1760 w/NAT: only first ping works

Status
Not open for further replies.

JavaPaws

Technical User
Jan 5, 2004
Anyone out there that can point out the configuration error here so I can learn what I'm doing wrong? Trying to set up a new 1760 router with a T1 interface for the WAN and an Ethernet interface for the LAN side using NAT. I am able to get the router working and am able to access the Internet fine until I configure NAT, in which case I have very odd results. When I try to ping from a system connected to the router, the first ping goes through but the rest fail; this always happens. Obviously I am also not able to browse the web or do pretty much anything else. Any help would be greatly appreciated. Here is the config; public IPs and passwords are modified, everything else is the original. Two other items of note: the T1 WAN interface (Virtual-Template1) negotiates a private IP address, and I'm trying to use one of the public IPs for the outbound traffic; and the IOS version is 12.3(2)XE.

Code:
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco1760
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
no logging console
enable secret 5 ************
!
username ***** privilege 15 password 7 ******
no aaa new-model
ip subnet-zero
no ip source-route
!
no ip domain lookup
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
no crypto isakmp enable
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 vlan-id dot1q 1
  exit-vlan-config
 !
 no cdp enable
!
interface FastEthernet0/2
 no ip address
 no cdp enable
!
interface FastEthernet0/3
 no ip address
 no cdp enable
!
interface FastEthernet0/4
 no ip address
 no cdp enable
!
interface Serial1/0
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay IETF
 ip route-cache flow
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial1/0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-Template1
 description $FW_OUTSIDE$
 bandwidth 1536
 ip address negotiated   <-- Negotiates a private 172.17.0.0 IP
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip route-cache flow
 ppp chap hostname ********
 ppp chap password 7 ********
 ppp ipcp address accept
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.0.3.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
!
ip nat pool MPSNAT 64.*.*.145 64.*.*.145 netmask 255.255.255.248  <-- Assigned public IP
ip nat inside source list 1 pool MPSNAT overload
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.0.1
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
!
!
access-list 1 permit 10.0.3.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 10.0.3.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 deny   ip any any log
access-list 102 permit ip 10.0.3.0 0.0.0.255 any
no cdp run
!
!
control-plane
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 1 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 102 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!

Thanks in advance.
 
What do you see if you turn on "debug ip nat" and do a ping?

Reminder that in NAT: The first packet in a conversation will always go through the slow path, which means this first packet is process-switched. The remaining packets will go through the fast-switched path if a cache entry exists.
 
I think your access-list 101 applied to interface virtual-template1 is denying any incoming traffic except ICMP.

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing."
 
Here's the debug log from debug ip nat. I had the same thing happen in that only the first ping makes it through. Also just to ensure it is not an access-list problem I removed all access lists when testing to ensure they are not causing the problems.

Code:
*Apr 20 04:45:05.440: NAT*: i: icmp (10.0.3.10, 512) -> (66.218.71.114, 512) [1293]
*Apr 20 04:45:05.440: NAT*: s=10.0.3.10->64.*.*.145, d=66.218.71.114 [1293]
*Apr 20 04:45:05.440: NAT: fo 1896, looking for fragment 109.110.111.112 113.114.115.116 25958 106
*Apr 20 04:45:05.532: NAT*: o: icmp (66.218.71.114, 512) -> (64.*.*.145, 512) [1293]
*Apr 20 04:45:05.532: NAT*: s=66.218.71.114, d=64.*.*.145->10.0.3.10 [1293]
*Apr 20 04:45:06.430: NAT*: i: icmp (10.0.3.10, 512) -> (66.218.71.114, 512) [1294]
*Apr 20 04:45:06.430: NAT*: s=10.0.3.10->64.*.*.145, d=66.218.71.114 [1294]
*Apr 20 04:45:07.620: NAT*: i: icmp (10.0.3.10, 512) -> (66.218.71.114, 512) [1295]
*Apr 20 04:45:07.620: NAT*: s=10.0.3.10->64.*.*.145, d=66.218.71.114 [1295]
*Apr 20 04:45:09.118: NAT*: i: icmp (10.0.3.10, 512) -> (66.218.71.114, 512) [1296]
*Apr 20 04:45:09.118: NAT*: s=10.0.3.10->64.*.*.145, d=66.218.71.114 [1296]

Any ideas? Thanks again.
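As an added example that is not part of the thread: a small Python parser for the `debug ip nat` output above. It pairs each inside-to-outside packet with the reply seen coming back through the translator (matched on protocol, outside peer and port, oldest first) and counts fast- versus process-switched decisions, so the point at which a flow stops is visible; the sample is the debug output posted above, with the public address masked as the poster left it.

```python
import re
from collections import deque, defaultdict

# Translation-decision lines from "debug ip nat", e.g.
#   *Apr 20 04:45:05.440: NAT*: i: icmp (10.0.3.10, 512) -> (66.218.71.114, 512) [1293]
# "NAT*" = fast-switched (cache entry existed), "NAT" = process-switched (first packet).
# The address class allows '*' because the poster masked the public address.
NAT_LINE = re.compile(
    r"NAT(?P<fast>\*?): (?P<dir>[io]): (?P<proto>\w+) "
    r"\((?P<src>[\d.*]+), (?P<sport>\d+)\) -> \((?P<dst>[\d.*]+), (?P<dport>\d+)\) "
    r"\[(?P<ipid>\d+)\]"
)

def parse_nat_debug(text):
    """One dict per translation-decision line; 's=' rewrite lines and noise are skipped."""
    records = []
    for line in text.splitlines():
        m = NAT_LINE.search(line)
        if m:
            rec = m.groupdict()
            rec["fast"] = rec["fast"] == "*"
            records.append(rec)
    return records

def unanswered_requests(records):
    """FIFO-match each outside->inside ('o') packet to the oldest pending inside->outside
    ('i') packet for the same protocol, outside peer and port; return the IP ids of
    requests whose reply never came back through the translator."""
    pending = defaultdict(deque)          # (proto, peer, port) -> IP ids awaiting a reply
    for r in records:
        if r["dir"] == "i":
            pending[(r["proto"], r["dst"], r["dport"])].append(r["ipid"])
        elif pending.get((r["proto"], r["src"], r["sport"])):
            pending[(r["proto"], r["src"], r["sport"])].popleft()
    return [ipid for q in pending.values() for ipid in q]

def switching_path_counts(records):
    """Fast-switched vs process-switched decisions (the slow-path reminder above)."""
    fast = sum(1 for r in records if r["fast"])
    return {"fast": fast, "process": len(records) - fast}

# Debug lines as posted in the thread (public address masked by the poster).
SAMPLE = """\
*Apr 20 04:45:05.440: NAT*: i: icmp (10.0.3.10, 512) -> (66.218.71.114, 512) [1293]
*Apr 20 04:45:05.440: NAT*: s=10.0.3.10->64.*.*.145, d=66.218.71.114 [1293]
*Apr 20 04:45:05.532: NAT*: o: icmp (66.218.71.114, 512) -> (64.*.*.145, 512) [1293]
*Apr 20 04:45:06.430: NAT*: i: icmp (10.0.3.10, 512) -> (66.218.71.114, 512) [1294]
*Apr 20 04:45:07.620: NAT*: i: icmp (10.0.3.10, 512) -> (66.218.71.114, 512) [1295]
*Apr 20 04:45:09.118: NAT*: i: icmp (10.0.3.10, 512) -> (66.218.71.114, 512) [1296]
"""
if __name__ == "__main__":
    recs = parse_nat_debug(SAMPLE)
    print("unanswered:", unanswered_requests(recs))   # ['1294', '1295', '1296']
    print("paths:", switching_path_counts(recs))       # {'fast': 5, 'process': 0}
```

Run against the posted debug, it reports that only the first echo request [1293] was answered; the three that followed were translated outbound but no reply ever re-entered the translator, which narrows the fault to the return path rather than the inside-to-outside translation.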
 
Just wanted to say thanks for the help, it's working now. I've posted the config below for reference. Now I just need to lock it down and put it on the live network! Thanks again for the help.

Code:
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name myfw sip timeout 3600
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 ip address 64.*.*.145 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 vlan-id dot1q 1
  exit-vlan-config
 !
 no cdp enable
!
interface Serial1/0
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay IETF
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial1/0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-Template1
 bandwidth 1536
 ip address negotiated
 ip access-group 111 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect myfw out
 ppp chap hostname ******
 ppp chap password 7 *****
 ppp ipcp address accept
!
interface Vlan1
 ip address 10.0.3.1 255.255.255.0
 ip nat inside
!
ip nat pool NATPOOL 64.*.*.145 64.*.*.145 netmask 255.255.255.248
ip nat inside source route-map nonat pool NATPOOL overload
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.0.1
ip route 0.0.0.0 0.0.0.0 172.16.0.1
!
access-list 103 permit ip 10.0.3.0 0.0.0.255 10.0.5.0 0.0.0.255
access-list 105 deny   ip 10.0.3.0 0.0.0.255 10.0.5.0 0.0.0.255
access-list 105 deny   tcp host 10.0.3.2 eq www any
access-list 105 deny   tcp host 10.0.3.2 eq smtp any
access-list 105 deny   tcp host 10.0.3.2 eq domain any
access-list 105 deny   udp host 10.0.3.2 eq domain any
access-list 105 permit ip 10.0.3.0 0.0.0.255 any
access-list 111 permit ip 10.0.3.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any eq non500-isakmp any
access-list 111 permit udp any any eq isakmp
access-list 111 permit gre any any
access-list 111 deny   ip any any
no cdp run
!
route-map nonat permit 10
 match ip address 105
 