NAT Routing

Status
Not open for further replies.

jasahasch

Technical User
Apr 14, 2013
4
US
Hello:

I have a Cisco 2621 router, a Cisco sf 300 switch.

The switch is configured with two VLANs. Network1 is subnetted and related to VLAN1, it makes the internet connection via a NATed Linux server acting as a router. The Linux server is connected to a Netgear router via standard 192.x.x.x address system.

I am running a sandbox test to accomplish routing via a NATed 2621 Cisco router. This is the reason for the second VLAN. I have secluded a computer to be part of the 192.168.2.0 network, the computer is connected via "inside" INT FA0/0 (192.168.2.25) and router "outside" interface to INT FA0/1 (192.168.1.254). VLAN port set under switchport mode access, belonging to VLAN-TWOY. It takes about four ports to make the connection to the internet - the same Netgear router (gateway).

With this setup, from the TWOY computer I am able to ping inside (192.168.2.25) and to the outside int fa0/1 (192.168.1.254) but unable to reach the Netgear router.

From the Cisco router I can ping the Netgear router, the inside address (192.168.2.25) and also back to TWOY computer.

This is driving me mad. I have set static routes to TWOY on the Cisco router, both interfaces are seen as Connected to direct networks 192.168.1.0 and 192.168.2.0. I have set up NAT on the Cisco router in order to translate (INT FA0/1) 192.168.1.254 > 192.168.1.25 and while it is translating the source IP correctly, I am still not able to ping Netgear from TWOY computer (I figure without NATting TWOY computer's IP address, it is hitting the Netgear as 192.168.2.0). I have enabled ip routing on Cisco router, I have set up a routing table on TWOY to include static routes to INT FA0/1 and the Netgear router.

ARP is sending the proper reply and response from INT FA0/0 and INT FA0/1 back to TWOY, no ARP from Netgear. I do not know what I am missing or overlooking.

Thank you.
 
Why are you NATting between private IPs in the first place? Just trying to understand...

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
 
Thanks for your time.

I think my troubleshooting is off a bit. I'm NATting between private IPs because I cannot figure out why I cannot get to the router from the computer. It was worth a try? LOL. Do you have any idea what I could do, either different, or do research in a new direction? I simply want to connect through the Cisco router to my Netgear router and practice all the cool Cisco stuff.

I understand the routing part, the Cisco jargon and all, the inter-relationship between switch and VLAN and routing protocol and routers. I have just about gone through everything I can think of to overcome the problem of why I fail when pinging across the router's two interfaces, and yet from the router go in any direction completely. I should be able to with simple router and switch configs, but I haven't been able to. I am out of ideas or I don't have the complete idea in the first place.
 
Post a sh run. Also, say if they were all Cisco...

2620a---2620b---2620c---2620d

you'd have ip nat out on the outside interface and ip nat inside on all inside interfaces, i.e. inside and outside interfaces on a, b, c and inside on d

but I would simply NAT only on the outside to xlate public to private, and statics between all privates

 
Thanks:

This is the router config. The switch is set to wide open; I have removed that from the equation ...

I have tried just static routing and it did not work either ... I get your point, how do you know what IP is the correct WAN address to NAT? How would I get that information to be sure I am going to the right place?

!
!
!
interface FastEthernet0/0
 description Inside Nat
 ip address 192.168.2.25 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Outside Nat
 ip address 192.168.1.125 255.255.255.0
 ip access-group 199 in
 ip access-group 199 out
 ip nat outside
 duplex auto
 speed auto
!
ip nat pool test 192.168.2.20 192.168.2.20 prefix-length 24
ip nat inside source list 10 pool test overload
ip classless
ip route 192.168.1.1 255.255.255.255 FastEthernet0/1
ip route 192.168.2.1 255.255.255.255 FastEthernet0/0
ip http server
!
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 199 permit ip any any
access-list 177 permit icmp any any
!
!
end


I have included a copy of ip sh routes

Gateway of last resort is not set

192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
S 192.168.1.1/32 is directly connected, FastEthernet0/1
C 192.168.1.0/24 is directly connected, FastEthernet0/1
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, FastEthernet0/0
S 192.168.2.1/32 is directly connected, FastEthernet0/0

Regards
 
With acl 199, it's doing nothing...don't need it unless you have it tied to some PBR, CBAC etc that we're not seeing.

You have a static route pointing to an address the router should know how to get to by virtue of being directly connected

Also, there is this: Gateway of last resort is not set

You need to fix the last item at least...ip route 0.0.0.0 0.0.0.0 next hop, etc.

 
Thanks for your help. I'll add the ip route 0.0.0.0 to set gateway of last resort.

Could you tell me how to find the correct WAN IP address to NAT towards?

Regards

 
Your WAN is not DHCP? i.e. it won't inject a default route?
If not, use the interface ... so ip route 0.0.0.0 0.0.0.0 interface XXXX

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
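
Added example (not code from the thread or its posters): a small Python audit of the configuration posted above, checking the three points raised in the replies: an applied ACL that permits everything, static host routes inside directly connected networks, and a missing default route. The function name `audit` and the wording of the findings are constructed for this example.

```python
import ipaddress
import re

# Interface, route and ACL lines from the configuration posted in the thread.
POSTED_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.2.25 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 192.168.1.125 255.255.255.0
 ip access-group 199 in
 ip access-group 199 out
 ip nat outside
ip route 192.168.1.1 255.255.255.255 FastEthernet0/1
ip route 192.168.2.1 255.255.255.255 FastEthernet0/0
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 199 permit ip any any
access-list 177 permit icmp any any
"""

def audit(config):
    """Return findings for the three points raised in the replies."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    connected, routes, acls, applied = [], [], {}, set()
    for l in lines:
        if m := re.match(r"ip address (\S+) (\S+)$", l):
            connected.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", l):
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]))
        elif m := re.match(r"access-list (\d+) (.+)", l):
            acls.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"ip access-group (\S+) (?:in|out)$", l):
            applied.add(m[1])
    findings = []
    for acl in sorted(applied):
        if acls.get(acl) == ["permit ip any any"]:
            findings.append(f"acl {acl}: applied but permits everything")
    for net, via in routes:
        if net.prefixlen and any(net.subnet_of(c) for c in connected):
            findings.append(f"route {net} via {via}: already covered by a connected network")
    if not any(net.prefixlen == 0 for net, _ in routes):
        findings.append("no default route: gateway of last resort is not set")
    return findings

if __name__ == "__main__":
    for finding in audit(POSTED_CONFIG):
        print(finding)
```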
 