Multiple External IP static routes on older 1700

jimhood82
Level 1

I have a somewhat older 1712 I picked up, understanding that it should do what I am looking for.

I have a 5 IP block from my provider that I need to map out 1:1. The way I understand this is to first assign the interfaces their IP address, then create the static NAT maps using:

ip nat inside source static (source ip) (destination ip)

I then set a default route 0.0.0.0 0.0.0.0 75.140.236.209 (my gateway) and set the default-gateway command as well.

When all is said and done, I can only reach the internet with ONE IP address.

I have tried many different things, assigning all the necessary IPs to the interface (as secondary IPs), assigning them to a VLAN, and translating to/from the vlan, or even simply swapping the interfaces used so that the 4 port wic holds the external connection, and the locals on the integrated FE.

 

At this point I am at a loss, any help will be appreciated.

I am including all the logs - the system info, running config, ip route, ip nat table, and ping results. As this is fairly long, I hope you all don't mind if I simply attach it as a document.


Jon Marshall
Hall of Fame

Your config looks okay.

A couple of things -

1) your routing table shows the vlan subnet as 168.10.0.0/24 ?

2) can you remove the ip default-gateway ... command as you don't need it.

Can you then "clear ip nat translations *"

and then try and connect only from 192.168.100.3 and post the results ie. did it work and also the NAT translation table.

Jon

This is an error resulting from the console line speed being set too high... at 115k I get occasional errors in what it reports - that is one of those errors I didn't catch.

 

The actual table looks like this:

Gateway of last resort is 75.140.236.209 to network 0.0.0.0

C    192.168.100.0/24 is directly connected, Vlan1

       75.0.0.0/29 is subnetted, 1 subnets

C         75.140.236.208 is directly connected, FastEthernet 0

S     0.0.0.0/0 [1/0] via 75.140.236.209

Will clear the translations, and report back shortly.

 

EDIT: Here it is:

Router#sho ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 75.140.236.210     192.168.100.2      ---                ---
icmp 75.140.236.211:1  192.168.100.3:1    75.140.236.209:1   75.140.236.209:1
udp 75.140.236.211:60442 192.168.100.3:60442 8.8.8.8:53    8.8.8.8:53
--- 75.140.236.211     192.168.100.3      ---                ---
--- 75.140.236.212     192.168.100.4      ---                ---
--- 75.140.236.213     192.168.100.5      ---                ---
--- 75.140.236.214     192.168.100.6      ---                ---

 

SECOND EDIT:

To clarify, no, it could not ping through, either to the gateway, or out to the DNS.

In the output of "sh ver"

I see

Configuration register is 0x3922

Can you change it to 0x2102, save and reboot the router?

 

HTH

 

I gave it the command change-register 0x2102, then saved and reloaded - it started back up in 0x3922...

 

EDIT: Trying again using Rommon to make the change.

 

EDIT 2: Yep - that did it! Got it to 0x2102. Sadly, no change in behavior - only console line speed.

So the translations are being built correctly but presumably the connectivity is not working ?

What is the 75.140.236.209 device ?

Jon

That is the gateway provided by the ISP.

Like I say, there does not appear to be anything wrong with your config.

It could be an issue with the ISP device ie. wrong subnet mask on the interface connecting to your router.

The range the ISP assigned to you, was it with a 255.255.255.248 subnet mask ?

Jon

Yes, and I did call and confirm that as well. I have also confirmed that all addresses are working correctly when directly connected.

Can you -

access-list 101 permit ip host 75.140.236.211 any

access-list 101 permit ip any any

 

access-list 102 permit ip any host 75.140.236.211

access-list 102 permit ip any any

int fa0

ip access-group 101 out

ip access-group 102 in

then try to connect again and then see what hits you get on the acls.

Jon

Ok, applied the list - no change in status.

Can still ping local network, and not the gateway or remote network.

Sorry, it wasn't to see if it would work, it was to see what is happening to the traffic.

So if you do a "sh ip access-list 101" and see hits it means the traffic left your router.

If you do the same for acl 102 and there are no hits it means no traffic is returning.

If this is the case probably time to have another conversation with your ISP.

If you see no hits on acl 101 then there is an issue with your router.

Jon
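The hit-count reasoning in the reply above, written out as an added example that is not part of the original thread: it parses `show ip access-lists` output for ACLs 101 and 102 and reports whether traffic for the translated address left the router and whether anything came back. The sample output is constructed, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of `show ip access-lists` output (not taken from the thread).
# IOS prints no "(N matches)" suffix for an entry that has never matched.
SAMPLE = """\
Extended IP access list 101
    10 permit ip host 75.140.236.211 any (112 matches)
    20 permit ip any any (340 matches)
Extended IP access list 102
    10 permit ip any host 75.140.236.211
    20 permit ip any any (12 matches)
"""

HEADER = re.compile(r"^Extended IP access list (\S+)")
# Optional sequence number, the rule text, then an optional hit counter.
ENTRY = re.compile(
    r"^\s+(?:\d+\s+)?((?:permit|deny)\s.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_acl_hits(text):
    """Return {acl_name: [(rule_text, hit_count), ...]} in rule order."""
    acls, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = acls.setdefault(header.group(1), [])
            continue
        entry = ENTRY.match(line)
        if entry and current is not None:
            current.append((entry.group(1), int(entry.group(2) or 0)))
    return acls

def host_hits(entries, host):
    """Sum the hit counters of entries that name `host` explicitly."""
    pattern = re.compile(rf"\bhost {re.escape(host)}\b")
    return sum(count for rule, count in entries if pattern.search(rule))

def diagnose(text, host, out_acl="101", in_acl="102"):
    """Apply the thread's reasoning: (verdict, egress_hits, ingress_hits)."""
    acls = parse_acl_hits(text)
    sent = host_hits(acls.get(out_acl, []), host)
    returned = host_hits(acls.get(in_acl, []), host)
    if sent == 0:
        verdict = "no-egress"      # traffic never left: look at the router
    elif returned == 0:
        verdict = "no-return"      # left but nothing came back: look upstream
    else:
        verdict = "bidirectional"  # both directions seen on the interface
    return verdict, sent, returned

if __name__ == "__main__":
    print(diagnose(SAMPLE, "75.140.236.211"))
```

The trailing `permit ip any any` entry in each list keeps the implicit deny at the end of an ACL from dropping traffic while the counters are being read.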

Ok, there are several matches on the outgoing interface, but none on the incoming interface.

But my question here, is what are we learning from this that we did not already know? So far as I can tell - the router is the issue - not their equipment.

The address gets translated, but never forwarded so far as I can tell.

 

I will set up a PC shortly, to mimic the router (with the same IPs on the main interface) and see what happens there.

 

EDIT: I'll be damned - you are correct. I am not sure what their equipment is doing, but my PC responds exactly as it should.

Ok, there are several matches on the outgoing interface, but none on the incoming interface.

Can you be specific as to exactly what you see ie. are you saying in acl 101 you see hits for the first line, the one with the host IP address as the source ?

If so are you also saying for acl 102 you do not see any hits in the first line ?

If so what we have learnt is your router is working as far as I can see.

We already know it is doing the NAT from the translation tables and now we know the router is also forwarding the traffic to the ISP device.

We don't know where the traffic is failing but we know traffic isn't getting back to your router.

If the acls are not showing what I described above can you clarify ?

Jon

Ok, it doesn't show any details, just the number of hits - and yes, zero hits on the return interface, with 100+ on the outgoing interface.

 

I did manage to prove the router is working though - by using a PC with the gateway address and testing connectivity to it using all the addresses in use (210-214). I am troubleshooting the gateway now.

 

I appreciate your help!
