New Member

Routing or NAT problem?

I've got a network behind a Cisco 2811 running the config below. Note: FastEthernet0/1 is now my external connection and the serial is disabled.

I can connect to the internet, and the internet can see me, but I am unable to see my external IPs from the internet. I recently had an IP change from T1 to fiber, and that's why I've disabled the serial and I'm using FastEthernet0/1. Do you think there is just a simple routing issue I haven't accommodated for, or do you think there is a remnant somewhere deep in the config I am not seeing?

Thanks in advance!

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service sequence-numbers
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool default
 import all
 network 10.10.10.0 255.255.255.0
 dns-server 209.244.0.3 209.244.0.4
 default-router 10.10.10.1
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-LAN$
 ip address 64.100.200.174 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 duplex full
 speed 100
 no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 permanent
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0 permanent
!
ip http server
ip http access-class 3
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat pool DynamicIPPool 64.100.200.97 64.100.200.102 netmask 255.255.255.224
ip nat inside source list 1 pool DynamicIPPool overload
ip nat inside source static tcp 10.10.10.129 80 64.100.200.103 80 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 10.10.10.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq cmd
access-list 100 deny tcp any host 10.10.10.1 eq telnet
access-list 100 deny tcp any host 10.10.10.1 eq 22
access-list 100 deny tcp any host 10.10.10.1 eq www
access-list 100 deny tcp any host 10.10.10.1 eq 443
access-list 100 deny tcp any host 10.10.10.1 eq cmd
access-list 100 deny udp any host 10.10.10.1 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 101 in
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 102 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000

10 REPLIES
Blue

Re: Routing or NAT problem?

Try enabling IP proxy-arp on your outside interface. If the ISP has a static route for the 64.100.200.103 that uses the interface (like your routes) instead of the next hop router address, you need the router to proxy ARP, since the NAT global address is not within the subnet on your outside interface.

If that doesn't work, have your ISP double-check the static route back to you.

Please rate helpful posts.

New Member

Re: Routing or NAT problem?

Unfortunately enabling the IP proxy-arp didn't work. Any other thoughts?

Thanks,

Will

Blue

Re: Routing or NAT problem?

William,

You need to know if the 64.100.200.103 packets are getting to your router.

First build an access list to use with debugging:

access-list 10 permit host 64.100.200.103

access-list 10 permit host X.X.X.X

The 2nd address will be the public address you are testing from.

term mon

debug ip packet 10

If you see the packets coming in then:

debug ip nat 10

Let me know what happens.

Dave

New Member

Re: Routing or NAT problem?

Dave,

I know the packets are getting to my router, as I am able to access the site from anywhere outside of my network.

When I try to get to the site 64.100.200.103 from inside my network though, I cannot get to it.

Thanks,

Will

Re: Routing or NAT problem?

Hi

I once faced a similar problem. It turned out to be a routing issue from the ISP end. They had removed the routes for my pool of live IPs and I was not able to access my VoIP devices from the internet. My internet through NAT was working fine.

Once they had defined the routes, everything was normal.

I think the same problem exists in your case. Try talking about this with your ISP.

Hope that helps

Regards

JD

Blue

Re: Routing or NAT problem?

Will,

But the difference is that the packets are coming from your NAT pool addresses. The ISP may be blocking this from going back to the 64.100.200.103.

How about the debug NAT?

This will tell you what NAT is trying to do with those packets -- if they are getting to you.

Dave

Bronze

Re: Routing or NAT problem?

Hi,

Your statements

ip nat pool DynamicIPPool 64.100.200.97 64.100.200.102 netmask 255.255.255.224

ip nat inside source list 1 pool DynamicIPPool overload

ip nat inside source static tcp 10.10.10.129 80 64.100.200.103 80 extendable

and

access-list 1 remark INSIDE_IF=FastEthernet0/0

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 10.10.10.0 0.0.0.255

You're using dynamic NAT for the 10.10.10.0 network using your DynamicIPPool range, which is specified by your access list 1.

Then you're using the same network IP for static translation.

Maybe your dynamic NAT has overtaken your static NAT statements.

Try to deny the 10.10.10.129 host in access list 1.

Hope this helps you,

Thanks

Raj

New Member

Re: Routing or NAT problem?

Below are the results of the debug output for NAT.

Thanks,

Will

116767: *Dec 26 12:48:21.140 PCTime: NAT: s=10.10.10.2->64.100.200.97, d=64.100.200.103 [932]
116768: *Dec 26 12:48:21.140 PCTime: IP: s=64.100.200.97 (FastEthernet0/0), d=64.100.200.103 (FastEthernet0/1), g=64.100.200.103, len 48, forward
116769: *Dec 26 12:48:21.140 PCTime: IP: s=64.100.200.97 (FastEthernet0/0), d=64.100.200.103 (FastEthernet0/1), len 48, encapsulation failed

Blue

Re: Routing or NAT problem?

Will,

Usually encapsulation failed means no reply to the ARP request. Try changing your default route to point to the next hop address. Currently you are depending on the ISP router to proxy ARP which it is apparently not doing for the 64.100.200.103.

ip route 0.0.0.0 0.0.0.0 64.100.200.173

Dave
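A small triage helper for the debug output Will posted, written as an added example (it is not from the thread or from Cisco): it parses the `debug ip nat` / `debug ip packet` lines, groups translations per destination, and applies Dave's reasoning that a forwarded packet whose gateway (g=) equals an off-link destination means the router is ARPing for the destination itself because the default route points at an interface. The outside /30 is taken from the posted config and the sample lines are the posted ones rejoined; the regexes assume the IOS field order shown there.

```python
import ipaddress
import re

# Constructed sample: the three debug lines from the thread, rejoined on single lines.
SAMPLE_DEBUG = """\
116767: *Dec 26 12:48:21.140 PCTime: NAT: s=10.10.10.2->64.100.200.97, d=64.100.200.103 [932]
116768: *Dec 26 12:48:21.140 PCTime: IP: s=64.100.200.97 (FastEthernet0/0), d=64.100.200.103 (FastEthernet0/1), g=64.100.200.103, len 48, forward
116769: *Dec 26 12:48:21.140 PCTime: IP: s=64.100.200.97 (FastEthernet0/0), d=64.100.200.103 (FastEthernet0/1), len 48, encapsulation failed
"""

# Outside interface address from the posted config (assumed unchanged); used to
# decide whether a destination is genuinely on the attached subnet.
OUTSIDE_IFACE = ipaddress.ip_interface("64.100.200.174/30")

NAT_RE = re.compile(r"NAT: s=(\S+)->(\S+), d=(\S+) \[\d+\]")
IP_RE = re.compile(r"IP: s=(\S+) \((\S+)\), d=(\S+) \((\S+)\)(?:, g=(\S+))?, len \d+, (.+)$")


def parse_debug(text):
    """Group NAT translations, chosen gateway and forwarding verdicts per destination."""
    per_dst = {}
    for line in text.splitlines():
        if m := NAT_RE.search(line):
            inside_local, inside_global, dst = m.groups()
            entry = per_dst.setdefault(dst, {"xlate": set(), "gw": None, "verdicts": []})
            entry["xlate"].add((inside_local, inside_global))
        elif m := IP_RE.search(line):
            _src, _in_if, dst, _out_if, gw, verdict = m.groups()
            entry = per_dst.setdefault(dst, {"xlate": set(), "gw": None, "verdicts": []})
            if gw:
                entry["gw"] = gw  # IOS reports the L3 next hop it will ARP for
            entry["verdicts"].append(verdict.strip())
    return per_dst


def diagnose(per_dst, outside=OUTSIDE_IFACE):
    """Flag destinations whose L2 encapsulation failed and explain the likely cause."""
    findings = {}
    for dst, e in per_dst.items():
        if "encapsulation failed" not in e["verdicts"]:
            continue
        on_link = ipaddress.ip_address(dst) in outside.network
        if e["gw"] == dst and not on_link:
            # Gateway == destination although it is off-link: an interface-only
            # default route made the router ARP for the destination directly.
            findings[dst] = "interface route: router ARPs for off-link destination; point default route at next hop"
        else:
            findings[dst] = "no ARP reply from next hop; check gateway reachability"
    return findings
```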

New Member

Re: Routing or NAT problem?

Thanks Dave, that was it! Appreciate the help!
