The PCs can ping both of the router´s ethernet interfaces, but CANNOT go beyond that.

Dec 2nd, 2009

Hi everyone

I have a 2514 and I´m using both ethernet ports (config below).

One is attached to the LAN and the other to a cable modem with a FIXED ip address.

I can make the router see the internet (pings anything) by just adding the classic "ip route 0.0.0.0 0.0.0.0 (gateway´s ip address)"

The PCs can ping both of the router´s ethernet interfaces, but CANNOT go beyond that.

I know it´s a simple matter to solve (probably just another "ip route" command) and thus I thank you!


Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(28c), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 30-Mar-05 16:33 by pwade
Image text-base: 0x0303E2D4, data-base: 0x00001000

ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)

189-57-241-178 uptime is 19 hours, 52 minutes
System restarted by reload
System image file is "flash:c2500-is-l.120-28c.bin"

cisco 2500 (68030) processor (revision L) with 6144K/2048K bytes of memory.
Processor board ID 05689092, with hardware revision 00000000
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read ONLY)

Configuration register is 0x2102

Jon Marshall Wed, 12/02/2009 - 11:51

galongagalonga wrote:

Hi everyone

I have a 2514 and I´m using both ethernet ports (config below).

One is attached to the LAN and the other to a cable modem with a FIXED ip address.

I can make the router see the internet (pings anything) by just adding the classic "ip route 0.0.0.0 0.0.0.0 (gateway´s ip address)"

The PCs can ping both of the router´s ethernet interfaces, but CANNOT go beyond that.

I know it´s a simple matter to solve (probably just another "ip route" command) and thus I thank you!


Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(28c), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 30-Mar-05 16:33 by pwade
Image text-base: 0x0303E2D4, data-base: 0x00001000

ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)

189-57-241-178 uptime is 19 hours, 52 minutes
System restarted by reload
System image file is "flash:c2500-is-l.120-28c.bin"

cisco 2500 (68030) processor (revision L) with 6144K/2048K bytes of memory.
Processor board ID 05689092, with hardware revision 00000000
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read ONLY)

Configuration register is 0x2102

If the PCs are using private addressing then have you set up NAT on the router? You will need to because private addressing is not routable on the Internet.

Can you post router config and also the addressing used by the PCs.

Jon

galongagalonga Wed, 12/02/2009 - 12:04

Yes, I know that in order to be able to use intranet numbers such as (192.168.0.1-255) it´s necessary to use NAT.

But I tried with both IP intranet numbers (using the commands ip nat inside etc) and regular IP numbers and got the same results: the router can ping everyone, but the internet users can only ping both ethernet ports and do not even reach the default gateway

Jon Marshall Wed, 12/02/2009 - 12:19

galongagalonga wrote:

Yes, I know that in order to be able to use intranet numbers such as (192.168.0.1-255) it´s necessary to use NAT.

Good, glad to hear it

Now could you post details as per last post ie. config + pc addressing.

Jon

galongagalonga Wed, 12/02/2009 - 12:19

The PC that I want to access the internet has an IP number of 189.57.231.227 mask 255.255.255.0 and a gateway 189.57.231.22

The 2514 has the following configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
!
ip subnet-zero
!
!
!
interface Ethernet0
ip address 189.57.231.225 255.255.255.248
no ip directed-broadcast
!
interface Ethernet1
ip address 201.17.6.16 255.255.255.0
no ip directed-broadcast
!
interface Serial0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
no fair-queue
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 201.17.6.1
!
!
line con 0
transport input none
line aux 0
line vty 0 4
!
end

Jon Marshall Wed, 12/02/2009 - 12:28

galongagalonga wrote:

The PC that I want to access the internet has an IP number of 189.57.231.227 mask 255.255.255.0 and a gateway 189.57.231.22

The 2514 has the following configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
!
ip subnet-zero
!
!
!
interface Ethernet0
ip address 189.57.231.225 255.255.255.248
no ip directed-broadcast
!
interface Ethernet1
ip address 201.17.6.16 255.255.255.0
no ip directed-broadcast
!
interface Serial0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
no fair-queue
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 201.17.6.1
!
!
line con 0
transport input none
line aux 0
line vty 0 4
!
end

Firstly, have these addresses been allocated to you ie. both public on eth0 and eth1 ?

I suspect the issue is that there is no route back to your LAN addressing. So when you ping from the router itself it works because the router uses the source address of eth1.  Try doing an extended ping on the router using the source ip on eth0 and see if ping works.

If the 189.57 addressing has been allocated to you then you can either -

1) Nat them to the eth1 ip address

OR

2) add a route to the next hop device ie. 201.17.6.1 for your LAN addressing pointing back to 201.17.6.16

if you don't own the 189.57 addressing you only have the choice of natting your LAN addresses to eth1

You say you have tried NAT already, what was the config you tried ?

Jon

galongagalonga Wed, 12/02/2009 - 12:33

No, I do not own the address  189.57.etc

But since I´m a total dumbass when it comes to routing I guess that means I did not know I just can´t use that address and have to retort to the 192.168....blablabla

Actually, I did try that as well with the same results, but I can do it again and let you know in a coupla minutes

Correct Answer
Jon Marshall Wed, 12/02/2009 - 12:36

galongagalonga wrote:

No, I do not own the address  189.57.etc

But since I´m a total ******* when it comes to routing I guess that means I did not know I just can´t use that address and have to retort to the 192.168....blablabla

Actually, I did try that as well with the same results, but I can do it again and let you know in a coupla minutes

You do own the 201.17.6.x addressing though right ?

Assuming your internal addressing for PCs was changed to 192.168.1.0/24 your config should look like

int eth0
ip address 192.168.1.1 255.255.255.0
ip nat inside

int eth1
ip address 201.17.6.16 255.255.255.0
ip nat outside

ip nat inside source list 101 interface eth1 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Jon

galongagalonga Wed, 12/02/2009 - 12:48

THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU!!!!!!!!!!!!!!!!!

(SOB) BOHOOOOO (TEARS)

galongagalonga Wed, 12/02/2009 - 13:11

Yes it is and I thank you again.

I get the feeling the problem was the lack of the "access-list 101 permit ip 192.168.1.0 0.0.0.255 any" command

my gut tells me that cisco products policy are "you can´t do jack unless you specifically allow so", which is nice for security but sucks if you are a newbie

tomorrow I´m going to try to connect the serial port as well (have 2 internet connections): hope I can count on your support should you be around ok?

Jon Marshall Wed, 12/02/2009 - 13:19

galongagalonga wrote:

Yes it is and I thank you again.

I get the feeling the problem was the lack of the "access-list 101 permit ip 192.168.1.0 0.0.0.255 any" command

my gut tells me that cisco products policy are "you can´t do jack unless you specifically allow so", which is nice for security but sucks if you are a newbie

tomorrow I´m going to try to connect the serial port as well (have 2 internet connections): hope I can count on your support should you be around ok?

The acl as you probably realised is what tells the router which packets to NAT. Without that having "ip nat inside" and "ip nat outside" configured wasn't actually doing anything.

It certainly can be a steep learning curve if you're new to Cisco products

I'll be glad to help out if I'm around but the good news is that there are loads of people on these forums that can do the same so you should be able to get help no matter.

If you do need help make sure you post the config you are working with as this saves both you and the people who might answer some time.

Jon

ok I´m back (this time with another moniker as cisco´s site keeps deleting mine)

This time I´ve also set up the serial connection in order to allow 2 connections to the internet (one cable and the other optic)

The config is as follows:

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable password abc123
!
ip subnet-zero
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Ethernet1
ip address 201.17.6.16 255.255.255.0
no ip directed-broadcast
ip nat outside
!
interface Serial0
ip address 189.57.241.178 255.255.255.252
no ip directed-broadcast
no ip mroute-cache
no fair-queue
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
ip nat inside source list 101 interface Ethernet1 overload
ip nat inside source static tcp 192.168.1.21 80 201.17.6.16 80 extendable
ip nat inside source static tcp 192.168.1.21 21 201.17.6.16 21 extendable
ip nat inside source static tcp 192.168.1.21 25 201.17.6.16 25 extendable
ip nat inside source static tcp 192.168.1.21 110 201.17.6.16 110 extendable
ip nat inside source static tcp 192.168.1.21 5060 201.17.6.16 5060 extendable
ip nat inside source static tcp 192.168.1.21 65000 201.17.6.16 65000 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 201.17.6.1
!
!
ip access-list extended WebServer
permit tcp any host 201.17.6.16 eq www
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
line con 0
password abc123
login
transport input none
line aux 0
line vty 0 4
password abc123
login

The router is a 2514 with the following config:

Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(28c), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 30-Mar-05 16:33 by pwade
Image text-base: 0x0303E2D4, data-base: 0x00001000

ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)

Router uptime is 19 minutes
System restarted by power-on
System image file is "flash:c2500-is-l.120-28c.bin"

cisco 2500 (68030) processor (revision L) with 6144K/2048K bytes of memory.
Processor board ID 05689092, with hardware revision 00000000
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read ONLY)

Configuration register is 0x2102

I can´t seem to make both work. It only accesses through the cable and it seems that after a while it loses connection so I have to reboot the router (rebooting the cable modem will not do the trick)

I really tried everything because I hate bothering others, but newbies + cisco = trouble!

Jon Marshall Sat, 12/05/2009 - 15:50

[email protected]

ok I´m back (this time with another moniker as cisco´s site keeps deleting mine)

This time I´ve also set up the serial connection in order to allow 2 connections to the internet (one cable and the other optic)

The config is as follows:

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable password abc123
!
ip subnet-zero
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Ethernet1
ip address 201.17.6.16 255.255.255.0
no ip directed-broadcast
ip nat outside
!
interface Serial0
ip address 189.57.241.178 255.255.255.252
no ip directed-broadcast
no ip mroute-cache
no fair-queue
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
ip nat inside source list 101 interface Ethernet1 overload
ip nat inside source static tcp 192.168.1.21 80 201.17.6.16 80 extendable
ip nat inside source static tcp 192.168.1.21 21 201.17.6.16 21 extendable
ip nat inside source static tcp 192.168.1.21 25 201.17.6.16 25 extendable
ip nat inside source static tcp 192.168.1.21 110 201.17.6.16 110 extendable
ip nat inside source static tcp 192.168.1.21 5060 201.17.6.16 5060 extendable
ip nat inside source static tcp 192.168.1.21 65000 201.17.6.16 65000 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 201.17.6.1
!
!
ip access-list extended WebServer
permit tcp any host 201.17.6.16 eq www
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
line con 0
password abc123
login
transport input none
line aux 0
line vty 0 4
password abc123
login


Okay, first things first - do you own the address on your serial interface

Assuming you do there are a couple of things you need to add to your config

1) you need an "ip nat outside" statement under the serial interface ie.

int serial0

ip nat outside

2) You only have one default route on your router pointing to 201.17.6.1 so it will only ever use that link. You need to add another default route so the router will alternate between the  -

ip route 0.0.0.0 0.0.0.0  189.57.241.77

Also bear in mind, your static NATs use 201.17.6.16  so any inbound traffic to your servers will use that link.

Jon

Jon Marshall Sat, 12/05/2009 - 15:51

oops !

you also need another nat line ie.

ip nat inside source list 101 interface serial0 overload

Jon

Yes, I do own the serial ip number 189.57.241.178 255.255.255.252: it was the one attached to the serial port at an old configuration I had with a 2500 that worked

I also own the number 189.57.231.225 255.255.255.248: it was attached to the ethernet0 in the defunct 2500 and I no longer use it (bought a 2514 to replace it)

I tried to insert the command you said "ip nat inside source list 101 interface serial0 overload" but it claims "Dynamic mapping in use, cannot change"

Then I found out in http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094422.shtml what to do

It only solved when I turned off the damn thing and plugued both AUIs from it

However, after I insert the commands you told me we are back to step 1: the router can ping but the client cannot.

Don´t we need another command like "access-list 101 permit ip 192.168.1.0 0.0.0.255 any" for the new interface? It seems that did the trick before right?

Jon Marshall Sun, 12/06/2009 - 05:52

[email protected]

Yes, I do own the serial ip number 189.57.241.178 255.255.255.252: it was the one attached to the serial port at an old configuration I had with a 2500 that worked

I also own the number 189.57.231.225 255.255.255.248: it was attached to the ethernet0 in the defunct 2500 and I no longer use it (bought a 2514 to replace it)

I tried to insert the command you said "ip nat inside source list 101 interface serial0 overload" but it claims "Dynamic mapping in use, cannot change"

Then I found out in http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094422.shtml what to do

It only solved when I turned off the **** thing and plugued both AUIs from it

However, after I insert the commands you told me we are back to step 1: the router can ping but the client cannot.

Don´t we need another command like "access-list 101 permit ip 192.168.1.0 0.0.0.255 any" for the new interface? It seems that did the trick before right?

Well, you could try with a different acl ie.

access-list 102 permit 192.168.1.0 0.0.0.255 any

ip nat inside source list 102 interface s0 overload

try that and see if it works. If not can you post full config again.

Jon

Eugene Khabarov Sun, 12/06/2009 - 12:00

Hmmm... Why use NAT?  Maybe you have just forgotten to configure "ip routing" on this old platform

Jon Marshall Sun, 12/06/2009 - 12:17

ekhabarov wrote:

Hmmm... Why use NAT?  Maybe you have just forgotten to configure "ip routing" on this old platform

Because the LAN addressing is 192.168.1.x

Jon

ok, I put both commands:

access-list 102 permit 192.168.1.0 0.0.0.255 any

ip nat inside source list 102 interface s0 overload

actually, apparently the command was access-list 101 permit IP 192.168.1.0 0.0.0.255 any, as it did not work

either way, as soon as I unplug the cable modem the connection drops. any ideas?

shouldn´t there be some kind of command to tell the router to switch between both connections based on some how of weight/rule/something?

Below the config as it is now:

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!

ip subnet-zero
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Ethernet1
ip address 201.17.6.16 255.255.255.0
no ip directed-broadcast
ip nat outside
!
interface Serial0
ip address 189.57.241.178 255.255.255.252
no ip directed-broadcast
ip nat outside
no ip mroute-cache
no fair-queue
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
ip nat inside source list 101 interface Ethernet1 overload
ip nat inside source list 102 interface Serial0 overload
ip nat inside source static tcp 192.168.1.21 8080 201.17.6.16 8080 extendable
ip nat inside source static tcp 192.168.1.199 65000 201.17.6.16 65000 extendable

ip nat inside source static tcp 192.168.1.21 65003 201.17.6.16 65003 extendable
ip nat inside source static tcp 192.168.1.21 80 201.17.6.16 80 extendable
ip nat inside source static tcp 192.168.1.21 21 201.17.6.16 21 extendable
ip nat inside source static tcp 192.168.1.21 25 201.17.6.16 25 extendable
ip nat inside source static tcp 192.168.1.21 110 201.17.6.16 110 extendable
ip nat inside source static tcp 192.168.1.21 5060 201.17.6.16 5060 extendable
ip nat inside source static tcp 192.168.1.21 65000 201.17.6.16 65000 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 201.17.6.1
ip route 0.0.0.0 0.0.0.0 189.57.241.77
!
!
ip access-list extended WebServer
permit tcp any host 201.17.6.16 eq www
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
line con 0
login
transport input none
line aux 0
line vty 0 4
login

Jon Marshall Sun, 12/06/2009 - 15:22

[email protected]

ok, I put both commands:

access-list 102 permit 192.168.1.0 0.0.0.255 any

ip nat inside source list 102 interface s0 overload

actually, apparently the command was access-list 101 permit IP 192.168.1.0 0.0.0.255 any, as it did not work

either way, as soon as I unplug the cable modem the connection drops. any ideas?




interface Serial0
ip address 189.57.241.178 255.255.255.252
no ip directed-broadcast
ip nat outside
no ip mroute-cache
no fair-queue
!
ip route 0.0.0.0 0.0.0.0 189.57.241.77
!
!

Good catch on the access-list, sorry i was probably typing a bit fast

Also think the other issue is down to my typing as well -

can you make the following change -

no ip route 0.0.0.0 0.0.0.0 189.57.241.77

ip route 0.0.0.0 0.0.0.0 189.57.241.177

Jon
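
Added example (not part of any post in this thread, and not Cisco tooling): a small Python check for the NAT wiring mistakes this discussion runs into, namely that every overload rule names a defined access list and an interface marked "ip nat outside", and that each static-route next hop sits on a connected subnet. The sample config is constructed from the dual-uplink config posted above, with access-list 102 left out on the assumption that the router rejected the mistyped line; the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: the dual-uplink config from the thread, trimmed to the
# lines the checks read. Assumption: access-list 102 was never accepted.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address 201.17.6.16 255.255.255.0
 ip nat outside
!
interface Serial0
 ip address 189.57.241.178 255.255.255.252
 ip nat outside
!
ip nat inside source list 101 interface Ethernet1 overload
ip nat inside source list 102 interface Serial0 overload
ip route 0.0.0.0 0.0.0.0 201.17.6.1
ip route 0.0.0.0 0.0.0.0 189.57.241.77
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""


def parse(config):
    """Collect interfaces, overload (PAT) rules, ACL names and route next hops."""
    ifaces, pat, acls, hops, cur = {}, [], set(), [], None
    for raw in config.splitlines():
        line = raw.strip()  # indentation is optional, as in the pasted configs
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"net": None, "nat": None})
        elif cur is not None and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            cur["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif cur is not None and (m := re.fullmatch(r"ip nat (inside|outside)", line)):
            cur["nat"] = m.group(1)
        elif m := re.fullmatch(r"ip nat inside source list (\S+) interface (\S+) overload", line):
            pat.append((m.group(1), m.group(2)))
        elif m := re.match(r"(?:ip access-list (?:standard|extended)|access-list) (\S+)", line):
            acls.add(m.group(1))
        elif m := re.fullmatch(r"ip route \S+ \S+ (\d+\.\d+\.\d+\.\d+)", line):
            hops.append(ipaddress.ip_address(m.group(1)))
    return ifaces, pat, acls, hops


def audit(config):
    """Return a list of findings; an empty list means the wiring is consistent."""
    ifaces, pat, acls, hops = parse(config)
    findings = []
    if not any(i["nat"] == "inside" for i in ifaces.values()):
        findings.append("no interface is marked 'ip nat inside'")
    for acl, name in pat:
        if acl not in acls:
            findings.append(f"PAT on {name}: access-list {acl} is not defined")
        if ifaces.get(name, {}).get("nat") != "outside":
            findings.append(f"PAT on {name}: interface lacks 'ip nat outside'")
    used = {name for _, name in pat}
    for name, i in ifaces.items():
        if i["nat"] == "outside" and name not in used:
            findings.append(f"{name}: 'ip nat outside' but no overload rule uses it")
    for hop in hops:
        if not any(i["net"] and hop in i["net"] for i in ifaces.values()):
            findings.append(f"next hop {hop} is not on any connected subnet")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run against a saved running-config, it reports each mismatch as one line; interface names are compared exactly as the running-config prints them, so abbreviations such as "s0" are not expanded.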

Jon Marshall Sun, 12/06/2009 - 16:02

[email protected]

ok, after those 2 commands I can ping from the router after I unplug the cable modem, but not from the lan client

as soon as I plug the cable modem back in I can ping from the lan client again

so we are getting closer: I think we all we need is that ACL command again and we are set (hopefully!)

Not sure where we are with the config but what might be happening is you ping from the PC with the cable modem connected and it makes a NAT translation. Then you unplug it but the NAT translation is still there.

When you unplug the cable modem, before you ping again can you do this

router# clear ip nat translation *

Jon

I did better: unplugged the cable modem and rebooted the router while pinging constantly from a lan PC.

Curiously enough, it would alternate between a couple of "Reply from 192.168.1.1: Destination host unreachable" and some "Request timed out."

As soon as I plugged the cable modem back in the connection was restored.

During that time with no cable modem (only the serial connection) however I could ping anything from the router.

(I also did your method with identical results)

That´s why I think it´s again the NAT-ACL issue, as it is the same that was happening with the cable modem connection in the first place.
