Cisco Router as a Gateway

Status
Not open for further replies.

ITbeast

IS-IT--Management
Jul 25, 2006
67
US
I have a Cisco 851 router that I would like to use as my gateway. I can get to the point where it uses DHCP to obtain an address from the modem and can ping externally from the router. But I can't seem to get the routing set up correctly because I can't ping externally from my laptop.

Basically I will have a public address on the fa4 interface. Then I want an internal network of 10.1.1.0 /24 on interfaces fa0 - fa3

Do I have to set up a routing protocol such as RIP or EIGRP? Or do I have to set up static routes that specify a default gateway? I'm guessing I have to setup NAT, but I'm not sure about that either.
 
router(config)#ip route 0.0.0.0 0.0.0.0 fa4
router(config)#ip nat inside source list 1 protocol ip permit
router(config)#access-list 1 permit 10.1.1.0 0.0.0.255
router(config)#int fa4 (if this is the outside interface)
router(config-if)#ip nat outside
router(config-if)#exit
router(config)#int fa1
router(config-if)#ip nat inside
and do the ip nat inside for int fa2 and fa3 as well---what kind of connection is it to the internet? Also, only do NAT in the router if the modem does NOT nat...

Burt
 
Thanks for the reply burtsbees. The second command that you gave gives me an error.

If I do: ip nat inside source list 1 ?

it says my two options are interface or pool



I'm not sure what that command is doing.
 
This is what I get with those commands:

costanza(config)#ip route 0.0.0.0 0.0.0.0 fa4
costanza(config)#ip nat inside source list 1 int fa4 overload
costanza(config)#access-list 1 permit 10.1.1.0 0.0.0.255
costanza(config)#int fa4
costanza(config-if)#ip nat outside
%NAT: Error activating CNBAR on the interface FastEthernet4
costanza(config-if)#


How do I setup fa0-fa3 to communicate with 10.1.1.0 /24 devices?
 
is this dsl or cable?
if dsl, is your modem in bridged or router mode?


the above document says that fa0-fa3 are going to reside in vlan1 so you should put an ip in that subnet that you wish the vlan to be in and then i think your communication will work fine as those will be switch ports not routed ports.

so ip nat inside goes on the vlan interface.
ip nat outside should go on your fa4
 
Actually it's on an internal network at the moment. I'm doing testing before I replace the current gateway I have. So really the external port is just plugged into the network and I have a default gw that specifies our current router (linux server)


I did assign vlan 1 an ip address and activated the port. I can now communicate between my laptop and the router.

I'm guessing I'll have to set up some static routes so I can ping outside the LAN I created.

router ip: 192.168.2.1 /24
laptop ip: 192.168.2.3 /24

from laptop:
ping 192.168.2.1 Success
ping google.com Fail
 
Here's my config btw:

Using 1026 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname costanza
!
boot-start-marker
boot-end-marker
!
enable password XXXXX
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
!
!
ip cef
ip name-server 10.200.0.254
!
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description External ethernet adapter
ip address 10.200.0.130 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.200.0.254
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password XXXXXXX
login
!
scheduler max-task-time 5000
end

 
so did all of those nat commands take?
does fa4 have ip nat outside
and vlan1 have ip nat inside?

you might have to post your config now...
 
Nope, the nat commands didn't take. That config I just posted is my most current one. If I try the commands, this is the output:

costanza(config-if)#ip nat outside
%NAT: Error activating CNBAR on the interface FastEthernet4
costanza(config)#int fa0
costanza(config-if)#ip nat inside
^
% Invalid input detected at '^' marker.


 
Your config shows that ip nat outside is on fa4...

interface FastEthernet4
description External ethernet adapter
ip address 10.200.0.130 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

Burt
 
Ahh, you are correct. This is interesting because I actually cleared my configuration and started over. Then the first time I used the "ip nat outside" command it gave an error. It must have accepted it though.

 
so are you saying on the vlan1 interface it doesn't need this configuration:

ip nat inside source list 1 interface FastEthernet4 overload
 
Hello ITbeast
These new series 800 are a bit tricky with the built in switch. I haven't got the chance to configure one as yet, but the idea is the same.
First find your WAN port! I think it is Fastethernet0. So you should put your modem here, and use the "ip nat outside" on your WAN interface. Then configure the fastethernet1 with a LAN address and use the ip nat inside command.
Regards
 
ip nat inside source list 1 interface FastEthernet4 overload

is a global config command

you need to tell the router though what your internal and external interfaces are for the nat process to work.

that command above is needed to allow your clients to get out..
 
Hello
Just did some reading up! Looks like Fastethernet4 is the WAN interface. So ip outside nat is fine here, did find much on the error.
It also seems that Fa0-fa3 are level 2 switch ports. So, as plshlpme has said, the "ip nat inside" goes under "interface vlan 1". As I said before these new routers are tricky.
Regards
 
thanks for the responses. indeed this router is tricky. i believe i have the correct setup, but still can't ping outside when connected to fa0. pings from the router work, and pings from laptop to router (192.168.2.1) work, but it's not passing through


Using 1026 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname costanza
!
boot-start-marker
boot-end-marker
!
enable password xxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
!
!
ip cef
ip name-server 10.200.0.254
!
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description External ethernet adapter
ip address 10.200.0.130 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.200.0.254
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password xxxxx
login
!
scheduler max-task-time 5000
end
 
In order to truly test NAT, you must have a public IP address on the outside interface. 10.200.0.130 255.255.255.0 is a private IP address. Since the Linux box is probably doing the NAT, this won't work anyway. Also, VLAN 1 has an IP address of 192.168.2.1/24, and your NAT statement allows 10.1.1.0/24, which is nowhere in the configuration of the router.

Burt
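
The mismatch pointed out in the post above (a NAT source list that permits 10.1.1.0/24 while Vlan1 sits in 192.168.2.0/24, and no interface marked as NAT inside) can be checked mechanically. The following is an added example, not code from any poster in this thread; the function name `audit_nat` and the trimmed sample config are constructed for illustration, and the parser assumes full interface names as they appear in show-run output.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the running-config posted above.
SAMPLE = """\
interface FastEthernet4
 ip address 10.200.0.130 255.255.255.0
 ip nat outside
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
!
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 10.1.1.0 0.0.0.255
"""

def audit_nat(config):
    """Return findings where NAT roles and the NAT source ACL disagree with the interfaces."""
    ifaces, acls, nat_rules, cur = {}, {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"net": None, "nat": None})
        elif line == "!":
            cur = None  # "!" closes the interface block in show-run output
        elif cur is not None and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif cur is not None and line in ("ip nat inside", "ip nat outside"):
            cur["nat"] = line.split()[-1]
        elif m := re.fullmatch(r"ip nat inside source list (\d+) interface (\S+)( overload)?", line):
            nat_rules.append((m[1], m[2]))
        elif m := re.fullmatch(r"access-list (\d+) permit (\S+) (\S+)", line):
            # ipaddress accepts the IOS wildcard (host mask) form, e.g. 10.1.1.0/0.0.0.255
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
    findings = []
    if not any(i["nat"] == "inside" for i in ifaces.values()):
        findings.append("no interface carries 'ip nat inside'")
    for acl, out_if in nat_rules:
        if ifaces.get(out_if, {}).get("nat") != "outside":
            findings.append(f"{out_if} is used for overload but lacks 'ip nat outside'")
        for name, i in ifaces.items():
            if i["nat"] == "outside" or i["net"] is None:
                continue  # only addressed LAN-side interfaces need to match the ACL
            if not any(i["net"].subnet_of(n) for n in acls.get(acl, [])):
                findings.append(f"access-list {acl} does not permit {name} subnet {i['net']}")
    return findings

if __name__ == "__main__":
    for finding in audit_nat(SAMPLE):
        print("FINDING:", finding)
```

Run against the sample, it reports both gaps; a config with `ip nat inside` on Vlan1 and an ACL entry covering 192.168.2.0/24 returns no findings.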
 
so basically you're telling me that I can't use a cisco router to segment my network? it's not possible to have two totally different subnets and use a cisco router to allow them to inter-operate?

yeah, i noticed that nat statement. not sure how to get rid of it once i mistyped it. "no access-list 1 permit 10.1.1.0 0.0.0.255" doesn't get rid of it.
 