Cisco cannot route externally - Blonde tech needs help :)


fonegirl

Technical User
Jan 30, 2002
39
US
I can ping the ISP gateway and the nameservers. If I select the source interface as 10.1.1.1 I can ping, but in general none of the clients can ping or surf external addresses.

Here is the config - appreciate any suggestions

boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret
enable password
!
clock timezone GMT 0
no aaa new-model
ip subnet-zero
!
!
ip name-server 207.230.75.34
ip name-server 207.230.75.50
!
no ip bootp server
!
!
!
!
interface Loopback0
no ip address
!
interface Ethernet0/0
description internal 1ix network
ip address 10.0.0.1 255.255.255.0 secondary
ip address 97.xxx.xxx.129 255.255.255.224
ip access-group Outbound-Rules in
ip access-group Inbound-Rules out
ip nat inside
full-duplex
!
interface Serial0/0
description link to isp
no ip address
encapsulation frame-relay
fair-queue
service-module t1 timeslots 1-24
cdp enable
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
description internal network
ip address 10.xxx.xxx.162 255.255.255.252
ip nat outside
frame-relay interface-dlci 100 IETF
!
interface Ethernet1/0
no ip address
no ip redirects
shutdown
half-duplex
no cdp enable
!
interface Ethernet1/1
no ip address
no ip redirects
shutdown
half-duplex
no cdp enable
!
interface Ethernet1/2
no ip address
shutdown
half-duplex
!
interface Ethernet1/3
no ip address
shutdown
half-duplex
!
ip nat inside source list 10 interface Serial0/0.1 overload
ip nat inside source static 10.0.0.1 97.xxx.xxx.129
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 10.xxx.xxx.161
!
!
!
ip access-list extended Inbound-Rules
permit tcp any any eq smtp
permit tcp any any eq 22
permit tcp any any eq 47
permit tcp any any eq 50
permit tcp any any eq pop3
permit tcp any any eq 123
permit tcp any any eq 143
permit tcp any any eq 220
permit tcp any any eq 443
permit tcp any any eq 444
permit tcp any any eq 1025
permit tcp any any eq 1701
permit tcp any any eq 1723
permit tcp any any eq 3389
permit tcp any any eq 4125
permit tcp any any eq 4500
permit tcp any any eq 5631
permit tcp any any eq 5632
permit tcp any any eq 6001
permit icmp any any
permit tcp any any eq www
ip access-list extended Outbound-Rules
permit ip any any
access-list 10 permit 10.0.0.0 0.0.0.255
 
int s0/0
ip nat inside
ip nat inside source list 10 int s0/0 overload

Not on the subinterface, but the physical interface. If this does not work, then remove the extended acl Inbound-Rules from int e0/0.

Burt
 
Do you think your inbound access-list may be blocking traffic destined for your LAN?
Maybe add a deny ip any any log to the end of it, or remove it and see if your traffic starts to flow.
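The suspicion in the reply above is worth seeing concretely. Inbound-Rules is applied `out` on Ethernet0/0, so it filters traffic heading from the WAN toward the LAN, and every line permits by destination port only. A reply to a LAN client's web session has destination port = the client's ephemeral port, so it falls through to the implicit deny (and with no UDP line at all, DNS replies are dropped too). The Python below is an added example, not code from this thread or from Cisco: it replays constructed packets through a stateless ACL parsed from the same syntax, first as posted and then with the classic `established` line added. It assumes rules of the shape `permit <proto> any any [eq <port>] [established]`; source/destination matching beyond `any any` is not modelled.

```python
"""Replay packets through a stateless IOS-style extended ACL (added example).

Assumptions: every rule uses 'any any' for source/destination (the shape of the
Inbound-Rules list in the thread); only protocol, destination port and the
'established' keyword are evaluated.  All packets below are constructed test data.
"""
from dataclasses import dataclass
from typing import List, Optional

# Port names IOS accepts after 'eq'; only the ones the thread's ACL uses are listed
WELL_KNOWN_PORTS = {"www": 80, "smtp": 25, "pop3": 110}


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False    # TCP ACK or RST bit set; this is all 'established' tests


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (matches everything)
    dport: Optional[int] = None  # None means any destination port
    established: bool = False


def parse_acl(text: str) -> List[Rule]:
    """Parse 'permit|deny <proto> any any [eq <port>] [established]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "!"):   # header line or comment
            continue
        action, proto = tokens[0], tokens[1]
        rest = tokens[4:]                            # everything after 'any any'
        dport = None
        established = False
        if rest and rest[0] == "eq":
            dport = WELL_KNOWN_PORTS.get(rest[1]) or int(rest[1])
            rest = rest[2:]
        if rest and rest[0] == "established":
            established = True
        rules.append(Rule(action, proto, dport, established))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        if r.established and not pkt.ack:
            continue
        return r.action
    return "deny"


def decide(acl_text: str, pkt: Packet) -> str:
    return evaluate(parse_acl(acl_text), pkt)


# The thread's Inbound-Rules list, applied 'out' on the LAN interface (abridged)
INBOUND_RULES = """
ip access-list extended Inbound-Rules
permit tcp any any eq smtp
permit tcp any any eq 22
permit tcp any any eq pop3
permit tcp any any eq 443
permit tcp any any eq 3389
permit icmp any any
permit tcp any any eq www
"""

# Same list plus the stateless fix: let replies to LAN-initiated TCP sessions through
INBOUND_RULES_FIXED = INBOUND_RULES + "permit tcp any any established\n"

# Constructed traffic; 203.0.113.10 is a TEST-NET-3 address standing in for a web server
HTTP_REPLY = Packet("tcp", "203.0.113.10", "10.0.0.50", sport=80, dport=49152, ack=True)
UNSOLICITED_SYN = Packet("tcp", "203.0.113.10", "10.0.0.50", sport=40000, dport=49152)
INBOUND_SSH = Packet("tcp", "203.0.113.10", "10.0.0.50", sport=40000, dport=22)
PING_REPLY = Packet("icmp", "203.0.113.10", "10.0.0.50")

if __name__ == "__main__":
    for name, acl in (("as posted", INBOUND_RULES), ("with established", INBOUND_RULES_FIXED)):
        print(name)
        for label, pkt in (("HTTP reply to LAN client", HTTP_REPLY),
                           ("unsolicited SYN to client", UNSOLICITED_SYN),
                           ("inbound SSH", INBOUND_SSH),
                           ("ping reply", PING_REPLY)):
            print(f"  {label:26} -> {decide(acl, pkt)}")
```

Running it shows the HTTP reply denied by the list as posted and permitted once `established` is present, while an unsolicited SYN to the same client port is still denied. Two caveats a reviewer would raise: `established` only inspects flag bits, so it is a weaker control than stateful inspection (reflexive ACLs or CBAC/zone-based firewall), and it does nothing for UDP, so the clients' DNS replies need their own treatment.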
 
Thanks for your replies.

When I put the statement 'ip nat outside' on the s0/0 I can't ping out at all. I also removed the Inbound Access Rules. With the ip nat outside statement on s0/0.1 I can do the following:

ix_colo#ping
Protocol [ip]:
Target IP address: 69.147.114.210
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 69.147.114.210, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms
 
Your setup is strange---looks backwards...you have a public IP address on the LAN interface and a private IP address on the WAN interface...please explain your topology.

Burt
 
We have a T-1 from our ISP that comes right from the smartjack and plugs into the CSU/DSU WIC (I am calling that Serial 0/0). Then I have a cable plugged into Ethernet0/0 and connected to our internal network via a switch.

The ISP's gateway is 10.4.xx.161 - Do I have it setup backwards?

I static mapped an internal address to 97.xxx.xxx.130 and I can access that remotely. I still can't browse or ping out though.

 
So s0/0 is ip nat outside
and e0/0 is ip nat inside.

I guess ---

interface Serial0/0.1 point-to-point
description internal network

The description is throwing people off, since that is a WAN link, not an internal link...

So put your NAT statements back. If you can ping the internet, NAT is working.
Did you try to remove the access-list on e0/0?
 
Sorry - when I cleaned up the text to hide my IP addresses I must have mixed it up.

Here is the interface config:
interface Ethernet0/0
description internal 1ix network
ip address 10.xxx.xxx.1 255.255.255.0 secondary
ip address 97.xxx.xxx.129 255.255.255.224
ip access-group Outbound-Rules in
ip nat inside
full-duplex
!
interface Serial0/0
description link to deltacom
no ip address
encapsulation frame-relay
fair-queue
service-module t1 timeslots 1-24
cdp enable
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
description 1ix
ip address 10.4.xxx.162 255.255.255.252
ip nat outside
frame-relay interface-dlci 100 IETF

And yes - as you can see from above I took off the Inbound Rules.

Are my routes correct?:
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 10.4.xxx.161
 
10.4.xxx.162---is this NOT a private IP, or am I having a serious brainfart???
Private IP to private IP does NOT need to NAT!

Burt
 
That is the Deltacom ISP gateway IP. Do I have something backwards?
 
Here is what I don't understand...
interface Ethernet0/0
description internal 1ix network
ip address 10.0.0.1 255.255.255.0 secondary
ip address 97.xxx.xxx.129 255.255.255.224
ip access-group Outbound-Rules in
ip access-group Inbound-Rules out
ip nat inside
full-duplex
What's with the ip address of 97.x.x.129? That's on the inside interface, and this is the INSIDE network, the LAN...right? A public IP address usually goes on the outside interface...what is this address?
Also, 10.4.xxx.162 is a private IP address---your internal network can only communicate with this address without NAT. But first, please explain the 97.x.x.x address...we'll work from there and get this thing working. Just because I have never seen a setup like this does not mean that it won't work...
My guess is that 97.x.x.x is a public IP so that users from the outside can hit a webserver from the outside or something...right???

Burt
 
Burt -
Yes, the 97.xxx.xxx.xxx is the public static IP address we have been assigned. We have a block of 32.

Deltacom sales told me that 97.xxx.xxx.129 is our gateway and first public is .130

Deltacom sent me this configuration and that is why it is done this way.

Should the ethernet 0/0 have only one address of 10.1.1.1 for our internal network (no secondary) and the Serial0/0 have the 97.xxx.xxx.129 for our gateway?

Should the IP route still point to the Deltacom internal 10.4.97.161?

Thanks for your help.
 
I'm not familiar with the Deltacom box...does it have an inside network address and an outside network address?
I'm guessing that the secondary IP should just be the IP address, and I'm also thinking the 97.x.x.x is already on the Deltacom box. Therefore, NAT is not needed at all. Is this how it is?
Also, if this is how it is, and you have a DMZ, then static NAT can be configured to get to the servers from the outside. Let me know...

Burt
 
Hello
I have seen your kind of config before. Some ISPs use this method. I have never understood the real reason why.
Anyway, I think you will have to NAT the public address for the clients to get outside.
I will try to find something more on this and let you know.
Regards
 
Also your default route should be

ip route 0.0.0.0 0.0.0.0 Serial0/0.1
or
ip route 0.0.0.0 0.0.0.0 10.4.xxx.161


Regards
 
So the picture is a little clearer now, and as minue says, you will likely have to use your public address range to get to the net.

So you'll need to create a NAT pool, something like this:

You can change the WAN pool to whatever name you want, and you don't need to put all of the addresses into the pool if you don't want to either.

no ip route 0.0.0.0 0.0.0.0 Serial0/0

ip nat pool WAN 97.xxx.xxx.129 97.xxx.xxx.158 prefix-length 27

no ip nat inside source list 10 interface Serial0/0.1 overload
ip nat inside source list 10 pool WAN overload

Try that.
 
The static route
ip route 0.0.0.0 0.0.0.0 s0/0 10.4.xxx.161
works best, in my opinion---the interface won't have to do the ARP thing...

Burt
 
I have made some changes based on all suggestions, and it works!! Thanks for all of your input and sticking with me.

FYI, here is the current config:
ip name-server 207.230.75.34
ip name-server 207.230.75.50
!
no ip bootp server
!
!
!
!
interface Loopback0
no ip address
!
interface Ethernet0/0
description internal 1ix network
ip address 10.1.1.1 255.255.255.0 secondary
ip address 97.xxx.xxx.129 255.255.255.224
ip access-group Outbound-Rules in
ip nat inside
full-duplex
!
interface Serial0/0
description link to deltacom
no ip address
encapsulation frame-relay
fair-queue
service-module t1 timeslots 1-24
cdp enable
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
description Deltacom connection
ip address 10.4.97.162 255.255.255.252
ip nat outside
frame-relay interface-dlci 100 IETF
!
interface Ethernet1/0
no ip address
no ip redirects
shutdown
half-duplex
no cdp enable
!
interface Ethernet1/1
no ip address
no ip redirects
shutdown
half-duplex
no cdp enable
!
interface Ethernet1/2
no ip address
shutdown
half-duplex
!
interface Ethernet1/3
no ip address
shutdown
half-duplex
!
ip nat pool WAN 97.xxx.xxx.130 97.xxx.xxx.130 prefix-length 27
ip nat inside source list 10 pool WAN overload
ip nat inside source static 10.1.1.1 97.xxx.xxx.129
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.4.97.161
!
!
!
ip access-list extended Outbound-Rules
permit ip any any
access-list 10 permit 10.1.1.0 0.0.0.255
dialer-list 1 protocol ip permit
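The working config above is the end of a thread whose confusion came from three relationships that have to line up: which interfaces are `ip nat inside` and `ip nat outside`, whether the standard ACL named in `ip nat inside source list` actually covers the inside subnet, and whether the default route's next hop sits on a connected subnet. The Python below is an added example, not code from this thread or from Cisco, that parses a `show running-config` style text and checks exactly those three things. The sample configs are constructed from the final config above, with the masked public block (97.xxx.xxx.x/27) replaced by the TEST-NET-3 placeholder 203.0.113.128/27; the second sample deliberately reintroduces an ACL/subnet mismatch and a mistyped next hop so the linter has something to report.

```python
"""Lint NAT and default-route relationships in an IOS running-config (added example).

Checks: an 'ip nat inside' and an 'ip nat outside' interface exist; every standard ACL
named by 'ip nat inside source list' overlaps an inside subnet; every default-route next
hop lies on a connected subnet.  The configs at the bottom are constructed test data.
"""
import ipaddress
import re
from typing import Dict, List


def parse_config(text: str) -> Dict:
    ifaces: Dict[str, Dict] = {}
    nat_acls: List[str] = []
    std_acls: Dict[str, List] = {}
    default_hops: List = []
    cur = None                                    # interface block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                           # IOS separates config blocks with '!'
            cur = None
            continue
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {"addrs": [], "nat": None}
            continue
        if cur is not None:                       # statements under an interface
            m = re.match(r"ip address (\S+) (\S+)", line)  # 'secondary' suffix is harmless
            if m:
                ifaces[cur]["addrs"].append(ipaddress.ip_interface(f"{m[1]}/{m[2]}"))
            elif line in ("ip nat inside", "ip nat outside"):
                ifaces[cur]["nat"] = line.split()[-1]
            continue
        m = re.match(r"ip nat inside source list (\S+)", line)
        if m:
            nat_acls.append(m[1])
            continue
        m = re.match(r"access-list (\S+) permit (\S+)(?: (\S+))?", line)
        if m:                                     # standard ACL: net wildcard | host a.b.c.d | any
            if m[2] == "any":
                net = ipaddress.ip_network("0.0.0.0/0")
            elif m[2] == "host" or m[3] is None:
                net = ipaddress.ip_network(f"{m[3] or m[2]}/32")
            else:
                net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)  # wildcard mask
            std_acls.setdefault(m[1], []).append(net)
            continue
        if line.startswith("ip route 0.0.0.0 0.0.0.0"):
            for tok in line.split()[4:]:          # interface names and metrics are skipped
                try:
                    default_hops.append(ipaddress.ip_address(tok))
                except ValueError:
                    pass
    return {"ifaces": ifaces, "nat_acls": nat_acls, "std_acls": std_acls,
            "default_hops": default_hops}


def lint(text: str) -> List[str]:
    cfg = parse_config(text)
    findings: List[str] = []
    inside = [n for n, i in cfg["ifaces"].items() if i["nat"] == "inside"]
    if not inside:
        findings.append("no interface is marked 'ip nat inside'")
    if not any(i["nat"] == "outside" for i in cfg["ifaces"].values()):
        findings.append("no interface is marked 'ip nat outside'")
    inside_nets = [a.network for n in inside for a in cfg["ifaces"][n]["addrs"]]
    for acl in cfg["nat_acls"]:
        nets = cfg["std_acls"].get(acl)
        if nets is None:
            findings.append(f"NAT references access-list {acl}, which is not defined")
            continue
        for net in nets:
            if not any(net.overlaps(inet) for inet in inside_nets):
                findings.append(f"access-list {acl} permits {net}, "
                                f"which matches no 'ip nat inside' subnet")
    connected = [a.network for i in cfg["ifaces"].values() for a in i["addrs"]]
    for hop in cfg["default_hops"]:
        if not any(hop in n for n in connected):
            findings.append(f"default route next hop {hop} is not on any connected subnet")
    return findings


# Constructed from the thread's final config; 203.0.113.128/27 stands in for 97.xxx.xxx.128/27
FINAL_CONFIG = """
interface Ethernet0/0
description internal 1ix network
ip address 10.1.1.1 255.255.255.0 secondary
ip address 203.0.113.129 255.255.255.224
ip access-group Outbound-Rules in
ip nat inside
!
interface Serial0/0
description link to deltacom
no ip address
encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
description Deltacom connection
ip address 10.4.97.162 255.255.255.252
ip nat outside
frame-relay interface-dlci 100 IETF
!
ip nat pool WAN 203.0.113.130 203.0.113.130 prefix-length 27
ip nat inside source list 10 pool WAN overload
ip nat inside source static 10.1.1.1 203.0.113.129
ip route 0.0.0.0 0.0.0.0 10.4.97.161
!
access-list 10 permit 10.1.1.0 0.0.0.255
"""

# Constructed variant: NAT ACL still names the old 10.0.0.0/24 LAN and the next hop is mistyped
MISMATCHED_CONFIG = (FINAL_CONFIG
                     .replace("permit 10.1.1.0 0.0.0.255", "permit 10.0.0.0 0.0.0.255")
                     .replace("0.0.0.0 10.4.97.161", "0.0.0.0 10.4.98.161"))

if __name__ == "__main__":
    for name, cfg in (("final config", FINAL_CONFIG), ("mismatched config", MISMATCHED_CONFIG)):
        print(f"{name}: {lint(cfg) or ['no findings']}")
```

The linter is deliberately narrow: it does not evaluate the NAT pool, the static mapping, or the extended ACLs, only the three relationships that decide whether LAN hosts get translated and forwarded at all. It is the kind of check worth running over a sanitised config before posting it, since address masking is how the first config in this thread ended up looking inconsistent.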
 
Very impressed with the knowledge displayed here and the willingness to help each other. I am beginning my CCNA studies and reading this thread has me pumped up.
 