04-22-2015 08:49 AM - edited 03-05-2019 01:18 AM
I have a question similar to another asked in this forum but have never found or seen an answer. Thank you in advance for any assistance you can provide.
I have a Cisco 7301 that I need to use as a gateway to my private SIP network. I have configured PAT using the numerous examples I have found searching the net. Please see attached config. I can ping 8.8.8.8 from within the router using the "inside" interface as the source. I cannot get through the router from the inside LAN. I cannot even ping the WAN "outside" interface of the router.
If there is not an obvious solution to this problem can someone please suggest a different product. An ASA perhaps that will allow me to NAT 10.7.0.0/16 to a single public IP.
Thank you,
Kevin
04-22-2015 08:55 AM
Hi Kevin,
The file attachment which you included in this discussion includes public ip address details in the running configuration. Can you please remove those public ip addresses so we can get this discussion posted.
Thanks.
04-23-2015 05:42 AM
The attachment has been edited. Thanks.
04-23-2015 02:37 AM
hi,
your config looks good.
can you ping 10.7.0.1 from a host on the LAN?
04-23-2015 05:41 AM
Hi,
I have two hosts on the private LAN, 10.7.0.2 and 10.7.0.50. Both can ping each other and they can ping 10.7.0.1. They cannot ping the WAN interface of the router or anywhere beyond that.
04-23-2015 10:37 AM
Kevin
I agree with John that there are no obvious issues in the config that you posted. I have two questions for you.
1) I am sure that your 7301 can ping the hosts on the LAN when using the normal source address but can the 7301 ping the hosts if it uses the WAN interface as the source? I suspect that it can not and that leads to my second question.
2) can you check and see if the hosts have their default gateway set as 10.7.0.1?
HTH
Rick
04-23-2015 03:57 PM
Hi Rick,
Thank you for your response. I verified the host on the internal LAN has a gateway address of 10.7.0.1. Here are my results from different pings:
E7_SIP#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
E7_SIP#ping 8.8.8.8 source g0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.7.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
E7_SIP#ping 8.8.8.8 source g0/2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 66.11x.xx.xx
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
E7_SIP#ping 10.7.0.1 source g0/2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.7.0.1, timeout is 2 seconds:
Packet sent with a source address of 66.11x.xx.xx
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
04-23-2015 06:04 PM
hi,
could you post a brief network diagram/topology and a tracert 8.8.8.8 output from a machine on your LAN?
also, is the 7301 on a live network? maybe you could schedule a quick downtime, copy the config from your 7301 to a spare router and see if the same problem gets replicated.
04-23-2015 07:15 PM
04-23-2015 07:30 PM
hi,
are you running any dynamic routing protocol on your 7604?
does the 7604 have a route to your 10.7.0.0/16?
could you try adding this on your 7604 and test again?
ip route 10.7.0.0 255.255.0.0 66.11x.xx.80
04-24-2015 08:48 AM
No dynamic routing on my 7604 and I did not build a route to 10.7.0.0 on the 7604 because it should never see any of those addresses, correct? I would think it would only see 66.11x.xx.80 and the associated port but I will give it a try if you think it will help.
Thanks,
04-23-2015 04:50 PM
Everything I read indicates that I have the PAT config correct. I guess I have to lean toward a routing problem at this point? Looking at my routing table I see something I do not understand:
E7_SIP#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 66.11x.xx.1 to network 0.0.0.0
66.0.0.0/24 is subnetted, 1 subnets
C 66.11x.xx.0 is directly connected, GigabitEthernet0/2
10.0.0.0/16 is subnetted, 1 subnets
C 10.7.0.0 is directly connected, GigabitEthernet0/1
S* 0.0.0.0/0 [1/0] via 66.11x.xx.1
E7_SIP#
Is the text in red above correct? Shouldn't it say 66.0.0.0/8 and not /24? Shouldn't it also say it's variably subnetted?
Thanks.
04-23-2015 07:29 PM
Kevin
The configuration of the interface Gig0/2 has a mask of 255.255.255.0. And this router knows of only one subnet in that network. So the entry in the routing table showing a /24 is exactly the expected behavior. And as far as the router is concerned it is not variably subnetted; there is only one subnet that the router knows about for that network. So the subnetting is consistent and not variable.
I suspect that you are correct that you are dealing with some kind of routing problem. You gave us quite a few ping results but not results of the pings that I asked for. I asked you to try to ping 10.7.0.2 and 10.7.0.50 using Gig0/2 as the source. Would you please do those pings and post the results.
HTH
Rick
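The header-line convention described in the reply above, as an added example that is not part of the original thread: a simplified Python model of how a classic `show ip route` groups routes under their classful major network and chooses between "subnetted" and "variably subnetted". The function names are hypothetical, 10.7.0.0/16 comes from the thread, and 10.8.1.0/24 and 172.16.5.0/24 are constructed sample prefixes.

```python
import ipaddress
from collections import defaultdict

def classful_network(addr):
    """Return the class A/B/C major network containing addr (classes D/E not handled)."""
    first_octet = int(addr) >> 24
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

def header_lines(prefixes):
    """Model the per-major-network header lines of a classic 'show ip route'."""
    groups = defaultdict(list)
    for p in prefixes:
        net = ipaddress.ip_network(p)
        major = classful_network(net.network_address)
        # Only true subnets get a header; the default route and routes that
        # are exactly the classful network (or shorter) do not.
        if net.prefixlen > major.prefixlen:
            groups[major].append(net)
    lines = []
    for major, subnets in groups.items():
        masks = {n.prefixlen for n in subnets}
        if len(masks) == 1:
            # One mask in use: the header shows the major network with that
            # mask, which is why a single /24 in a class A reads "x.0.0.0/24".
            lines.append(f"{major.network_address}/{masks.pop()} is subnetted, "
                         f"{len(subnets)} subnets")
        else:
            # Several masks in use: the header falls back to the classful mask.
            lines.append(f"{major} is variably subnetted, "
                         f"{len(subnets)} subnets, {len(masks)} masks")
    return lines

if __name__ == "__main__":
    # Inside LAN from the thread plus the default route.
    print(header_lines(["10.7.0.0/16", "0.0.0.0/0"]))
    # Constructed: a second 10.x subnet with a different mask.
    print(header_lines(["10.7.0.0/16", "10.8.1.0/24"]))
```
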
04-23-2015 07:34 PM
Kevin
Would you post the output of ipconfig from the host at 10.7.0.2 (and perhaps from 10.7.0.50 also)? And perhaps also the output of route print.
HTH
Rick
04-24-2015 09:47 AM
OK. Now I'm thoroughly confused. The only thing I have done this morning is to log in to the router and run a ping from the "outside" source to an IP on the "inside" LAN. "ping 10.7.0.2 source g0/2" Then, as you suggested, I was logging in to the host on the inside LAN to look at ifconfig and run a traceroute to the outside and see where it was getting stopped.
To my amazement the traceroute ran from 10.7.0.2 to www.ibm.com without fail. First time that I have been able to get beyond the router. I have been able to go anywhere else ever since. "sho ip nat trans" looks good too:
E7_SIP#sh ip nat trans
Pro Inside global        Inside local     Outside local        Outside global
udp 66.1x.xx.80:123      10.7.0.2:123     129.6.15.30:123      129.6.15.30:123
udp 66.11x.xx.80:123     10.7.0.2:123     132.163.4.101:123    132.163.4.101:123
udp 66.11x.xx.80:123     10.7.0.2:123     152.2.133.55:123     152.2.133.55:123
udp 66.11x.xx.80:123     10.7.0.2:123     198.60.22.240:123    198.60.22.240:123
tcp 66.11x.xx.80:36788   10.7.0.2:36788   184.51.115.9:80      184.51.115.9:80
E7_SIP#
Is it possible that my ping from outside source to inside host forced the 7301 to finally "learn" that it was supposed to do PAT? If not, I have no idea what made it work and what to do if it stops working...
Thanks,
Kevin