Cisco 2611, NAT, and Default Routes

Discussion in 'Cisco' started by seanovision, Jun 19, 2007.

  1. seanovision

    seanovision Guest

    I've been searching for several days for a solution to this but I'm sure
    I'm not the only one who could have come across this.....

    I'm testing a configuration with the objective of replacing my Linksys
    home router with a 2611 running IOS 12.2(8)T5, but I'm having trouble
    with default routing. Here's the setup:

    *Cable Modem* ISP issued IP>> <<ip dhcp *Linksys* 192.168.2.1>>
    <<ip dhcp[eth0] *Cisco* [eth1]192.168.1.1>> <<ip dhcp *clients on LAN*

    I hope that makes sense....

    My clients on LAN receive an IP through DHCP from Cisco OK. The eth0 of
    the Cisco can receive an IP through DHCP from the Linksys OK, and the
    Linksys can receive an IP through DHCP from the cable modem OK, so
    everyone has a valid IP.

    When the Cisco is set up with:

    ip route 0.0.0.0 0.0.0.0 192.168.2.1

    ...the clients can ping any IP on the Internet and 192.168.2.0 network
    OK.

    However, the problem with this is when I hook my Cisco eth0 directly to
    the cable modem, that static route to 192.168.2.1 isn't going to work
    and I can't set the IP statically because the ISP could change it at
    any time.

    So I tried replacing the route with this:

    ip route 0.0.0.0 0.0.0.0 int eth 0

    ... but with this configuration my LAN clients can only get as far as
    the 192.168.2.0 network. Anything on the Internet comes back as
    "request timed out" and ip nat debugging shows no successes:

    00:07:34: NAT: i: icmp (192.168.1.11, 512) -> (72.14.207.99, 512) [1349]
    00:07:34: NAT: s=192.168.1.11->192.168.2.114, d=72.14.207.99 [1349]
    00:07:39: NAT: i: icmp (192.168.1.11, 512) -> (72.14.207.99, 512) [1350]
    00:07:39: NAT: s=192.168.1.11->192.168.2.114, d=72.14.207.99 [1350]
    00:07:45: NAT: i: icmp (192.168.1.11, 512) -> (72.14.207.99, 512) [1351]
    00:07:45: NAT: s=192.168.1.11->192.168.2.114, d=72.14.207.99 [1351]
    00:07:50: NAT: i: icmp (192.168.1.11, 512) -> (72.14.207.99, 512) [1352]
    00:07:50: NAT: s=192.168.1.11->192.168.2.114, d=72.14.207.99 [1352]
    00:08:11: NAT: expiring 192.168.2.114 (192.168.1.11) icmp 512 (512)
    00:08:50: NAT: expiring 192.168.2.114 (192.168.1.11) icmp 512 (512)

    Surely there's a way to set up Cisco to receive an IP from my ISP's
    DHCP on one interface, figure out that the default gateway information
    in the DHCP package should be used as its default IP route, and use
    it... right?

    Here's the main parts of my config:

    !
    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    !
    ip dhcp pool dhcp_pool_internal
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    !

    !
    !
    !
    interface Ethernet0/0
    ip address dhcp
    ip nat outside <<<----
    half-duplex
    !
    !
    interface Ethernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside <<<---
    half-duplex
    !
    ip nat inside source list 1 interface Ethernet0/0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.2.1 <<<------the linksys "gateway"
    no ip http server
    ip pim bidir-enable
    !
    !
    access-list 1 permit 192.168.1.0 0.0.0.255 <<<---- for NAT to the LAN
    !
    line con 0
    line aux 0
    line vty 0 4
    password 7 070C285F4D06
    login
    !
    !
    end


    Thanx!
     
    seanovision, Jun 19, 2007
    #1

  2. Remove all static default routes.

    The IOS DHCP client should install a default route that it obtains
    from the DHCP server. IOS does it in a slightly smart manner. It'll
    install the default route with an admin distance of 254, which means a
    static config will override what the DHCP server hands out, but if you
    have no default route, the DHCP client should get the default route
    automatically.

    But, if you aren't expecting this, you don't know, and you'll get confused..
     
    Doug McIntyre, Jun 19, 2007
    #2

  3. seanovision

    dman1973 Guest

    Also, another tip - please don't use easily cracked passwords! Or at
    least don't post them to newsgroups. I was able to decrypt your
    password in less than 5 seconds. Please change it immediately!

    If you must paste your config, it's good to use the
    "show tech-support" command, as this "sanitizes" the output and
    removes easily crackable passwords.

    -Dan
    http://ccie-lounge.blogspot.com/
     
    dman1973, Jun 20, 2007
    #3
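
A pre-posting check for the situation raised in the last reply, as an added example that is not part of the original thread: it redacts credential values from an IOS config and flags type 7 entries, which are a reversible encoding rather than a hash. The function names and the sample config are constructed for illustration, and the patterns cover only the common `password`, `secret` and `snmp-server community` line shapes.

```python
import re

# Credential lines: "password 7 <x>", "enable secret 5 <x>", "username u password <x>".
CRED = re.compile(
    r"^(?P<head>\s*(?:enable |username \S+ (?:privilege \d+ )?)?(?:password|secret))"
    r"(?: (?P<type>\d+))? (?P<value>\S+)\s*$")
SNMP = re.compile(r"^(?P<head>\s*snmp-server community) (?P<value>\S+)(?P<tail>.*)$")

def classify(enc_type):
    """Describe how the secret is stored, based on the IOS encoding type digit."""
    if enc_type == "7":
        return "type 7 (reversible)"      # obfuscation, not a hash: treat as exposed
    if enc_type in (None, "0"):
        return "plaintext"
    return "hashed (type %s)" % enc_type

def sanitize(config):
    """Return (redacted_config, findings); findings are (line_number, kind)."""
    out, findings = [], []
    for n, line in enumerate(config.splitlines(), 1):
        m = CRED.match(line)
        if m:
            findings.append((n, classify(m.group("type"))))
            enc = " " + m.group("type") if m.group("type") else ""
            line = m.group("head") + enc + " <removed>"
        else:
            m = SNMP.match(line)
            if m:
                findings.append((n, "snmp community"))
                line = m.group("head") + " <removed>" + m.group("tail")
        out.append(line)
    return "\n".join(out), findings

# Constructed sample config; every secret value below is a placeholder.
SAMPLE = """enable secret 5 $1$CONSTRUCTED$hash
username admin password 7 0000CONSTRUCTED
snmp-server community CONSTRUCTEDSTRING RO
interface Ethernet0/0
 ip address dhcp
line vty 0 4
 password 7 1111CONSTRUCTED
 login
"""

if __name__ == "__main__":
    clean, found = sanitize(SAMPLE)
    print(clean)
    for n, kind in found:
        print("line %d: %s -> change it if the original was ever posted" % (n, kind))
```

Anything the findings list reports for a config that has already been published should be rotated on the device, since redacting the post afterwards does not undo the disclosure.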