NAT Troubles

Unanswered Question
Mar 13th, 2008

Hello everyone,


Thank you for looking at this post. I have a bit of an issue that I cannot figure out.


I am attempting to set up a NAT configuration for an Internet provider, but something is going on. I have changed the IPs below so they are not those of the actual provider.


FA0/0 is set to ip nat inside and Mult1 is set to ip nat outside (three T1s multilinked together).


I have set up FA0/0 with a secondary address of 192.168.5.1/24.


The range for NAT is 1.1.1.248 - 254 with a /30 subnet. I have tried both with an overload configuration and without an overload.


When I do a sh ip nat trans on the router, I can see where a user 192.168.5.2 is translated to the first IP, 1.1.1.248. However, the user is not able to get to the Internet. They can ping actual IP addresses, but anything requiring a DNS lookup doesn't appear to be working.


The DNS server is working, however. The user does an nslookup and gets to their DNS server and can do lookups.


Here is some more information:


The provider has two Class C ranges:

1.1.1.0/24

2.1.1.0/24


FA0/0 is set with the following IPs:

2.1.1.1/24

1.1.1.1/24 secondary

192.168.5.1/24 secondary

192.168.6.1/24 secondary


IP access list 1 is set to permit 192.168.5.0 0.0.0.255


DNS servers are 2.1.1.3 and 2.1.1.4


When the user sets their IP to 192.168.5.2, they can ping anything in the 2.1.1.0/24 and 1.1.1.0/24 ranges without any problem, as well as the 192.168.5.0/24 range.


The provider has current users set up with static IPs in the 1.1.1.0/24 network range up until the NAT pool listed above. There are also static IP users in the 2.1.1.0/24 network.


NAT settings:

timeout 300

tcp-timeout 300

finrst-timeout 300

dns-timeout 300



I am completely at a loss as to what is going on, because I have looked through several other NAT resources to no avail. The user can ping and traceroute to IP addresses on the Internet, but not to DNS names, although DNS lookups are working without any problem.


Thank you!

Brian S.

lamav Thu, 03/13/2008 - 11:09

Brian:


It would be nice to see the actual configs. However, I did notice one thing. If you want your NAT pool to span 1.1.1.248 - .254, the subnet mask you should be using is /29, not /30.


I am wondering if this one user has a browser configuration that uses a proxy server or a configuration script that is overriding the manual settings. Yes, he is successful when he tries to access Internet addresses from a DOS screen (nslookup), but when doing so with the browser, it seems to be failing. I would like to see another user get on the network and run some tests with him.


Have you tried telnetting to an Internet address on port 80 to see if the connection goes through?


example: PC DOS PROMPT> telnet 69.147.114.210 80


This is what I can think of so far. I hope this can help you.


Victor

vitaltouch Thu, 03/13/2008 - 12:21

Thank you for the reply, Victor.


Yes, it was my mistake with the subnet mask. I was one off and it is 29 bits; 255.255.255.248 is the mask.


The NAT pool is 1.1.1.249 - 254 as well.


So you do believe that the config is set up correctly, then. Here is a copy of the config, with pertinent information changed.


hostname
!
enable secret 5
!
ip subnet-zero
!
!
ip name-server 2.1.1.3
!
!
!
!
interface Multilink1
 ip address 2.112.69.166 255.255.255.252
 ip nat outside
 no cdp enable
 ppp multilink
 no ppp multilink fragmentation
 multilink-group 1
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0 secondary
 ip address 192.168.32.1 255.255.255.0 secondary
 ip address 192.168.33.1 255.255.255.0 secondary
 ip address 192.168.34.1 255.255.255.0 secondary
 ip address 192.168.35.1 255.255.255.0 secondary
 ip address 192.168.36.1 255.255.255.0 secondary
 ip address 192.168.37.1 255.255.255.0 secondary
 ip address 192.168.38.1 255.255.255.0 secondary
 ip address 192.168.39.1 255.255.255.0 secondary
 ip address 192.168.40.1 255.255.255.0 secondary
 ip address 192.168.41.1 255.255.255.0 secondary
 ip address 192.168.42.1 255.255.255.0 secondary
 ip address 192.168.43.1 255.255.255.0 secondary
 ip address 192.168.44.1 255.255.255.0 secondary
 ip address 192.168.45.1 255.255.255.0 secondary
 ip address 192.168.46.1 255.255.255.0 secondary
 ip address 2.1.1.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface Serial0/0
 no ip address
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
 ppp multilink
 multilink-group 1
!
interface Serial0/1
 no ip address
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
 ppp multilink
 multilink-group 1
!
interface Serial1/0
 no ip address
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
 ppp multilink
 multilink-group 1
!
ip nat translation timeout 300
ip nat translation tcp-timeout 300
ip nat translation finrst-timeout 300
ip nat translation dns-timeout 300
ip nat pool private 1.1.1.249 1.1.1.254 netmask 255.255.255.248
ip nat inside source list 1 pool private
ip classless
ip route 0.0.0.0 0.0.0.0 2.112.69.165
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.32.0 0.0.31.255
banner login ^C
- T1 Router
Unauthorized access is prohibited by law
For assistance, contact ^C
!
line con 0
 password 7
 login
line aux 0
line vty 0 4
 password 7
 login
!
!
end

lamav Thu, 03/13/2008 - 17:30

Brian:


I'm not catching anything wrong with your config.


Did you ever check the things I suggested you check in my first post?


Browser settings, other users, etc.?


Victor

vitaltouch Thu, 03/13/2008 - 17:33

Thank you for taking time to troubleshoot this, Victor.


After all this time, the problem was discovered.


The owner had blocks on his DNS server to only allow those two Class C ranges to do DNS lookups. After adding the new range for the private IPs, he was able to connect and have no problems at all.


Apparently when they had a private IP and were doing DNS lookups, the DNS server was returning the top-level servers such as a-z.gltd...


Brian S.
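The two checks that resolve this thread, as an added worked example that is not code from the original posts: Victor's point that a pool of .249-.254 needs a /29 rather than a /30, and Brian's finding that the DNS server's allow-list only covered the two Class C ranges. The model assumes (my reading of the thread, not stated in it) that queries from the 192.168.x.x hosts to the DNS servers on 2.1.1.0/24 never cross the nat outside interface, so they arrive untranslated and are rejected by the allow-list; the subnets, pool and allow-list values are constructed from the thread.

```python
import ipaddress

# Constructed to mirror the thread: inside subnets on FA0/0, the NAT pool,
# and the ISP's DNS servers living on an inside subnet (2.1.1.3 / 2.1.1.4).
INSIDE_NETS = [ipaddress.ip_network(n)
               for n in ("2.1.1.0/24", "1.1.1.0/24", "192.168.5.0/24")]
NAT_POOL_FIRST = "1.1.1.249"
DNS_ALLOW_ORIGINAL = [ipaddress.ip_network(n)
                      for n in ("1.1.1.0/24", "2.1.1.0/24")]


def pool_fits_mask(first, last, prefixlen):
    """Victor's check: every pool address must sit inside one block of the
    given prefix length, and neither the network nor the broadcast address
    of that block may be used as a pool address."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    block = ipaddress.ip_network(f"{start}/{prefixlen}", strict=False)
    return (end in block
            and block.network_address < start
            and end < block.broadcast_address)


def nat_source(src, dst):
    """Source address a destination sees. Inside-source NAT (assumption:
    modelled after Cisco inside->outside behaviour) only fires when the
    destination is off the inside networks; inside-to-inside traffic keeps
    its private source, which is what the DNS server saw here."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    src_inside = any(src_ip in n for n in INSIDE_NETS)
    dst_inside = any(dst_ip in n for n in INSIDE_NETS)
    if src_inside and not dst_inside:
        # First pool address for illustration; real NAT tracks per-flow.
        return NAT_POOL_FIRST
    return str(src_ip)


def dns_recursion_allowed(client, allow_list):
    """The DNS server's recursion allow-list: a client outside it gets no
    recursive answer (only referrals), matching the symptom in the thread."""
    client_ip = ipaddress.ip_address(client)
    return any(client_ip in n for n in allow_list)


def lookup_works(client, dns_server, allow_list):
    """End-to-end: what source the DNS server sees, then the allow-list."""
    return dns_recursion_allowed(nat_source(client, dns_server), allow_list)
```

Running lookup_works("192.168.5.2", "2.1.1.3", DNS_ALLOW_ORIGINAL) reproduces the failure; adding 192.168.5.0/24 to the allow-list, as Brian's provider did, makes it succeed.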

lamav Thu, 03/13/2008 - 18:40

You're welcome, Brian.

Glad you got it beat.


Victor
