Strange NAT issue

jfinley · ‎11-19-2007

Quick Summary of a problem: I have a Cisco PIX 515 that I am eliminating from the environment. We purchased a Cisco 2851 Router with a HWIC Fast Ethernet card for a DMZ. Issue is, when I setup nat, everything works EXCEPT outside connections coming inbound. I setup basic static mappings however, when I use an IP address in our block of IP's that was not previously configured, it works. It's as if something is still holding those old IP's. We physically turned off the PIX, rebooted the Routers, ISP connection...same issue.

interface gigabit 0/0

description TWC Internet - OUTSIDE

ip address xxx.xxx.204.50 255.255.255.224

ip nat outside

no shut

!

interface gigabit 0/1

description Network 192.100.100.0 - INSIDE

ip address 192.100.100.1 255.255.255.0

ip nat inside

no shut

!

interface fastethernet 0/2/0

ip address 192.168.1.1 255.255.255.0

ip nat inside

no shut

!

ip route outside 0.0.0.0 0.0.0.0 xxx.xxx.204.33

!

ip nat inside source list NONAT-NAT interface gigabit 0/0 overload

ip nat inside source static 192.168.1.3 xxx.xxx.204.35

ip nat inside source static 192.168.1.2 xxx.xxx.204.36

ip nat inside source static 192.100.100.8 xxx.xxx.204.37

ip nat inside source static 192.100.100.22 xxx.xxx.204.38

ip nat inside source static 192.100.100.53 xxx.xxx.204.39

ip nat inside source static 192.100.1.7 xxx.xxx.204.40

!

ip access-list extended NONAT-NAT

deny ip 192.100.100.0 0.0.0.255 192.168.150.0 0.0.0.255

deny ip 192.168.1.0 0.0.0.255 192.168.150.0 0.0.0.255

deny ip 192.168.1.0 0.0.0.255 10.13.1.0 0.0.0.255

deny ip 192.100.100.0 0.0.0.255 10.13.1.0 0.0.0.255

permit ip 192.168.1.0 0.0.0.255 any

permit ip 192.100.100.0 0.0.0.255 any

Collin Clark · ‎11-19-2007

I would look at the ARP table in each device. Do they look correct?

jfinley · ‎11-19-2007

Well, I rebooted every device except for the switches in the inside, but I don't see why this would occur after 2 separate attempts to do this.

ISP CableModem-->transparent bridge-->Cisco Router-->Inside

Before someone suggests removing the bridge, I had this issue before implementing it also.

milan.kulik · ‎11-20-2007

Hi,

I'd guess rebooting the cable modem might not be enough.

What kind of device is it exactly?

Is there a router (L3 device) inside?

I can imagine if it were only L2, there might be an ARP cache still not cleared on the remote ISP router containing your PIX MAC address.

But the default ARP cache timer is 4 hours.

Have you tried to replace the PIX in the evening and test if the router works next morning?

BR,

Milan

jfinley · ‎11-20-2007

well, I guess I could convince them to try this. TimeWarner cable hands off their Internet as Ethernet. I sent a TAC request and they immediately sent a replacement router?!?!?! All I need is some ideas/suggestions of why this is happening, not a new box. Has anyone else experienced this before?

-->ISP--->Switch--->Router--->InsideSwitch

I have powered off everything except for the InsideSwitch.

Collin Clark · ‎11-20-2007

Did you clear arp on the inside switch when you put in the new router?

jfinley · ‎11-20-2007

No I did not clear it. They have unmanaged switches on the inside (3Com 24 ports, yeah I know). I will attempt to have them recycle the power on those also. Seems this is the sentiment, arp cache?