
Cisco issues

biggs2003

I'm having an issue with this config. Trying to make a border router config with this.

Hardware:
Cisco 2621 router

Connection:
Wireless ISP connection (DHCP, MAC address required)

Problem:
Can't get traffic from inside NAT to outside NAT. DHCP works, but can't ping outside network from internal network. Can ping core router of ISP, but nothing else. Thinking it's a NAT/route issue, but don't know enough to say what it is. HELP!

config file:

Code:
show ver
Cisco Internetwork Operating System Software 
IOS (tm) C2600 Software (C2600-BINO3S3-M), Version 12.2(15)T,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 11-Mar-03 14:16 by ccai
Image text-base: 0x80008098, data-base: 0x8180C4FC

ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)

Router uptime is 1 hour, 32 minutes
System returned to ROM by power-on
System image file is "flash:c2600-bino3s3-mz.122-15.T.bin"

cisco 2621 (MPC860) processor (revision 0x00) with 60416K/5120K bytes of memory.
Processor board ID JAD07020GMK (3144114430)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102

Router#show run
Building configuration...

Current configuration : 1596 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
logging queue-limit 100
enable secret 5 $1$7z1C$voBjmB3wbEvgJFB7H1hVv0
enable password password
!
clock timezone CST -6
no ip subnet-zero
!
!
ip domain name helloworld.local
!
ip dhcp pool home_lan
   network 172.16.0.0 255.255.252.0
   default-router 172.16.0.1 
   dns-server 4.2.2.2 
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination 
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
 description Outside interface
 mac-address 000f.66d2.3926
 ip address dhcp
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 no ip mroute-cache
 shutdown
!
interface FastEthernet0/1
 description Internal interface
 ip address 172.16.0.1 255.255.252.0
 ip nat inside
 no ip mroute-cache
 duplex auto
 speed auto
 no mop enabled
!
router eigrp 1
 network 172.16.0.0
 network 209.103.0.0
 auto-summary
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip http server
ip classless
!
!
!
access-list 1 permit 172.16.0.0 0.0.3.255
access-list 1 deny   any log
access-list 100 remark Inside Source Address for NAT Translation
access-list 100 permit ip 172.16.0.0 0.0.3.255 any
!
snmp-server community public RO
snmp-server enable traps tty
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password password
 login
!
!
end

Router#
 
Code:
Router#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

Router#show ip nat tr
Router#show ip nat translations

Router#
 
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

Edit: Damn I've been beat.

Also, not that it matters, but why 2 access lists? They almost do the same thing. I would have left access list 1 there to take care of all of your NAT stuff.
 
still have the same issue

Code:
Router#
Router#show ip nat sta
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet0/0
Inside interfaces:
  FastEthernet0/1
Hits: 409  Misses: 12
Expired translations: 12
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 100 interface FastEthernet0/0 refcount 0
Router#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

Router#
 
> ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
>
> Edit: Damn I've been beat.
>
> Also, not that it matters, but why 2 access lists? They almost do the same thing. I would have left access list 1 there to take care of all of your NAT stuff.

Doing this is bad: your router assumes all destinations are directly connected, so it sends out unneeded ARP requests for everything.

He's only using ACL 100, so maybe ACL 1 is for something else.
 
> Doing this is bad: your router assumes all destinations are directly connected, so it sends out unneeded ARP requests for everything.

While I agree with you 100%, I've found it easier: in case your ISP likes to change your DHCP lease often, you don't have to keep changing your default route.
 
^You shouldn't include it at all.

Also, there is no need to manually enter a static route; the DHCP client on the router will enter one for you automatically. The tricky part is that this automatic route will have an administrative distance of 254, so any other more specific or lower distance routes will override it and you'll have WAN connectivity problems.

Cheers
 
> While I agree with you 100%, I've found it easier: in case your ISP likes to change your DHCP lease often, you don't have to keep changing your default route.

You don't have to enter a default route when using DHCP, it is set for you. Pointing a default out a static is stupid in most cases.
 
Must be getting an IP if he can ping his ISP.

Try "ip route 0.0.0.0 0.0.0.0 dhcp"

I don't know how he's pinging anything with an empty routing table... Also, your command shouldn't be necessary.

Hey OP, how about posting the output of "sh ip int b" like I asked.
 
show ip int b

Code:
Router#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.0.1      YES manual up                    down
FastEthernet0/1            209.103.235.139 YES manual up                    down
Serial0/0                  unassigned      YES unset  administratively down down
Virtual-Access1            unassigned      YES unset  up                    up
Router#
Latest running config

Code:
show run
Building configuration...

Current configuration : 1454 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging queue-limit 100
enable password 7 04591805072049480C0B
!
ip subnet-zero
!
!
no ip domain lookup
!
ip dhcp pool home_lan
   network 172.16.0.0 255.255.252.0
   default-router 172.16.0.1 
   dns-server 4.2.2.2 
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination 
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
 description connected to Cisco1548
 ip address 172.16.0.1 255.255.252.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 description connected to Internet
 mac-address 000f.66d2.3926
 ip address 209.103.235.139 255.255.0.0
 ip nat outside
 duplex auto
 speed auto
!
router rip
 version 2
 passive-interface FastEthernet0/1
 network 172.16.0.0
 no auto-summary
!
ip nat inside source list 1 interface FastEthernet0/1 overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
!
access-list 1 permit 172.16.0.0 0.0.3.255
!
snmp-server community public RO
snmp-server enable traps tty
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
 exec-timeout 0 0
 password 7 0204175803070A27495C
 login
line aux 0
line vty 0 4
 password 7 1415010804052F2D213A
 login
!
!
end

Router#
Router#
 
You need to make up your mind on a config before asking for help. Changing it around every 12 hours isn't helping the troubleshooting process...

Additionally, you just posted a level 7 password for anyone to see and that can be cracked in about half a second. I'd do two things, A. Edit your post and get rid of it, and B. Start using "enable secret" instead of "enable password"
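
A pre-posting check in the spirit of the advice above, as an added example that is not part of the original post: it redacts the credential lines that appear in this thread's configs (`enable secret`, `enable password`, line `password`, SNMP community), tolerates `--More--` pager residue, and lists the weak ones. The function name `sanitize`, the rule set and the sample config are assumptions constructed for illustration.

```python
import re

REDACTED = "<removed>"
PAGER = re.compile(r"^\s*--More--\s*")  # terminal pager residue in pasted output

# (pattern with the secret as group 2, finding text or None to redact silently).
# Covers only the credential forms that appear in this thread's configs.
SECRET_RULES = [
    (re.compile(r"^(\s*enable secret \d+ )(\S+)"), None),
    (re.compile(r"^(\s*enable password (?:\d+ )?)(\S+)"),
     "enable password set; use enable secret instead"),
    (re.compile(r"^(\s*password (?:\d+ )?)(\S+)"),
     "line password is cleartext or reversible type 7"),
    (re.compile(r"^(\s*snmp-server community )(\S+)"),
     "SNMP community string in config"),
]

def sanitize(config):
    """Return (redacted_text, findings) for a pasted IOS running-config."""
    out, findings = [], []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = PAGER.sub("", raw)  # pager text would otherwise hide the keyword
        for pattern, finding in SECRET_RULES:
            m = pattern.match(line)
            if m:
                # Keep the keyword and anything after the secret (e.g. "RO").
                line = m.group(1) + REDACTED + line[m.end(2):]
                if finding:
                    findings.append((lineno, finding))
                break
        out.append(line)
    return "\n".join(out), findings

# Constructed sample in the shape of the thread's config; values are placeholders.
SAMPLE = """\
enable secret 5 $1$EXAMPLE$placeholderhashvalue000
enable password ExamplePass1
snmp-server community examplecomm RO
line con 0
 --More--          password 7 00000000000000000000
 login
line vty 0 4
 password ExamplePass2
"""

if __name__ == "__main__":
    text, findings = sanitize(SAMPLE)
    print(text)
    for lineno, finding in findings:
        print(f"line {lineno}: {finding}")
```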
 
Enter in:

no ip route 0.0.0.0 0.0.0.0 FastEthernet0/1

See if that helps.

> Additionally, you just posted a level 7 password for anyone to see and that can be cracked in about half a second. I'd do two things, A. Edit your post and get rid of it, and B. Start using "enable secret" instead of "enable password"


Will be rolling the password after the install. Thanks for the concern though.
 
So now you're using a static IP with a /16 mask? That's definitely not right. Do you have anyone you can get to help you?
 
> So now you're using a static IP with a /16 mask? That's definitely not right. Do you have anyone you can get to help you?

I know that's my IP given from my ISP. Hasn't rolled in years. I think I fat-fingered that subnet mask; supposed to be /24, I think.

I called my ISP to ask for help and they said they didn't know Cisco configs well. I'm kind of stuck...
 
I doubt your ISP is giving you a /24 unless you're paying a good amount per month.

Your config is totally effed at this point. Just start over. Post your (exact) IP information for both inside and outside interfaces and I'll give you a basic config to start from.
 
> I doubt your ISP is giving you a /24 unless you're paying a good amount per month.
>
> Your config is totally effed at this point. Just start over. Post your (exact) IP information for both inside and outside interfaces and I'll give you a basic config to start from.

Here's what my Smoothwall (trying to move away from it) conf is.

Code:
eth1 (Red)
IP Address:   209.103.235.139     Broadcast  209.103.235.255
Netmask       255.255.255.0       MTU        1500
MAC Address   00:0F:66:D2:39:26   Status     UP

Inside I want a 172.16.0.0 255.255.252.0 network with a DHCP server. Outside needs the MAC cloning to make it work with my ISP.

Here's my current routing table (DHCP made this, I didn't)
Code:
Destination 	Gateway 	Genmask 	Flags 	Metric 	Ref 	Use 	Interface
209.103.235.0 	0.0.0.0 	255.255.255.0 	U 	0 	0 	0 	Red
192.168.0.0 	0.0.0.0 	255.255.255.0 	U 	0 	0 	0 	Green
0.0.0.0 	209.103.235.1 	0.0.0.0 	UG 	0 	0 	0 	Red

You can see now that I'm on a 192.168 network that I want to migrate away from. Is that everything you need?
 
Here's a basic config:

Code:
!
ip dhcp pool home_lan
   network 172.16.0.0 255.255.255.0
   default-router 172.16.0.1 
   dns-server 4.2.2.2 
!
!
interface FastEthernet0/0
 description connected to Cisco1548
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
!
interface FastEthernet0/1
 description connected to Internet
 mac-address 000f.66d2.3926
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
!
ip access-list extended NAT
 permit ip 172.16.0.0 0.0.0.255 any
!
!
ip nat inside source list NAT interface Fa0/1 overload
!

Get rid of all your other stuff and just use that. Then do "sh ip int b" and see if you're getting an IP from your provider. If not, there are issues beyond your config.
 