/1 is connected to the private network where my Windows 2003 server resides.
I am using the network 192.168.220.0 255.255.255.0 for the inside and FE0/0 is fetching a DHCP address.
The inside IP addresses are as follows:
192.168.220.1 - router
192.168.220.2 - switch
192.168.220.3 - Windows server
I am using 8.8.8.8 for the nameserver (Google's free DNS address).
From the router console, I can ping 8.8.8.8 and the 220.1,220.2 and 220.3 addresses just fine as well as ping google.com and it looks up and pings just fine.
The problem I am having is this:
When I am on the Windows server, I try to ping google.com and it will look up the IP just fine but it will not ping. It times out. Also, do I need to be using "ip classless"?

Here is my router configuration:
oasis#sh run
Building configuration...

Current configuration : 872 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname oasis
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip http server
ip http secure-server
ip classless
!
ip dns server
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
!
!
end
 
Ok, I'm done. Going with a simple Linksys WRT54GL router and a Linksys switch. It works for other people here, so it should work for my application as well. Or I may just use the Linksys switch and nothing else. Put all of the 10.61.32.x addresses in and be done with it.
 
I can foresee the nw being brought to its knees...wait...the crystal ball is becoming clearer...now I see all interface link lights on the distribution switch steadily lit...many people loading the call line to the help desk...can't get through...VoIP system down...many people crawling out of cubicles...now running to the IT dept. with aluminum baseball bats...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
burts, he can NAT. He wants a separate network behind this router, which will have one interface on his "normal" LAN and one on his new private. Then when he wants to RDP to those servers on his new private, he simply RDPs to the 10.x address mapped to the appropriate server on his new private.

Why is this so difficult for everyone to grasp?

CCNP
 
I mean, without all the mapping crap, I had everything working except for RDP and Vcenter Client. I really don't see why what I am trying to do is so difficult especially when I have static IP addresses for everything now. :shrug:
 
It's not; everyone is confusing you here. Just statically map those statics to the servers you choose. Then for vCenter and RDP you must use those statics you received.

CCNP
 
This works for me and is not difficult. All the guy wants is to be able to double NAT - not ideal but it works.
 
Okie dokie. I'll work with it and let you know my findings/send the new config, etc. Thanks for hanging in there with me.
 
TESTED AND WORKS 100%

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1841
!
boot-start-marker
boot-end-marker
!

!
no aaa new-model
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address 10.61.32.39 255.255.255.0 secondary
ip address 10.61.32.52 255.255.255.0 secondary
ip address 10.61.32.55 255.255.255.0 secondary
ip address 10.61.32.58 255.255.255.0
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.61.32.1
!
!
ip http server
no ip http secure-server
ip nat inside source static 192.168.220.4 10.61.32.39
ip nat inside source static 192.168.220.3 10.61.32.52
ip nat inside source static 192.168.220.5 10.61.32.55
!
!
!
!
control-plane
!


!
line con 0

line aux 0

line vty 0 4

line vty 5 181

!
scheduler allocate 20000 1000
end



The only assumption in the above is that I have predicted your corporate lan router address but you can get that from any machine in your corporate lan in the same subnet (10.61.32.0) as your lab router.
 
And you have a router that is connected to all of this that goes out to the internet, Vic?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Should I upgrade the 2621's IOS? I had asked this before and didn't get an answer. I am still working on the configuration and will hopefully have that in the next couple of hours (gotta head home shortly and will log back in once there).

Please see my previous message on which versions are available. I need to know which one I should use as there are like 13 of them. =/
 
The IOS you currently have should be ok, I would imagine. However, should you wish to upgrade, then you need to check that you have enough flash and memory on the router for the new IOS. Could you post a sho ver?
 
Sure, here you go:

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(5b), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 16-Jan-04 02:17 by kellythw
Image text-base: 0x80008098, data-base: 0x819E5004

ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)

oasis uptime is 1 day, 3 hours, 54 minutes
System returned to ROM by power-on
System image file is "flash:c2600.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

cisco 2621 (MPC860) processor (revision 0x102) with 61440K/4096K bytes of memory.
Processor board ID JAB04130B41 (2059755997)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
2 FastEthernet/IEEE 802.3 interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102
 
I can't ping google.com from the router. It was working before I set the address on f0/0 from dhcp to 10.61.32.58. I am guessing there is a static route missing. Here is the latest configuration:

Current configuration : 1347 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hostxx01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip domain name xx.xx.com
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address 10.61.32.39 255.255.252.0 secondary
ip address 10.61.32.52 255.255.252.0 secondary
ip address 10.61.32.55 255.255.252.0 secondary
ip address 10.61.32.68 255.255.252.0 secondary
ip address 10.61.32.78 255.255.252.0 secondary
ip address 10.61.32.81 255.255.252.0 secondary
ip address 10.61.32.58 255.255.252.0
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip http server
ip http secure-server
ip classless
!
ip dns server
!
!
ip access-list extended NAT
permit ip 192.168.220.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
!
!
end
 
I figured it out:

ip route 0.0.0.0 0.0.0.0 10.61.32.1

hostxx01#ping google.com

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.14.204.103, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms
hostxx01#
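
As an added example (not part of any post in this thread, and not Cisco tooling), this Python script checks a running-config for the two gaps that separate the non-working configurations posted above from the working one: NAT roles on the interfaces with no `ip nat inside source` rule, and a statically addressed outside interface with no default route. It also lists what each static NAT entry makes reachable from the outside network; `audit_nat` and the sample strings are constructed for illustration.

```python
import re

STATIC = re.compile(r"ip nat inside source static (?:(tcp|udp) )?(\S+) (?:(\d+) )?(\S+)")

def audit_nat(config):
    """Flag the NAT/routing gaps from this thread; list static NAT exposures."""
    roles, fixed_addr, iface, exposed = {}, set(), None, []
    has_rule = has_default = False
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line == "!":
            iface = None                      # "!" closes the interface block
        elif iface and line in ("ip nat inside", "ip nat outside"):
            roles[iface] = line.split()[-1]
        elif iface and re.match(r"ip address \d", line) and "secondary" not in line:
            fixed_addr.add(iface)             # primary address is static, not dhcp
        elif line.startswith("ip nat inside source "):
            has_rule = True
            m = STATIC.match(line)
            if m:                             # no port means every port is mapped
                exposed.append((m.group(2), m.group(3) or "all", m.group(4)))
        elif line.startswith("ip route 0.0.0.0 0.0.0.0 "):
            has_default = True
    findings = []
    if {"inside", "outside"} <= set(roles.values()) and not has_rule:
        findings.append("no-translation-rule")
    outside = {i for i, r in roles.items() if r == "outside"}
    if outside & fixed_addr and not has_default:
        findings.append("no-default-route")
    return {"findings": findings, "exposed": exposed}

# Constructed excerpts of the three configuration stages posted in the thread.
FIRST = """interface FastEthernet0/0
ip address dhcp
ip nat outside
!
interface FastEthernet0/1
ip address 192.168.220.1 255.255.255.0
ip nat inside
!"""
SECOND = FIRST.replace("ip address dhcp", "ip address 10.61.32.58 255.255.252.0") + """
ip nat inside source list NAT interface FastEthernet0/0 overload"""
FINAL = SECOND + """
ip nat inside source static tcp 192.168.220.3 3389 10.61.32.52 3389 extendable
ip route 0.0.0.0 0.0.0.0 10.61.32.1"""

for name, cfg in (("first", FIRST), ("second", SECOND), ("final", FINAL)):
    print(name, audit_nat(cfg))
```

An entry reported with port `all` is a one-to-one static mapping, which forwards every port of the inside host to the outside address rather than a single service.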
 
SUCCESS! I can now RDP and I can ping from the Windows box and ping from the router. Here is the final configuration less the NAT stuff for the Vcenter client and the ESX server stuff. Working on that now...


Current configuration : 1462 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hostdp01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip domain name hq.netapp.com
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address 10.61.32.39 255.255.252.0 secondary
ip address 10.61.32.52 255.255.252.0 secondary
ip address 10.61.32.55 255.255.252.0 secondary
ip address 10.61.32.68 255.255.252.0 secondary
ip address 10.61.32.78 255.255.252.0 secondary
ip address 10.61.32.81 255.255.252.0 secondary
ip address 10.61.32.58 255.255.252.0
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.220.3 3389 10.61.32.52 3389 extendable
ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.61.32.1
!
ip dns server
!
!
ip access-list extended NAT
permit ip 192.168.220.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
!
!
end
 
VSphere client is working now. Added the following:

ip nat inside source static tcp 192.168.220.3 443 10.61.32.52 443
ip nat inside source static tcp 192.168.220.3 902 10.61.32.52 902
 
Well, I hit another speedbump. I can't bring up the consoles on the VMs when I am looking at the ESX server/VMs from the VSphere client. Any idea on what ports to forward for that? I can provide a 'deb ip nat' output if needed. Here is my latest config output:

Current configuration : 1616 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hostdp01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$I.4r$MG4o5inCNijBkCQ1VDl551
!
no aaa new-model
ip subnet-zero
!
!
ip domain name hq.netapp.com
ip name-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to CorporateNetwork
ip address 10.61.32.39 255.255.252.0 secondary
ip address 10.61.32.52 255.255.252.0 secondary
ip address 10.61.32.55 255.255.252.0 secondary
ip address 10.61.32.68 255.255.252.0 secondary
ip address 10.61.32.78 255.255.252.0 secondary
ip address 10.61.32.81 255.255.252.0 secondary
ip address 10.61.32.58 255.255.252.0
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.220.3 3389 10.61.32.52 3389 extendable
ip nat inside source static tcp 192.168.220.3 443 10.61.32.52 443 extendable
ip nat inside source static tcp 192.168.220.3 902 10.61.32.52 902 extendable
ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.61.32.1
!
ip dns server
!
!
ip access-list extended NAT
permit ip 192.168.220.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password password
login
line aux 0
line vty 0 4
password password
login
!
!
!
end
 