NAT On a Stick 2516 config difficulties

Discussion in 'Cisco' started by iram, Dec 13, 2004.

  1. iram

    iram Guest

    Hello,

    I'm hoping someone can help me with a configuration problem that I'm
    having on a Cisco 2516 Router. This router has 1 ethernet port, 14 hub
    ports, a couple of serial interfaces, and BRI interface. The problem
    that I'm having is with setting up so called 'NAT on a Stick'. I read
    about this at:

    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml


    I recognize that the 2516 router is probably not the best choice for my
    setup but I'm trying to learn Cisco routers and this is all I have so
    I have to make do. My setup is a bit different from the one
    described in the guide. I have the Cisco router connected directly
    to a DSL modem. I have static IPs 216.231.59.199 and 216.231.59.200
    and I can get a couple more if I need to. My default gateway is
    216.231.59.1.

    According to the guide, I need to set up a loopback interface and use
    policy routing to set up my NAT. I thought I had configured this
    correctly but my NAT is not working. (configuration at end below)
    Here is what I'm up against: If I am on the Cisco router, I can ping
    addresses in the 192.168.1.0 and 192.168.2.0 subnets. I can also ping
    the 216.231.59.200 address which I assigned to the Ethernet 0
    interface and 216.231.59.1 which is my gateway. However, when I try
    pinging from a host computer with address 192.168.1.99, I can't reach
    the gateway. All other pings work fine. What am I missing or what am
    I doing wrong?

    I enabled NAT debugging with:
    debug ip nat detailed

    I get the following results when pinging from my host:
    PING 192.168.1.1
    00:56:55: NAT: o: icmp (192.168.1.1, 512) -> (192.168.1.99, 512) [3540]
    00:56:56: NAT: o: icmp (192.168.1.1, 512) -> (192.168.1.99, 512) [3541]
    00:56:57: NAT: o: icmp (192.168.1.1, 512) -> (192.168.1.99, 512) [3542]
    00:57:06: NAT: i: icmp (192.168.1.99, 512) -> (192.168.2.1, 512) [3543]

    PING 192.168.2.1
    00:57:06: NAT: address not stolen for 192.168.1.99, proto 1 port 512
    00:57:06: NAT: installing alias for address 216.231.59.199
    00:57:06: NAT: ipnat_allocate_port: wanted 512 got 512
    00:57:06: NAT: o: icmp (192.168.2.1, 512) -> (216.231.59.199, 512) [3543]
    00:57:07: NAT: i: icmp (192.168.1.99, 512) -> (192.168.2.1, 512) [3544]
    00:57:07: NAT: o: icmp (192.168.2.1, 512) -> (216.231.59.199, 512) [3544]
    00:57:08: NAT: i: icmp (192.168.1.99, 512) -> (192.168.2.1, 512) [3545]
    00:57:08: NAT: o: icmp (192.168.2.1, 512) -> (216.231.59.199, 512) [3545]
    00:57:09: NAT: i: icmp (192.168.1.99, 512) -> (192.168.2.1, 512) [3546]
    00:57:09: NAT: o: icmp (192.168.2.1, 512) -> (216.231.59.199, 512) [3546]

    PING 216.231.59.1
    Nothing

    PING 216.231.59.200
    00:58:28: NAT: o: tcp (216.231.59.200, 135) -> (70.56.186.106, 4245) [284]
    00:58:28: NAT: o: tcp (216.231.59.200, 135) -> (70.56.186.106, 4245) [285]
    00:58:29: NAT: o: tcp (216.231.59.200, 135) -> (70.56.186.106, 4245) [286]
    00:59:03: NAT: o: icmp (216.231.59.200, 512) -> (192.168.1.99, 512) [3568]
    00:59:04: NAT: o: icmp (216.231.59.200, 512) -> (192.168.1.99, 512) [3569]
    00:59:05: NAT: o: icmp (216.231.59.200, 512) -> (192.168.1.99, 512) [3570]
    00:59:06: NAT: o: icmp (216.231.59.200, 512) -> (192.168.1.99, 512) [3571]

    !
    version 12.0
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Router
    !
    !
    ip subnet-zero
    ip name-server 66.93.87.2
    ip name-server 216.231.41.2
    !
    !
    !
    hub ether 0 1
    link-test
    auto-polarity
    !
    hub ether 0 2
    link-test
    auto-polarity
    !
    hub ether 0 3
    link-test
    auto-polarity
    !
    hub ether 0 4
    link-test
    auto-polarity
    !
    hub ether 0 5
    link-test
    auto-polarity
    !
    hub ether 0 6
    link-test
    auto-polarity
    !
    hub ether 0 7
    link-test
    auto-polarity
    !
    hub ether 0 8
    link-test
    auto-polarity
    !
    hub ether 0 9
    link-test
    auto-polarity
    !
    hub ether 0 10
    link-test
    auto-polarity
    !
    hub ether 0 11
    link-test
    auto-polarity
    !
    hub ether 0 12
    link-test
    auto-polarity
    !
    hub ether 0 13
    link-test
    auto-polarity
    !
    hub ether 0 14
    link-test
    auto-polarity
    !
    interface Loopback0
    ip address 192.168.2.1 255.255.255.252
    no ip directed-broadcast
    ip nat outside
    !
    interface Ethernet0
    ip address 192.168.1.1 255.255.255.0 secondary
    ip address 216.231.59.200 255.255.255.0
    no ip directed-broadcast
    ip nat inside
    !
    interface Serial0
    no ip address
    no ip directed-broadcast
    no ip mroute-cache
    shutdown
    !
    interface Serial1
    no ip address
    no ip directed-broadcast
    shutdown
    !
    interface BRI0
    no ip address
    no ip directed-broadcast
    shutdown
    !
    ip nat pool external 216.231.59.199 216.231.59.199 netmask 255.255.255.0
    ip nat inside source list 10 pool external overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 216.231.59.1
    ip route 216.231.59.0 255.255.255.0 Ethernet0
    !
    access-list 10 permit 192.168.1.0 0.0.0.255
    access-list 102 permit ip any 216.231.59.0 0.0.0.255
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    route-map nat-loop permit 10
    match ip address 102
    set ip next-hop 192.168.2.1
    !
    !
    line con 0
    transport input none
    line aux 0
    line vty 0 4
    !
    end
     
    iram, Dec 13, 2004
    #1

  2. PES

    PES Guest

    iram wrote:
    > Hello,
    >
    > I'm hoping someone can help me with a configuration problem that I'm
    > having on a Cisco 2516 Router. This router has 1 ethernet port, 14 hub
    > ports, a couple of serial interfaces, and BRI interface. The problem
    > that I'm having is with setting up so called 'NAT on a Stick'. I read
    > about this at:
    >
    > http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
    >
    >
    > I recognize that the 2516 router is probably not the best choice for my
    > setup but I'm trying to learn Cisco routers and this is all I have so
    > I have to make do. My setup is a bit different from the one
    > described in the guide. I have the Cisco router connected directly
    > to a DSL modem. I have static IPs 216.231.59.199 and 216.231.59.200
    > and I can get a couple more if I need to. My default gateway is
    > 216.231.59.1.
    >
    > According to the guide, I need to set up a loopback interface and use
    > policy routing to set up my NAT. I thought I had configured this
    > correctly but my NAT is not working. (configuration at end below)
    > Here is what I'm up against: If I am on the Cisco router, I can ping
    > addresses in the 192.168.1.0 and 192.168.2.0 subnets. I can also ping
    > the 216.231.59.200 address which I assigned to the Ethernet 0
    > interface and 216.231.59.1 which is my gateway. However, when I try
    > pinging from a host computer with address 192.168.1.99, I can't reach
    > the gateway. All other pings work fine. What am I missing or what am
    > I doing wrong?
    >
    > I enabled NAT debugging with:
    > debug ip nat detailed
    >
    > I get the following results when pinging from my host:
    > PING 192.168.1.1
    > 00:56:55: NAT: o: icmp (192.168.1.1, 512) -> (192.168.1.99, 512) [3540]
    > 00:56:56: NAT: o: icmp (192.168.1.1, 512) -> (192.168.1.99, 512) [3541]
    > 00:56:57: NAT: o: icmp (192.168.1.1, 512) -> (192.168.1.99, 512) [3542]
    > 00:57:06: NAT: i: icmp (192.168.1.99, 512) -> (192.168.2.1, 512) [3543]
    >
    > PING 192.168.2.1
    > 00:57:06: NAT: address not stolen for 192.168.1.99, proto 1 port 512
    > 00:57:06: NAT: installing alias for address 216.231.59.199
    > 00:57:06: NAT: ipnat_allocate_port: wanted 512 got 512
    > 00:57:06: NAT: o: icmp (192.168.2.1, 512) -> (216.231.59.199, 512) [3543]
    > 00:57:07: NAT: i: icmp (192.168.1.99, 512) -> (192.168.2.1, 512) [3544]
    > 00:57:07: NAT: o: icmp (192.168.2.1, 512) -> (216.231.59.199, 512) [3544]
    > 00:57:08: NAT: i: icmp (192.168.1.99, 512) -> (192.168.2.1, 512) [3545]
    > 00:57:08: NAT: o: icmp (192.168.2.1, 512) -> (216.231.59.199, 512) [3545]
    > 00:57:09: NAT: i: icmp (192.168.1.99, 512) -> (192.168.2.1, 512) [3546]
    > 00:57:09: NAT: o: icmp (192.168.2.1, 512) -> (216.231.59.199, 512) [3546]
    >
    > PING 216.231.59.1
    > Nothing
    >
    > PING 216.231.59.200
    > 00:58:28: NAT: o: tcp (216.231.59.200, 135) -> (70.56.186.106, 4245) [284]
    > 00:58:28: NAT: o: tcp (216.231.59.200, 135) -> (70.56.186.106, 4245) [285]
    > 00:58:29: NAT: o: tcp (216.231.59.200, 135) -> (70.56.186.106, 4245) [286]
    > 00:59:03: NAT: o: icmp (216.231.59.200, 512) -> (192.168.1.99, 512) [3568]
    > 00:59:04: NAT: o: icmp (216.231.59.200, 512) -> (192.168.1.99, 512) [3569]
    > 00:59:05: NAT: o: icmp (216.231.59.200, 512) -> (192.168.1.99, 512) [3570]
    > 00:59:06: NAT: o: icmp (216.231.59.200, 512) -> (192.168.1.99, 512) [3571]
    >


    To really test this, you should ping something outside, not something in
    the pool or the interfaces themselves.

    > !
    > version 12.0
    > service timestamps debug uptime
    > service timestamps log uptime
    > no service password-encryption
    > !
    > hostname Router
    > !
    > !
    > ip subnet-zero
    > ip name-server 66.93.87.2
    > ip name-server 216.231.41.2
    > !
    > !
    > !
    > hub ether 0 1
    > link-test
    > auto-polarity
    > !
    > hub ether 0 2
    > link-test
    > auto-polarity
    > !
    > hub ether 0 3
    > link-test
    > auto-polarity
    > !
    > hub ether 0 4
    > link-test
    > auto-polarity
    > !
    > hub ether 0 5
    > link-test
    > auto-polarity
    > !
    > hub ether 0 6
    > link-test
    > auto-polarity
    > !
    > hub ether 0 7
    > link-test
    > auto-polarity
    > !
    > hub ether 0 8
    > link-test
    > auto-polarity
    > !
    > hub ether 0 9
    > link-test
    > auto-polarity
    > !
    > hub ether 0 10
    > link-test
    > auto-polarity
    > !
    > hub ether 0 11
    > link-test
    > auto-polarity
    > !
    > hub ether 0 12
    > link-test
    > auto-polarity
    > !
    > hub ether 0 13
    > link-test
    > auto-polarity
    > !
    > hub ether 0 14
    > link-test
    > auto-polarity
    > !
    > interface Loopback0
    > ip address 192.168.2.1 255.255.255.252
    > no ip directed-broadcast
    > ip nat outside
    > !
    > interface Ethernet0
    > ip address 192.168.1.1 255.255.255.0 secondary
    > ip address 216.231.59.200 255.255.255.0
    > no ip directed-broadcast
    > ip nat inside


    ip policy route-map nat-loop

    Also, in their example, they list the public ip as the secondary,
    however it should work the way you have it.

    > !
    > interface Serial0
    > no ip address
    > no ip directed-broadcast
    > no ip mroute-cache
    > shutdown
    > !
    > interface Serial1
    > no ip address
    > no ip directed-broadcast
    > shutdown
    > !
    > interface BRI0
    > no ip address
    > no ip directed-broadcast
    > shutdown
    > !
    > ip nat pool external 216.231.59.199 216.231.59.199 netmask 255.255.255.0
    > ip nat inside source list 10 pool external overload
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 216.231.59.1
    > ip route 216.231.59.0 255.255.255.0 Ethernet0


    You don't need the route to 216.231.59.0 it is directly connected.

    > !
    > access-list 10 permit 192.168.1.0 0.0.0.255
    > access-list 102 permit ip any 216.231.59.0 0.0.0.255
    > access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    > route-map nat-loop permit 10
    > match ip address 102
    > set ip next-hop 192.168.2.1


    The next hop should be set to a valid ip out the loopback, not the ip
    itself. Set the next hop to 192.168.2.1. You may want to negate this
    command first. Otherwise, it may set a redundant next hop.

    > !
    > !
    > line con 0
    > transport input none
    > line aux 0
    > line vty 0 4
    > !
    > end
    >



    --
    -------------------------
    Paul Stewart
    Lexnet Inc.
    Email address is in ROT13
     
    PES, Dec 13, 2004
    #2
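The rule PES's fix relies on, as an added illustration that is not part of the thread and not Cisco code: IOS only translates an inside source when a packet leaves through an 'ip nat outside' interface, and only maps a global destination back when a packet arrives on one. With a single physical interface a packet never crosses from inside to outside, so the loopback is marked outside and policy routing pushes traffic into it. The model below replays the thread's cases with the thread's addresses; the names Pkt, Router, hop, send and scenarios, the LOCAL address set, the one-line routing table and the loopback re-entry loop are this example's own assumptions, not IOS internals.

```python
"""Toy model of the NAT direction rule that 'NAT on a stick' works around.

Added illustration for this thread; not Cisco code and not the poster's config.
Rule modelled: an inside source is translated only when the packet leaves via an
'ip nat outside' interface (after routing); a global destination is mapped back
only when the packet arrives on an 'ip nat outside' interface (before routing).
Addresses, ACLs and pool are the thread's; everything else here is assumed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("192.168.1.0/24")     # access-list 10: who gets translated
PUBLIC_NET = ip_network("216.231.59.0/24")    # access-list 102, first line
LOOP_NET = ip_network("192.168.2.0/24")       # Loopback0 (the third post uses a /24)
POOL_IP = "216.231.59.199"                    # ip nat pool external ... overload
LOCAL = {"192.168.1.1", "216.231.59.200", "192.168.2.1"}   # the router's own addresses


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int      # for ICMP the identifier (IOS prints 512 for a Windows ping)
    dst: str
    dport: int


def acl102(p: Pkt) -> bool:
    """route-map nat-loop match: any -> 216.231.59.0/24, or 192.168.1.0/24 -> any."""
    return ip_address(p.dst) in PUBLIC_NET or ip_address(p.src) in INSIDE_NET


@dataclass
class Router:
    role: dict                                   # iface -> "inside" | "outside"
    policy: dict = field(default_factory=dict)   # iface -> next-hop iface (ip policy route-map)
    xlate: dict = field(default_factory=dict)    # (proto, local ip, local port) -> global port
    rev: dict = field(default_factory=dict)      # (proto, global port) -> (local ip, local port)

    def _route(self, dst: str) -> str:
        """Routing table: only the loopback net is off Ethernet0 (default route included)."""
        return "Loopback0" if ip_address(dst) in LOOP_NET else "Ethernet0"

    def _alloc(self, proto: str, wanted: int) -> int:
        port = wanted                            # PAT overload: keep the host's port when free
        while (proto, port) in self.rev:
            port += 1
        return port

    def hop(self, p: Pkt, ingress: str):
        """One pass through the box: returns (egress iface, packet as sent, events)."""
        ev = []
        if self.role[ingress] == "outside" and p.dst == POOL_IP:   # outside->inside: dst, before routing
            local = self.rev.get((p.proto, p.dport))
            if local:
                p = Pkt(p.proto, p.src, p.sport, local[0], local[1])
                ev.append(f"NAT d={POOL_IP}->{local[0]}")
        if ingress in self.policy and acl102(p):                    # PBR beats the routing table
            egress = self.policy[ingress]
            ev.append(f"policy routed {ingress} -> {egress}")
        else:
            egress = self._route(p.dst)
        if (self.role[ingress], self.role[egress]) == ("inside", "outside") \
                and ip_address(p.src) in INSIDE_NET:               # inside->outside: src, after routing
            key = (p.proto, p.src, p.sport)
            if key not in self.xlate:
                self.xlate[key] = self._alloc(p.proto, p.sport)
                self.rev[(p.proto, self.xlate[key])] = (p.src, p.sport)
            p = Pkt(p.proto, POOL_IP, self.xlate[key], p.dst, p.dport)
            ev.append(f"NAT s={key[1]}->{POOL_IP}")
        return egress, p, ev

    def send(self, p: Pkt, ingress: str):
        """Follow a packet until it is delivered locally or leaves Ethernet0.
        Whatever goes into Loopback0 comes straight back in on Loopback0; that
        second pass is the only way a packet ever arrives on an outside interface."""
        ev = []
        for _ in range(4):                      # guard against a routing loop
            egress, p, e = self.hop(p, ingress)
            ev += e
            if p.dst in LOCAL:
                return "local", p, ev + ["rcvd"]
            if egress != "Loopback0":
                return egress, p, ev
            ev.append(f"{ingress} to Loopback0")
            ingress = "Loopback0"
        raise RuntimeError("packet is looping")


def scenarios():
    """Replay the thread's cases; returns {name: (egress, packet as sent, events)}."""
    box = Router(role={"Ethernet0": "inside", "Loopback0": "outside"})
    ping_gw = Pkt("icmp", "192.168.1.99", 512, "216.231.59.1", 512)
    ping_lo = Pkt("icmp", "192.168.1.99", 512, "192.168.2.1", 512)
    reply = Pkt("icmp", "216.231.59.1", 512, POOL_IP, 512)
    out = {}                                              # first post: no PBR on Ethernet0
    out["no_pbr_gw"] = box.send(ping_gw, "Ethernet0")     # inside -> inside: leaves untranslated
    out["no_pbr_lo"] = box.send(ping_lo, "Ethernet0")     # routed into the outside loopback: translated
    out["no_pbr_reply"] = box.send(reply, "Ethernet0")    # never arrives via outside: not mapped back
    box.policy["Ethernet0"] = "Loopback0"                 # third post: ip policy route-map nat-loop
    out["pbr_gw"] = box.send(ping_gw, "Ethernet0")        # translated, then out Ethernet0 as 216.231.59.199
    out["pbr_reply"] = box.send(reply, "Ethernet0")       # PBR -> loopback -> back to 192.168.1.99
    return out
```

In scenarios(), "no_pbr_gw" is the first post's silent gateway ping ("Nothing" in the NAT debug), "no_pbr_lo" is the loopback ping that did get translated (the "installing alias for address 216.231.59.199" output), and "pbr_gw" reproduces the forward path in the third post's debug. "pbr_reply" is the step that debug does not contain: the reply to 216.231.59.199 is only mapped back to 192.168.1.99 if it re-enters the router on the outside loopback, whereas the last line of the third post shows it received on Ethernet0 with no translation after it.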

  3. iram

    iram Guest

    Thanks for the help, I'm still having trouble but I have fixed some
    boneheaded things. See below for comments and additional info at
    bottom.

    PES wrote:
    > iram wrote:
    > > Hello,
    > >
    > > I'm hoping someone can help me with a configuration problem that I'm
    <SNIP>
    > To really test this, you should ping something outside, not something in
    > the pool or the interfaces themselves.


    Yeah, I've been pinging from a host and from the router itself.

    <SNIP>
    > > interface Ethernet0
    > > ip address 192.168.1.1 255.255.255.0 secondary
    > > ip address 216.231.59.200 255.255.255.0
    > > no ip directed-broadcast
    > > ip nat inside

    >
    > ip policy route-map nat-loop


    Whoops, missed that one. Pretty important.

    > Also, in their example, they list the public ip as the secondary,
    > however it should work the way you have it.


    Well, the strange part is that if I reverse them, then pings stop
    working.

    <SNIP>
    > > ip route 0.0.0.0 0.0.0.0 216.231.59.1
    > > ip route 216.231.59.0 255.255.255.0 Ethernet0

    >
    > You don't need the route to 216.231.59.0 it is directly connected.


    I removed the route and things work fine. I left it out.


    > > !
    > > access-list 10 permit 192.168.1.0 0.0.0.255
    > > access-list 102 permit ip any 216.231.59.0 0.0.0.255
    > > access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    > > route-map nat-loop permit 10
    > > match ip address 102
    > > set ip next-hop 192.168.2.1

    >
    > The next hop should be set to a valid ip out the loopback, not the ip
    > itself. Set the next hop to 192.168.2.1. You may want to negate this
    > command first. Otherwise, it may set a redundant next hop.


    In reading the comment above, I think you meant 'set the next hop to
    192.168.2.2' or something like that. I went ahead and did that but
    nothing worked. Then I tried 'set interface loopback 0' which is
    supposed to be equivalent, but that still doesn't work. For kicks, I
    changed my loopback netmask 255.255.255.252 to 255.255.255.0. Same
    thing. Not working.

    <SNIP>

    > --
    > -------------------------
    > Paul Stewart
    > Lexnet Inc.
    > Email address is in ROT13


    OK, so the configuration commands I'm using now are at the
    bottom of this message. I have also turned on debugging with:

    debug ip nat
    debug ip policy
    debug ip packet 177 detail

    When I ping from my host (192.168.1.99) to 192.168.1.1, 192.168.2.1,
    216.231.59.200, things work as expected. However, when I ping
    216.231.59.1 (the default gateway at my ISP) it doesn't work and it
    generates the following debug messages:

    00:31:36: IP: s=192.168.1.99 (Ethernet0), d=216.231.59.1, len 60, policy match
    00:31:36: IP: route map nat-loop, item 10, permit
    00:31:36: IP: s=192.168.1.99 (Ethernet0), d=216.231.59.1 (Loopback0), len 60, policy routed
    00:31:36: IP: Ethernet0 to Loopback0 216.231.59.1
    00:31:36: NAT: s=192.168.1.99->216.231.59.199, d=216.231.59.1 [27543]
    00:31:36: IP: s=216.231.59.199 (Ethernet0), d=216.231.59.1 (Loopback0), g=216.231.59.1, len 60, forward
    00:31:36: IP: s=216.231.59.199 (Loopback0), d=216.231.59.1 (Ethernet0), g=216.231.59.1, len 60, forward
    00:31:36: IP: s=216.231.59.1 (Ethernet0), d=216.231.59.199 (Ethernet0), len 60, rcvd 3

    I'm not sure what's going on. It seems NAT is working, and the policy
    is being matched and routed. Oh, I'm so close...

    --Config Commands--

    ip name-server 66.93.87.2
    ip name-server 216.231.41.2

    interface Ethernet0
    ip address 216.231.59.200 255.255.255.0
    ip address 192.168.1.1 255.255.255.0 secondary
    ip nat inside
    ip policy route-map nat-loop
    no shutdown

    interface Loopback0
    ip address 192.168.2.1 255.255.255.0
    ip nat outside

    ip nat pool external 216.231.59.199 216.231.59.199 netmask 255.255.255.0
    ip nat inside source list 10 pool external overload

    ip classless

    ip route 0.0.0.0 0.0.0.0 216.231.59.1

    access-list 10 permit 192.168.1.0 0.0.0.255

    access-list 102 permit ip any 216.231.59.0 0.0.0.255
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    access-list 177 permit icmp any any

    route-map nat-loop permit 10
    match ip address 102
    set interface loopback 0
     
    iram, Dec 14, 2004
    #3
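To see where the round trip in that debug output breaks, here is an added parser (not part of the thread) over the same 'debug ip policy', 'debug ip packet ... detail' and 'debug ip nat' line formats. Its sample input is the eight lines quoted in the post above, unwrapped; the list of steps a healthy NAT-on-a-stick round trip must show, and the names parse, audit and check_sample, are this example's own assumptions. Run against the post's lines it confirms the outbound half (policy routed, translated, sent out Ethernet0 as 216.231.59.199) and reports that the reply to 216.231.59.199 was received on Ethernet0 without being policy-routed or mapped back to 192.168.1.99.

```python
"""Trace one ping through 'debug ip policy', 'debug ip packet detail' and
'debug ip nat' output as quoted in the third post (IOS 12.0 line formats).

Added example, not part of the thread. The set of steps a working
NAT-on-a-stick round trip must show is this example's own assumption.
"""
import re
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("192.168.1.0/24")   # access-list 10: hosts that get translated

IP_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<in>\w+)\), d=(?P<dst>[\d.]+)(?: \((?P<out>\w+)\))?"
    r"(?:, g=[\d.]+)?, len \d+, (?P<action>.+)$")
NAT_RE = re.compile(
    r"NAT: s=(?P<s1>[\d.]+)(?:->(?P<s2>[\d.]+))?, d=(?P<d1>[\d.]+)(?:->(?P<d2>[\d.]+))?")

# The eight debug lines from the post, unwrapped (copied from the thread, not invented).
SAMPLE = """\
00:31:36: IP: s=192.168.1.99 (Ethernet0), d=216.231.59.1, len 60, policy match
00:31:36: IP: route map nat-loop, item 10, permit
00:31:36: IP: s=192.168.1.99 (Ethernet0), d=216.231.59.1 (Loopback0), len 60, policy routed
00:31:36: IP: Ethernet0 to Loopback0 216.231.59.1
00:31:36: NAT: s=192.168.1.99->216.231.59.199, d=216.231.59.1 [27543]
00:31:36: IP: s=216.231.59.199 (Ethernet0), d=216.231.59.1 (Loopback0), g=216.231.59.1, len 60, forward
00:31:36: IP: s=216.231.59.199 (Loopback0), d=216.231.59.1 (Ethernet0), g=216.231.59.1, len 60, forward
00:31:36: IP: s=216.231.59.1 (Ethernet0), d=216.231.59.199 (Ethernet0), len 60, rcvd 3
""".splitlines()


def parse(lines):
    """Turn debug lines into event dicts; lines in neither format are skipped."""
    events = []
    for line in lines:
        for kind, rx in (("ip", IP_RE), ("nat", NAT_RE)):
            m = rx.search(line)
            if m:
                events.append(dict(m.groupdict(), kind=kind))
                break
    return events


def audit(lines):
    """Check one round trip; returns (flags dict, list of findings)."""
    ev = parse(lines)
    ip = [e for e in ev if e["kind"] == "ip"]
    nat = [e for e in ev if e["kind"] == "nat"]

    def inside(addr):
        return ip_address(addr) in INSIDE_NET

    out_nat = [e for e in nat if e["s2"] and inside(e["s1"])]      # local -> global
    glob = out_nat[0]["s2"] if out_nat else None
    reply = [e for e in ip if glob and e["dst"] == glob and not inside(e["src"])]
    back_nat = [e for e in nat if e["d2"] and inside(e["d2"])]     # global -> local
    flags = {
        "outbound_policy_routed": any(e["action"] == "policy routed" and inside(e["src"])
                                      and e["out"] == "Loopback0" for e in ip),
        "outbound_translated": bool(out_nat),
        "outbound_sent": any(e["action"] == "forward" and e["in"] == "Loopback0"
                             and e["out"] != "Loopback0" and e["src"] == glob for e in ip),
        "reply_seen": bool(reply),
        "reply_policy_routed": any(e["action"] == "policy routed" for e in reply),
        "reply_untranslated": bool(back_nat),
        "reply_delivered": any(e["action"] == "forward" and inside(e["dst"])
                               and not inside(e["src"]) for e in ip),
        "reply_action": reply[-1]["action"] if reply else None,
    }
    findings = []
    if not flags["outbound_policy_routed"]:
        findings.append("inside packet was not policy-routed to Loopback0; "
                        "check 'ip policy route-map' on the LAN interface")
    if not flags["outbound_translated"]:
        findings.append("no inside->global translation; check access-list 10 "
                        "and the ip nat inside/outside roles")
    if flags["reply_seen"] and not flags["reply_policy_routed"]:
        findings.append(f"reply to {glob} was not policy-routed to Loopback0 "
                        f"(router action: {flags['reply_action']})")
    if flags["reply_seen"] and not flags["reply_untranslated"]:
        findings.append(f"reply to {glob} was never translated back to an inside host")
    return flags, findings


def check_sample():
    """Run the audit over the lines quoted in the post."""
    return audit(SAMPLE)


if __name__ == "__main__":
    flags, notes = check_sample()
    for name, value in flags.items():
        print(f"{name:24} {value}")
    for note in notes:
        print("finding:", note)
```

Feed it the output of a fresh capture (one ping, the same three debugs) and compare the findings before and after each configuration change; the outbound flags tell you whether the 'ip policy route-map' and the NAT roles are in place, and the reply flags tell you whether the return packet ever made the second pass through the outside interface.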
