Re: moved a working network, now it doesn't work



On Jan 2, 5:07 am, bod43 <Bo...@xxxxxxxxxxxxx> wrote:
On 2 Jan, 02:10, "kevindt...@xxxxxxxxx" <kevindt...@xxxxxxxxx> wrote:



I can ping 64.0.0.228 (fa0/0) from inside, but nothing else. From the
router I can ping the internet with no problem.

On Jan 1, 6:35 pm, "Thrill5" <nos...@xxxxxxxxxxxxx> wrote:

First you need to determine if you have a LAN, WAN or NAT problem.
From one of your Linux machines can you ping the FA 0/1 interface (default
gateway) AND ping the FA 0/0 interface. If not you have a problem with the
connectivity between your LAN and the router, and could have a config problem
on the switch, or the FA0/1 interface on the router.

From the router, can you ping any internet addresses? If no, then you have
a problem with your Internet connectivity. When pinging from the router, you
are NOT natting so if you CAN ping from the router, you have a NAT problem.
Without seeing the rest of the config, I can't offer any advice as to why
the NAT wouldn't be working.

<kevindt...@xxxxxxxxx> wrote in message

news:6bb7cb19-6284-41a0-99eb-c29918b88f42@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Our office moved from one facility to another (different cities).

We took a working lan from one site, and reconstituted it at the new
site. Now it only sort of works. (BTW, all linux machines)

I have a 2611 router w/VPN module, 12.2(8r) IOS:

1) fast0/0 connects to the internet (straight up, no firewall)
2) fast0/1 connects to our internal network

interface FastEthernet0/0
ip address 64.0.0.228 255.255.255.248
ip nat outside
no ip route-cache
no ip mroute-cache
speed auto
duplex auto
crypto map nolan
!
interface FastEthernet0/1
ip address 192.168.25.1 255.255.255.0
ip nat inside
speed auto
duplex auto
!
ip route 0.0.0.0 0.0.0.0 64.0.0.225

from the router console, I can ping anything I would like (yahoo
google 4.2.2.1)
from the internal network (192.168.25.47) I can ping 192.168.25.XXX
without trouble

Output of netstat is :

Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.25.0    0.0.0.0         255.255.255.0   U       0 0         0 eth0
0.0.0.0         192.168.25.1    0.0.0.0         UG      0 0         0 eth0

I cannot ping anything outside (for example 4.2.2.1) . And, anytime I
try to traceroute locally (besides the router), I get very weird
results:

traceroute to 192.168.25.180 (192.168.25.180), 30 hops max, 40 byte
packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 192.168.25.180 1.544 ms 1.581 ms 1.564 ms

traceroute 4.2.2.1 to the internet returns nothing

traceroute to 4.2.2.1 (4.2.2.1), 30 hops max, 40 byte packets
1 ausrouter (192.168.25.1) 2.965 ms 4.437 ms 4.936 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
....
30 * * *

I've run wireshark on this network and it doesn't appear to ever hit
the router (192.168.25.1)
I've done the same test on a functionally identical network (machine
192.168.35.120, router 192.168.35.1) and find that I get a TTL
exceeded from 192.168.35.1 after the 4th attempt

The strangest part? This worked for a couple of days two weeks ago but
someone power cycled before a write mem and so it can't be retrieved.
My only recollection from those edits was that I changed the speed and
duplex of the 0/0 and 0/1 (but I can't be sure)

As Thrill5 says -
It looks as if NAT is not working for some reason.

Idea!
Have you changed your Internet Address for the move?
Maybe you have
ip nat inside source list xx old.internet.address overload
change it to
ip nat inside source list xx interface fa 0/0 overload

Remember and save the new config
copy runn start

or "wr" if you are typing averse:)

Failing that please post the whole config.
Obviously you should not post passwords/usernames
and most people hide their real internet addresses.

also:-
try a ping from the inside to the internet
and immediately (you have plenty time to do the
command but don't delay).

sh ip nat tr

post that too.

debug ip nat

is pretty cool.

You need to arrange to see the messages and
remember to turn it off.

logging buffered debug
log buff 100000
sh log

and/or
logg console debug

telnet to router
term monitor

term no mon

no logg console
Is good practise for production since
a lot of messages can absorb significant CPU.
One interrupt per character that is attempted to be
output.


Old cisco config (ip addresses have been obfuscated)

==========================================================

interface Ethernet0/0
ip address 4.0.1.2 255.255.255.240
ip nat outside
no ip route-cache
no ip mroute-cache
half-duplex
crypto map nolan
!
interface Ethernet0/1
ip address 192.168.25.1 255.255.255.0
ip nat inside
half-duplex
!

ip nat pool swb 4.0.1.3 4.0.1.3 netmask 255.255.255.240
ip nat inside source route-map nonat pool swb overload

==========================================================
New cisco config
==========================================================

interface Ethernet0/0
ip address 64.0.0.228 255.255.255.240
ip nat outside
no ip route-cache
no ip mroute-cache
half-duplex
crypto map nolan
!
interface Ethernet0/1
ip address 192.168.25.1 255.255.255.0
ip nat inside
half-duplex
!

ip nat pool swb 4.0.1.3 4.0.1.3 netmask 255.255.255.240
ip nat inside source route-map nonat pool swb overload

==========================================================

the swb (I'm pretty sure) stands for southwestern bell (or old
provider) and you can notice that I don't change the pool and inside
source lines
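
Added example, not part of the original post: a check over the "New cisco config" shown above that flags any NAT pool whose addresses fall outside the subnet of every "ip nat outside" interface. It assumes the pool is meant to sit in the outside interface's subnet (no separately routed block from the provider); the function names and the embedded config text, trimmed from the post, are illustrative.

```python
import ipaddress
import re

# Constructed from the "New cisco config" in the post (addresses as obfuscated there).
NEW_CONFIG = """\
interface Ethernet0/0
 ip address 64.0.0.228 255.255.255.240
 ip nat outside
!
interface Ethernet0/1
 ip address 192.168.25.1 255.255.255.0
 ip nat inside
!
ip nat pool swb 4.0.1.3 4.0.1.3 netmask 255.255.255.240
ip nat inside source route-map nonat pool swb overload
"""


def outside_networks(config):
    """Return {interface: network} for every interface marked 'ip nat outside'."""
    nets = {}
    # Sections of an IOS config are separated by lines holding only '!'.
    for block in re.split(r"(?m)^!\s*$", config):
        name = re.search(r"(?m)^interface (\S+)", block)
        addr = re.search(r"(?m)^\s*ip address (\S+) (\S+)", block)
        if name and addr and re.search(r"(?m)^\s*ip nat outside\s*$", block):
            iface = ipaddress.ip_interface("/".join(addr.groups()))
            nets[name.group(1)] = iface.network
    return nets


def stale_pools(config):
    """Return [(pool, first, last)] for NAT pools not inside any outside subnet."""
    nets = outside_networks(config).values()
    pattern = r"(?m)^ip nat pool (\S+) (\S+) (\S+) (?:netmask|prefix-length)"
    stale = []
    for name, first, last in re.findall(pattern, config):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # Assumption: replies to a translated address only come back if that
        # address belongs to a subnet the outside interface is attached to.
        if not any(lo in net and hi in net for net in nets):
            stale.append((name, first, last))
    return stale


if __name__ == "__main__":
    for name, first, last in stale_pools(NEW_CONFIG):
        print(f"pool {name} ({first}-{last}) is outside {outside_networks(NEW_CONFIG)}")
```

Run against the old config (outside address 4.0.1.2), the same pool passes; run against the new one, pool swb is reported.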

