Strange NAT issue

Unanswered Question

Quick summary of the problem: I have a Cisco PIX 515 that I am eliminating from the environment. We purchased a Cisco 2851 router with an HWIC Fast Ethernet card for a DMZ. The issue is, when I set up NAT, everything works EXCEPT outside connections coming inbound. I set up basic static mappings; however, when I use an IP address in our block of IPs that was not previously configured, it works. It's as if something is still holding those old IPs. We physically turned off the PIX, rebooted the routers and the ISP connection... same issue.


interface GigabitEthernet0/0
 description TWC Internet - OUTSIDE
 ip address xxx.xxx.204.50 255.255.255.224
 ip nat outside
 no shutdown
!
interface GigabitEthernet0/1
 description Network 192.100.100.0 - INSIDE
 ip address 192.100.100.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface FastEthernet0/2/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
!
! IOS takes no interface name here; "ip route outside ..." is PIX syntax
ip route 0.0.0.0 0.0.0.0 xxx.xxx.204.33
!
ip nat inside source list NONAT-NAT interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.1.3 xxx.xxx.204.35
ip nat inside source static 192.168.1.2 xxx.xxx.204.36
ip nat inside source static 192.100.100.8 xxx.xxx.204.37
ip nat inside source static 192.100.100.22 xxx.xxx.204.38
ip nat inside source static 192.100.100.53 xxx.xxx.204.39
! 192.100.1.7 is not within either "ip nat inside" subnet configured above
ip nat inside source static 192.100.1.7 xxx.xxx.204.40
!
ip access-list extended NONAT-NAT
 deny ip 192.100.100.0 0.0.0.255 192.168.150.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 192.168.150.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.13.1.0 0.0.0.255
 deny ip 192.100.100.0 0.0.0.255 10.13.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.100.100.0 0.0.0.255 any

Collin Clark Mon, 11/19/2007 - 13:57

I would look at the ARP table in each device. Do they look correct?
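Collin's suggestion, worked through as an added example that is not part of the original thread: a small Python script that reads the 2851's static NAT lines and a "show arp" dump taken on the ISP-side device, and reports which public addresses still resolve to a MAC other than the router's outside interface. The config and ARP output below are constructed from the thread's addresses (the masked "xxx.xxx" prefix replaced with 203.0.113); the two MAC addresses for the 2851 and the PIX are assumptions. Because the statics sit in the same /27 as Gi0/0, the router answers ARP for them itself ("show ip alias" lists them), so an upstream ARP entry that still points at another MAC is exactly the "something is still holding those old IPs" symptom, and it only affects addresses the PIX used to own.

```python
"""Cross-check a router's one-to-one static NAT entries against an ARP table
captured on the outside segment, flagging public addresses that still resolve
to a MAC other than the new router's (for example the retired PIX).

Added example for this thread; ROUTER_CONFIG and UPSTREAM_ARP are constructed
inputs, with the thread's masked "xxx.xxx" prefix replaced by 203.0.113 and
invented MAC addresses for the 2851 and the PIX.
"""
import ipaddress
import re

# Constructed: the NAT-relevant part of the 2851's running-config.
ROUTER_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.50 255.255.255.224
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.100.100.1 255.255.255.0
 ip nat inside
interface FastEthernet0/2/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source static 192.168.1.3 203.0.113.35
ip nat inside source static 192.168.1.2 203.0.113.36
ip nat inside source static 192.100.100.8 203.0.113.37
ip nat inside source static 192.100.100.22 203.0.113.38
ip nat inside source static 192.100.100.53 203.0.113.39
ip nat inside source static 192.100.1.7 203.0.113.40
"""

ROUTER_OUTSIDE_MAC = "0019.aa11.bb01"   # assumed MAC of the 2851's Gi0/0
RETIRED_PIX_MAC = "0050.54cc.dd02"      # assumed MAC of the old PIX outside interface

# Constructed "show arp" output as it might look on the ISP-side router.
UPSTREAM_ARP = f"""\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.33            -   0000.0c07.ac01  ARPA   FastEthernet0/1
Internet  203.0.113.50            3   {ROUTER_OUTSIDE_MAC}  ARPA   FastEthernet0/1
Internet  203.0.113.35          187   {RETIRED_PIX_MAC}  ARPA   FastEthernet0/1
Internet  203.0.113.36          190   {RETIRED_PIX_MAC}  ARPA   FastEthernet0/1
Internet  203.0.113.37           12   {ROUTER_OUTSIDE_MAC}  ARPA   FastEthernet0/1
"""

STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)\s*$", re.MULTILINE)
ARP_RE = re.compile(
    r"^Internet\s+(\S+)\s+\S+\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})",
    re.MULTILINE,
)


def parse_static_nat(config):
    """Return [(inside_local, inside_global), ...] in configuration order."""
    return STATIC_RE.findall(config)


def parse_inside_networks(config):
    """Return the subnet of every interface configured with 'ip nat inside'."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = []
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None          # a top-level command ends the interface block
    nets = []
    for block in blocks:
        if "ip nat inside" not in block:
            continue
        for cmd in block:
            m = re.match(r"ip address (\S+) (\S+)$", cmd)
            if m:
                nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    return nets


def parse_arp(show_arp):
    """Map IP -> MAC (lowercase, Cisco dotted form) from 'show arp' output."""
    return {ip: mac.lower() for ip, mac in ARP_RE.findall(show_arp)}


def audit(config, show_arp, router_mac):
    """Classify each static's public address by what the upstream ARP table says."""
    arp = parse_arp(show_arp)
    inside_nets = parse_inside_networks(config)
    report = {"ok": [], "stale": [], "unseen": [], "inside_off_nat_subnet": []}
    for inside, outside in parse_static_nat(config):
        # Inside address not on any directly connected NAT-inside subnet: it is
        # only reachable if a route through an inside interface exists.
        if not any(ipaddress.ip_address(inside) in net for net in inside_nets):
            report["inside_off_nat_subnet"].append(inside)
        mac = arp.get(outside)
        if mac is None:
            report["unseen"].append(outside)        # upstream has not ARPed for it yet
        elif mac == router_mac.lower():
            report["ok"].append(outside)
        else:
            report["stale"].append((outside, mac))  # still bound to another MAC
    return report


if __name__ == "__main__":
    for kind, entries in audit(ROUTER_CONFIG, UPSTREAM_ARP, ROUTER_OUTSIDE_MAC).items():
        print(f"{kind:>22}: {entries}")
```

Feed it the real "show running-config | include source static" output and the ISP router's "show arp" (or, if the ISP will not share it, a capture of ARP replies on the outside switch); addresses reported as stale are the ones whose upstream ARP entry has to be cleared or allowed to time out, while "unseen" ones simply have not been ARPed for yet and are expected to work once they are.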

milan.kulik Tue, 11/20/2007 - 04:33

Hi,


I'd guess rebooting the cable modem might not be enough.

What kind of device is it exactly?

Is there a router (L3 device) inside?

I can imagine that if it were only L2, there might be an ARP cache entry on the remote ISP router, still not cleared, containing your PIX MAC address.


But the default ARP cache timer is 4 hours.

Have you tried to replace the PIX in the evening and test if the router works next morning?


BR,

Milan

Well, I guess I could convince them to try this. TimeWarner Cable hands off their Internet as Ethernet. I sent a TAC request and they immediately sent a replacement router?! All I need is some ideas/suggestions as to why this is happening, not a new box. Has anyone else experienced this before?


-->ISP--->Switch--->Router--->InsideSwitch


I have powered off everything except for the InsideSwitch.

Collin Clark Tue, 11/20/2007 - 06:08

Did you clear arp on the inside switch when you put in the new router?
