iram (Guest)
Posted: Mon Dec 13, 2004 9:34 am
Post subject: NAT On a Stick 2516 config difficulties

Hello,
I'm hoping someone can help me with a configuration problem that I'm
having on a Cisco 2516 router. This router has 1 Ethernet port, 14 hub
ports, a couple of serial interfaces, and a BRI interface. The problem
that I'm having is with setting up the so-called 'NAT on a Stick'. I read
about this at:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
I recognize that the 2516 router is probably not the best choice for my
setup, but I'm trying to learn Cisco routers and this is all I have, so
I have to make do. My setup is a bit different from the one
described in the guide. I have the Cisco router connected directly
to a DSL modem. I have static IPs 216.231.59.199 and 216.231.59.200,
and I can get a couple more if I need to. My default gateway is
216.231.59.1.
According to the guide, I need to set up a loopback interface and use
policy routing to set up my NAT. I thought I had configured this
correctly, but my NAT is not working. (Configuration at the end below.)
Here is what I'm up against: if I am on the Cisco router, I can ping
addresses in the 192.168.1.0 and 192.168.2.0 subnets. I can also ping
the 216.231.59.200 address, which I assigned to the Ethernet 0
interface, and 216.231.59.1, which is my gateway. However, when I try
pinging from a host computer with address 192.168.1.99, I can't reach
the gateway. All other pings work fine. What am I missing, or what am
I doing wrong?
I enabled NAT debugging with:
debug ip nat detailed
I get the following results when pinging from my host:
PING 192.168.1.1
00:56:55: NAT: o: icmp (192.168.1.1, 512) -> (192.168.1.99, 512) [3540]
00:56:56: NAT: o: icmp (192.168.1.1, 512) -> (192.168.1.99, 512) [3541]
00:56:57: NAT: o: icmp (192.168.1.1, 512) -> (192.168.1.99, 512) [3542]
00:57:06: NAT: i: icmp (192.168.1.99, 512) -> (192.168.2.1, 512) [3543]
PING 192.168.2.1
00:57:06: NAT: address not stolen for 192.168.1.99, proto 1 port 512
00:57:06: NAT: installing alias for address 216.231.59.199
00:57:06: NAT: ipnat_allocate_port: wanted 512 got 512
00:57:06: NAT: o: icmp (192.168.2.1, 512) -> (216.231.59.199, 512) [3543]
00:57:07: NAT: i: icmp (192.168.1.99, 512) -> (192.168.2.1, 512) [3544]
00:57:07: NAT: o: icmp (192.168.2.1, 512) -> (216.231.59.199, 512) [3544]
00:57:08: NAT: i: icmp (192.168.1.99, 512) -> (192.168.2.1, 512) [3545]
00:57:08: NAT: o: icmp (192.168.2.1, 512) -> (216.231.59.199, 512) [3545]
00:57:09: NAT: i: icmp (192.168.1.99, 512) -> (192.168.2.1, 512) [3546]
00:57:09: NAT: o: icmp (192.168.2.1, 512) -> (216.231.59.199, 512) [3546]
PING 216.231.59.1
Nothing
PING 216.231.59.200
00:58:28: NAT: o: tcp (216.231.59.200, 135) -> (70.56.186.106, 4245) [284]
00:58:28: NAT: o: tcp (216.231.59.200, 135) -> (70.56.186.106, 4245) [285]
00:58:29: NAT: o: tcp (216.231.59.200, 135) -> (70.56.186.106, 4245) [286]
00:59:03: NAT: o: icmp (216.231.59.200, 512) -> (192.168.1.99, 512) [3568]
00:59:04: NAT: o: icmp (216.231.59.200, 512) -> (192.168.1.99, 512) [3569]
00:59:05: NAT: o: icmp (216.231.59.200, 512) -> (192.168.1.99, 512) [3570]
00:59:06: NAT: o: icmp (216.231.59.200, 512) -> (192.168.1.99, 512) [3571]
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
!
ip subnet-zero
ip name-server 66.93.87.2
ip name-server 216.231.41.2
!
!
!
hub ether 0 1
link-test
auto-polarity
!
hub ether 0 2
link-test
auto-polarity
!
hub ether 0 3
link-test
auto-polarity
!
hub ether 0 4
link-test
auto-polarity
!
hub ether 0 5
link-test
auto-polarity
!
hub ether 0 6
link-test
auto-polarity
!
hub ether 0 7
link-test
auto-polarity
!
hub ether 0 8
link-test
auto-polarity
!
hub ether 0 9
link-test
auto-polarity
!
hub ether 0 10
link-test
auto-polarity
!
hub ether 0 11
link-test
auto-polarity
!
hub ether 0 12
link-test
auto-polarity
!
hub ether 0 13
link-test
auto-polarity
!
hub ether 0 14
link-test
auto-polarity
!
interface Loopback0
ip address 192.168.2.1 255.255.255.252
no ip directed-broadcast
ip nat outside
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0 secondary
ip address 216.231.59.200 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
interface BRI0
no ip address
no ip directed-broadcast
shutdown
!
ip nat pool external 216.231.59.199 216.231.59.199 netmask 255.255.255.0
ip nat inside source list 10 pool external overload
ip classless
ip route 0.0.0.0 0.0.0.0 216.231.59.1
ip route 216.231.59.0 255.255.255.0 Ethernet0
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 102 permit ip any 216.231.59.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
route-map nat-loop permit 10
match ip address 102
set ip next-hop 192.168.2.1
!
!
line con 0
transport input none
line aux 0
line vty 0 4
!
end

PES (Guest)
Posted: Mon Dec 13, 2004 3:50 pm
Post subject: Re: NAT On a Stick 2516 config difficulties

iram wrote:
> Hello,
> I'm hoping someone can help me with a configuration problem that I'm
> having on a Cisco 2516 router. This router has 1 Ethernet port, 14 hub
> ports, a couple of serial interfaces, and a BRI interface. The problem
> that I'm having is with setting up the so-called 'NAT on a Stick'. I read
> about this at:
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
> I recognize that the 2516 router is probably not the best choice for my
> setup, but I'm trying to learn Cisco routers and this is all I have, so
> I have to make do. My setup is a bit different from the one
> described in the guide. I have the Cisco router connected directly
> to a DSL modem. I have static IPs 216.231.59.199 and 216.231.59.200,
> and I can get a couple more if I need to. My default gateway is
> 216.231.59.1.
> According to the guide, I need to set up a loopback interface and use
> policy routing to set up my NAT. I thought I had configured this
> correctly, but my NAT is not working. (Configuration at the end below.)
> Here is what I'm up against: if I am on the Cisco router, I can ping
> addresses in the 192.168.1.0 and 192.168.2.0 subnets. I can also ping
> the 216.231.59.200 address, which I assigned to the Ethernet 0
> interface, and 216.231.59.1, which is my gateway. However, when I try
> pinging from a host computer with address 192.168.1.99, I can't reach
> the gateway. All other pings work fine. What am I missing, or what am
> I doing wrong?
> I enabled NAT debugging with:
> debug ip nat detailed
> I get the following results when pinging from my host:
> PING 192.168.1.1
> 00:56:55: NAT: o: icmp (192.168.1.1, 512) -> (192.168.1.99, 512) [3540]
> 00:56:56: NAT: o: icmp (192.168.1.1, 512) -> (192.168.1.99, 512) [3541]
> 00:56:57: NAT: o: icmp (192.168.1.1, 512) -> (192.168.1.99, 512) [3542]
> 00:57:06: NAT: i: icmp (192.168.1.99, 512) -> (192.168.2.1, 512) [3543]
> PING 192.168.2.1
> 00:57:06: NAT: address not stolen for 192.168.1.99, proto 1 port 512
> 00:57:06: NAT: installing alias for address 216.231.59.199
> 00:57:06: NAT: ipnat_allocate_port: wanted 512 got 512
> 00:57:06: NAT: o: icmp (192.168.2.1, 512) -> (216.231.59.199, 512) [3543]
> 00:57:07: NAT: i: icmp (192.168.1.99, 512) -> (192.168.2.1, 512) [3544]
> 00:57:07: NAT: o: icmp (192.168.2.1, 512) -> (216.231.59.199, 512) [3544]
> 00:57:08: NAT: i: icmp (192.168.1.99, 512) -> (192.168.2.1, 512) [3545]
> 00:57:08: NAT: o: icmp (192.168.2.1, 512) -> (216.231.59.199, 512) [3545]
> 00:57:09: NAT: i: icmp (192.168.1.99, 512) -> (192.168.2.1, 512) [3546]
> 00:57:09: NAT: o: icmp (192.168.2.1, 512) -> (216.231.59.199, 512) [3546]
> PING 216.231.59.1
> Nothing
> PING 216.231.59.200
> 00:58:28: NAT: o: tcp (216.231.59.200, 135) -> (70.56.186.106, 4245) [284]
> 00:58:28: NAT: o: tcp (216.231.59.200, 135) -> (70.56.186.106, 4245) [285]
> 00:58:29: NAT: o: tcp (216.231.59.200, 135) -> (70.56.186.106, 4245) [286]
> 00:59:03: NAT: o: icmp (216.231.59.200, 512) -> (192.168.1.99, 512) [3568]
> 00:59:04: NAT: o: icmp (216.231.59.200, 512) -> (192.168.1.99, 512) [3569]
> 00:59:05: NAT: o: icmp (216.231.59.200, 512) -> (192.168.1.99, 512) [3570]
> 00:59:06: NAT: o: icmp (216.231.59.200, 512) -> (192.168.1.99, 512) [3571]

To really test this, you should ping something outside, not something in
the pool or the interfaces themselves.

> !
> version 12.0
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname Router
> !
> !
> ip subnet-zero
> ip name-server 66.93.87.2
> ip name-server 216.231.41.2
> !
> !
> !
> hub ether 0 1
> link-test
> auto-polarity
> !
> hub ether 0 2
> link-test
> auto-polarity
> !
> hub ether 0 3
> link-test
> auto-polarity
> !
> hub ether 0 4
> link-test
> auto-polarity
> !
> hub ether 0 5
> link-test
> auto-polarity
> !
> hub ether 0 6
> link-test
> auto-polarity
> !
> hub ether 0 7
> link-test
> auto-polarity
> !
> hub ether 0 8
> link-test
> auto-polarity
> !
> hub ether 0 9
> link-test
> auto-polarity
> !
> hub ether 0 10
> link-test
> auto-polarity
> !
> hub ether 0 11
> link-test
> auto-polarity
> !
> hub ether 0 12
> link-test
> auto-polarity
> !
> hub ether 0 13
> link-test
> auto-polarity
> !
> hub ether 0 14
> link-test
> auto-polarity
> !
> interface Loopback0
> ip address 192.168.2.1 255.255.255.252
> no ip directed-broadcast
> ip nat outside
> !
> interface Ethernet0
> ip address 192.168.1.1 255.255.255.0 secondary
> ip address 216.231.59.200 255.255.255.0
> no ip directed-broadcast
> ip nat inside

ip policy route-map nat-loop

Also, in their example, they list the public IP as the secondary;
however, it should work the way you have it.

> !
> interface Serial0
> no ip address
> no ip directed-broadcast
> no ip mroute-cache
> shutdown
> !
> interface Serial1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface BRI0
> no ip address
> no ip directed-broadcast
> shutdown
> !
> ip nat pool external 216.231.59.199 216.231.59.199 netmask 255.255.255.0
> ip nat inside source list 10 pool external overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 216.231.59.1
> ip route 216.231.59.0 255.255.255.0 Ethernet0

You don't need the route to 216.231.59.0; it is directly connected.

> !
> access-list 10 permit 192.168.1.0 0.0.0.255
> access-list 102 permit ip any 216.231.59.0 0.0.0.255
> access-list 102 permit ip 192.168.1.0 0.0.0.255 any
> route-map nat-loop permit 10
> match ip address 102
> set ip next-hop 192.168.2.1

The next hop should be set to a valid IP out the loopback, not the IP
itself. Set the next hop to 192.168.2.1. You may want to negate this
command first. Otherwise, it may set a redundant next hop.

> !
> !
> line con 0
> transport input none
> line aux 0
> line vty 0 4
> !
> end

--
-------------------------
Paul Stewart
Lexnet Inc.
Email address is in ROT13

iram (Guest)
Posted: Wed Dec 15, 2004 4:25 am
Post subject: Re: NAT On a Stick 2516 config difficulties

Thanks for the help. I'm still having trouble, but I have fixed some
boneheaded things. See below for comments and additional info at the
bottom.
PES wrote:
> iram wrote:
> > Hello,
> > I'm hoping someone can help me with a configuration problem that
> > I'm
<SNIP>
> To really test this, you should ping something outside, not something
> in the pool or the interfaces themselves.

Yeah, I've been pinging from a host and from the router itself.
<SNIP>
> interface Ethernet0
> ip address 192.168.1.1 255.255.255.0 secondary
> ip address 216.231.59.200 255.255.255.0
> no ip directed-broadcast
> ip nat inside
> ip policy route-map nat-loop

Whoops, missed that one. Pretty important.

> Also, in their example, they list the public IP as the secondary;
> however, it should work the way you have it.

Well, the strange part is that if I reverse them, then pings stop
working.
<SNIP>
> ip route 0.0.0.0 0.0.0.0 216.231.59.1
> ip route 216.231.59.0 255.255.255.0 Ethernet0
> You don't need the route to 216.231.59.0; it is directly connected.

I removed the route and things work fine. I left it out.
> !
> access-list 10 permit 192.168.1.0 0.0.0.255
> access-list 102 permit ip any 216.231.59.0 0.0.0.255
> access-list 102 permit ip 192.168.1.0 0.0.0.255 any
> route-map nat-loop permit 10
> match ip address 102
> set ip next-hop 192.168.2.1
> The next hop should be set to a valid IP out the loopback, not the IP
> itself. Set the next hop to 192.168.2.1. You may want to negate this
> command first. Otherwise, it may set a redundant next hop.

In reading the comment above, I think you meant 'set the next hop to
192.168.2.2' or something like that. I went ahead and did that, but
nothing worked. Then I tried 'set interface loopback 0', which is
supposed to be equivalent, but that still doesn't work. For kicks, I
changed my loopback netmask from 255.255.255.252 to 255.255.255.0. Same
thing. Not working.
<SNIP>
> --
> -------------------------
> Paul Stewart
> Lexnet Inc.
> Email address is in ROT13

OK, so the configuration commands I'm using now are at the bottom of
this message. I have also turned on debugging with:
debug ip nat
debug ip policy
debug ip packet 177 detail
When I ping from my host (192.168.1.99) to 192.168.1.1, 192.168.2.1, or
216.231.59.200, things work as expected. However, when I ping
216.231.59.1 (the default gateway at my ISP) it doesn't work, and I
generate the following debug messages:
00:31:36: IP: s=192.168.1.99 (Ethernet0), d=216.231.59.1, len 60, policy match
00:31:36: IP: route map nat-loop, item 10, permit
00:31:36: IP: s=192.168.1.99 (Ethernet0), d=216.231.59.1 (Loopback0), len 60, policy routed
00:31:36: IP: Ethernet0 to Loopback0 216.231.59.1
00:31:36: NAT: s=192.168.1.99->216.231.59.199, d=216.231.59.1 [27543]
00:31:36: IP: s=216.231.59.199 (Ethernet0), d=216.231.59.1 (Loopback0), g=216.231.59.1, len 60, forward
00:31:36: IP: s=216.231.59.199 (Loopback0), d=216.231.59.1 (Ethernet0), g=216.231.59.1, len 60, forward
00:31:36: IP: s=216.231.59.1 (Ethernet0), d=216.231.59.199 (Ethernet0), len 60, rcvd 3
I'm not sure what's going on. It seems NAT is working, and the policy
is being matched and routed. Oh, I'm so close...
--Config Commands--
ip name-server 66.93.87.2
ip name-server 216.231.41.2
interface Ethernet0
ip address 216.231.59.200 255.255.255.0
ip address 192.168.1.1 255.255.255.0 secondary
ip nat inside
ip policy route-map nat-loop
no shutdown
interface Loopback0
ip address 192.168.2.1 255.255.255.0
ip nat outside
ip nat pool external 216.231.59.199 216.231.59.199 netmask 255.255.255.0
ip nat inside source list 10 pool external overload
ip classless
ip route 0.0.0.0 0.0.0.0 216.231.59.1
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 102 permit ip any 216.231.59.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 177 permit icmp any any
route-map nat-loop permit 10
match ip address 102
set interface loopback 0
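An added example, not part of the thread and not Cisco's code: a small Python audit of the combined `debug ip nat` / `debug ip policy` / `debug ip packet` trace iram posted, embedded below as constructed sample input. It pairs each `NAT: s=a->b, d=c` source translation with the reverse `NAT: s=c, d=b->a` translation that a healthy reply produces, and flags a reply to the global address that the router consumed itself (`rcvd`) without a reverse translation ever being logged, which is exactly what the last line of the trace above shows.

```python
import re

# Constructed sample input: the trace iram posted for a ping from 192.168.1.99 to
# 216.231.59.1 (debug ip nat + debug ip policy + debug ip packet 177 detail).
TRACE = """\
00:31:36: IP: s=192.168.1.99 (Ethernet0), d=216.231.59.1, len 60, policy match
00:31:36: IP: route map nat-loop, item 10, permit
00:31:36: IP: s=192.168.1.99 (Ethernet0), d=216.231.59.1 (Loopback0), len 60, policy routed
00:31:36: IP: Ethernet0 to Loopback0 216.231.59.1
00:31:36: NAT: s=192.168.1.99->216.231.59.199, d=216.231.59.1 [27543]
00:31:36: IP: s=216.231.59.199 (Ethernet0), d=216.231.59.1 (Loopback0), g=216.231.59.1, len 60, forward
00:31:36: IP: s=216.231.59.199 (Loopback0), d=216.231.59.1 (Ethernet0), g=216.231.59.1, len 60, forward
00:31:36: IP: s=216.231.59.1 (Ethernet0), d=216.231.59.199 (Ethernet0), len 60, rcvd 3
""".splitlines()

# debug ip nat: inside->outside source translation, and the reverse translation of the reply
NAT_OUT = re.compile(r"NAT\*?: s=(\S+)->(\S+), d=(\S+) \[\d+\]")
NAT_BACK = re.compile(r"NAT\*?: s=(\S+), d=(\S+)->(\S+) \[\d+\]")
# debug ip packet: src/dst with optional interface, optional gateway, then the action taken
PKT = re.compile(r"IP: s=(\S+?)(?: \((\w+)\))?, d=(\S+?)(?: \((\w+)\))?,(?: g=\S+,)? len \d+, (.+)$")

def audit(lines):
    """Pair each outbound translation with its reverse; report replies never translated back."""
    pending = {}   # (global_ip, remote_ip) -> inside_ip still waiting for a reverse translation
    findings = []
    for line in lines:
        m = NAT_OUT.search(line)
        if m:
            inside, global_ip, remote = m.groups()
            pending[(global_ip, remote)] = inside
            continue
        m = NAT_BACK.search(line)
        if m:
            remote, global_ip, inside = m.groups()
            pending.pop((global_ip, remote), None)   # reply translated back: healthy
            continue
        m = PKT.search(line)
        if m:
            src, in_if, dst, _out_if, action = m.groups()
            # A reply to the global address that the router keeps for itself ("rcvd")
            # instead of logging a reverse translation is the symptom in the thread.
            if (dst, src) in pending and action.startswith("rcvd"):
                findings.append(f"reply {src}->{dst} arrived on {in_if} and was consumed "
                                f"locally ({action}); no reverse NAT back to {pending[(dst, src)]}")
    return findings

if __name__ == "__main__":
    for finding in audit(TRACE):
        print(finding)
```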