moved a working network, now it doesn't work

Discussion in 'Cisco' started by kevindtimm, Jan 1, 2009.

    kevindtimm Guest

    Our office moved from one facility to another (different cities).

    We took a working lan from one site, and reconstituted it at the new
    site. Now it only sort of works. (BTW, all linux machines)

    I have a 2611 router w/VPN module, 12.2(8r) IOS:

    1) fast0/0 connects to the internet (straight up, no firewall)
    2) fast0/1 connects to our internal network


    interface FastEthernet0/0
    ip address 64.0.0.228 255.255.255.248
    ip nat outside
    no ip route-cache
    no ip mroute-cache
    speed auto
    duplex auto
    crypto map nolan
    !
    interface FastEthernet0/1
    ip address 192.168.25.1 255.255.255.0
    ip nat inside
    speed auto
    duplex auto
    !
    ip route 0.0.0.0 0.0.0.0 64.0.0.225


    from the router console, I can ping anything I would like (yahoo
    google 4.2.2.1)
    from the internal network (192.168.25.47) I can ping 192.168.25.XXX
    without trouble

    Output of netstat is :

    Destination Gateway Genmask Flags MSS Window irtt Iface
    192.168.25.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    0.0.0.0 192.168.25.1 0.0.0.0 UG 0 0 0 eth0

    I cannot ping anything outside (for example 4.2.2.1). And, anytime I
    try to traceroute locally (besides the router), I get very weird
    results:

    traceroute to 192.168.25.180 (192.168.25.180), 30 hops max, 40 byte
    packets
    1 * * *
    2 * * *
    3 * * *
    4 * * *
    5 * * *
    6 192.168.25.180 1.544 ms 1.581 ms 1.564 ms

    traceroute 4.2.2.1 to the internet returns nothing

    traceroute to 4.2.2.1 (4.2.2.1), 30 hops max, 40 byte packets
    1 ausrouter (192.168.25.1) 2.965 ms 4.437 ms 4.936 ms
    2 * * *
    3 * * *
    4 * * *
    5 * * *
    6 * * *
    7 * * *
    .....
    30 * * *

    I've run wireshark on this network and it doesn't appear to ever hit
    the router (192.168.25.1)
    I've done the same test on a functionally identical network (machine
    192.168.35.120, router 192.168.35.1) and find that I get a TTL
    exceeded from 192.168.35.1 after the 4th attempt

    The strangest part? This worked for a couple of days two weeks ago but
    someone power cycled before a write mem and so it can't be retrieved.
    My only recollection from those edits was that I changed the speed and
    duplex of the 0/0 and 0/1 (but I can't be sure)
     
    kevindtimm, Jan 1, 2009
    #1
    Trendkill Guest

    How is your switch configured? No changes to VLANs or anything at
    layer 2? Can you source a ping from the router to the internet (type
    ping, hit enter, when you get prompted for additional options say yes
    and use a source address of the router's f0/1 interface)? If you don't
    do that, it will always default to the closest interface, which would
    be f0/0 and therefore would not test NAT or routing. That will
    eliminate from the LAN segment out, and would isolate everything
    except for the LAN itself (i.e. routing and NAT would be working).
    Let me know how you fare.
     
    Trendkill, Jan 1, 2009
    #2
    Thrill5 Guest

    First you need to determine if you have a LAN, WAN or NAT problem.
    From one of your Linux machines can you ping the FA 0/1 interface (default
    gateway) AND ping the FA 0/0 interface? If not, you have a problem with the
    connectivity between your LAN and the router, and could have a config problem
    on the switch, or the FA0/1 interface on the router.

    From the router, can you ping any internet addresses? If no, then you have
    a problem with your Internet connectivity. When pinging from the router, you
    are NOT natting, so if you CAN ping from the router, you have a NAT problem.
    Without seeing the rest of the config, I can't offer any advice as to why
    the NAT wouldn't be working.
     
    Thrill5, Jan 2, 2009
    #3
    kevindtimm Guest

    unplugged at location A, plugged in at location B - router pings the i-net.

    Protocol [ip]:
    Target IP address: 4.2.2.1
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: fastethernet0/1
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.2.2.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.25.1
    ......
    Success rate is 0 percent (0/5)
     
    kevindtimm, Jan 2, 2009
    #4
    kevindtimm Guest

    I can ping 64.0.0.228 (fa0/0) from inside, but nothing else. From the
    router I can ping the internet with no problem.
     
    kevindtimm, Jan 2, 2009
    #5
    bod43 Guest

    As Thrill5 says -
    It looks as if NAT is not working for some reason.

    Idea!
    Have you changed your Internet Address for the move?
    Maybe you have
    ip nat inside source list xx old.internet.address overload
    change it to
    ip nat inside source list xx interface fa 0/0 overload

    Remember to save the new config
    copy runn start

    or "wr" if you are typing averse:)

    Failing that please post the whole config.
    Obviously you should not post passwords/usernames
    and most people hide their real internet addresses.

    also:-
    try a ping from the inside to the internet
    and immediately (you have plenty of time to do the
    command but don't delay).

    sh ip nat tr

    post that too.

    debug ip nat

    is pretty cool.

    You need to arrange to see the messages and
    remember to turn it off.

    logging buffered debug
    log buff 100000
    sh log

    and/or
    logg console debug

    telnet to router
    term monitor

    term no mon

    no logg console
    is good practice for production since
    a lot of messages can absorb significant CPU.
    One interrupt per character that is attempted to be
    output.
     
    bod43, Jan 2, 2009
    #6
    kevindtimm Guest


    Old cisco config (ip addresses have been obfuscated)

    ==========================================================

    interface Ethernet0/0
    ip address 4.0.1.2 255.255.255.240
    ip nat outside
    no ip route-cache
    no ip mroute-cache
    half-duplex
    crypto map nolan
    !
    interface Ethernet0/1
    ip address 192.168.25.1 255.255.255.0
    ip nat inside
    half-duplex
    !

    ip nat pool swb 4.0.1.3 4.0.1.3 netmask 255.255.255.240
    ip nat inside source route-map nonat pool swb overload

    ==========================================================
    New cisco config
    ==========================================================

    interface Ethernet0/0
    ip address 64.0.0.228 255.255.255.240
    ip nat outside
    no ip route-cache
    no ip mroute-cache
    half-duplex
    crypto map nolan
    !
    interface Ethernet0/1
    ip address 192.168.25.1 255.255.255.0
    ip nat inside
    half-duplex
    !

    ip nat pool swb 4.0.1.3 4.0.1.3 netmask 255.255.255.240
    ip nat inside source route-map nonat pool swb overload

    ==========================================================

    The swb (I'm pretty sure) stands for Southwestern Bell (our old
    provider), and you can notice that I didn't change the pool and inside
    source lines.
     
    kevindtimm, Jan 2, 2009
    #7
    kevindtimm Guest

    I checked it too (after I posted the above) and see that it's always
    trying to go through 4.0.1.3 when I try to ping the internet. That
    won't work (as I don't own that anymore). I need to do a little study
    on what that nat command does (the one with 4.0.1.3) and figure out
    how to replace it.

    I'm the newbie (NON) cisco guy here so I'm learning on the fly. I
    understand (pretty much) the VPN stuff, but the 'nat'ting is a little
    out of my comfort range. I bet it won't be by the end of today.

    Thanks to all, I'm very close now.
     
    kevindtimm, Jan 2, 2009
    #8
    kevindtimm Guest

    I tried to remove the swb nat pool and recv'd:

    %Dynamic Mapping in Use, Cannot remove

    So, I went to my trusty IOS Cookbook and found:

    clear ip nat translation *
    config terminal
    no ip nat pool old pool name

    ip nat pool new pool
    .......

    And now, it works like a CHARM!!!!!!!!

    Thanks to all
     
    kevindtimm, Jan 2, 2009
    #9
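As an added check (my own example, not code from the thread or any Cisco tool), covering both the old/new config comparison in post #7 and the fix in post #9: this Python script parses a Cisco-style config and flags any `ip nat inside source ... pool` rule whose pool addresses do not sit inside the subnet of an `ip nat outside` interface, which is exactly the stale-pool condition the move left behind. The `parse` and `check_nat` names are my own, and the sample config is constructed from the thread's obfuscated addresses.

```python
import ipaddress
import re

# Constructed sample in the shape of the thread's "new" config: the outside interface
# was re-addressed for the move but the NAT pool still holds the old provider's address.
SAMPLE_CONFIG = """
interface Ethernet0/0
 ip address 64.0.0.228 255.255.255.240
 ip nat outside
!
interface Ethernet0/1
 ip address 192.168.25.1 255.255.255.0
 ip nat inside
!
ip nat pool swb 4.0.1.3 4.0.1.3 netmask 255.255.255.240
ip nat inside source route-map nonat pool swb overload
"""

def parse(text):
    """Collect interface subnets and NAT roles, NAT pools, and pools used by inside-source rules."""
    ifaces, pools, rules, cur = {}, {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {})
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and cur is not None:
            cur["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif (m := re.match(r"ip nat (inside|outside)$", line)) and cur is not None:
            cur["nat"] = m.group(1)
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask", line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"ip nat inside source .* pool (\S+)", line):
            rules.append(m.group(1))  # the "interface X overload" form needs no pool and is skipped
        elif line == "!":
            cur = None
    return ifaces, pools, rules

def check_nat(text):
    """Return (pool, reason) findings for inside-source rules whose pool cannot work."""
    ifaces, pools, rules = parse(text)
    outside = [i["net"] for i in ifaces.values() if i.get("nat") == "outside" and "net" in i]
    findings = []
    for name in rules:
        if name not in pools:
            findings.append((name, "referenced pool is not defined"))
            continue
        lo, hi = pools[name]
        if not any(lo in n and hi in n for n in outside):
            findings.append((name, f"pool {lo}-{hi} is not inside any 'ip nat outside' subnet {outside}"))
    return findings
```

Running `check_nat(SAMPLE_CONFIG)` reports the `swb` pool; rewriting the pool with an address from the new 64.0.0.224/28 block (or switching the rule to the `interface` form bod43 suggested) makes it come back clean.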
    Thrill5 Guest

    You have a NAT problem. Post the entire config (with the passwords blanked)
    and someone will be able to find the issue.
     
    Thrill5, Jan 2, 2009
    #10
    kevindtimm Guest

    See post #9 -- it's fixed :)
     
    kevindtimm, Jan 2, 2009
    #11