I hope someone can help. I have inherited a network with a business
class Cable connection and a Cisco 2960G switch. Between the Cable
modem and the switch is a netgear wireless router. The network has 25
hardwired connections and 2 wireless access points. The problem is
that the Netgear router is being overloaded and dropping the internet
connection. I have purchased a Cisco 2621 router to replace the
netgear as the router. I have configured the Router with a static
address for ethernet port 0/0 of 192.168.1.1 (the address of the
internal network) and have set ethernet port 0/1 to receive its
address from DHCP (from the cable modem). My problem is that I can
not get out from any of the computers on the network. I can ping from
the router and do a traceroute, but can't figure out how to connect
the 2 lan ports. I have been reading a lot about the router and its
configuration and can not find the piece that explains how to set up
routing between the 2 lan ports. Do I need to use NAT on both ports
one pointing in and one pointing out? Or do I need to set a static
route between the ports? Or do I need a combination of the 2 options?
Thank you for any assistance.
Daryl
Most likely you will need NAT in your config. You could post some of
your config and let us look at it? From the router can you ping to the
internet?
Re-reading the post, it looks like the router is getting an IP from the
cable service so most likely is a NAT issue. Do you also have any route
statement configured?
Do your internal users have IP configurations?
Your internal computers were probably obtaining their IP addresses / gateway
information from the Netgear router, which you have replaced.
You will need to look into configuring your new Cisco as a DHCP server
so your internal users can obtain what they need.
Once the above is verified, you will need to NAT your inside interface to
your outside interface.
The network has it own DHCP and DNS server on it. All the clients
receive their address from it. The netgear is just a router at this
point. What I am hoping to accomplish is, Keep the internal network
as it is and use the 2621 and its 2 LAN ports to allow the clients to
connect to the internet.
I have been trying to figure out how to set the routing between the 2
ports on the 2621 so it passes internet traffic from the outside world
to my internal network. Below is a show ip interface output. I don't
know if this will help.
Library#show ip interface
FastEthernet0/0 is up, line protocol is down
Internet address is 192.168.1.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.1 224.0.0.2 224.0.0.9
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is enabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Serial0/0 is administratively down, line protocol is down
Internet protocol processing disabled
FastEthernet0/1 is up, line protocol is down
Internet address will be negotiated using DHCP
Broadcast address is 255.255.255.255
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Hope this gives some view into how I have tried to set it up and where I
have messed up.
Thanks
Daryl
Your "line protocol is down" indicates the Ethernets are not terminated
correctly.
Are there hubs / switches involved? You may have the wrong cable type
(crossover vs straight through issues).
Also, it would help to see a "show run" output.
The setup goes from a comcast cable modem to the cisco 2621 router
then to a 2960G 48 port switch. I will get a Show run and post this
morning. Right now I have a straight thru cable from the modem to the
router and a straight thru to the switch.
Comcast Modem                    Cisco 2621                    Cisco 2060G 48
   ___        Straight thru      _________     Straight thru    ___________
  |   | ----------------------- |         | ------------------ |           | ------------- Inside Network
   ---          Port 0/1         ---------        Port 0/0       -----------
Sorry for the lame artwork, but this is the basic setup I have put
together. I have had a netgear router in place of the Cisco for
several weeks now and it has functioned, not reliably, but functioned.
Thanks for all the help.
Daryl
OK here is a SHOW RUN.
Library#show run
Building configuration...
Current configuration : 917 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Library
!
enable secret 5 $1$H2KO$nJxIjx6nLnkvtEvvIPi/c0
enable password T0rnad0
!
ip subnet-zero
!
!
!
ip dhcp-client network-discovery informs 2 discovers 0
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat outside
ip irdp
speed auto
full-duplex
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
ip address dhcp
ip route-cache same-interface
speed auto
full-duplex
!
router rip
network 192.168.1.0
!
ip classless
ip default-network 192.168.1.0
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list dynamic-extended
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
line aux 0
line vty 0 4
password T0rnad0
login
!
end
Hope this gives some more information.
Daryl
>OK here is a SHOW RUN.
>interface FastEthernet0/0
> ip address 192.168.1.1 255.255.255.0
> ip nat outside
This is the only "ip nat xxxside" - Statement.
They mostly come in pairs: Inside-Outside.
In my opinion, *this* interface points to your INside?!
> ip irdp
> speed auto
> full-duplex
>interface FastEthernet0/1
> ip address dhcp
and this will be the OUTside?
> ip route-cache same-interface
> speed auto
> full-duplex
> password T0rnad0
I would change this word...
perhaps to 'hurr1ca3' :-)
And I'd miss some 'nat pool' statement as well?
Greetings, Holger
OK, I have redone the setup of the router. I have ethernet0/0 as my
link to the Cable modem getting its address from DHCP and having NAT
pointing inside. And ethernet0/1 is my internal port with a static
address with NAT pointing out. Does that seem correct? I am going to
work this thru and make sure it is correct. Need to learn how to set
this stuff up correctly. Any help is greatly appreciated.
Building configuration...
Current configuration : 708 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Library
!
enable secret 5 $1$aVwD$IZlEoK1HBuf8xmlHqUzcw.
enable password ********
!
ip subnet-zero
no ip routing
!
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat inside
no ip route-cache
no ip mroute-cache
shutdown
duplex auto
speed auto
!
interface Serial0/0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat outside
no ip route-cache
no ip mroute-cache
speed auto
full-duplex
!
ip classless
ip http server
!
!
line con 0
line aux 0
line vty 0 4
password ********
login
!
end
And "hurr1ca3" will be a good one to remember in the future :-)
> !
> ip subnet-zero
> no ip routing
You need a routing protocol.
you still do not have any NAT statement
http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080093fd2.shtml
ip nat inside source list 101 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
no ip http server
!
access-list 101 permit ip 192.168.1.0 0.255.255.255 any
Building configuration...
Current configuration : 788 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Library
!
enable secret 5 $1$aVwD$IZlEoK1HBuf8xmlHqUzcw.
enable password
!
ip subnet-zero
!
!
!
!
!
!
interface FastEthernet0/0
description WAN-Connection-C2621-DCHP
ip address dhcp
ip nat inside
no ip mroute-cache
shutdown
duplex auto
speed auto
!
interface Serial0/0
no ip address
no ip mroute-cache
shutdown
!
interface FastEthernet0/1
description LAN-Connection-Library-Patrons
ip address 192.168.1.1 255.255.255.0
ip nat outside
no ip mroute-cache
speed auto
full-duplex
!
ip nat pool patrons 192.168.1.2 192.168.1.254 netmask 255.255.255.0
ip classless
ip http server
!
!
line con 0
line aux 0
line vty 0 4
password
login
!
end
Still need a route statement,
Building configuration...
Current configuration : 883 bytes
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip http server
!
access-list 101 permit ip 192.0.0.0 0.255.255.255 any
Looks better..
Thank you for all your help. I won't be able to test until tomorrow
morning. Hopefully you won't hear from me again :-)
Daryl
>ok, I have redone the setup of the router. I have ethernet0/0 as my
>link to the Cable modem getting its address from DHCP and having NAT
>pointing inside.
So this interface gets " IP NAT OUTSIDE " iirc.
> And ethernet0/1 is my internal port with a static
>address with NAT pointing out.
And there goes " IP NAT INSIDE "
> Does that seem correct?
Other way! Look from the router:
cable (and Internet) is 'outside'
LAN is 'inside'
And don't miss the other mentioned "ip nat pool ..." statements...
good luck, Holger
OK, have fixed the IP NAT statements to have out going to the cable
modem and in going to the LAN. I have the NAT POOL created and the
Access list for PERMIT IP 192.*.*.* 0.255.255.255 any.
Current configuration : 935 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Library
!
enable secret 5 $1$aVwD$IZlEoK1HBuf8xmlHqUzcw.
enable password
!
ip subnet-zero
!
!
!
!
!
!
interface FastEthernet0/0
description WAN-Connection-C2621-DCHP
ip address dhcp
ip nat outside
no ip mroute-cache
shutdown
duplex auto
speed auto
!
interface Serial0/0
no ip address
no ip mroute-cache
shutdown
!
interface FastEthernet0/1
description LAN-Connection-Library-Patrons
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip mroute-cache
speed auto
full-duplex
!
ip nat pool patrons 192.168.1.2 192.168.1.254 netmask 255.255.255.0
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip http server
!
access-list 101 permit ip 192.0.0.0 0.255.255.255 any
access-list 101 permit ip 0.0.0.0 192.168.1.254 any
!
line con 0
line aux 0
line vty 0 4
password
login
!
end
Better?
>interface FastEthernet0/1
> description LAN-Connection-Library-Patrons
> ip address 192.168.1.1 255.255.255.0
> ip nat inside
> no ip mroute-cache
> speed auto
> full-duplex
>!
>ip nat pool patrons 192.168.1.2 192.168.1.254 netmask 255.255.255.0
May be correct...
>access-list 101 permit ip 192.0.0.0 0.255.255.255 any
^^^
>access-list 101 permit ip 0.0.0.0 192.168.1.254 any
^^^
>Better?
But not 'best' ?
Or does it work?
Holger
No, it doesn't. Just plugged it in and get addresses for both ports, but
no routing between them. Do I need to remove the access lists? Or did
I mess something else up?
The address for my lan side should be 192.168.1.1. It is also my
default gateway out, set by DHCP on the server. The pool of addresses
that should be allowed to send out should be everything in the
192.168.1.0 network. Did I not do that? From your question I am
assuming I didn't. If I remove access list 101 and create one that is
"permit ip 192.168.1.0 192.168.1.254" would that be correct, or should
I add to access list 101 and put in that range?
Daryl
OK, here is a "show ip interface" output. I have an address for the
ethernet port 0/0 from DHCP and a static address from my setup. But I
still can not get out to the internet from a system behind the
router. I believe it is set up to forward all traffic from the
192.168.1.0 network to ethernet port 0/0. Any ideas?
#show ip interface
FastEthernet0/0 is up, line protocol is down
Internet address is 71.237.188.162/22
Broadcast address is 255.255.255.255
Address determined by DHCP
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is enabled, interface in domain outside
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Serial0/0 is administratively down, line protocol is down
Internet protocol processing disabled
FastEthernet0/1 is up, line protocol is down
Internet address is 192.168.1.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is enabled, interface in domain inside
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Did I miss something or not set something ?
Daryl
>OK, here is a "show ip interface" output. I have an address for the
>ethernet port 0/0 from DHCP and a static address from my setup.
That's good.
But let us take a look at
show IP nat translations
>Did I miss something or not set something ?
You did not read the message from Artie(sp?):
| http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080093fd2.shtml
|
|
| ip nat inside source list 101 interface FastEthernet0/0 overload
| ip classless
| ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
| no ip http server
| !
| access-list 101 permit ip 192.168.1.0 0.255.255.255 any
Why do you have _two_ access-list?
good luck, Holger
From the router can you ping 4.2.2.2 ?
Yes I could. I can ping out from the router and do a trace route
out. I believe I have it set to route all traffic to the
Fastethernet0/0 (ip route 0.0.0.0 0.0.0.0 FastEthernet0/0). I have the
nat pool set as anything from 192.168.1.2 - 192.168.1.254. Have
Inside NAT pointing to fastethernet port 0/1 and outside pointing to
Fastethernet 0/0. Both interfaces show in the "show ip route" command
as connected. I have redone the router from scratch last night
thinking I messed something up with my playing around. Here is how it
is configured right now. It should be back to where I was yesterday
morning before I started tweaking it.
Current configuration : 873 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Library
!
enable secret 5 $1$aVwD$IZlEoK1HBuf8xmlHqUzcw.
enable password
!
ip subnet-zero
!
!
!
!
!
!
interface FastEthernet0/0
description WAN-Connection-C2621-DCHP
ip address dhcp
ip nat outside
no ip mroute-cache
duplex auto
speed auto
!
interface Serial0/0
no ip address
no ip mroute-cache
shutdown
!
interface FastEthernet0/1
description LAN-Connection-Library-Patrons
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip mroute-cache
speed auto
full-duplex
!
ip nat pool patrons 192.168.1.2 192.168.1.254 netmask 255.255.255.0
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip http server
!
access-list 103 permit ip 192.0.0.0 0.255.255.255 any
!
line con 0
line aux 0
line vty 0 4
password
login
!
end
I still can not get out to the internet from a laptop behind the
router. I can ping the outside port (Fastethernet0/0) from the laptop
and can ping the laptop from the router. I can also ping the inside
port (fastethernet0/1) from the laptop. To my limited knowledge it
sounds like I can route from fastethernet0/1 to fastethernet0/0, but
can not get beyond that point from the laptop from behind the router.
Do I need an "IP route" for fastethernet0/0?
Try this
no ip nat pool patrons 192.168.1.2 192.168.1.254 netmask 255.255.255.0
ip nat pool patrons 192.168.1.0 netmask 255.255.255.0
then issue show IP nat translations and paste results.
>!
>ip nat pool patrons 192.168.1.2 192.168.1.254 netmask 255.255.255.0
You might try a little less...
>ip classless
>ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
>ip http server
>!
>access-list 103 permit ip 192.0.0.0 0.255.255.255 any
And try this:
access-list 103 permit ip 192.168.1.0 0.255.255.255 any
^^^^^^
But: The list '103' is not referenced anymore?
just guessing, Holger
>baron1211 <res0...@verizon.net> writes:
There is your line from yesterday gone:
| ip nat inside source list 101 interface FastEthernet0/0 overload
But you have to decide on "101" or "103"..!
>just guessing, Holger
When I try to use the "ip nat pool patrons 192.168.1.0 netmask
255.255.255.0" I get
Library(config)#ip nat pool patrons 192.168.1.0 netmask 255.255.255.0
^
% Invalid input detected at '^' marker.
I have used the "?" while typing the command and it is telling me I
need an ending address.
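
An added example, not part of any post in this thread: a small Python check for the NAT mistakes the replies keep pointing at (no "ip nat inside source list ... overload" rule, an access list no rule references, a wildcard wider than the LAN). The sample config is constructed from the NAT-relevant lines of the last configuration posted above; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: NAT-relevant lines of the last running-config posted in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
ip address dhcp
ip nat outside
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
access-list 103 permit ip 192.0.0.0 0.255.255.255 any
"""

def wildcard_net(addr, wildcard):
    """Network matched by an ACL address/wildcard pair (ValueError if non-contiguous)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_nat(config):
    """Return findings for a PAT (overload) setup; hypothetical helper, not a Cisco tool."""
    iface, sides, addrs, acls, rules = None, {}, {}, {}, []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            iface = m.group(1)
        elif line == "!":
            iface = None  # "!" closes the interface block
        elif iface and (m := re.fullmatch(r"ip nat (inside|outside)", line)):
            sides[m.group(1)] = iface
        elif iface and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            addrs[iface] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"ip nat inside source list (\d+) interface (\S+) overload", line):
            rules.append((m.group(1), m.group(2)))
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) any", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    findings = [f"no interface is marked 'ip nat {s}'" for s in ("inside", "outside") if s not in sides]
    if not rules:
        findings.append("no 'ip nat inside source list ... overload' rule: nothing is translated")
    for acl, out_if in rules:
        if out_if != sides.get("outside"):
            findings.append(f"rule translates to {out_if}, which is not the outside interface")
        if acl not in acls:
            findings.append(f"rule references access-list {acl}, which is not defined")
    inside_net = addrs.get(sides.get("inside"))
    for acl, entries in acls.items():
        if acl not in {r[0] for r in rules}:
            findings.append(f"access-list {acl} is defined but no NAT rule uses it")
        for addr, wc in entries:
            try:
                net = wildcard_net(addr, wc)
                if inside_net and net != inside_net:
                    findings.append(f"access-list {acl} matches {net}, inside LAN is {inside_net}")
            except ValueError:
                findings.append(f"access-list {acl}: wildcard {wc} is not a contiguous mask")
    return findings

print("\n".join(audit_nat(SAMPLE_CONFIG)))
```

On the sample it reports three findings; the same config with a /24 wildcard (0.0.0.255) and an overload rule that references list 103 on FastEthernet0/0 reports none.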